CN106161024B - USB control chip-level USB equipment credibility authentication method and system thereof - Google Patents


Info

Publication number: CN106161024B
Authority: CN (China)
Prior art keywords: usb, control chip, chip, master control, equipment
Legal status: Active
Application number: CN201510156573.8A
Other languages: Chinese (zh)
Other versions: CN106161024A (en)
Inventors: 刘锋, 李健航, 陆驿, 石晶
Current Assignee: Tongfang Computer Co Ltd, Tongfang Co Ltd
Original Assignee: Tongfang Computer Co Ltd, Tongfang Co Ltd
Application filed by: Tongfang Computer Co Ltd, Tongfang Co Ltd
Priority to: CN201510156573.8A
Publication of application: CN106161024A
Publication of grant: CN106161024B

Abstract

A USB device trusted authentication method at the USB control chip level, and a system thereof, relate to the technical field of information security. The trusted authentication system consists of a third-party authentication and authorization management system, a USB master control chip device certificate generation management system, a USB master control chip security management system and a USB device trusted authentication system. Compared with the prior art, the invention combines asymmetric cryptography and trusted authentication to security-harden the main controller of the USB host and the master control chip of the USB device, and has a third-party testing organization perform authentication and authorization management of the USB master control chip. This realizes trusted authentication of the USB device by the USB host, prevents all attacks that attempt to use the firmware of the USB control chip as an intermediary, and thereby builds a trusted computing and communication environment for the computer system and the USB device system.

Description

USB control chip-level USB equipment credibility authentication method and system thereof
Technical Field
The invention relates to the technical field of information security, in particular to a USB device trusted authentication method at the USB control chip level and a system thereof.
Background
USB (Universal Serial Bus) is a bus for connecting a computer to peripheral devices. It supports Plug and Play, so a peripheral can be connected, configured, used and removed without complicated installation. Because USB is flexible and easy to use, the number of USB peripherals has grown year by year, including mice, keyboards, speakers, modems, scanners and the like. To date, the USB interface has become the most successful peripheral interface on computers since the COM (serial) port, and related products have entered the market at a growth rate of more than 30% per year.
The removable storage medium (USB flash drive) is the most widely used USB device; it is small, high-capacity and easy to carry, and is a convenient medium for exchanging information. To ease production and after-sales maintenance, vendors of USB flash drive master control chips provide mass-production tools that let partners define product functions and technical parameters in software and repair problems found in products after sale. The firmware of the USB flash drive master control chip, however, is a trade secret of the chip manufacturer and is not disclosed; other USB peripheral products take a similar approach.
Through analysis of operating principles and reverse engineering of USB master control chip firmware, a hacker organization found a security flaw known as BadUSB: a computer can itself modify the firmware of a USB master control chip, and the computer system into which that chip is then inserted can be attacked through the chip. The master control chip firmware can also actively attack the computer system, forming a chain of attack propagation and an exponential infection model of "computer, multiple USB flash drives, more computers", which has prompted reflection on how to manage removable storage media securely.
In the prior art, because of design flaws in computers, operating systems and the USB protocol, this attack cannot currently be defended against by software means, and it poses an urgent and serious threat to computer systems worldwide, including the automatic control systems of industry and national infrastructure.
Disclosure of Invention
In view of the problems in the prior art, the invention aims to provide a USB device trusted authentication method at the USB control chip level and a system thereof. The method combines asymmetric cryptography and trusted authentication to security-harden the main controller of the USB host and the master control chip of the USB device, and has a third-party testing organization perform authentication and authorization management of the USB master control chip. This realizes trusted authentication of the USB device by the USB host, prevents all attacks that attempt to use the firmware of the USB control chip as an intermediary, and thereby builds a trusted computing and communication environment for the computer system and the USB device system.
In order to achieve the above object, the technical solution of the present invention is implemented as follows:
A USB device trusted authentication method at the USB control chip level uses a trusted authentication system composed of a third-party authentication and authorization management system, a USB master control chip device certificate generation management system, a USB master control chip security management system and a USB device trusted authentication system. The third-party authentication and authorization management system, used by a third-party chip testing organization, consists of an authorization manager, an authorization cryptographic algorithm module and a USB master control chip device certificate issuing manager; the authorization cryptographic algorithm module comprises a hash algorithm, a digital signature algorithm and a digital signature verification algorithm. The USB master control chip device certificate generation management system, used by the USB master control chip manufacturer, consists of a system cryptographic algorithm module and a chip device certificate generator; the system cryptographic algorithm module comprises a hash algorithm and a digital signature algorithm. The USB master control chip security management system, built into the USB master control chip of the USB device, consists of a chip secure storage unit, a chip cryptographic algorithm hardware module, a secure self-check ROM (read-only memory) boot program and a security verification management firmware program; the chip cryptographic algorithm hardware module comprises a hash algorithm and a digital signature verification algorithm. The USB device trusted authentication system at the USB host consists of a USB master control chip authentication manager, a key secure storage unit and an authentication cryptographic algorithm module; the authentication cryptographic algorithm module comprises a digital signature verification algorithm. The method comprises the following main steps:
1) System authorization:
(1) The authorization manager in the third-party authentication and authorization management system provides the third-party authentication public key to the USB device trusted authentication system, where it is stored and fixed in the key secure storage unit of the USB device trusted authentication system.
(2) The authorization manager in the third-party authentication and authorization management system provides the third-party authentication public key to the USB master control chip security management system, where it is stored and fixed in the chip secure storage unit of the USB master control chip security management system.
2) Generation, issuance, and storage and fixing of the USB master control chip device certificate:
(1) The chip device certificate generator of the USB master control chip device certificate generation management system uses the hash algorithm in the system cryptographic algorithm module to hash all or part of the USB master control chip firmware in the USB master control chip, producing a USB master control chip firmware digital digest, and uses the chip device private key and the digital signature algorithm in the system cryptographic algorithm module to generate a digital signature of that firmware digital digest. The USB master control chip identifier, the USB device type description, the chip device public key, the USB master control chip firmware digital digest and the digital signature of the firmware digital digest are then packaged to generate the chip device certificate body corresponding to the USB master control security chip, and the chip device certificate body is provided to the third-party authentication and authorization management system.
(2) The USB master control chip device certificate issuing manager in the third-party authentication and authorization management system uses the chip device public key in the chip device certificate body and the digital signature verification algorithm in the authorization cryptographic algorithm module to verify the digital signature of the USB master control chip firmware digital digest in the chip device certificate body, confirming the validity and integrity of that digest. If the digital signature verifies, the hash algorithm in the authorization cryptographic algorithm module is used to hash all or part of the USB master control chip firmware, producing a USB master control chip firmware digital digest. This digest is compared with the USB master control chip firmware digital digest in the chip device certificate body; if they are consistent, a digital signature of the chip device certificate body is generated using the third-party signature private key and the digital signature algorithm in the authorization cryptographic algorithm module, and the chip device certificate body and its digital signature are packaged to generate the USB master control chip device certificate.
(3) The USB master control chip device certificate is stored and fixed in the chip secure storage unit of the USB master control chip security management system.
3) Security self-check of the USB master control chip:
(1) The USB device is connected to the USB host through the USB bus; after the USB device is powered on, the USB master control chip starts executing the secure self-check ROM boot program of the USB master control chip security management system.
(2) The secure self-check ROM boot program uses the third-party authentication public key in the chip secure storage unit and the digital signature verification algorithm in the chip cryptographic algorithm hardware module to verify the digital signature of the USB master control chip device certificate in the chip secure storage unit, confirming the validity and integrity of the USB master control chip device certificate. If the digital signature verification fails, the USB device is prevented from establishing a communication connection with the USB host.
(3) The secure self-check ROM boot program uses the chip device public key in the USB master control chip device certificate and the digital signature verification algorithm in the chip cryptographic algorithm hardware module to verify the digital signature of the USB master control chip firmware digital digest in the USB master control chip device certificate, confirming the validity and integrity of the firmware digital digest. If the digital signature verification fails, the USB device is prevented from establishing a communication connection with the USB host.
(4) The secure self-check ROM boot program uses the hash algorithm in the chip cryptographic algorithm hardware module to hash all or part of the USB master control chip firmware, obtaining a USB master control chip firmware digital digest. This digest is compared with the USB master control chip firmware digital digest in the USB master control chip device certificate; if they are consistent, the USB master control chip firmware is confirmed not to have been tampered with. If they are inconsistent, the USB device is prevented from establishing a communication connection with the USB host.
(5) After the USB device and the USB host have established a communication connection, the USB master control chip executes the security verification management firmware program of the USB master control chip security management system, which cooperates with the USB host's trusted authentication of the USB device.
4) Trusted authentication of the USB master control chip:
(1) After the USB host detects the USB device, a communication connection is established. The USB master control chip authentication manager of the USB device trusted authentication system conducts a session with the security verification management firmware program of the USB master control chip security management system and obtains the USB master control chip device certificate. It then uses the third-party authentication public key in the key secure storage unit and the digital signature verification algorithm in the authentication cryptographic algorithm module to verify the digital signature of the USB master control chip device certificate, confirming the validity and integrity of the certificate. If the digital signature verification fails, the communication connection between the USB host and the USB device is disconnected immediately.
(2) The USB master control chip authentication manager of the USB device trusted authentication system starts the USB device enumeration process, obtains the USB device type declaration from the USB master control chip, and compares it with the device type declaration in the USB master control chip device certificate. If the device types are consistent, the USB device enumeration process continues; if they are inconsistent, the communication connection between the USB host and the USB device is disconnected immediately.
In the above USB device trusted authentication method at the USB control chip level, the key secure storage unit of the USB device trusted authentication system and the chip secure storage unit of the USB master control chip security management system are both tamper-proof storage units inside the chip: once a chip programming tool has written the data a single time, the chip protects it against modification.
In the above USB device trusted authentication method at the USB control chip level, the third-party authentication public key and the third-party signature private key are managed by the third-party authentication and authorization management system A and are used for the digital signature and signature verification of the USB master control chip device certificate; the chip device private key and the chip device public key are owned and managed by the USB master control chip manufacturer, are used for the digital signature and signature verification of the USB master control chip firmware, and do not correspond one-to-one with individual USB master control chips.
In the above USB device trusted authentication method at the USB control chip level, the USB master control chip identifier consists of the model of the USB master control chip and the firmware version number of the USB master control chip, and corresponds one-to-one with the USB master control chip device certificate.
The USB device trusted authentication system at the USB control chip level is structurally characterized in that it comprises a third-party authentication and authorization management system, a USB master control chip device certificate generation management system, a USB master control chip security management system and a USB device trusted authentication system. The third-party authentication and authorization management system consists of an authorization manager, an authorization cryptographic algorithm module and a USB master control chip device certificate issuing manager; the authorization cryptographic algorithm module comprises a hash algorithm, a digital signature algorithm and a digital signature verification algorithm. The USB master control chip device certificate generation management system consists of a system cryptographic algorithm module and a chip device certificate generator; the system cryptographic algorithm module comprises a hash algorithm and a digital signature algorithm. The USB master control chip security management system consists of a chip secure storage unit, a chip cryptographic algorithm hardware module, a secure self-check ROM boot program and a security verification management firmware program; the chip cryptographic algorithm hardware module comprises a hash algorithm and a digital signature verification algorithm implemented in hardware. The USB device trusted authentication system consists of a USB master control chip authentication manager, a key secure storage unit and an authentication cryptographic algorithm module; the authentication cryptographic algorithm module comprises a digital signature verification algorithm.
The third-party authentication and authorization management system is used by a third-party chip testing organization and performs the authentication and authorization functions for the USB master control chip security management system and the USB device trusted authentication system. The USB master control chip device certificate generation management system is used by the USB master control chip manufacturer and performs the generation and management of USB master control chip certificates. The USB master control chip security management system is built into the USB master control chip of the USB device and performs the security self-check and security verification functions of the USB device at the master control chip level. The USB device trusted authentication system is built into the USB host controller or implemented as an independent chip, and performs the USB host's trusted authentication and safe-use verification of the USB device.
With the above method and structure, the invention on the one hand applies a chip-level security modification to the master control chip of the USB device, adding a security self-check of the USB master control chip before a communication connection with the USB host is established, which ensures the security of the USB master control chip itself. On the other hand, it security-modifies the main controller of the USB host or adds an independent chip, adding the USB host's trusted authentication of the USB device before the USB host enumerates the device, which ensures that a USB device connected to the host is secure and trusted. At the same time, the third-party testing organization performs trusted authentication management of the USB master control chip, so that the USB host's trusted authentication of the USB device is realized and a USB device that fails authentication is refused connection to the host. The invention provides a USB device trusted authentication technique at the USB control chip level for defending information and network systems against attacks that use USB as a medium, thereby solving the problem that such attacks cannot be defended against by software means because of design flaws in computers, operating systems and the USB protocol. The invention uses asymmetric cryptography to implement authorization management and trusted authentication of the USB master control chip, and by adding a security self-check of the USB master control chip it secures the USB device itself at the chip level, providing a reliable technical guarantee for the trusted authentication of USB devices.
The invention is further described below with reference to the drawings and the detailed description.
Drawings
FIG. 1 is a schematic block diagram of a system of the present invention;
FIG. 2 is a schematic diagram of a system authorization process for a USB host and a USB device in the method of the present invention;
FIG. 3 is a schematic diagram of the process of generating, issuing, storing and solidifying a device certificate of a USB main control chip in the method of the invention;
FIG. 4 is a flowchart of a device certificate generation system of the USB main control chip in FIG. 3;
FIG. 5 is a flow chart of a security self-checking processing system of a USB master control chip in the method of the invention;
FIG. 6 is a flow chart of a trusted authentication processing system of a USB host to a USB master control chip in the method of the invention.
Detailed Description
Referring to FIG. 1 to FIG. 3, a system for implementing the USB device trusted authentication method at the USB control chip level is composed of a third-party authentication and authorization management system A, a USB master control chip device certificate generation management system B, a USB master control chip security management system C, and a USB device trusted authentication system D.
The third-party authentication and authorization management system A is used by a third-party chip testing organization and consists of an authorization manager 1, an authorization cryptographic algorithm module 2 and a USB master control chip device certificate issuing manager 3; the authorization cryptographic algorithm module 2 comprises a hash algorithm, a digital signature algorithm and a digital signature verification algorithm. System A performs the authentication and authorization functions for the USB master control chip security management system C and the USB device trusted authentication system D. On the one hand, system A implements authorization management of the USB host and the USB device through the authorized use of the third-party authentication public key 13; on the other hand, it performs security testing of the USB master control chip and digitally signs the chip device certificate body 14 submitted for signing, generating the USB master control chip device certificate 15 and thereby issuing it.
The USB master control chip device certificate generation management system B is used by the USB master control chip manufacturer and consists of a system cryptographic algorithm module 4 and a chip device certificate generator 5; the system cryptographic algorithm module 4 comprises a hash algorithm and a digital signature algorithm. System B performs the generation and management of the USB master control chip device certificate.
The USB master control chip security management system C is built into the USB master control chip of the USB device and consists of a chip secure storage unit 6, a chip cryptographic algorithm hardware module 7, a secure self-check ROM boot program 8 and a security verification management firmware program 9; the chip cryptographic algorithm hardware module 7 comprises a hash algorithm and a digital signature verification algorithm implemented in hardware. System C performs the security self-check and security verification functions of the USB device master control chip.
The USB device trusted authentication system D is built into the USB host controller or implemented as an independent chip, and consists of a USB master control chip authentication manager 10, a key secure storage unit 11 and an authentication cryptographic algorithm module 12; the authentication cryptographic algorithm module 12 comprises a digital signature verification algorithm. System D performs the USB host's trusted authentication and safe-use verification of the USB device.
The USB master control chip device certificate 15 of the invention contains the USB master control chip firmware digital digest and its digital signature, and provides important support for the trusted authentication of the whole system.
Referring to fig. 1 to 6, the method of the present invention is used as follows:
1) System authorization:
(1) The authorization manager 1 in the third-party authentication and authorization management system A provides the third-party authentication public key 13 to the USB device trusted authentication system D, where it is stored and fixed in the key secure storage unit 11 of the USB device trusted authentication system D, completing the authentication and authorization of the USB device trusted authentication system D.
(2) The authorization manager 1 in the third-party authentication and authorization management system A provides the third-party authentication public key 13 to the USB master control chip security management system C, where it is stored and fixed in the chip secure storage unit 6 of the USB master control chip security management system C, completing the authentication and authorization of the USB device.
2) Generation, issuance, and storage and fixing of the USB master control chip device certificate:
(1) The chip device certificate generator 5 of the USB master control chip device certificate generation management system B uses the hash algorithm in the system cryptographic algorithm module 4 to hash all or part of the USB master control chip firmware in the USB master control chip, producing a USB master control chip firmware digital digest, and uses the chip device private key and the digital signature algorithm in the system cryptographic algorithm module 4 to generate a digital signature of that firmware digital digest. The USB master control chip identifier, the USB device type description, the chip device public key, the USB master control chip firmware digital digest and the digital signature of the firmware digital digest are then packaged to generate the chip device certificate body 14 corresponding to the USB master control security chip. The chip device certificate body 14 is provided to the third-party authentication and authorization management system A.
(2) The USB master control chip device certificate issuing manager 3 in the third-party authentication and authorization management system A uses the chip device public key in the chip device certificate body 14 and the digital signature verification algorithm in the authorization cryptographic algorithm module 2 to verify the digital signature of the USB master control chip firmware digital digest in the chip device certificate body 14, confirming the validity and integrity of that digest. If the digital signature verifies, the hash algorithm in the authorization cryptographic algorithm module 2 is used to hash all or part of the USB master control chip firmware, producing a USB master control chip firmware digital digest, which is compared with the USB master control chip firmware digital digest in the chip device certificate body 14. If they are consistent, a digital signature of the chip device certificate body 14 is generated using the third-party signature private key and the digital signature algorithm in the authorization cryptographic algorithm module 2, and the chip device certificate body 14 and this digital signature are packaged to generate the USB master control chip device certificate 15.
(3) The USB master control chip device certificate 15 is stored and fixed in the chip secure storage unit 6 of the USB master control chip security management system C.
3) Security self-check of the USB master control chip:
(1) The USB device is connected to the USB host through the USB bus; after the USB device is powered on, the USB master control chip starts executing the secure self-check ROM boot program 8 of the USB master control chip security management system C.
(2) The secure self-check ROM boot program 8 uses the third-party authentication public key 13 in the chip secure storage unit 6 and the digital signature verification algorithm in the chip cryptographic algorithm hardware module 7 to verify the digital signature of the USB master control chip device certificate 15 in the chip secure storage unit 6, confirming the validity and integrity of the chip device certificate. If the digital signature verification fails, the USB device is prevented from establishing a communication connection with the USB host.
(3) The secure self-check ROM boot program 8 uses the chip device public key in the USB master control chip device certificate 15 and the digital signature verification algorithm in the chip cryptographic algorithm hardware module 7 to verify the digital signature of the USB master control chip firmware digital digest in the USB master control chip device certificate 15, confirming the validity and integrity of the firmware digital digest. If the digital signature verification fails, the USB device is prevented from establishing a communication connection with the USB host.
(4) The secure self-check ROM boot program 8 uses the hash algorithm in the chip cryptographic algorithm hardware module 7 to hash all or part of the USB master control chip firmware, obtaining a USB master control chip firmware digital digest. This digest is compared with the USB master control chip firmware digital digest in the USB master control chip device certificate 15; if they are consistent, the USB master control chip firmware is confirmed not to have been tampered with. If they are inconsistent, the USB device is prevented from establishing a communication connection with the USB host.
(5) After the USB device and the USB host have established a communication connection, the USB master control chip executes the security verification management firmware program 9 of the USB master control chip security management system C, which cooperates with the USB host's trusted authentication of the USB device.
4) Trusted authentication of USB master control chip:
(1) after the USB host detects the USB equipment, establishing communication connection, and carrying out session communication between a USB master control chip authentication manager 10 of a USB equipment trusted authentication system D and a security verification management firmware program 9 of a USB master control chip security management system C to obtain a USB master control chip equipment certificate 15; the third party authentication public key 13 in the key safety storage unit 11 and the digital signature verification algorithm in the authentication cipher algorithm module 12 are used for verifying the digital signature of the USB master control chip equipment certificate 15, and the validity and the integrity of the USB master control chip equipment certificate 15 are confirmed; if the digital signature verification is not passed, the communication connection between the USB host and the USB device is directly disconnected.
(2) The USB master control chip authentication manager 10 of the USB device trusted authentication system D starts a USB device enumeration process, acquires a USB device type statement from the USB master control chip, and compares the USB device type statement with a device type statement in the USB master control chip device certificate 15; if the device types are consistent, continuing the normal enumeration process of the USB device; if the device types are inconsistent, the communication connection between the USB host and the USB device is directly disconnected.
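Procedures 2) to 4) above, which claim 1 recites again, can be traced end to end in the following added example; it is not code from the patent. The toy RSA built from Mersenne primes is an insecure stand-in for the signature algorithm the patent leaves unnamed, and the JSON certificate layout, the function names and all sample values are assumptions.

```python
import hashlib
import json

# Toy textbook RSA over Mersenne primes: an INSECURE stand-in (assumption) for
# the digital signature algorithm, which the patent does not name.
def make_key(p_exp, q_exp):
    p, q = 2**p_exp - 1, 2**q_exp - 1
    n, e = p * q, 65537
    return {"pub": (n, e), "priv": (n, pow(e, -1, (p - 1) * (q - 1)))}

def digest(data):
    return hashlib.sha256(data).hexdigest()

def hash_to_int(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(priv, msg):
    n, d = priv
    return pow(hash_to_int(msg, n), d, n)

def verify(pub, msg, sig):
    n, e = pub
    return pow(sig, e, n) == hash_to_int(msg, n)

def encode(body):
    # Canonical byte encoding of certificate body (14); the layout is assumed.
    return json.dumps(body, sort_keys=True).encode()

def make_cert_body(chip_id, device_type, firmware, device_key):
    # System B, procedure 2) step (1): hash the firmware, sign the digest.
    fw_digest = digest(firmware)
    return {"chip_id": chip_id, "device_type": device_type,
            "device_pub": list(device_key["pub"]), "fw_digest": fw_digest,
            "fw_digest_sig": sign(device_key["priv"], fw_digest.encode())}

def digest_sig_ok(body):
    return verify(tuple(body["device_pub"]), body["fw_digest"].encode(),
                  body["fw_digest_sig"])

def issue_cert(body, firmware, third_party_key):
    # System A, procedure 2) step (2): re-verify, then sign body -> cert (15).
    if not digest_sig_ok(body) or digest(firmware) != body["fw_digest"]:
        raise ValueError("certificate body does not match submitted firmware")
    return {"body": body, "sig": sign(third_party_key["priv"], encode(body))}

def rom_self_check(cert, firmware, third_party_pub):
    # System C, procedure 3) steps (2)-(4), run by ROM boot program (8).
    body = cert["body"]
    if not verify(third_party_pub, encode(body), cert["sig"]):
        return "blocked: certificate signature"
    if not digest_sig_ok(body):
        return "blocked: firmware digest signature"
    if digest(firmware) != body["fw_digest"]:
        return "blocked: firmware modified"
    return "ok"

def host_authenticate(cert, declared_type, third_party_pub):
    # System D, procedure 4) steps (1)-(2), run by authentication manager (10).
    if not verify(third_party_pub, encode(cert["body"]), cert["sig"]):
        return "disconnect: certificate signature"
    if declared_type != cert["body"]["device_type"]:
        return "disconnect: device type mismatch"
    return "enumerate"

# Constructed sample keys, firmware image and chip identifier.
THIRD_PARTY = make_key(127, 89)
MANUFACTURER = make_key(107, 61)
FIRMWARE = b"constructed mass-storage controller firmware, version 1.0"
CERT = issue_cert(
    make_cert_body("MODEL-X/fw-1.0", "mass-storage", FIRMWARE, MANUFACTURER),
    FIRMWARE, THIRD_PARTY)

if __name__ == "__main__":
    pub = THIRD_PARTY["pub"]
    print(rom_self_check(CERT, FIRMWARE, pub))
    print(rom_self_check(CERT, FIRMWARE + b" + injected code", pub))
    print(host_authenticate(CERT, "mass-storage", pub))
    print(host_authenticate(CERT, "hid-keyboard", pub))
```

The device type check depends on the type description being inside the third-party-signed certificate body: editing it in the certificate breaks the signature, and declaring a different type during enumeration fails the comparison.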

Claims (5)

1. A USB device credibility authentication method at the USB control chip level, which uses a trusted authentication system composed of a third-party authentication and authorization management system (A), a USB master control chip device certificate generation management system (B), a USB master control chip security management system (C) and a USB device trusted authentication system (D); the third-party authentication and authorization management system (A), used by a third-party chip detection mechanism, consists of an authorization manager (1), an authorization cryptographic algorithm module (2) and a USB master control chip device certificate issuing manager (3), wherein the authorization cryptographic algorithm module (2) comprises a hash algorithm, a digital signature algorithm and a digital signature verification algorithm; the USB master control chip device certificate generation management system (B), used by a USB master control chip manufacturer, consists of a system cryptographic algorithm module (4) and a chip device certificate generator (5), wherein the system cryptographic algorithm module (4) comprises a hash algorithm and a digital signature algorithm; the USB master control chip security management system (C), built into the USB master control chip of the USB device, consists of a chip secure storage unit (6), a chip cryptographic algorithm hardware module (7), a secure self-checking ROM (read-only memory) boot program (8) and a security verification management firmware program (9), wherein the chip cryptographic algorithm hardware module (7) comprises a hash algorithm and a digital signature verification algorithm implemented in hardware; the USB device trusted authentication system (D), at the USB host end, consists of a USB master control chip authentication manager (10), a key secure storage unit (11) and an authentication cryptographic algorithm module (12), wherein the authentication cryptographic algorithm module (12) comprises a digital signature verification algorithm; the method mainly comprises the following implementation steps:
1) System authorization:
(1) the authorization manager (1) in the third-party authentication and authorization management system (A) provides the third-party authentication public key (13) to the USB device trusted authentication system (D), and the key is stored and solidified in the key secure storage unit (11) of the USB device trusted authentication system (D);
(2) the authorization manager (1) in the third-party authentication and authorization management system (A) provides the third-party authentication public key (13) to the USB master control chip security management system (C), and the key is stored and solidified in the chip secure storage unit (6) of the USB master control chip security management system (C);
2) Generating, issuing, and storing and solidifying the USB master control chip device certificate:
(1) the chip device certificate generator (5) of the USB master control chip device certificate generation management system (B) uses the hash algorithm in the system cryptographic algorithm module (4) to hash all or part of the USB master control chip firmware in the USB master control chip, generating a USB master control chip firmware digest, and uses the chip device private key and the digital signature algorithm in the system cryptographic algorithm module (4) to generate a digital signature of the USB master control chip firmware digest; the USB master control chip identifier, the USB device type description, the chip device public key, the USB master control chip firmware digest and the digital signature of the firmware digest are packaged to generate the chip device certificate body (14) corresponding to the USB master control chip; the chip device certificate body (14) is then provided to the third-party authentication and authorization management system (A);
(2) the USB master control chip device certificate issuing manager (3) in the third-party authentication and authorization management system (A) uses the chip device public key in the chip device certificate body (14) and the digital signature verification algorithm in the authorization cryptographic algorithm module (2) to verify the digital signature of the USB master control chip firmware digest in the chip device certificate body (14), confirming the validity and integrity of the firmware digest; if the digital signature is verified, the hash algorithm in the authorization cryptographic algorithm module (2) is used to hash all or part of the USB master control chip firmware, generating a USB master control chip firmware digest, which is compared with the USB master control chip firmware digest in the chip device certificate body (14); if the two are identical, a digital signature of the chip device certificate body (14) is generated using the third-party signature private key and the digital signature algorithm in the authorization cryptographic algorithm module (2), and the chip device certificate body (14) and this digital signature are packaged to generate the USB master control chip device certificate (15);
(3) the USB master control chip device certificate (15) is stored and solidified in the chip secure storage unit (6) of the USB master control chip security management system (C);
3) Security self-check of the USB master control chip:
(1) the USB device is connected to the USB host through the USB bus; after the USB device is powered on, the USB master control chip starts executing the secure self-checking ROM boot program (8) of the USB master control chip security management system (C);
(2) the secure self-checking ROM boot program (8) uses the third-party authentication public key (13) in the chip secure storage unit (6) and the digital signature verification algorithm in the chip cryptographic algorithm hardware module (7) to verify the digital signature of the USB master control chip device certificate (15) stored in the chip secure storage unit (6), confirming the validity and integrity of the chip device certificate; if the signature verification fails, the USB device is prevented from establishing a communication connection with the USB host;
(3) the secure self-checking ROM boot program (8) uses the chip device public key in the USB master control chip device certificate (15) and the digital signature verification algorithm in the chip cryptographic algorithm hardware module (7) to verify the digital signature of the USB master control chip firmware digest contained in the USB master control chip device certificate (15), confirming the validity and integrity of the firmware digest; if the signature verification fails, the USB device is prevented from establishing a communication connection with the USB host;
(4) the secure self-checking ROM boot program (8) uses the hash algorithm in the chip cryptographic algorithm hardware module (7) to hash all or part of the USB master control chip firmware, obtaining a USB master control chip firmware digest; this digest is compared with the USB master control chip firmware digest in the USB master control chip device certificate (15), and if the two are identical, the USB master control chip firmware is confirmed not to have been tampered with; if they differ, the USB device is prevented from establishing a communication connection with the USB host;
(5) after the USB device and the USB host establish a communication connection, the USB master control chip executes the security verification management firmware program (9) of the USB master control chip security management system (C), which cooperates with the USB host's trusted authentication of the USB device;
4) Trusted authentication of the USB master control chip:
(1) after the USB host detects the USB device and establishes a communication connection, the USB master control chip authentication manager (10) of the USB device trusted authentication system (D) conducts session communication with the security verification management firmware program (9) of the USB master control chip security management system (C) to obtain the USB master control chip device certificate (15); the third-party authentication public key (13) in the key secure storage unit (11) and the digital signature verification algorithm in the authentication cryptographic algorithm module (12) are used to verify the digital signature of the USB master control chip device certificate (15), confirming the validity and integrity of the USB master control chip device certificate (15); if the signature verification fails, the communication connection between the USB host and the USB device is directly disconnected;
(2) the USB master control chip authentication manager (10) of the USB device trusted authentication system (D) starts the USB device enumeration process, obtains the USB device type declaration from the USB master control chip, and compares it with the device type declaration in the USB master control chip device certificate (15); if the device types are consistent, the normal enumeration process of the USB device continues; if the device types are inconsistent, the communication connection between the USB host and the USB device is directly disconnected.
2. The USB device credibility authentication method at the USB control chip level according to claim 1, wherein the key secure storage unit (11) of the USB device trusted authentication system (D) and the chip secure storage unit (6) of the USB master control chip security management system (C) are tamper-proof storage units that are protected by the chip once data has been written into the chip a single time by a chip burning tool.
3. The USB device credibility authentication method at the USB control chip level according to claim 1 or 2, wherein the third-party authentication public key (13) and the third-party signature private key are managed by the third-party authentication and authorization management system (A) and are used for digitally signing the USB master control chip device certificate (15) and verifying that signature; the chip device private key and the chip device public key are owned and managed by the USB master control chip manufacturer, are used for digitally signing the USB master control chip firmware and verifying that signature, and have no one-to-one correspondence with the USB master control chip.
4. The USB device credibility authentication method at the USB control chip level according to claim 3, wherein the USB master control chip identifier is an identifier composed of the model number of the USB master control chip and the firmware version number of the USB master control chip, and corresponds one-to-one with the USB master control chip device certificate (15).
5. A USB device credibility authentication system at the USB control chip level, characterized by comprising a third-party authentication and authorization management system (A), a USB master control chip device certificate generation management system (B), a USB master control chip security management system (C) and a USB device trusted authentication system (D); the third-party authentication and authorization management system (A) consists of an authorization manager (1), an authorization cryptographic algorithm module (2) and a USB master control chip device certificate issuing manager (3), wherein the authorization cryptographic algorithm module (2) comprises a hash algorithm, a digital signature algorithm and a digital signature verification algorithm; the USB master control chip device certificate generation management system (B) consists of a system cryptographic algorithm module (4) and a chip device certificate generator (5), wherein the system cryptographic algorithm module (4) comprises a hash algorithm and a digital signature algorithm; the USB master control chip security management system (C) consists of a chip secure storage unit (6), a chip cryptographic algorithm hardware module (7), a secure self-checking ROM (read-only memory) boot program (8) and a security verification management firmware program (9), wherein the chip cryptographic algorithm hardware module (7) comprises a hash algorithm and a digital signature verification algorithm implemented in hardware; the USB device trusted authentication system (D) consists of a USB master control chip authentication manager (10), a key secure storage unit (11) and an authentication cryptographic algorithm module (12), wherein the authentication cryptographic algorithm module (12) comprises a digital signature verification algorithm; the third-party authentication and authorization management system (A) is a system used by a third-party chip detection mechanism and performs the authentication and authorization functions for the USB master control chip security management system (C) and the USB device trusted authentication system (D); the USB master control chip device certificate generation management system (B) is a system used by a USB master control chip manufacturer and performs the generation and management of the USB master control chip device certificate (15); the USB master control chip security management system (C) is built into the USB master control chip of the USB device and performs the security self-check and security verification functions of the USB master control chip of the USB device; the USB device trusted authentication system (D) is built into the USB host controller or implemented as an independent chip, and performs the USB host's trusted authentication and safe-use verification of the USB device.
CN201510156573.8A 2015-04-03 2015-04-03 USB control chip-level USB equipment credibility authentication method and system thereof Active CN106161024B (en)


Publications (2)

Publication Number    Publication Date
CN106161024A (en)     2016-11-23
CN106161024B (en)     2023-05-12
