CN109255231A - A kind of encryption hard disk cryptographic key protection system and method based on trust computing - Google Patents
A kind of encryption hard disk cryptographic key protection system and method based on trust computing Download PDFInfo
- Publication number
- CN109255231A CN109255231A CN201811139767.7A CN201811139767A CN109255231A CN 109255231 A CN109255231 A CN 109255231A CN 201811139767 A CN201811139767 A CN 201811139767A CN 109255231 A CN109255231 A CN 109255231A
- Authority
- CN
- China
- Prior art keywords
- key
- hard disk
- tcm
- encryption
- hash
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/78—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
- G06F21/80—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data in storage media based on magnetic or optical technology, e.g. disks with sectors
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/45—Structures or tools for the administration of authentication
- G06F21/46—Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords
Abstract
The present invention relates to trusted cryptography's technical field and HD encryption technical field, in particular to a kind of encryption hard disk cryptographic key protection system and method based on trust computing.Its system structure includes TCM chip, and nonvolatile storage and enciphering algorithm module are provided in the TCM chip, and the enciphering algorithm module is used for: A, the encryption hard disk key generated to dense tubular system (DTS) re-encrypts, and obtains encrypted secret key;B, Hash calculation is carried out to the encryption hard disk key that dense tubular system (DTS) generates, obtains encryption hard disk keyed hash value;C, the encrypted secret key and encryption hard disk keyed hash value are stored in the nonvolatile storage.A kind of encryption hard disk cryptographic key protection system and method based on trust computing of the invention, system combination TCM chip access control to encryption hard disk key, can encrypt to hard disk key is encrypted, and carry out integrity measurement.
Description
Technical field
The present invention relates to trusted cryptography's technical fields and HD encryption technical field, in particular to a kind of to be based on trust computing
Encryption hard disk cryptographic key protection system and method.
Background technique
Reliable computing technology development is increasingly mature, and the country also has numerous producers to land, the terminal based on trust computing
The protection of safety has also obtained more application, but domestic trust computing is mainly used in the anti-of BIOS or operating system level
Shield includes actively measurement, integrity measurement, credible operation control etc..
Trust computing provides the cryptographic key service of bottom using credible password module, credible password module with it is traditional close
There is difference in code hardware module, the cryptographic key protection inside credible password module is based on trusted root, and using tree structure, compare biography
Crypto module of uniting is more credible.
TCM, the english abbreviation of credible password module, full name are " Trusted Cryptography Module ", TCM core
Piece is the hardware module of credible calculating platform, provides crypto-operation function for credible calculating platform, has shielded storage empty
Between.
Usually encryption hard disk key storage carries out being synthetically formed final key by common password in inside, this
Mode is unfavorable for the centralized management of key, is unfavorable for the cascade protection of key.
In order to play the advantage of reliable computing technology, reliable computing technology is applied to more fields, the present invention can
Believe that computing technique in conjunction with encryption hard disk, for protecting the key of encryption hard disk, improves the safety of data access in encryption hard disk
Property.
Summary of the invention
In order to solve problems in the prior art, the present invention provides a kind of encryption hard disk cryptographic key protection based on trust computing
System and method, system combination TCM chip access control to encryption hard disk key, can add to hard disk key is encrypted
Privacy protection, and carry out integrity measurement.
The technical solution adopted in the present invention is as follows:
A kind of encryption hard disk cryptographic key protection system based on trust computing, including TCM chip are provided in the TCM chip
Nonvolatile storage and enciphering algorithm module, the enciphering algorithm module are used for: A, hard to the encryption of dense tubular system (DTS) generation
Disk key is re-encrypted, and encrypted secret key is obtained;B, Hash calculation is carried out to the encryption hard disk key that dense tubular system (DTS) generates, obtained
To encryption hard disk keyed hash value;C, the encrypted secret key and encryption hard disk keyed hash value are stored in described non-
Volatile storage area.
The encrypted secret key and encryption hard disk keyed hash value are stored in by TCM chip by TCM memory interface
The nonvolatile storage.
TCM chip includes TCM authentication interface and TCM hash algorithm interface, and the TCM chip passes through TCM identity
Authentication interface carries out authentication, and the TCM chip calculates Hash to identity authenticating password by TCM hash algorithm interface,
Obtain authentication cryptographic Hash.
A kind of encryption hard disk cryptographic key protection method based on trust computing, including key method for implanting and key load side
Method:
Steps are as follows for the key method for implanting:
Step I1: the encryption hard disk key K1 that dense tubular system (DTS) generates is imported into computer;
Step I2: calling TCM authentication interface to carry out authentication, and authentication executes step I3 after passing through, otherwise terminates;
Step I3: it calls TCM hash algorithm interface to calculate Hash to identity authenticating password, obtains authentication cryptographic Hash H1;
Step I4: using authentication cryptographic Hash H1 as encryption key, call TCM symmetric encipherment algorithm to encryption hard disk key K1
It is encrypted, obtains encrypted secret key K2;
Step I5: calling TCM hash algorithm to calculate encryption hard disk key K1 Hash, obtains encryption hard disk keyed hash value H2;
Step I6: call TCM memory interface by encrypted secret key K2 and encryption hard disk keyed hash value H2 store with it is non-volatile
Memory block.
Steps are as follows for the key loading method:
Step S1: prompt user inputs TCM identity authenticating password first, carries out authentication;
Step S2: authentication calls TCM hash algorithm that password cryptographic Hash H3 is calculated after passing through;
Step S3: the encrypted secret key K2 and encryption hard disk keyed hash value H2 of injection are read from the nonvolatile storage TCM;
Step S4: using password cryptographic Hash H3 as decruption key, the symmetrical decipherment algorithm of TCM is called to solve encrypted secret key K2
It is close, obtain key plain K3;
Step S5: calculating cryptographic Hash to encrypted secret key K2 and obtain cryptographic Hash H4, cryptographic Hash H4 and cryptographic Hash H4 is compared, if
It is equal, key plain K3 is loaded into encryption hard drive internal, otherwise prompts user's failure.
Technical solution provided by the invention has the benefit that
Safeguard protection is carried out to encryption hard disk key by reliable computing technology, is taken by the TCM authentication provided and password
Business carries out authorization access and secure storage to encryption hard disk key, improves the safety of encryption hard disk key.
Detailed description of the invention
To describe the technical solutions in the embodiments of the present invention more clearly, make required in being described below to embodiment
Attached drawing is briefly described, it should be apparent that, drawings in the following description are only some embodiments of the invention, for
For those of ordinary skill in the art, without creative efforts, it can also be obtained according to these attached drawings other
Attached drawing.
Fig. 1 is a kind of method flow diagram of encryption hard disk cryptographic key protection system and method based on trust computing of the invention
(key injection);
Fig. 2 is that a kind of method flow diagram of encryption hard disk cryptographic key protection system and method based on trust computing of the invention is (close
Key load).
Specific embodiment
To make the object, technical solutions and advantages of the present invention clearer, below in conjunction with attached drawing to embodiment party of the present invention
Formula is described in further detail.
Embodiment one
A kind of encryption hard disk cryptographic key protection system based on trust computing, including TCM chip are provided in the TCM chip
Nonvolatile storage and enciphering algorithm module, the enciphering algorithm module are used for: A, hard to the encryption of dense tubular system (DTS) generation
Disk key is re-encrypted, and encrypted secret key is obtained;B, Hash calculation is carried out to the encryption hard disk key that dense tubular system (DTS) generates, obtained
To encryption hard disk keyed hash value;C, the encrypted secret key and encryption hard disk keyed hash value are stored in described non-
Volatile storage area.
The encrypted secret key and encryption hard disk keyed hash value are stored in by TCM chip by TCM memory interface
The nonvolatile storage.
TCM chip includes TCM authentication interface and TCM hash algorithm interface, and the TCM chip passes through TCM identity
Authentication interface carries out authentication, and the TCM chip calculates Hash to identity authenticating password by TCM hash algorithm interface,
Obtain authentication cryptographic Hash.
A kind of encryption hard disk cryptographic key protection system based on trust computing of the present embodiment, function include:
1, HD encryption key injects: by TCM identity authenticating password, hash algorithm being called to calculate identity authenticating password Hash
Value calls TCM Encryption Algorithm to encrypt the encryption key of encryption hard disk in plain text, simultaneously using cryptographic Hash as encryption key
Hash algorithm is called to calculate the cryptographic Hash of HD encryption key plain, cryptographic Hash and encrypted key storage is non-easily in TCM
The property lost memory block;
2, HD encryption key loads: BIOS prompt user inputs TCM identity authenticating password, after password authentication passes through, calls and breathes out
Uncommon algorithm calculates the cryptographic Hash of identity authenticating password, using cryptographic Hash as encryption key, reads and adds from the nonvolatile storage TCM
Key ciphertext calls TCM decipherment algorithm that the HD encryption key ciphertext of reading is decrypted, hash algorithm is called after decryption
Cryptographic Hash is calculated, and is compared with cryptographic Hash when injection, encryption hard disk is passed to if consistent, otherwise prompts user.
Embodiment two
A kind of encryption hard disk cryptographic key protection method based on trust computing, including key method for implanting and key loading method:
As shown in Fig. 1, steps are as follows for the key method for implanting:
Step V101: the encryption hard disk key K1 that dense tubular system (DTS) generates is imported into computer;
Step V102: calling TCM authentication interface to carry out authentication, and authentication executes step I3 after passing through, otherwise ties
Beam;
Step V103: it calls TCM hash algorithm interface to calculate Hash to identity authenticating password, obtains authentication cryptographic Hash H1;
Step V104: using authentication cryptographic Hash H1 as encryption key, call TCM symmetric encipherment algorithm to encryption hard disk key
K1 is encrypted, and encrypted secret key K2 is obtained;
Step V105: calling TCM hash algorithm to calculate encryption hard disk key K1 Hash, obtains encryption hard disk keyed hash value H2;
Step V106: call TCM memory interface by encrypted secret key K2 and encryption hard disk keyed hash value H2 store with it is non-volatile
Property memory block.
As shown in Fig. 2, steps are as follows for the key loading method:
Step V201: prompt user inputs TCM identity authenticating password first, carries out authentication;
Step V202: authentication calls TCM hash algorithm that password cryptographic Hash H3 is calculated after passing through;
Step V203: the encrypted secret key K2 and encryption hard disk keyed hash value H2 of injection are read from the nonvolatile storage TCM;
Step V204: using password cryptographic Hash H3 as decruption key, the symmetrical decipherment algorithm of TCM is called to carry out encrypted secret key K2
Decryption, obtains key plain K3;
Step V205: cryptographic Hash is calculated to encrypted secret key K2 and obtains cryptographic Hash H4, cryptographic Hash H4 and cryptographic Hash H4 is compared, such as
Fruit is equal, and key plain K3 is loaded into encryption hard drive internal, otherwise prompts user's failure.
The foregoing is merely presently preferred embodiments of the present invention, is not intended to limit the invention, it is all in spirit of the invention and
Within principle, any modification, equivalent replacement, improvement and so on be should all be included in the protection scope of the present invention.
Claims (4)
1. a kind of encryption hard disk cryptographic key protection system based on trust computing, including TCM chip, the interior setting of the TCM chip
There are nonvolatile storage and enciphering algorithm module, the enciphering algorithm module is used for: the A, encryption generated to dense tubular system (DTS)
Hard disk key is re-encrypted, and encrypted secret key is obtained;B, Hash calculation is carried out to the encryption hard disk key that dense tubular system (DTS) generates,
Obtain encryption hard disk keyed hash value;C, the encrypted secret key and encryption hard disk keyed hash value are stored in described
Nonvolatile storage.
2. a kind of encryption hard disk cryptographic key protection system based on trust computing according to claim 1, which is characterized in that institute
The encrypted secret key and encryption hard disk keyed hash value are stored in described by the TCM chip stated by TCM memory interface
Nonvolatile storage.
3. a kind of encryption hard disk cryptographic key protection system based on trust computing according to claim 1, which is characterized in that institute
The TCM chip stated includes TCM authentication interface and TCM hash algorithm interface, and the TCM chip passes through TCM authentication
Interface carries out authentication, and the TCM chip calculates Hash to identity authenticating password by TCM hash algorithm interface, obtains
Authentication cryptographic Hash.
4. a kind of encryption hard disk cryptographic key protection method based on trust computing, including key method for implanting and key loading method:
Steps are as follows for the key method for implanting:
Step I1: the encryption hard disk key K1 that dense tubular system (DTS) generates is imported into computer;
Step I2: calling TCM authentication interface to carry out authentication, and authentication executes step I3 after passing through, otherwise terminates;
Step I3: it calls TCM hash algorithm interface to calculate Hash to identity authenticating password, obtains authentication cryptographic Hash H1;
Step I4: using authentication cryptographic Hash H1 as encryption key, call TCM symmetric encipherment algorithm to encryption hard disk key K1
It is encrypted, obtains encrypted secret key K2;
Step I5: calling TCM hash algorithm to calculate encryption hard disk key K1 Hash, obtains encryption hard disk keyed hash value H2;
Step I6: call TCM memory interface by encrypted secret key K2 and encryption hard disk keyed hash value H2 store with it is non-volatile
Memory block;
Steps are as follows for the key loading method:
Step S1: prompt user inputs TCM identity authenticating password first, carries out authentication;
Step S2: authentication calls TCM hash algorithm that password cryptographic Hash H3 is calculated after passing through;
Step S3: the encrypted secret key K2 and encryption hard disk keyed hash value H2 of injection are read from the nonvolatile storage TCM;
Step S4: using password cryptographic Hash H3 as decruption key, the symmetrical decipherment algorithm of TCM is called to solve encrypted secret key K2
It is close, obtain key plain K3;
Step S5: calculating cryptographic Hash to encrypted secret key K2 and obtain cryptographic Hash H4, cryptographic Hash H4 and cryptographic Hash H4 is compared, if
It is equal, key plain K3 is loaded into encryption hard drive internal, otherwise prompts user's failure.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201811139767.7A CN109255231A (en) | 2018-09-28 | 2018-09-28 | A kind of encryption hard disk cryptographic key protection system and method based on trust computing |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201811139767.7A CN109255231A (en) | 2018-09-28 | 2018-09-28 | A kind of encryption hard disk cryptographic key protection system and method based on trust computing |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN109255231A true CN109255231A (en) | 2019-01-22 |
Family
ID=65048610
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201811139767.7A Pending CN109255231A (en) | 2018-09-28 | 2018-09-28 | A kind of encryption hard disk cryptographic key protection system and method based on trust computing |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN109255231A (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109918918A (en) * | 2019-03-19 | 2019-06-21 | 联芸科技(杭州)有限公司 | A kind of credible accounting system implementation based on solid-state disk master control |
| CN110532791A (en) * | 2019-08-27 | 2019-12-03 | 湖南麒麟信安科技有限公司 | A kind of encryption and decryption method and system for movable storage medium |
Citations (12)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20070014416A1 (en) * | 2005-07-15 | 2007-01-18 | David Rivera | System and method for protecting against dictionary attacks on password-protected TPM keys |
| US20070168048A1 (en) * | 2005-09-21 | 2007-07-19 | Broadcom Corporation | Secure processor supporting multiple security functions |
| CN101794260A (en) * | 2010-03-11 | 2010-08-04 | 上海北大方正科技电脑系统有限公司 | Automatically imported method of encryption key for mobile storage device |
| CN102193876A (en) * | 2011-03-24 | 2011-09-21 | 北京思创银联科技股份有限公司 | Methods for encrypting and decrypting hard disk driver of personal finance service equipment |
| CN102236756A (en) * | 2011-05-09 | 2011-11-09 | 山东超越数控电子有限公司 | File encryption method based on TCM (trusted cryptography module) and USBkey |
| CN102646077A (en) * | 2012-03-28 | 2012-08-22 | 山东超越数控电子有限公司 | Method for full-disk encryption based on trusted cryptography module |
| CN103490895A (en) * | 2013-09-12 | 2014-01-01 | 北京斯庄格科技有限公司 | Industrial control identity authentication method and device with state cryptographic algorithms |
| CN104200156A (en) * | 2014-08-27 | 2014-12-10 | 山东超越数控电子有限公司 | Trusted cryptosystem based on Loongson processor |
| CN104639332A (en) * | 2015-02-25 | 2015-05-20 | 山东超越数控电子有限公司 | Protective method for solid-state disk encryption key |
| CN105046138A (en) * | 2015-07-13 | 2015-11-11 | 山东超越数控电子有限公司 | FT-processor based trust management system and method |
| CN105656864A (en) * | 2014-11-27 | 2016-06-08 | 航天恒星科技有限公司 | TCM-based key management system and management method |
| CN108491724A (en) * | 2018-03-13 | 2018-09-04 | 山东超越数控电子股份有限公司 | A kind of hardware based computer interface encryption device and method |
-
2018
- 2018-09-28 CN CN201811139767.7A patent/CN109255231A/en active Pending
Patent Citations (12)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20070014416A1 (en) * | 2005-07-15 | 2007-01-18 | David Rivera | System and method for protecting against dictionary attacks on password-protected TPM keys |
| US20070168048A1 (en) * | 2005-09-21 | 2007-07-19 | Broadcom Corporation | Secure processor supporting multiple security functions |
| CN101794260A (en) * | 2010-03-11 | 2010-08-04 | 上海北大方正科技电脑系统有限公司 | Automatically imported method of encryption key for mobile storage device |
| CN102193876A (en) * | 2011-03-24 | 2011-09-21 | 北京思创银联科技股份有限公司 | Methods for encrypting and decrypting hard disk driver of personal finance service equipment |
| CN102236756A (en) * | 2011-05-09 | 2011-11-09 | 山东超越数控电子有限公司 | File encryption method based on TCM (trusted cryptography module) and USBkey |
| CN102646077A (en) * | 2012-03-28 | 2012-08-22 | 山东超越数控电子有限公司 | Method for full-disk encryption based on trusted cryptography module |
| CN103490895A (en) * | 2013-09-12 | 2014-01-01 | 北京斯庄格科技有限公司 | Industrial control identity authentication method and device with state cryptographic algorithms |
| CN104200156A (en) * | 2014-08-27 | 2014-12-10 | 山东超越数控电子有限公司 | Trusted cryptosystem based on Loongson processor |
| CN105656864A (en) * | 2014-11-27 | 2016-06-08 | 航天恒星科技有限公司 | TCM-based key management system and management method |
| CN104639332A (en) * | 2015-02-25 | 2015-05-20 | 山东超越数控电子有限公司 | Protective method for solid-state disk encryption key |
| CN105046138A (en) * | 2015-07-13 | 2015-11-11 | 山东超越数控电子有限公司 | FT-processor based trust management system and method |
| CN108491724A (en) * | 2018-03-13 | 2018-09-04 | 山东超越数控电子股份有限公司 | A kind of hardware based computer interface encryption device and method |
Non-Patent Citations (1)
| Title |
|---|
| 李新明 等: "可信计算机平台密钥管理", 《南京理工大学学报(自然科学版)》 * |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109918918A (en) * | 2019-03-19 | 2019-06-21 | 联芸科技(杭州)有限公司 | A kind of credible accounting system implementation based on solid-state disk master control |
| CN110532791A (en) * | 2019-08-27 | 2019-12-03 | 湖南麒麟信安科技有限公司 | A kind of encryption and decryption method and system for movable storage medium |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| EP2965254B1 (en) | Systems and methods for maintaining integrity and secrecy in untrusted computing platforms | |
| US7802111B1 (en) | System and method for limiting exposure of cryptographic keys protected by a trusted platform module | |
| US8625802B2 (en) | Methods, devices, and media for secure key management in a non-secured, distributed, virtualized environment with applications to cloud-computing security and management | |
| CN103138939B (en) | Based on the key access times management method of credible platform module under cloud memory module | |
| US20220253538A1 (en) | Method and system for data security, validation, verification and provenance within independent computer systems and digital networks | |
| CN103701829B (en) | A kind of off-line resolves the method for DPAPI encryption data | |
| US20040098591A1 (en) | Secure hardware device authentication method | |
| CN104618096B (en) | Protect method, equipment and the TPM key administrative center of key authorization data | |
| US9215070B2 (en) | Method for the cryptographic protection of an application | |
| JP2016506641A (en) | Screen unlocking method, apparatus, terminal, program, and recording medium | |
| US20220014367A1 (en) | Decentralized computing systems and methods for performing actions using stored private data | |
| CN106533663B (en) | Data ciphering method, encryption method, apparatus and data decryption method, decryption method, apparatus | |
| CN110401538A (en) | Data ciphering method, system and terminal | |
| CN109347858A (en) | Cipher code protection method, auth method, device, equipment and storage medium | |
| CN103577769A (en) | File content safety management method and management system | |
| CN109255231A (en) | A kind of encryption hard disk cryptographic key protection system and method based on trust computing | |
| US11044105B2 (en) | System, method, and computer program product for sensitive data recovery in high security systems | |
| CN109474431B (en) | Client authentication method and computer readable storage medium | |
| CN100596058C (en) | System and method for managing credible calculating platform key authorization data | |
| US8499357B1 (en) | Signing a library file to verify a callback function | |
| CN105933117A (en) | Data encryption and decryption device and method based on TPM (Trusted Platform Module) key security storage | |
| CN113326529A (en) | Decentralized architecture unifying method based on trusted computing | |
| US20160148021A1 (en) | Systems and Methods for Trading of Text based Data Representation | |
| WO2015154469A1 (en) | Database operation method and device | |
| US11706022B1 (en) | Method for trusted data decryption based on privacy-preserving computation |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20190122 |
|
| RJ01 | Rejection of invention patent application after publication |