CN110795727A - Starting control method for safety computer - Google Patents


Publication number
CN110795727A
Authority
CN
China
Prior art keywords
hard disk
secure
disk
user
authentication
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
CN201810867202.4A
Other languages
Chinese (zh)
Inventor
胡建国
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F 21/78 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure storage of data
    • G06F 21/79 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure storage of data in semiconductor storage media, e.g. directly-addressable memories
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/45 Structures or tools for the administration of authentication
    • G06F 21/46 Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a startup control method for a secure computer, which comprises the following steps: step S1: after the host is powered on, wait for the secure hard disk to be unlocked; step S2: if the secure hard disk is unlocked, the host starts the main operating system on the secure hard disk, otherwise it continues to wait for the unlocking of the secure hard disk to complete. Step S1 further includes the following steps: step S11: after the access of the secure U disk (USB flash disk) is detected, start the secure operating system on the secure U disk and run the combined encryption program under that operating system; step S12: complete the U disk authentication and the user authentication under the control of the combined encryption program; step S13: after the U disk authentication and the user authentication have both succeeded, send an unlock instruction to the secure hard disk; step S14: the secure hard disk unlocks its internal storage channel after receiving the unlock instruction and reports the unlock to the host. With this scheme, the uniquely paired computer can be decrypted only after both the U disk authentication and the user authentication have succeeded.

Description

Starting control method for safety computer
Technical Field
The invention relates to the field of computer data security, in particular to a startup control method for a secure computer.
Background
With the continuous development of informatization, data security has become an important problem for society. For computer systems, data security can be divided into two aspects: identity authentication and encryption of stored data. Identity authentication means that only a legitimate user has access and operation rights, so that an illegitimate user is prevented from stealing data by accessing the computer. Encryption of stored data concerns the security of the data held on the storage medium, since an illegitimate user can bypass the computer system and read the data on the storage medium directly by technical means.
At present, identity authentication uses dialog-box password authentication and fingerprint authentication. In most of these modes the user identity is compared only after the operating system has been loaded, which carries the risk that once the operating system is loaded the data on the hard disk is loaded too, and an attacker can break into the computer by means of a Trojan horse program or password cracking. Identity authentication has also been placed in the power supply module, so that the computer's power cannot be turned on before the identity is authenticated; this mode can be defeated by bypassing the power supply module or removing the hard disk.
Encryption of stored data is divided mainly into software encryption and hardware encryption. Software encryption encrypts some of the data with encryption software; its problems are that not all data can be encrypted, the operating system and software remain unencrypted, and the encryption and decryption speed of software is not ideal. Hardware encryption places a hardware encryption/decryption module in the hard disk controller and encrypts the entire data stream; the key problem for this technology is how to protect the secrecy of the key.
To address this problem, Chinese patent application CN 103886234 A discloses a computer based on a secure hard disk: it uses an encrypted solid state disk that integrates fingerprint authentication and data encryption, i.e. it associates the encryption key with the user identity, giving the computer higher security. However, in that solution the key is stored together with the user data on the solid state disk, and the key itself is kept on the storage medium, so the security of the stored data is greatly reduced; in the extreme case, data leakage can result from forcibly extracting the memory. Moreover, fingerprint identification is used as the identity authentication for the solid state disk, which has the obvious limitation that only the user himself can access, edit and save the files stored on the hard disk. When only one user can access each storage device, many users must keep their data and files on multiple storage devices if they all want to access their data, so the utilization of the equipment is greatly reduced.
In view of these drawbacks, a practical solution to them is needed.
Disclosure of Invention
Accordingly, the present invention provides a startup control method for a secure computer that greatly improves the security of the data in the computer.
To overcome the defects of the prior art, the invention provides the following technical scheme:
a startup control method for a secure computer, the secure computer comprising a host and a secure U disk used for U disk authentication and user authentication of the host, wherein at least one secure hard disk is arranged in the host and the secure hard disk is an encrypted solid state disk;
the method comprises the following steps:
step S1: after the host is powered on, wait for the secure hard disk to be unlocked;
step S2: if the secure hard disk is unlocked, the host starts the main operating system on the secure hard disk; otherwise it continues to wait for the unlocking of the secure hard disk to complete;
in step S1, unlocking the secure hard disk further comprises the following steps:
step S11: after the access of the secure U disk is detected, start the secure operating system on the secure U disk and run the combined encryption program under that operating system;
step S12: complete the U disk authentication and the user authentication under the control of the combined encryption program;
step S13: after the U disk authentication and the user authentication have both succeeded, send an unlock instruction to the secure hard disk;
step S14: the secure hard disk unlocks its internal storage channel after receiving the unlock instruction and reports the unlock to the host; the unlock instruction further carries a key KEY stored on the secure U disk; the secure hard disk receives KEY and does not retain it after shutdown; KEY is used for the data encryption and decryption operations inside the secure hard disk.
As a preferred technical scheme, step S2 further comprises the following steps:
step S21: after receiving the start instruction sent by the host, the secure hard disk checks the unlock flag bit; the unlock flag bit is set once the unlocking of the secure hard disk has completed;
step S22: if the unlock flag bit is set, the secure hard disk starts the internal main operating system; otherwise it continues to wait for the unlocking to complete;
step S23: after the secure hard disk has been unlocked, wait for storage instructions from the host.
Preferably, in step S23, data written by the host to the secure hard disk is encrypted before being stored on it, and data read by the host from the secure hard disk is decrypted before being sent to the host.
As a preferred technical scheme, the secure hard disk stores the key KEY and the unlock flag bit in volatile memory.
As a preferred technical scheme, an energy storage capacitor is further arranged in the secure hard disk to supply it with power for a short time.
As a preferred technical scheme, in step S12 the user authentication is started only after the U disk authentication has succeeded;
the secure U disk and the secure hard disk each store one of a one-to-one corresponding pair of authentication codes; the U disk authentication determines whether the authentication codes in the secure U disk and the secure hard disk match and reports the result;
the user authentication acquires the user information entered after the U disk authentication has succeeded and matches it against the user information stored on the secure U disk, and comprises the following steps:
the secure U disk opens a user login interface after receiving the authentication-success information;
the user information entered by the user is received and matched against the user database on the secure U disk; if the user information matches completely, the user authentication succeeds, otherwise it fails;
after the user authentication succeeds, an unlock instruction is sent to the secure hard disk.
As a preferred technical scheme, the user database comprises at least an administrator user and common users; the administrator user has the highest access rights and can configure the common users' information after logging in, and a common user can log in only after the administrator has completed that configuration;
the administrator user can also set the permission information of a common user, which limits the operations different users may perform on the secure hard disk; the operation permission is at least read/write or read-only access to the secure hard disk.
As a preferred technical scheme, the secure hard disk is divided into a plurality of partitions, the permission information further includes bound partition information, and the partition information binds a common user to the secure hard disk partition that user is permitted to access.
As a preferred technical scheme, the key KEY stored on the secure U disk is generated randomly when the computer is initialized.
As a preferred technical scheme, the authentication code used for the U disk authentication is generated randomly when the computer is initialized.
Compared with the prior art, the technical scheme of the invention forms a combined encryption system from the uniquely paired U disk and secure hard disk. Whereas in the prior art identity authentication can only be performed under the computer's own operating system, the invention runs a separate operating system from the U disk, which further improves security and at the same time increases the extensibility, complexity and cost of the combined encryption system. The Linux system installed on the U disk is fast and convenient to operate; the double identity authentication improves the security of data storage; and because the key for encrypting and decrypting the secure hard disk's data is stored on the secure U disk, several layers together effectively prevent intrusion or cracking by unauthorized persons. Furthermore, the invention also provides a fast and thorough data destruction function, so the technical scheme has broad prospects in the individual and enterprise markets as well as in special markets such as military, aviation, government, finance and public security.
Drawings
Fig. 1 is a block diagram of a secure computer according to the present invention.
Fig. 2 is a schematic block diagram of a secure U disk according to the present invention.
Fig. 3 is a schematic block diagram of a secure hard disk according to the present invention.
Fig. 4 is a schematic block diagram of a user management module according to the present invention.
Fig. 5 is a block diagram of a secure hard disk according to another embodiment of the present invention.
Fig. 6 is a block diagram of a secure hard disk according to still another embodiment of the present invention.
Fig. 7 is a block diagram of a secure computer according to another embodiment of the present invention.
Fig. 8 is a flow diagram of the secure computer startup control method of the present invention.
Fig. 9 is a further flowchart of step S1 of the present invention.
The following specific embodiments will further illustrate the invention in conjunction with the above-described figures.
Detailed Description
The invention will be further explained with reference to the drawings.
To remedy the defects of the prior art, the invention provides a startup control method for a secure computer, where the secure computer comprises a host and a secure U disk used for U disk authentication and user authentication of the host, at least one secure hard disk is arranged in the host, and the secure hard disk is an encrypted solid state disk.
Fig. 8 is a flow chart of the secure computer startup control method of the invention, which comprises the following steps:
step S1: after the host is powered on, wait for the secure hard disk to be unlocked;
step S2: if the secure hard disk is unlocked, the host starts the main operating system on the secure hard disk; otherwise it continues to wait for the unlocking of the secure hard disk to complete.
Fig. 9 is a further flowchart of step S1; unlocking the secure hard disk further comprises the following steps:
step S11: after the access of the secure U disk is detected, start the secure operating system on the secure U disk and run the combined encryption program under that operating system;
step S12: complete the U disk authentication and the user authentication under the control of the combined encryption program;
step S13: after the U disk authentication and the user authentication have both succeeded, send an unlock instruction to the secure hard disk;
step S14: the secure hard disk unlocks its internal storage channel after receiving the unlock instruction and reports the unlock to the host; the unlock instruction further carries a key KEY stored on the secure U disk; the secure hard disk receives KEY and does not retain it after shutdown; KEY is used for the data encryption and decryption operations inside the secure hard disk.
Further, step S2 comprises the following steps:
step S21: after receiving the start instruction sent by the host, the secure hard disk checks the unlock flag bit; the unlock flag bit is set once the unlocking of the secure hard disk has completed;
step S22: if the unlock flag bit is set, the secure hard disk starts the internal main operating system; otherwise it continues to wait for the unlocking to complete;
step S23: after the secure hard disk has been unlocked, wait for storage instructions from the host.
In step S23, data written by the host to the secure hard disk is encrypted before being stored on it, and data read by the host from the secure hard disk is decrypted before being sent to the host.
With this scheme, the authentication operations are carried out under the operating system on the U disk, which greatly improves the security of the computer; at the same time, introducing user authentication allows several users to operate the computer securely, and the multiple identity authentications improve security further.
Meanwhile, the key KEY used to encrypt and decrypt the secure hard disk's data is stored on the secure U disk paired with the secure hard disk; the secure hard disk does not retain KEY after shutdown, and it can obtain KEY again only after the U disk authentication and the user authentication have succeeded. Even if the hard disk is forcibly disassembled and its memory stolen, at most the encrypted data in the secure hard disk is obtained; no usable information is obtained, because the memory does not hold the key.
In a preferred embodiment, the secure hard disk stores KEY and the unlock flag bit in non-volatile memory, and clears that memory when it receives the shutdown instruction sent by the host.
Further, while the secure hard disk is running, the method also comprises a power-failure detection step: if the computer loses power, the secure hard disk clears the stored KEY and the unlock flag bit.
In addition, an energy storage capacitor is arranged in the secure hard disk; when the computer loses power, the capacitor supplies the secure hard disk for a short time, so that it has enough time to clear the information in the key storage module.
Further, when the computer loses power, the secure hard disk starts a timer to measure the power-off time; if the power-off time exceeds a preset threshold, the secure hard disk clears the stored KEY and the unlock flag bit. In this way, when the computer is restarted within a short time, KEY and the unlock flag bit are kept for that short interval, which makes restarts convenient for the user.
In a preferred embodiment, the secure hard disk stores KEY and the unlock flag in volatile memory, so the information disappears when the system loses power and KEY is not retained on the secure hard disk.
Furthermore, an energy storage capacitor is arranged in the secure hard disk to power it for a short time. Because the capacitor can only supply power briefly, the information in the volatile memory of the secure hard disk disappears after a long power loss or a shutdown, and when the secure hard disk is started again the U disk authentication and the user authentication must be performed again. When the computer is merely restarted, the volatile memory is preserved for that short interval thanks to the capacitor, the solid state disk still holds its state from before the restart, the unlock flag and KEY are retained, and the operating system on the solid state disk can be started directly without repeating the U disk authentication and the user authentication.
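The boot flow of steps S1 to S23 and the volatile key handling of the embodiments above, as an added example that is not part of the patent: a C simulation of the secure hard disk controller's state. The structure and function names, the 8-byte authentication code, the 16-byte KEY, the 10-second power-off threshold and the keyed-XOR stand-in for the hardware encryption module are assumptions for illustration only.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define KEY_LEN  16
#define AUTH_LEN 8
#define DATA_LEN 32
#define POWER_OFF_THRESHOLD_SEC 10  /* assumed preset threshold; the patent gives no value */

/* Non-volatile area: the disk's own authentication code and a data area that
 * only ever holds ciphertext. */
typedef struct { uint8_t auth_code[AUTH_LEN]; uint8_t storage[DATA_LEN]; } nv_area_t;

/* Volatile area: the key KEY and the unlock flag bit. Both vanish on power
 * loss unless the energy-storage capacitor bridges a short outage. */
typedef struct { uint8_t key[KEY_LEN]; bool unlocked; } volatile_area_t;

typedef struct {
    nv_area_t       nv;
    volatile_area_t ram;
    uint32_t        power_off_seconds;  /* timer started when power is lost */
    bool            destroyed;
} secure_disk_t;

/* Constant-time compare: a mismatch must not reveal how many leading bytes
 * of the authentication code were correct. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* U disk authentication carried out inside the disk (one of the page's
 * embodiments): match the code sent by the U disk against the stored one. */
int disk_authenticate_udisk(const secure_disk_t *d, const uint8_t *code) {
    return ct_equal(d->nv.auth_code, code, AUTH_LEN);
}
int disk_is_unlocked(const secure_disk_t *d) { return d->ram.unlocked && !d->destroyed; }

/* Step S14: the unlock instruction carries KEY; it goes into volatile memory
 * only, and the unlock flag is set. */
int disk_unlock(secure_disk_t *d, const uint8_t *key) {
    if (d->destroyed) return 0;
    memcpy(d->ram.key, key, KEY_LEN);
    d->ram.unlocked = true;
    d->power_off_seconds = 0;
    return 1;
}

/* Step S23: writes are encrypted before reaching flash, reads are decrypted
 * on the way out; while locked nothing is served. A keyed XOR stands in for
 * the hardware encryption module (a real controller uses a block cipher). */
static void xor_crypt(const uint8_t *key, const uint8_t *in, uint8_t *out, size_t n) {
    for (size_t i = 0; i < n; i++) out[i] = in[i] ^ key[i % KEY_LEN];
}
int disk_write(secure_disk_t *d, const uint8_t *plain, size_t n) {
    if (!disk_is_unlocked(d) || n > DATA_LEN) return 0;
    xor_crypt(d->ram.key, plain, d->nv.storage, n);
    return 1;
}
int disk_read(const secure_disk_t *d, uint8_t *plain, size_t n) {
    if (!disk_is_unlocked(d) || n > DATA_LEN) return 0;
    xor_crypt(d->ram.key, d->nv.storage, plain, n);
    return 1;
}

/* Shutdown instruction: wipe KEY and the flag so a removed disk holds only
 * ciphertext. Power loss starts a timer: a short restart keeps the state, an
 * outage past the threshold clears it and forces a fresh authentication. */
void disk_clear_volatile(secure_disk_t *d) { memset(&d->ram, 0, sizeof d->ram); }
void disk_power_lost_for(secure_disk_t *d, uint32_t seconds) {
    d->power_off_seconds += seconds;
    if (d->power_off_seconds > POWER_OFF_THRESHOLD_SEC) disk_clear_volatile(d);
}
void disk_power_restored(secure_disk_t *d) { d->power_off_seconds = 0; }

/* One boot, end to end: locked at power-on, unlocked by the U disk's
 * instruction, ciphertext at rest, state kept across a short restart and lost
 * after a long outage. Returns 1 when every step behaves as the page states. */
int run_boot_scenario(void) {
    static const uint8_t code[AUTH_LEN] = {0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88};  /* constructed */
    static const uint8_t key[KEY_LEN]   = {0xA5,0x5A,0x3C,0xC3,0x0F,0xF0,0x69,0x96,
                                           0x1E,0xE1,0x2D,0xD2,0x4B,0xB4,0x87,0x78};  /* constructed */
    const uint8_t *msg = (const uint8_t *)"hello";
    uint8_t out[DATA_LEN];
    secure_disk_t d;
    memset(&d, 0, sizeof d);
    memcpy(d.nv.auth_code, code, AUTH_LEN);                          /* set once at initialisation */
    if (!disk_authenticate_udisk(&d, code)) return 0;
    if (disk_is_unlocked(&d) || disk_write(&d, msg, 5)) return 0;    /* step S1: still locked */
    if (!disk_unlock(&d, key) || !disk_is_unlocked(&d)) return 0;    /* steps S14 and S22 */
    if (!disk_write(&d, msg, 5) || memcmp(d.nv.storage, msg, 5) == 0) return 0;  /* ciphertext at rest */
    if (!disk_read(&d, out, 5) || memcmp(out, msg, 5) != 0) return 0;
    disk_power_lost_for(&d, 3); disk_power_restored(&d);
    if (!disk_is_unlocked(&d)) return 0;                              /* short restart keeps KEY */
    disk_power_lost_for(&d, POWER_OFF_THRESHOLD_SEC + 1);
    if (disk_is_unlocked(&d) || disk_read(&d, out, 5)) return 0;      /* long outage clears it */
    return 1;
}
```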
In a preferred embodiment, in step S12, the user authentication is started only after the U disk authentication has succeeded;
the secure U disk and the secure hard disk each store one of a one-to-one corresponding pair of authentication codes; the U disk authentication determines whether the authentication codes in the secure U disk and the secure hard disk match and reports the result;
the user authentication acquires the user information entered after the U disk authentication has succeeded and matches it against the user information stored on the secure U disk, and comprises the following steps:
the secure U disk opens a user login interface after receiving the authentication-success information;
the user information entered by the user is received and matched against the user database on the secure U disk; if the user information matches completely, the user authentication succeeds, otherwise it fails;
after the user authentication succeeds, an unlock instruction is sent to the secure hard disk.
In a preferred embodiment, the user database comprises at least an administrator user and common users; the administrator user has the highest access rights and can configure the common users' information after logging in, and a common user can log in only after the administrator has completed that configuration;
the administrator user can also set the permission information of a common user, which limits the operations different users may perform on the secure hard disk; the operation permission is at least read/write or read-only access to the secure hard disk.
In a preferred embodiment, the secure hard disk is divided into a plurality of partitions, the permission information further includes bound partition information, and the partition information binds a common user to the secure hard disk partition that user is permitted to access.
In a preferred embodiment, the KEY stored on the secure U disk is generated randomly when the computer is initialized.
In a preferred embodiment, the authentication code used for the U disk authentication is generated randomly when the computer is initialized.
In a preferred embodiment, the administrator user logs in by fingerprint authentication, and common users log in by entering an account and password.
In a preferred embodiment, data transmission between the secure U disk and the secure hard disk is encrypted.
In a preferred embodiment, the method further comprises counting the number of failed user-information matches; when the number of failures for the current user exceeds a preset threshold, the U disk sends a destruction instruction to the secure hard disk to destroy the data on it.
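The combined encryption program's side of steps S12 and S13, together with the user database, permission, partition and failure-count embodiments above, as an added example in C that is not the patent's own code. The names and sizes, the failure threshold of five, the sample users and the password login standing in for the administrator's fingerprint are assumptions for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AUTH_LEN     8
#define KEY_LEN      16
#define MAX_USERS    4
#define MAX_FAILURES 5   /* assumed preset threshold; the patent gives no value */
typedef enum { ROLE_ADMIN, ROLE_COMMON } role_t;
typedef enum { PERM_READ_ONLY, PERM_READ_WRITE } perm_t;

typedef struct {
    char   account[16];
    char   password[32];  /* the page says "match"; a real product stores a salted hash */
    role_t role;
    perm_t perm;          /* operation authority on the secure hard disk */
    int    partition;     /* bound partition for a common user; -1 = whole disk */
    bool   enabled;       /* common users log in only after the admin has set them up */
} user_t;

/* The non-volatile information storage unit of the secure U disk. */
typedef struct {
    uint8_t auth_code[AUTH_LEN];
    uint8_t key[KEY_LEN];
    user_t  users[MAX_USERS];
    int     user_count;
    int     failures;     /* consecutive failed user logins */
} udisk_t;

/* What the U disk sends to the secure hard disk after authentication. */
typedef enum { CMD_NONE, CMD_UNLOCK, CMD_DESTROY } cmd_t;
typedef struct { cmd_t cmd; uint8_t key[KEY_LEN]; perm_t perm; int partition; } disk_cmd_t;

static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Administrator-only: create a common user with its rights and bound partition. */
int udisk_admin_set_user(udisk_t *u, const user_t *admin, const char *account,
                         const char *password, perm_t perm, int partition) {
    if (admin == NULL || admin->role != ROLE_ADMIN || u->user_count >= MAX_USERS) return 0;
    user_t *nu = &u->users[u->user_count++];
    memset(nu, 0, sizeof *nu);
    snprintf(nu->account, sizeof nu->account, "%s", account);
    snprintf(nu->password, sizeof nu->password, "%s", password);
    nu->role = ROLE_COMMON; nu->perm = perm; nu->partition = partition; nu->enabled = true;
    return 1;
}

/* Steps S12 and S13 of the combined encryption program. First the U disk
 * authentication: the code received from the hard disk must match the U disk's
 * own. Only then the user authentication: account and password must match
 * completely. Failures are counted; past the threshold a DESTROY instruction is
 * issued, on success an UNLOCK instruction carrying KEY and the user's rights. */
disk_cmd_t udisk_combined_auth(udisk_t *u, const uint8_t *disk_code,
                               const char *account, const char *password) {
    disk_cmd_t out; memset(&out, 0, sizeof out);                     /* cmd == CMD_NONE */
    if (!ct_equal(u->auth_code, disk_code, AUTH_LEN)) return out;    /* not the paired disk */
    const user_t *match = NULL;
    size_t plen = strlen(password);
    for (int i = 0; i < u->user_count; i++) {
        const user_t *c = &u->users[i];
        if (c->enabled && strcmp(c->account, account) == 0 && strlen(c->password) == plen &&
            ct_equal((const uint8_t *)c->password, (const uint8_t *)password, plen))
            match = c;
    }
    if (match == NULL) { if (++u->failures > MAX_FAILURES) out.cmd = CMD_DESTROY; return out; }
    u->failures = 0;
    out.cmd = CMD_UNLOCK;
    memcpy(out.key, u->key, KEY_LEN);
    out.perm = match->perm; out.partition = match->partition;
    return out;
}

/* Scenario: admin provisions a read-only user bound to partition 2, a common
 * user cannot provision anyone, an unpaired disk is refused, the right login
 * yields UNLOCK with KEY, and repeated bad passwords end in DESTROY. */
int run_udisk_scenario(void) {
    static const uint8_t code[AUTH_LEN] = {0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88};  /* constructed */
    static const uint8_t key[KEY_LEN] = {0xA5,0x5A,0x3C,0xC3,0x0F,0xF0,0x69,0x96,
                                         0x1E,0xE1,0x2D,0xD2,0x4B,0xB4,0x87,0x78};    /* constructed */
    const uint8_t wrong[AUTH_LEN] = {0};
    udisk_t u; memset(&u, 0, sizeof u);
    memcpy(u.auth_code, code, AUTH_LEN);  /* generated at initialisation, shared with the paired disk */
    memcpy(u.key, key, KEY_LEN);
    user_t *admin = &u.users[u.user_count++];   /* fingerprint login in the page; a password here */
    snprintf(admin->account, sizeof admin->account, "admin");
    snprintf(admin->password, sizeof admin->password, "admin-secret");
    admin->role = ROLE_ADMIN; admin->perm = PERM_READ_WRITE; admin->partition = -1; admin->enabled = true;
    if (!udisk_admin_set_user(&u, admin, "alice", "alice-pw", PERM_READ_ONLY, 2)) return 0;
    if (udisk_admin_set_user(&u, &u.users[1], "mallory", "x", PERM_READ_WRITE, 0)) return 0;
    if (udisk_combined_auth(&u, wrong, "alice", "alice-pw").cmd != CMD_NONE) return 0;
    disk_cmd_t c = udisk_combined_auth(&u, code, "alice", "alice-pw");
    if (c.cmd != CMD_UNLOCK || c.perm != PERM_READ_ONLY || c.partition != 2) return 0;
    if (memcmp(c.key, key, KEY_LEN) != 0) return 0;
    for (int i = 0; i < MAX_FAILURES; i++)
        if (udisk_combined_auth(&u, code, "alice", "bad-pw").cmd != CMD_NONE) return 0;
    return udisk_combined_auth(&u, code, "alice", "bad-pw").cmd == CMD_DESTROY;
}
```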
Referring to fig. 1, a block diagram of a secure computer according to the present invention is shown, including a host and a secure usb disk for host authentication and user authentication, where the host is at least provided with a secure hard disk, and the secure hard disk is an encrypted solid-state hard disk, i.e., a built-in encryption control unit, and may be one or more integrated circuit chips or multiple circuit modules; after the U disk authentication and the user authentication are successful, the storage channel can be unlocked, otherwise, the storage data in the secure hard disk is in a full disk locking state; all data in all storage units are stored in a ciphertext mode, and only after the key is obtained, the data can be effectively accessed.
An operating system is arranged in the safe U disk, and the operating system is used for starting when the safe U disk is accessed into the host and completing U disk authentication operation and user authentication operation under the operation of the operating system;
the U disk authentication operation is used for judging whether the authentication codes in the safe U disk and the safe hard disk are matched and feeding back authentication result information; the USB flash disk authentication operation can be completed in a secure USB flash disk, a secure hard disk or a host.
The user authentication operation is used for acquiring input user information after the U disk authentication is successful and matching the input user information with the user information stored in the safe U disk;
the safety U disk sends an unlocking instruction to the safety hard disk after the U disk authentication and the user authentication are successful so as to be used for unlocking the storage channel of the safety hard disk; the unlocking instruction further comprises a KEY KEY stored in the secure USB flash disk, and the secure hard disk acquires the KEY KEY and does not store the KEY KEY after shutdown; and the KEY KEY is used for data encryption and decryption operations in the secure hard disk.
In the technical scheme, when the safe USB flash disk is accessed, the host starts the joint encryption software under the operation of the USB flash disk operating system, and under the control of the joint encryption software, the authentication operation and the user authentication of the starting control method of the safe computer are completed.
Meanwhile, the KEY KEY for encrypting and decrypting the data of the secure hard disk is stored in the secure U disk matched with the secure hard disk, the secure hard disk does not store the KEY KEY after shutdown, and the KEY KEY can be obtained again in the secure hard disk only after U disk authentication and user authentication; even if the memory is stolen by brute force of the hard disk, at most, only the encrypted data in the secure hard disk can be obtained without obtaining effective data information because the memory does not have a secret key. In a preferred embodiment, the secure hard disk stores the KEY in the non-volatile KEY storage module, and when receiving a shutdown instruction sent by the host, the secure hard disk clears the information in the KEY storage module. Or an energy storage capacitor is arranged in the secure hard disk, and when the computer is powered off, the energy storage capacitor supplies short-time power to the secure hard disk, so that the secure hard disk has enough time to empty the information in the key storage module.
In addition, the invention adopts USB flash disk authentication, user authentication and key split storage, and triple safety guarantee improves the safety of data storage, thereby effectively preventing illegal invasion or cracking of unauthorized persons in various layers.
Referring to fig. 2, a block diagram of a secure usb disk according to the present invention is shown, which at least includes a usb disk interface unit, a usb disk controller, a data storage unit, and a user management module; the USB flash disk interface unit is connected with the host and the USB flash disk controller and is used for realizing data communication between the USB flash disk controller and the outside; the USB flash disk controller is used for controlling the work of the safe USB flash disk, and at least comprises authentication, user authentication, KEY transmission and the like; the user management module is provided with an information storage unit, the information storage unit adopts a nonvolatile memory and at least comprises an authentication code, a user database and a KEY, and the authentication code is used for identifying the authentication code of the safe USB flash disk and is used for the authentication operation of the USB flash disk; the user database stores user information for user authentication operation; the KEY KEY is used for data encryption and decryption operations in the secure hard disk; the data storage unit stores an operating system for starting the operating system when the host detects the access of the secure USB flash disk.
Referring to fig. 3, which is a block diagram showing a structure of the secure hard disk of the present invention, the secure hard disk further includes a hard disk interface unit, a hardware encryption/decryption module, a data storage module, a key storage module, an authentication code storage unit, and a hard disk controller, wherein the hard disk interface unit is connected to the host and the hard disk controller, and is configured to implement data communication between the hard disk controller and the outside; the hard disk controller is the core of the secure hard disk, is used for controlling the work of the secure hard disk, and at least comprises authentication, unlocking a storage module, data storage, encryption and decryption operations and the like; the data storage module is used for storing data information, the KEY storage module is used for storing a KEY KEY sent by the secure USB flash disk, and the authentication code storage unit is used for storing an authentication code for identifying the secure hard disk; the hardware encryption and decryption module is used for carrying out encryption and decryption operations on the data.
In a preferred embodiment, the authentication operation of the U disk is implemented in a secure hard disk;
the hard disk controller acquires the authentication code sent by the secure USB flash disk through the hard disk interface unit, matches the authentication code in the authentication code storage unit and feeds back authentication result information to the secure USB flash disk, if the authentication code is consistent with the authentication code in the authentication code storage unit, the authentication is successful, otherwise the authentication fails. And the U disk controller receives the authentication result information, if the authentication is successful, the user authentication operation is started, otherwise, the authentication failure information is prompted.
In a preferred embodiment, the USB flash disk authentication operation is implemented in the secure USB flash disk:
The USB flash disk controller obtains, through the USB flash disk interface unit, the authentication code sent by the secure hard disk and matches it against the authentication code in the secure USB flash disk; if the two are consistent the authentication succeeds, otherwise it fails.
In a preferred embodiment, the USB flash disk authentication operation is implemented in the host:
The host obtains the authentication codes from the secure USB flash disk and from the secure hard disk respectively and matches them; if the match succeeds it sends authentication success information to the USB flash disk controller, otherwise it sends authentication failure information.
After the USB flash disk authentication succeeds, the user authentication operation is started. In a preferred embodiment, the user authentication operation is implemented in the secure USB flash disk: after the authentication succeeds, the USB flash disk controller sends an instruction to the user management module to start the user authentication operation; the user management module receives the user information input by the user, matches it against the user database and returns user authentication result information to the USB flash disk controller. If the user authentication succeeds, the USB flash disk controller sends an unlocking instruction to the secure hard disk, the unlocking instruction comprising the KEY. Furthermore, the user management module opens a user authentication interface; the user information it receives can be an account and password entered by the user in that interface, or can come from an input module of the secure USB flash disk.
The hard disk controller obtains, through the hard disk interface unit, the unlocking instruction sent by the USB flash disk controller and opens the storage channel of the data storage module, so that the host can perform storage operations on the secure hard disk. Otherwise the secure hard disk remains in a full-disk locked state and the host cannot obtain any data.
At the same time, the hard disk controller stores the received KEY in the KEY storage module, so that the secure hard disk can encrypt and decrypt data and thus store it securely. In a preferred embodiment, the KEY storage module uses a volatile memory; the information stored in it disappears when the system is powered down, so the KEY is not retained in the secure hard disk.
Referring to fig. 4, which is a structural block diagram of the user management module, the user management module further comprises a management unit, an identity information acquisition module and a communication interface. The communication interface is used for data communication with the USB flash disk controller; the identity information acquisition module acquires user information and sends it to the management unit; the management unit is controlled by the USB flash disk controller and executes the user authentication operation and other operations, and preferably can be integrated in the USB flash disk controller. In a preferred embodiment, the identity information acquisition module uses a fingerprint identification module or key input, the fingerprint identification module being used for login of the administrator user.
The management unit receives and processes the user information from the identity information acquisition module. The information storage unit comprises a user database, which can contain the information of one user or of several users; this information is the unique identity information with which a user enters user identity authentication. The management unit can put the secure hard disk into a user registration and management mode, in which a common user can register. For the security of users and data, identity authentication and the user registration and management mode are carried out in the operating system environment running in the USB flash disk. Furthermore, the user database comprises at least an administrator user and common users. The administrator user is the first user set by the user during computer initialization, or set by the manufacturer at the factory, and can be modified by the user on first use; after logging in, the administrator user can set the information of the common users, and a common user can log in securely once the administrator user has set it up successfully. When the computer leaves the factory it is in an unlocked state; the first user to register becomes the administrator user, and subsequent user registrations require login authentication by this first user, which further ensures the security of user management. Functions such as user registration, matching and logout are managed by the management unit. The management unit matches the obtained user information against the user database; if the match succeeds, identity authentication succeeds, and if it fails, an alarm can be generated.
In a preferred embodiment, the administrator user further sets authority information for the common users. The unlocking instruction that the USB flash disk controller sends to the secure hard disk further comprises this authority information, and the secure hard disk defines the operation authority of the different users on the secure hard disk according to it. With this technical scheme, user setup and multi-user login are conveniently realized, and different users have different access rights.
In a preferred embodiment, the secure hard disk is provided with a plurality of partitions, each bound to a different user; when a common user logs in, only the partition bound to that user is displayed, and when the administrator user logs in, all partitions are displayed. Accordingly, the authority information sent to the secure hard disk also comprises the bound partition information, and the secure hard disk displays the corresponding partition according to it. With this technical scheme, the data of the common users in the secure hard disk is kept mutually independent, so that multiple users can access different partitions of a single storage device, which greatly improves the efficiency of the storage device.
In the prior art, the key is usually set at the factory or entered by the user at initialization, which presents a certain potential security hazard. In a preferred embodiment, the user management module further comprises a random number generator connected to the management unit, which generates a random number as the KEY when the computer is initialized and stores it in the information storage unit. Since the key is generated randomly, nobody can know its specific value, which greatly improves security.
Likewise, the random number generator is configured to generate, at computer initialization, a random number that is stored in the information storage unit as the authentication code; the USB flash disk controller transmits this authentication code to the secure hard disk, which stores it in its authentication code storage unit. In this way security is improved and, because the authentication code is set at computer initialization, secure USB flash disks and secure hard disks do not need to be bound one to one at the factory: any uninitialized secure USB flash disk and secure hard disk can be paired successfully.
In the above technical scheme, the initialization operations of the secure USB flash disk and the secure hard disk are performed in the joint encryption software running under the USB flash disk operating system; that is, the secure USB flash disk is preloaded with the boot operating system at the factory, and the joint encryption software is loaded in that operating system.
Generally, after the USB flash disk authentication and the user authentication succeed, the secure hard disk unlocks the storage channel and the operating system in the secure hard disk is started. With the above technical scheme, however, the KEY in the secure hard disk disappears when the computer is powered off; this improves security, but every restart during use then requires the USB flash disk authentication and the user authentication to be performed again, which is inconvenient for the user. In a preferred embodiment, the secure hard disk uses a volatile memory and is provided with an energy storage capacitor. The volatile memory stores not only the KEY but also an unlocking flag of the secure hard disk, and the energy storage capacitor supplies power to the secure hard disk for a short time. Because the capacitor can only supply power briefly, the information in the volatile memory of the secure hard disk disappears after a long power failure or a shutdown, and when the secure hard disk is started again the USB flash disk authentication and the user authentication must be performed again. On an ordinary restart of the computer, however, the energy storage capacitor preserves the volatile memory for the short interval involved, so the solid state disk still holds its state from before the restart, including the unlocking flag and the KEY, and the operating system in the solid state disk can be started directly without repeating the USB flash disk authentication and the user authentication.
In a preferred embodiment, the operating system in the secure USB flash disk is a Linux system, used to control the coordination of the modules in the secure USB flash disk and the secure hard disk.
In a preferred embodiment, the management unit can set a retry number for user authentication; if the number of retries exceeds the set retry number, a data destruction function is started that initializes the data in the secure hard disk to its original state.
Referring to fig. 5, which is a schematic block diagram of another preferred embodiment of the secure hard disk according to the present invention, the secure hard disk further comprises a destruction module, configured to destroy the data in the data storage module according to a destruction control instruction from the hard disk controller. The destruction control instruction can be generated from user input while the hard disk is in normal use, or generated actively when a brute-force attempt is detected during user authentication, so as to prevent the data from being stolen; preferably, when the number of failed matches of the user information input by the user exceeds a preset threshold, the USB flash disk sends a destruction instruction to the secure hard disk to destroy the data in it. Hard disk data and files are thus destroyed rapidly according to a customized number of wrong user name and password entries; whether the destruction is physical or logical is likewise set by the administrator in the Linux system, after which the user chooses the destruction himself after starting the system.
The identity information acquisition module can use, without limitation, key-entered passwords, biometric information and the like; preferably it uses a fingerprint identification module for acquiring the user's fingerprint information. In practice, the administrator user commonly logs in by fingerprint authentication, and common users log in by entering an account and password. A maximum number of consecutive identity information acquisition errors can be set; when the number of consecutive errors exceeds this limit, the secure USB flash disk immediately executes the data destruction program.
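As an added illustration of the user management module described above (fig. 4) together with the authority and partition information of the unlocking instruction and the retry limit that triggers a destroy instruction, the following Python model is not the patent's own code. It assumes PBKDF2-SHA256 for storing user secrets (the page does not say how the user database stores them), a retry limit of 3, and os.urandom standing in for the random number generator.

```python
"""Model of the user management module of the secure USB flash disk (added
example, not the patent's code). Assumptions: PBKDF2-SHA256 for stored user
secrets, a retry limit of 3, and os.urandom as the random number generator."""
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional

MAX_RETRIES = 3   # assumed value of the configurable retry number


class UserManagementModule:
    def __init__(self, rng: Callable[[int], bytes] = os.urandom) -> None:
        self._rng = rng                       # random number generator (fig. 4 embodiment)
        # Information storage unit (nonvolatile): KEY, authentication code, user database.
        self._key: Optional[bytes] = None
        self._auth_code: Optional[bytes] = None
        self._users: Dict[str, dict] = {}
        self._logged_in: set = set()
        self._failures = 0                    # consecutive failed user authentications
        self.destroyed = False                # set once a destroy instruction was issued (assumption)

    def initialize(self) -> bytes:
        """Computer initialization: draw the KEY and the authentication code from the RNG.
        Returns the authentication code so it can be pushed to the secure hard disk once."""
        self._key = self._rng(32)
        self._auth_code = self._rng(16)
        return self._auth_code

    @staticmethod
    def _hash(secret: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)

    def register(self, name: str, secret: str, by: Optional[str] = None,
                 permission: str = "ro", partitions: tuple = ()) -> bool:
        """First registration becomes the administrator; later ones need a logged-in
        administrator, who also assigns the common user's permission and bound partitions."""
        if self.destroyed or name in self._users:
            return False
        if not self._users:
            role, permission, partitions = "admin", "rw", ()
        elif by in self._logged_in and self._users[by]["role"] == "admin":
            role = "common"
        else:
            return False
        salt = self._rng(16)
        self._users[name] = {"role": role, "salt": salt, "hash": self._hash(secret, salt),
                             "permission": permission, "partitions": tuple(partitions)}
        return True

    def role(self, name: str) -> Optional[str]:
        rec = self._users.get(name)
        return rec["role"] if rec else None

    def authenticate(self, name: str, secret: str) -> Optional[dict]:
        """User authentication. Returns the unlocking instruction for the secure hard disk
        on success, None on failure, and a destroy instruction once the retry limit is exceeded."""
        if self.destroyed:
            return None
        rec = self._users.get(name)
        ok = rec is not None and hmac.compare_digest(rec["hash"], self._hash(secret, rec["salt"]))
        if not ok:
            self._failures += 1
            if self._failures > MAX_RETRIES:
                self.destroyed = True         # the USB flash disk sends a destroy instruction
                return {"destroy": True}
            return None
        self._failures = 0
        self._logged_in.add(name)
        if rec["role"] == "admin":
            permission, partitions = "rw", "all"      # administrator sees every partition
        else:
            permission, partitions = rec["permission"], rec["partitions"]
        # Unlocking instruction: KEY plus authority information (claims 7 and 8).
        return {"key": self._key, "permission": permission, "partitions": partitions}
```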
In a preferred embodiment, the secure USB flash disk further comprises an asymmetric encryption/decryption module, so that data transmission between the USB flash disk and the secure hard disk is encrypted. Preferably, the asymmetric encryption/decryption module has a built-in asymmetric encryption algorithm for encrypting and decrypting data in the USB flash disk and may use the SM2 elliptic curve public key algorithm: SM2 generates two keys, a public key and a private key; the data or files to be encrypted are encrypted with the public key and sent to the secure hard disk (the receiver) together with the private key, and the receiver decrypts them with the private key to obtain the valid information. Algorithms such as SM4 and AES can also be used, but the choice is not limited to these.
In a preferred embodiment, the hardware encryption/decryption module encrypts the data stream with a symmetric encryption method, including but not limited to the national SM algorithms, DES, AES and other encryption/decryption methods. The key of the hardware encryption/decryption module is issued to the hard disk controller by the secure USB flash disk only after the USB flash disk authentication and the user identity authentication have passed and the controller has completed initialization. The encryption key is a random number generated when the user registers and is stored in the secure USB flash disk; the user has no way to obtain it.
In a preferred embodiment, the hard disk interface unit may be any one of IDE, PATA, SATA, PCIe, SAS or USB, but is not limited to these.
The data storage module stores data and uses a nonvolatile storage medium. It can be a FLASH-based memory, including NAND FLASH chips and NAND FLASH based storage such as eMMC, T cards and SD/MMC cards. The data stored in the data storage module includes system and user data; it is encrypted by the encryption module and exists only in ciphertext form, so that it cannot be obtained directly from the storage unit.
In a preferred embodiment, the data storage module in the secure USB flash disk stores not only the secure operating system but also data, so that the secure USB flash disk can serve both as the authentication USB flash disk of the secure hard disk and as an ordinary USB flash disk for storing data.
In a preferred embodiment, the secure USB flash disk is connected to the host or to other embedded storage devices through a USB interface, which may be USB 2.0, USB 3.0 or another version without limitation.
Preferably, the secure USB flash disk is installed with a lightweight Linux system for controlling the coordination of the modules of the secure USB flash disk. This Linux system runs in the secure USB flash disk, is based on a minimal kernel, does not occupy much of the USB storage space, and is efficient and convenient.
Preferably, system user management customizes the functions of the Linux system according to the different requirements of different users.
In a preferred embodiment, the secure USB flash disk and the solid state disk are applied to a host together. When the host detects that the USB flash disk has been inserted, it boots from the USB flash disk and brings up the Linux system on it. Under this Linux system, the joint encryption system sends an authentication instruction from Linux to the host, and the host sends a verification instruction to the secure hard disk to be matched against the preset authentication code. After the USB flash disk authentication succeeds, the joint encryption system feeds the information back to the Linux system and starts the user login. User security authentication is performed in the Linux system; after the user authentication succeeds, the secure hard disk opens the storage channel, and at the same time the secure USB flash disk sends the key for encrypting and decrypting the data of the secure hard disk to the secure hard disk.
With this technical scheme, in which the secure USB flash disk serves as the KEY of the encrypted solid state disk, the data in the secure hard disk remains in a full-disk encrypted state as long as the USB flash disk authentication or the user authentication has not succeeded: no user and no system platform can obtain the data in the secure hard disk, only the encrypted data in a read-only state can be obtained, and no valid data can be obtained even by brute-force cracking. Only when the authentication of the secure USB flash disk and the user identity authentication both pass does the secure hard disk open the data storage channel and, at the same time, obtain the KEY in the USB flash disk as the key for data encryption and decryption, so that the encrypted data can be decrypted and the user can access the valid content. According to the invention, introducing the secure USB flash disk allows a graphical interface to be added, which facilitates the user's operation while greatly improving the security of the secure hard disk.
Referring to fig. 6, which is a schematic block diagram of a secure hard disk according to another embodiment of the present invention, the secure hard disk further comprises a hash algorithm unit, and the authentication code stored in the secure hard disk is an encrypted authentication code produced by a hash algorithm. At each authentication operation, the authentication code sent by the secure USB flash disk is hashed and the resulting ciphertext is compared with the ciphertext in the secure hard disk; the USB flash disk authentication passes only if they match. Because the hash algorithm is irreversible, this mechanism ensures that even if an illegal user reads the ciphertext stored in the hard disk by illegal means while the computer is running, the correct authentication code cannot be recovered from it, which further improves the security of the data in the hard disk.
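As an added illustration of the secure hard disk side of this scheme (the unlocking flow of fig. 3, the volatile KEY store with the energy storage capacitor of the embodiment above and claims 4 and 5, and the hashed authentication code of fig. 6), the following Python model is not the patent's own code. The 3 s hold-up time, the 32-byte KEY length, SHA-256 as the hash algorithm unit and an HMAC-SHA256 counter keystream standing in for the SM4/AES hardware module are assumptions.

```python
"""Model of the secure hard disk controller (added example, not the patent's
code). Assumptions: a 32-byte KEY, a 3 s capacitor hold-up time, SHA-256 as
the hash algorithm unit, and an HMAC-SHA256 counter keystream standing in for
the SM4/AES hardware encryption/decryption module."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

RETENTION_SECONDS = 3.0   # assumed hold-up time of the energy storage capacitor
KEY_LEN = 32              # assumed length of the KEY carried in the unlocking instruction


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter keystream (stand-in for the hardware cipher).
    The same call both encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


class SecureHardDisk:
    def __init__(self, auth_code: bytes) -> None:
        # Authentication code storage unit keeps only the hash (fig. 6), never the code.
        self._auth_code_hash = hashlib.sha256(auth_code).digest()
        # Data storage module (nonvolatile): name -> (nonce, ciphertext).
        self._storage: Dict[str, Tuple[bytes, bytes]] = {}
        # Volatile memory: KEY storage module plus the unlocking flag (claim 4).
        self._key: Optional[bytes] = None
        self._unlocked = False

    # --- USB flash disk authentication performed in the secure hard disk ---
    def authenticate_usb(self, presented_code: bytes) -> bool:
        """Hash the code sent by the USB flash disk and compare ciphertext with ciphertext."""
        digest = hashlib.sha256(presented_code).digest()
        return hmac.compare_digest(digest, self._auth_code_hash)

    # --- unlocking (step S14) ---
    def unlock(self, instruction: dict) -> bool:
        """Accept the unlocking instruction from the USB flash disk controller; it must carry the KEY."""
        key = instruction.get("key")
        if not isinstance(key, bytes) or len(key) != KEY_LEN:
            return False
        self._key = key              # held only in volatile memory
        self._unlocked = True        # unlocking flag bit (step S21)
        return True

    def power_loss(self, seconds_off: float) -> None:
        """The capacitor keeps the volatile memory alive only briefly (claim 5)."""
        if seconds_off > RETENTION_SECONDS:
            self._key = None
            self._unlocked = False

    def boot(self) -> str:
        """Steps S21/S22: a set unlocking flag lets the main OS start at once."""
        return "start main OS" if self._unlocked else "wait for unlock"

    # --- storage channel (claim 3): only ciphertext ever reaches the medium ---
    def write(self, name: str, plaintext: bytes) -> bool:
        if not self._unlocked:
            return False             # full-disk locked state: no storage channel
        nonce = os.urandom(16)
        self._storage[name] = (nonce, keystream_xor(self._key, nonce, plaintext))
        return True

    def read(self, name: str) -> Optional[bytes]:
        if not self._unlocked or name not in self._storage:
            return None
        nonce, ciphertext = self._storage[name]
        return keystream_xor(self._key, nonce, ciphertext)

    def raw_ciphertext(self, name: str) -> Optional[bytes]:
        """What reading the storage medium directly yields: ciphertext, never plaintext."""
        entry = self._storage.get(name)
        return entry[1] if entry else None

    # --- destruction module (fig. 5) ---
    def destroy(self) -> None:
        """Destruction control instruction: wipe the data storage module and relock."""
        self._storage.clear()
        self._key = None
        self._unlocked = False
```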
In a preferred embodiment, a first operating system and a second operating system are provided in the secure hard disk. The first operating system is loaded after the computer starts, for the USB flash disk authentication, but can access only a specific unencrypted partition. Only after the secure USB flash disk has been accessed for the USB flash disk authentication and the user authentication can the second operating system be started and loaded; the second operating system is the operating system in the secure hard disk of the technical scheme above. The secure USB flash disk, the secure hard disk and their combined application described above also apply to this embodiment.
Referring to fig. 7, which is a schematic block diagram of another embodiment of the present invention, an ordinary hard disk and a secure hard disk are installed in the computer together. When the computer is powered on, the operating system in the ordinary hard disk is loaded, so that the user can use the computer normally; the operating system of the secure hard disk can be loaded only after the USB flash disk has been accessed for the USB flash disk authentication and the user authentication. The secure USB flash disk, the secure hard disk and their combined application described above also apply to this embodiment.
The above description of the embodiments is only intended to facilitate understanding of the method of the invention and its core idea. It should be noted that those skilled in the art can make various improvements and modifications to the present invention without departing from its principle, and such improvements and modifications also fall within the scope of the claims of the present invention.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A boot control method for a secure computer, characterized in that the secure computer comprises a host and a secure USB flash disk used for USB flash disk authentication and user authentication of the host, at least a secure hard disk is arranged in the host, and the secure hard disk is an encrypted solid state disk;
the method comprises the following steps:
step S1: after the host is powered on, waiting for the secure hard disk to be unlocked;
step S2: if the secure hard disk is unlocked, the host starts the main operating system in the secure hard disk; otherwise it continues to wait for the unlocking operation of the secure hard disk to complete;
wherein in step S1 the unlocking of the secure hard disk further comprises the following steps:
step S11: after the access of the secure USB flash disk is detected, starting the secure operating system in the secure USB flash disk and running a joint encryption program under that operating system;
step S12: completing the USB flash disk authentication operation and the user authentication operation under the control of the joint encryption program;
step S13: after the USB flash disk authentication and the user authentication succeed, sending an unlocking instruction to the secure hard disk;
step S14: the secure hard disk unlocks its internal storage channel after obtaining the unlocking instruction and feeds unlocking information back to the host; the unlocking instruction further comprises a KEY stored in the secure USB flash disk, which the secure hard disk obtains but does not retain after shutdown; and the KEY is used for the data encryption and decryption operations in the secure hard disk.
2. The secure computer boot control method of claim 1, wherein step S2 further comprises the following steps:
step S21: after obtaining a startup instruction sent by the host, the secure hard disk checks an unlocking flag bit, which is set once the unlocking operation of the secure hard disk has completed;
step S22: if the unlocking flag bit is set, the secure hard disk starts its internal main operating system; otherwise it continues to wait for the unlocking operation of the secure hard disk to complete;
step S23: after the secure hard disk is unlocked, waiting for storage instructions from the host.
3. The secure computer boot control method of claim 2, wherein in step S23 the data written by the host to the secure hard disk is encrypted before being stored in the secure hard disk, and the data read by the host from the secure hard disk is decrypted before being sent to the host.
4. The secure computer boot control method of claim 1 or 2, wherein the secure hard disk uses a volatile memory to store the KEY and the unlock flag bit.
5. The secure computer boot control method of claim 4, wherein an energy storage capacitor is further disposed in the secure hard disk, and the energy storage capacitor is used to provide a short-time power supply for the secure hard disk.
6. The secure computer boot control method of claim 1 or 2, wherein in step S12 the user authentication operation is started after the USB flash disk authentication operation succeeds;
the secure USB flash disk and the secure hard disk each store one of a pair of mutually corresponding authentication codes; the USB flash disk authentication operation judges whether the authentication codes in the secure USB flash disk and the secure hard disk match and feeds back authentication result information;
the user authentication operation acquires the input user information after the USB flash disk authentication succeeds and matches it against the user information stored in the secure USB flash disk, and comprises the following steps:
the secure USB flash disk starts a user login interface after obtaining the authentication success information;
receiving the user information input by the user and matching it against the user information in the user database of the secure USB flash disk, wherein if the user information matches completely the user authentication succeeds, otherwise it fails;
and sending an unlocking instruction to the secure hard disk after the user authentication succeeds.
7. The secure computer boot control method of claim 6, wherein the user database comprises at least an administrator user and common users; the administrator user has the highest access authority and can set the common user information after logging in, and a common user can log in securely after the administrator user has set it up successfully;
the administrator user can also set authority information for the common users, which limits the operation authority of different users on the secure hard disk; the operation authority comprises at least read/write operation or read-only operation on the secure hard disk.
8. The secure computer boot control method of claim 7, wherein a plurality of partitions are provided in the secure hard disk, the authority information further comprises bound partition information, and the partition information binds a common user to the corresponding secure hard disk partition that the user is authorized to access.
9. The secure computer boot control method of claim 1 or 2, wherein the KEY stored in the secure usb disk is randomly generated at the time of computer initialization.
10. A secure computer boot control method as claimed in claim 1 or 2, wherein the authentication code for the authentication operation of the usb disk is randomly generated at the time of computer initialization.
CN201810867202.4A 2018-08-01 2018-08-01 Starting control method for safety computer Withdrawn CN110795727A (en)

Publications (1)

Publication Number Publication Date
CN110795727A true CN110795727A (en) 2020-02-14

Family

ID=69425675

Country Status (1)

Country Link
CN (1) CN110795727A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112966276A (en) * 2021-04-02 2021-06-15 杭州华澜微电子股份有限公司 Method, device and medium for safely starting computer
CN113938278A (en) * 2021-10-25 2022-01-14 北京计算机技术及应用研究所 Key management and protection method for encrypted hard disk
CN113938278B (en) * 2021-10-25 2024-03-15 北京计算机技术及应用研究所 Key management and protection method for encrypted hard disk
CN114091084A (en) * 2021-11-30 2022-02-25 成都三零嘉微电子有限公司 Encryption storage control system and method based on multi-core processor safety solid state disk

Legal Events

Date Code Title Description
PB01 Publication
WW01 Invention patent application withdrawn after publication

Application publication date: 20200214