Two-stage safe starting system and method for domestic computer
Technical Field
The invention relates to the field of computer security, and in particular to a two-stage secure boot system and method for a domestic computer.
Background
A USBKey is used to strengthen system security when the computer operating system starts, so that the operating system runs reliably, and USBKeys are widely used. A traditional operating system has security holes, and the user cannot tell whether the current USBKey-based system has been invaded by a virus program that has broken through the security shielding and protection layer, allowing illegal access and malicious operation. Traditional security protection relies on a secret key and on software; such protection is unreliable and its performance is unstable, and an illegal user can break through the protection layer via the low-level hardware of the BIOS and obtain the computer's data.
Disclosure of Invention
To solve the problems described in the background, namely that the operating system has security leaks and that an illegal user can break through the protective layer via the low-level hardware of the BIOS and obtain the computer's data, the invention provides a two-stage secure boot system and a two-stage secure boot method for a domestic computer.
In order to achieve the above purpose, the present invention adopts the following technical scheme:
A two-stage secure boot system for a domestic computer comprises a USBKey and PMON firmware; together, the USBKey and the PMON firmware implement the two-stage secure boot of the domestic computer.
The first-stage secure boot is as follows:
The USBKey is connected to the computer through a USB interface and is recognized by the computer;
Once connected, the USBKey and the computer communicate, and first-stage identity verification is carried out;
The PMON firmware reads and parses the content stored in the USBKey and compares the MAC address held in the PMON firmware with the MAC address held in the USBKey; if the two match, the user is prompted to enter a user name, and if the user name is entered correctly, the user is prompted to enter a password.
The second-stage secure boot is as follows:
After first-stage identity verification is complete, the PMON firmware is loaded and the Kylin operating system is started;
The Kylin operating system then performs second-stage identity verification: the user interface layer prompts the user to enter the Kylin operating system password; after the user enters it, the password is decrypted with the operating system's public key and with the USBKey's private key respectively and the two results are compared; if they match, verification is judged successful and boot and login guidance are completed.
Here the operating system and the USBKey use encrypted communication, that is, the manufacturer provisions a public key in the operating system and a private key in the USBKey.
The working principle is as follows: the USBKey is inserted into the computer, and the USBKey and the PMON firmware carry out the first-stage secure boot. The PMON firmware detects the USBKey and matches the MAC address in the PMON against the MAC address in the USBKey; if they match, the user is prompted for a user name; if the user name is correct, the user is prompted for a password; if the password is correct, the first-stage secure boot is finished, the PMON firmware is loaded and the operating system is started. The second-stage secure boot then follows: the Kylin operating system password is entered, and if it is entered correctly, the second-stage secure boot is complete.
Further, the PMON stores the MAC address and the login password of the computer.
Further, the USBKey stores the MAC address, the user name and the password of the computer.
Further, the USBKey is recognized by the computer through a driver layer, which is a USBKey driver conforming to the USB protocol; the USBKey communicates with the computer through a function implementation layer, which is the USBKey operation interface, i.e. the protocol for communication between the computer and the USBKey; during first-level and second-level identity authentication, prompts are displayed through a user interface layer, which comprises a boot authentication interface and a trusted guidance interface, namely the user name and password input interface during boot authentication and the password input interface after entering the Kylin operating system.
A two-stage secure boot method for a domestic computer comprises the following steps:
S1, connecting a USBKey to the computer through a USB interface;
S2, performing first-stage identity verification: the PMON firmware reads and parses the content stored in the USBKey and compares the MAC address in the PMON firmware with the MAC address in the USBKey; if they match, the user is prompted to enter a user name, and if the user name is entered correctly, the user is prompted to enter a password;
S3, if the entered password is correct, loading the PMON firmware and starting the Kylin operating system;
S4, performing second-level identity verification by entering the Kylin operating system password;
S5, if the password is entered correctly, the boot is complete.
Further, if the PMON and the USBKey cannot be matched, the user is informed that no corresponding USBKey exists and the system waits for the user to insert one; hot plugging is supported during this wait, and after the user inserts the USBKey and presses Enter, recognition is repeated.
Further, the user name and password may be entered incorrectly at most 5 times; on the 5th incorrect entry an error message is displayed, and after the user presses Enter the computer is powered off. To log in to the computer with this USBKey again, a security administrator must reset the computer MAC address, the user name and the password stored in the USBKey using a special tool from the manufacturer.
Compared with the prior art, the invention has the following advantages and beneficial effects: it secures the system boot process in two stages, the first being security verification of the USBKey device and the second being security verification of the operating system. With this two-stage secure boot management and control system and technique, the security of the domestic computer system is improved, providing stronger support for users with high-level security requirements.
Drawings
The accompanying drawings, which are included to provide a further understanding of embodiments of the application and are incorporated in and constitute a part of this specification, illustrate embodiments of the application and together with the description serve to explain the principles of the application.
FIG. 1 is a block diagram of the principles of the present invention;
FIG. 2 is a start-up flow chart of the present invention.
Detailed Description
The following examples of the invention are set forth in connection with the accompanying drawings; the examples and their description are merely illustrative of the invention and are not intended to be limiting.
Example 1
Referring to figures 1 and 2, a two-stage secure boot system for a domestic computer comprises a USBKey and PMON firmware; together, the USBKey and the PMON firmware implement the two-stage secure boot of the domestic computer.
The first-stage secure boot is as follows:
The USBKey is connected to the computer through a USB interface and is recognized by the computer;
Once connected, the USBKey and the computer communicate, and first-stage identity verification is carried out;
The PMON firmware reads and parses the content stored in the USBKey and compares the MAC address held in the PMON firmware with the MAC address held in the USBKey; if the two match, the user is prompted to enter a user name, and if the user name is entered correctly, the user is prompted to enter a password.
The second-stage secure boot is as follows:
After first-stage identity verification is complete, the PMON firmware is loaded and the Kylin operating system is started;
The Kylin operating system then performs second-stage identity verification: the user interface layer prompts the user to enter the Kylin operating system password; after the user enters it, the password is decrypted with the operating system's public key and with the USBKey's private key respectively and the two results are compared; if they match, verification is judged successful and boot and login guidance are completed.
Here the operating system and the USBKey use encrypted communication, that is, the manufacturer provisions a public key in the operating system and a private key in the USBKey.
In this embodiment, the PMON stores the MAC address and the login password of the computer.
In this embodiment, the USBKey stores the MAC address, the user name and the password of the computer.
In this embodiment, the USBKey is recognized by the computer through a driver layer, which is a USBKey driver conforming to the USB protocol; the USBKey communicates with the computer through a function implementation layer, which is the USBKey operation interface, i.e. the protocol for communication between the computer and the USBKey; during first-level and second-level identity authentication, prompts are displayed through a user interface layer, which comprises a boot authentication interface and a trusted guidance interface, namely the user name and password input interface during boot authentication and the password input interface after entering the Kylin operating system.
A two-stage secure boot method for a domestic computer comprises the following steps:
S1, connecting a USBKey to the computer through a USB interface;
S2, performing first-stage identity verification: the PMON firmware reads and parses the content stored in the USBKey and compares the MAC address in the PMON firmware with the MAC address in the USBKey; if they match, the user is prompted to enter a user name, and if the user name is entered correctly, the user is prompted to enter a password;
S3, if the entered password is correct, loading the PMON firmware and starting the Kylin operating system;
S4, performing second-level identity verification by entering the Kylin operating system password;
S5, if the password is entered correctly, the boot is complete.
In this embodiment, if the PMON and the USBKey cannot be matched, the user is informed that no corresponding USBKey exists and the system waits for the user to insert one; hot plugging is supported during this wait, and after the user inserts the USBKey and presses Enter, recognition is repeated.
In this embodiment, the user name and password may be entered incorrectly at most 5 times; on the 5th incorrect entry an error message is displayed, and after the user presses Enter the computer is powered off. To log in to the computer with this USBKey again, a security administrator must reset the computer MAC address, the user name and the password stored in the USBKey using a special tool from the manufacturer.
Before the system firmware PMON boots, the user connects the USBKey device to the computer through a USB interface. During startup, PMON searches for the USBKey, reads and parses its stored content, and compares the computer MAC address stored in the USBKey with the computer MAC address stored in PMON to determine whether the USBKey device matches. If it does not match, the user is informed that no corresponding USBKey exists and the system waits for the correct USBKey to be inserted; hot plugging is supported during this wait, and after the user inserts the USBKey and presses Enter, recognition is repeated. If it matches, the user is prompted to enter a user name, and after the user name is entered correctly, the user is prompted to enter a password. The user name and password may be entered incorrectly at most 5 times: on the 5th incorrect entry an error message is displayed and the USBKey is locked; after the user presses Enter the computer is powered off, and to log in to the computer with this USBKey again a security administrator must reset the computer MAC address, the user name and the password stored in the USBKey using the manufacturer's special system tool. If the user name and password are entered correctly, the PMON firmware is loaded and the operating system is started;
In the second-stage secure boot, the operating system starts and prompts for the Kylin operating system password; if the password is entered incorrectly, an error message is displayed and the computer is powered off; if it is entered correctly, boot and login guidance are completed.
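The first-stage procedure described above (MAC match, user name, password, the no-key retry and the 5-error lockout), written out as an added C example that is not part of the patent or of any PMON code; the record layouts and field sizes, the constant-time comparison, and checking the entered user name and password against the values stored in the USBKey are assumptions.

```c
#include <stdbool.h>
#include <string.h>
#define MAX_ERRORS 5  /* five wrong user-name/password entries lock the key */
/* Records as the text describes them; field sizes are assumptions. */
struct pmon_store   { unsigned char mac[6]; char password[32]; };
struct usbkey_store { unsigned char mac[6]; char user[32]; char password[32]; };
enum auth_result { AUTH_OK, AUTH_NO_KEY, AUTH_PENDING, AUTH_LOCKED };

/* Constant-time comparison: an addition, the text does not say how PMON compares. */
static bool ct_equal(const void *a, const void *b, size_t n) {
    const unsigned char *x = a, *y = b;
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++) diff |= x[i] ^ y[i];
    return diff == 0;
}

/* Stage one. Each prompt consumes the next string in `inputs`; the firmware's prompt
 * loop acts on the returned state. Assumed: inputs are checked against the USBKey's
 * stored user name and password (the text lists both on the key). */
enum auth_result first_stage_auth(const struct pmon_store *pmon, const struct usbkey_store *key,
                                  const char *const *inputs, size_t n_inputs) {
    /* S2: no key, or a key for another computer: report "no corresponding USBKey",
     * wait for a hot-plugged key and a carriage return, then call again. */
    if (key == NULL || !ct_equal(pmon->mac, key->mac, sizeof pmon->mac))
        return AUTH_NO_KEY;
    bool user_ok = false;  /* false: prompting for user name; true: for password */
    int errors = 0;        /* wrong entries of either kind count together */
    for (size_t i = 0; i < n_inputs; i++) {
        const char *want = user_ok ? key->password : key->user;
        if (strlen(inputs[i]) == strlen(want) && ct_equal(inputs[i], want, strlen(want))) {
            if (user_ok) return AUTH_OK;  /* S3: load PMON, boot the Kylin OS */
            user_ok = true;
        } else if (++errors >= MAX_ERRORS) {
            return AUTH_LOCKED;  /* error message, Enter, power off; an administrator resets the key */
        }
    }
    return AUTH_PENDING;  /* still prompting */
}

/* Constructed sample records and scenarios (not real device contents). */
static const struct pmon_store   sample_pmon = { {0x00,0x11,0x22,0x33,0x44,0x55}, "boot-pw" };
static const struct usbkey_store sample_key  = { {0x00,0x11,0x22,0x33,0x44,0x55}, "alice", "s3cret" };
enum auth_result demo_correct(void) {   /* one slip, then success */
    const char *in[] = { "alice", "wrong", "s3cret" };
    return first_stage_auth(&sample_pmon, &sample_key, in, 3);
}
enum auth_result demo_lockout(void) {   /* fifth error locks before the right password arrives */
    const char *in[] = { "bob", "alice", "x", "x", "x", "x", "s3cret" };
    return first_stage_auth(&sample_pmon, &sample_key, in, 7);
}
enum auth_result demo_wrong_key(void) { /* key provisioned for a different computer */
    struct usbkey_store other = sample_key; other.mac[5] ^= 1;
    return first_stage_auth(&sample_pmon, &other, NULL, 0);
}
```

The second-stage public/private key check is not modelled, since the text does not specify the scheme.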
In the computer's boot process, the security of the domestic computer system is improved by the two-stage secure boot: when a user wants to start the operating system, the first-stage secure boot must be completed before the Kylin operating system begins to start, and the Kylin operating system password must also be entered; boot and login guidance are finished only after the password is entered correctly.
The foregoing description of the embodiments has been provided to illustrate the general principles of the invention; it is not meant to limit the scope of the invention or to restrict the invention to the particular embodiments, and any modifications, equivalents, improvements, etc. that fall within the spirit and principles of the invention are intended to be included within its scope.