CN117744097A - Control device and method for system security access - Google Patents

Publication number
CN117744097A
Authority
CN
China
Legal status
Pending
Application number
CN202311065427.5A
Other languages
Chinese (zh)
Inventor
黄剑
黄晓娟
Current Assignee
Fujian Meiya Guoyun Intelligent Equipment Co ltd
Original Assignee
Fujian Meiya Guoyun Intelligent Equipment Co ltd

Abstract

The invention provides a control device and method for system security access. The device comprises: a solid state disk that stores the user's biometric template data in advance and provides a biometric identification interface; and a UEFI system configured with a biometric recognition unit, which acquires the biometric data to be verified and compares it, through the biometric identification interface, with the biometric template data stored in advance by the user. When the comparison matches, the UEFI decrypts the data on the encrypted hard disk and loads the operating system on the disk. The scheme combines biometric recognition technology with the encrypted hard disk: the UEFI system calls the biometric recognition function of the encrypted hard disk to authenticate and unlock the encrypted system disk, so identity authentication is completed through biometric recognition before the computer enters the operating system, and only then is the operating system loaded. The method implements hardware encryption based on the solid state disk control chip, can prevent brute-force cracking and password guessing, has functions such as data recovery, and, compared with software encryption, offers a higher degree of encryption, greater stability and a smaller impact on performance.

Description

Control device and method for system security access
Technical Field
The application belongs to the technical field of information security, and particularly relates to a control device and method for system security access.
Background
The rapid development of computer technology and internet communication technology brings great convenience, while the extremely high value, shareability, timeliness and transmission speed of information make people pay more and more attention to information security. Information security problems in computer systems, such as data leakage, hacking and intrusion, make the security and confidentiality of data increasingly important. Computers are data processing and storage equipment, so computer security is an important component of information security; in current computer security the operating system login is easy to break, which leaves the whole system in an "undefended" state. Prior art protection of systems typically binds the hard disk to the machine, so damage to the machine can make the hard disk data inaccessible. In addition, the existing power-on password only solves the problem of the right to use the system; it does not solve the problem of hard disk data encryption. The problem of system use limitation is solved under the condition that the technology of hard disk encryption cannot perform data encryption and decryption processing on the system disk. Hard disk passwords generally use text passwords, which are difficult to remember and easily leaked through frequent entry.
Disclosure of Invention
In view of the foregoing problems in the prior art, a first aspect of the present invention proposes a control device for system security access, comprising: a solid state disk that stores the user's biometric template data in advance and provides a biometric identification interface; and a UEFI (Unified Extensible Firmware Interface) system configured with a biometric recognition unit, which acquires the biometric data to be verified and compares it with the user's biometric template data through the biometric identification interface. When the comparison matches, the UEFI decrypts the data on the solid state disk and loads the operating system on the disk.
The device integrates protection of the operating system with the UEFI: the biometric recognition function is invoked in the UEFI for verification, the hard disk is unlocked with biometrics in the UEFI when the computer starts, and the operating system on the disk is loaded after unlocking. Because identity authentication is completed before the computer enters the operating system, this addresses the data-leakage problem that arises when biometric recognition is invoked only at the operating system level, where it is easily broken or intruded upon, or where the authentication check is bypassed by removing the disk.
Preferably, the solid state disk is further provided with a main control chip configured to encrypt data written into the solid state disk and decrypt the data before the UEFI loads an operating system on the solid state disk. The data encryption and decryption are realized by the solid state disk control chip and are not dependent on the system and software of the host, so that the system and the method can still be used across machines under the condition of hard disk data encryption.
Preferably, the encryption chip is further configured to encrypt data in the solid state disk after the system is closed.
Preferably, the encryption process employs at least one national cryptographic or commercial cryptographic algorithm.
Preferably, the solid state disk is divided into a plurality of partitions, and encryption processing is carried out on at least one partition.
Preferably, the apparatus further comprises a biometric sensor configured to collect biometric information.
Preferably, the biometric information includes at least one of fingerprint information, face information, iris information, palm print information, and voice information.
Preferably, the main control chip is also configured for extraction, storage and comparison of biometric information.
Preferably, the device is further configured with a text password recognition unit; after the text password recognition unit finds a match with the text password stored in advance by the user, the UEFI loads the operating system on the solid state disk.
A second aspect of the present invention proposes a control method for system security access, comprising the steps of: acquiring the user's biometric template data stored in advance in a solid state disk; acquiring biometric data to be verified and comparing it with the user's biometric template data; and, when the comparison matches, decrypting the data on the solid state disk and loading the operating system on the disk.
Preferably, the data written in the solid state disk are encrypted, and the data are decrypted after the operating system on the solid state disk is loaded and before the data are read.
The system security access control device and method provided by the invention combine biometric recognition technology: the biometric template data is encrypted and stored on the secure encrypted solid state disk, the biometric recognition function is implemented with the computing power of the solid state disk's main control chip, and a biometric identity verification interface is provided. The UEFI calls the biometric recognition function of the encrypted hard disk to authenticate and unlock the encrypted system disk, so identity authentication is completed before the computer enters the operating system and only then is the operating system loaded. The encrypted solid state disk is also decrypted during startup, and the operating system can start only after authentication passes, so both the user's data and the user's right to start the system are protected. The method implements hardware encryption based on the solid state disk control chip, can prevent brute-force cracking and password guessing, has functions such as data recovery, and, compared with software encryption, offers a higher degree of encryption, greater stability and a smaller impact on performance.
Drawings
The accompanying drawings assist in a further understanding of the present application. The elements of the drawings are not necessarily to scale relative to each other. For convenience of description, only parts related to the related invention are shown in the drawings.
FIG. 1 is a schematic diagram of a control device for system security access according to an embodiment of the present invention;
FIG. 2 is a schematic diagram illustrating password status flow of a secure encrypted solid state disk according to an embodiment of the present invention;
FIG. 3 is a flowchart of a UEFI unlocking secure encrypted solid state disk in another embodiment of the present invention;
FIG. 4 is a schematic diagram illustrating steps of a control method for system security access according to another embodiment of the present invention.
Detailed Description
The invention is described in further detail below with reference to the drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention.
The invention provides a system security access control method that implements biometric authentication based on a secure encrypted solid state disk. Biometric technology serves as a means of identification: a user unlocks a device with fingerprint, facial or iris information and is authenticated by a unique biometric identifier. Biometric features are unique and stable, are attached to the human body and are not easy to forge or imitate, so a user can verify identity simply and reliably through biometric identification without worrying about forgetting a password.
Fig. 1 is a schematic structural diagram of a control device 100 for system security access according to an embodiment of the present invention, where the device 100 is disposed in a system supporting UEFI (Unified Extensible Firmware Interface) biometric unlocking of an encrypted hard disk, and includes:
The solid state disk 110 stores biometric template data of a user in advance and provides a biometric identification interface. The solid state disk 110 is a secure encrypted solid state disk: data is encrypted and decrypted on the fly by the main control chip 111, which encrypts data before it is written into the NAND flash memory and decrypts it before it is read. The encryption process does not involve the host CPU, so data encryption causes no performance loss on the host CPU. Compared with the conventional approach of storing the biometric template on the sensor, storing the biometric template data in the solid state disk avoids losing the template data when equipment is replaced.
In a specific embodiment, the solid state disk is encrypted by partition. When a hard disk partition password is set, a hash value is computed from the password and an internal random number using a national cryptographic algorithm, and the hash value is stored. National cryptographic algorithms are those recognized by the national cryptography administration and include SM3, SM4 and others. In this embodiment the computation of the cryptographic algorithm is completed by hardware inside the chip and cannot be changed by the software layer. When a password is verified, only the hash value generated from the correct password passes verification.
In a preferred embodiment, multiple partitions can be created and each partition of the disk can be selectively encrypted; up to 8 partition namespaces are supported, with per-partition encryption and decryption management. A partition on which a password has been set requires authentication, that is, it enters the locked state, in which read and write operations cannot be performed.
Fig. 2 is a schematic diagram of the password state flow of the secure encrypted solid state disk in the present embodiment. As shown in Fig. 2, in the locked state an ordinary user can unlock by authenticating with the password. Until authentication succeeds, the locked state is maintained through 1-4 power cycles (Power Cycle) or consecutive authentication failures; if authentication fails 5 times in a row, the disk enters a lockout state with a waiting time of 10 minutes; if verification fails 10 times in a row, the disk is permanently locked and the data of the partition can no longer be accessed, which prevents the password from being cracked by exhaustive search and similar means. If a user forgets a partition password during use, the partition's password can be removed with the administrator password, after which the partition can be read and written, or the password can be reset. For scenarios requiring higher data confidentiality, a one-key soft destruction function can completely destroy the data stored in the solid state disk: all hard disk partitions are erased within 20 seconds and the data cannot be recovered, ensuring the security of the data.
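The partition password storage and the Fig. 2 lockout thresholds described above can be modelled as a small state machine. This is an added example, not code from the patent or its assignee; the class and method names are hypothetical, SHA-256 stands in for the on-chip SM3 computation, and three points the text leaves open are marked as assumptions in the comments.

```python
import hashlib
import hmac
import os
from enum import Enum

TIMED_LOCK_AFTER = 5       # consecutive failures that start the waiting period
PERMANENT_LOCK_AFTER = 10  # consecutive failures that lock the partition for good
WAIT_SECONDS = 10 * 60     # lock waiting time given in the description


class State(Enum):
    NO_PASSWORD = "no password"
    LOCKED = "locked"
    UNLOCKED = "unlocked"
    TIMED_LOCK = "locked, waiting"
    PERMANENT_LOCK = "permanently locked"


def password_hash(password: str, nonce: bytes) -> bytes:
    # Stand-in for the on-chip SM3 computation over the password and the
    # internal random number; SHA-256 is used so the example runs anywhere.
    return hashlib.sha256(nonce + password.encode("utf-8")).digest()


class Partition:
    """Password state of one encrypted partition (model constructed for this example)."""

    def __init__(self, admin_password: str):
        self._admin_nonce = os.urandom(16)
        self._admin_hash = password_hash(admin_password, self._admin_nonce)
        self._nonce = b""
        self._hash = b""
        self.failures = 0
        self.wait_until = 0.0
        self.state = State.NO_PASSWORD

    def set_password(self, password: str) -> None:
        # Only the random number and the hash are stored, never the password.
        self._nonce = os.urandom(16)
        self._hash = password_hash(password, self._nonce)
        self.failures = 0
        self.state = State.LOCKED

    def power_cycle(self) -> None:
        # Assumption: the failure counter and both lock states survive a power
        # cycle; otherwise cycling power would reset the guess budget.
        if self.state is State.UNLOCKED:
            self.state = State.LOCKED

    def unlock(self, password: str, now: float) -> State:
        if self.state in (State.NO_PASSWORD, State.UNLOCKED, State.PERMANENT_LOCK):
            return self.state
        if self.state is State.TIMED_LOCK:
            if now < self.wait_until:
                return self.state  # refused during the wait; the guess is not evaluated
            self.state = State.LOCKED
        if hmac.compare_digest(password_hash(password, self._nonce), self._hash):
            self.failures = 0
            self.state = State.UNLOCKED
            return self.state
        self.failures += 1
        if self.failures >= PERMANENT_LOCK_AFTER:
            self.state = State.PERMANENT_LOCK
        elif self.failures >= TIMED_LOCK_AFTER:
            # Assumption: every failure from the 5th onward starts a new wait.
            self.state = State.TIMED_LOCK
            self.wait_until = now + WAIT_SECONDS
        return self.state

    def admin_clear(self, admin_password: str) -> bool:
        # Assumption: a permanent lock cannot be cleared, matching "the data of
        # the partition can no longer be accessed".
        if self.state is State.PERMANENT_LOCK:
            return False
        supplied = password_hash(admin_password, self._admin_nonce)
        if not hmac.compare_digest(supplied, self._admin_hash):
            return False
        self._nonce, self._hash = b"", b""
        self.failures = 0
        self.state = State.NO_PASSWORD
        return True
```

Passing the clock in as `now` keeps the model deterministic; a correct password offered during the waiting period is refused without being checked, so the wait cannot be used as a guessing oracle.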
In the preferred embodiment, the chip used supports national standard SM2 firmware verification and national standard SM4 data encryption. The chip firmware is encrypted with the SM2 public key cryptographic algorithm, and firmware signature verification checks the correctness of the firmware before the solid state disk comes online, which prevents the firmware from being tampered with and protects the security of the chip firmware. The full-disk data of the solid state disk is encrypted with the SM4 block cipher algorithm, which provides efficient cryptographic operations and encryption and decryption services for data encryption. Implementing the protection of firmware and data in the chip reduces dependence on software, provides higher performance and throughput, and prevents data leakage, tampering and unauthorized access.
The UEFI system 120 is configured with a biometric identification unit 121, acquires biometric data to be verified, and compares the biometric data to be verified with the biometric template data of a user through the biometric identification interface; when the comparison matches, the UEFI loads the operating system on the solid state disk.
The biometric sensor 130 is configured to collect biometric information, which may specifically include at least one of fingerprint information, face information, iris information, palm print information, and voice information. In a preferred embodiment, entry and management of biometric data is provided in the UEFI configuration interface; biometric data is extracted from the biometric information collected by the biometric sensor and saved as a biometric template for comparison. The biometric templates are stored encrypted in the biometric storage space 112 of the secure encrypted solid state disk.
During system startup, the UEFI system detects whether a UEFI-mode biometric sensor driver is loaded and controls the biometric recognition unit according to the result; once the biometric sensor is detected, the biometric recognition function of the UEFI is started. The biometric sensor and the computer exchange information over a communication protocol, and the biometric data input by the sensor is identified and verified by the biometric recognition function of the UEFI. When the UEFI performs biometric recognition, it acquires biometric data in real time, compares it with the biometric templates in the biometric template database on the secure encrypted solid state disk, determines whether they match, and outputs a verification result. After verification passes, the UEFI unlocks the secure encrypted solid state disk from the locked state and then loads the operating system on it, completing system startup. Before it is unlocked, the secure encrypted solid state disk cannot be read or written, and the operating system on the disk cannot be started.
In another embodiment, the UEFI performs password authentication on the secure encrypted solid state disk as follows: while checking the boot entries, the UEFI detects whether a boot entry is a secure encrypted solid state disk; once one is detected, the password authentication function of the UEFI is started and the encrypted hard disk is unlocked through it.
In a preferred embodiment, setting and management of encrypted hard disk passwords is provided in the UEFI configuration interface. An administrator password and a user password are set for the encrypted hard disk, and the user password supports two forms: text password and biometric password. After a text password has been set, biometric recognition can be enabled and biometric data set; deleting the text password automatically disables the biometric recognition function.
Fig. 3 is a flowchart of the UEFI unlocking the secure encrypted solid state disk in this embodiment, where biometric comparison is a component configured in the main control chip of the encrypted hard disk. After the UEFI detects the secure encrypted solid state disk while checking the boot entries, it checks whether the password state of the disk is the locked state. When the encrypted hard disk is locked, the UEFI checks whether biometric recognition is enabled: if it is, unlocking is performed with biometrics; if it is not, unlocking is performed with the text password. Biometric unlocking comprises collecting biometric data and comparing it with the biometric template; if biometric authentication fails more than 5 consecutive times, the flow automatically switches to text password mode and the encrypted hard disk is unlocked with the text password on the UEFI. When the text password has failed verification 5 consecutive times, retrying is not allowed, and the user can only skip unlocking the disk or shut down the system. After unlock authentication of the encrypted hard disk passes, the data on the encrypted hard disk is decrypted and the operating system on the disk is started. When the password state of the encrypted hard disk is the password-free state, the operating system on the encrypted hard disk is started directly. When the encrypted hard disk cannot be unlocked because the user password has been forgotten, the user password can be removed with the administrator password and then set again through the UEFI configuration interface.
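The Fig. 3 decision flow, together with the rule that biometric recognition depends on a text password being set, can be checked with a short model. This is an added example, not code from the patent; all names are hypothetical, each attempt list is constructed input standing for the match results reported by the drive's comparison interface, and rejecting biometric enablement without a text password is this example's reading of the configuration rule.

```python
from enum import Enum

BIOMETRIC_FAIL_LIMIT = 5  # switch to the text password once failures exceed this
PASSWORD_FAIL_LIMIT = 5   # no further retries once failures reach this


class Outcome(Enum):
    BOOT = "decrypt the disk and start the operating system"
    NO_RETRY = "retry refused: skip this disk or shut down"
    ABANDONED = "input ended before any limit was reached"


class UnlockConfig:
    """User-password settings kept in the UEFI configuration interface (constructed model)."""

    def __init__(self):
        self.text_password_set = False
        self.biometric_enabled = False

    def set_text_password(self) -> None:
        self.text_password_set = True

    def enable_biometric(self) -> None:
        # A text password must exist first, so the fallback path is always available.
        if not self.text_password_set:
            raise ValueError("set a text password before enabling biometric recognition")
        self.biometric_enabled = True

    def delete_text_password(self) -> None:
        # Deleting the text password also switches biometric recognition off.
        self.text_password_set = False
        self.biometric_enabled = False


def uefi_unlock(config, biometric_attempts, password_attempts):
    """Return (outcome, method) for one boot, given per-attempt match results."""
    if not config.text_password_set:
        return Outcome.BOOT, "none"  # password-free state: start directly
    if config.biometric_enabled:
        failures = 0
        for matched in biometric_attempts:
            if matched:
                return Outcome.BOOT, "biometric"
            failures += 1
            if failures > BIOMETRIC_FAIL_LIMIT:
                break  # more than 5 consecutive failures: fall back
        else:
            return Outcome.ABANDONED, "biometric"
    failures = 0
    for matched in password_attempts:
        if matched:
            return Outcome.BOOT, "password"
        failures += 1
        if failures >= PASSWORD_FAIL_LIMIT:
            return Outcome.NO_RETRY, "password"
    return Outcome.ABANDONED, "password"
```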
With this device, the user must pass identity verification before the operating system on the secure encrypted solid state disk is loaded, and can access the disk only after verification passes, which addresses the insufficient identity authentication security of conventional computer systems and secures startup. The hardware encryption is invisible to the user, cannot be turned off, provides higher data security, and has essentially no effect on the operating performance of the host. Biometric unlocking is convenient and quick: the hard disk can be unlocked with fingerprint information, facial information and the like, with no complex password to memorize and enter; biometric features are also unique and difficult to simulate or forge, and offer higher security than a text password. Because hard disk authentication is bound to the user's biometric features, an attacker must have both the equipment and the biometric information, and access rights are difficult to obtain without the knowledge of staff. The biometric template data is encrypted and stored in a dedicated storage space on the secure encrypted solid state disk, so the hard disk carries the biometric function with the user even if the computer or the sensor equipment is replaced. The encryption function cannot be manually turned off; even if the hard disk is removed, installed in another machine and accessed as a non-boot disk, the identity authentication process cannot be bypassed, and stolen data is difficult to crack.
FIG. 4 is a schematic diagram of steps of a control method for system security access in another embodiment, which specifically includes:
S1, acquiring the user's biometric template data pre-stored in the solid state disk;
S2, acquiring biometric data to be verified, and comparing the biometric data to be verified with the user's biometric template data;
S3, when the comparison matches, decrypting the data on the solid state disk and loading the operating system on the disk.
In the preferred embodiment, the NVMe protocol is used to communicate with the host and the cryptographic algorithm is integrated: cryptographic operations are performed by the main control cryptographic chip, encryption and firmware verification follow the Chinese commercial cryptography standards, data written into the solid state disk is encrypted, and the data is decrypted after the operating system on the solid state disk is loaded and before the data is read.
The above embodiment provides a system security access control method that implements biometric authentication based on a secure encrypted solid state disk. By combining the secure encrypted solid state disk with UEFI unlocking, it ties together the user, the secure encrypted solid state disk and the computer: the secure encrypted solid state disk serves as the system disk, data encryption is performed by the main control chip, the UEFI calls the biometric interface of the encrypted hard disk during computer startup, the system disk is unlocked with the user's biometric data, and after unlocking the data on the disk is decrypted and the operating system is started. The encrypted hard disk provides a reliable encrypted storage space for the biometric template data and provides a biometric identification interface. The scheme solves the problem of data encryption on the system disk, the problem of identity authentication at system startup, and the problem of using the hard disk across machines, and can meet the requirements of system security access in fields and industries with higher data security requirements.
While the present application has been particularly shown and described with reference to a preferred embodiment, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the application as defined by the appended claims.

Claims (11)

1. A control device for secure access to a system, comprising:
a solid state disk, which stores biometric template data of the user in advance and provides a biometric identification interface;
a UEFI system configured with a biometric recognition unit, which acquires biometric data to be verified and compares the biometric data to be verified, through the biometric identification interface, with the biometric template data stored in advance by the user;
wherein, when the comparison matches, the UEFI system decrypts the data on the solid state disk and loads an operating system on the disk.
2. The control device for system security access according to claim 1, wherein the solid state disk is further provided with a main control chip configured to encrypt data written into the solid state disk and decrypt the data before the UEFI system loads an operating system on the solid state disk.
3. The control device for system security access according to claim 2, wherein the encryption chip is further configured to encrypt data in the solid state disk after system shutdown.
4. A control device for secure access to a system according to claim 2 or 3, wherein the encryption process is performed using at least one cryptographic algorithm.
5. A control device for system security access according to claim 2 or 3, wherein the solid state disk is divided into a plurality of partitions, and the encryption processing is performed on at least one partition.
6. The apparatus for system secure access of claim 2, further comprising a biometric sensor configured to collect biometric information.
7. The control device for system security access according to claim 6, wherein the biometric information includes at least one of fingerprint information, face information, iris information, palm print information, voice information.
8. The control device for system security access of claim 6, wherein the master control chip is further configured for extraction, storage and comparison of the biometric information.
9. The control device for system security access according to claim 1, further comprising a text password identification unit, wherein the UEFI system loads the operating system on the solid state disk after matching with a text password stored in advance by a user.
10. A control method for secure access to a system, comprising the steps of:
acquiring the user's biometric template data pre-stored in a solid state disk;
acquiring biometric data to be verified, and comparing the biometric data to be verified with the user's biometric template data;
and, when the comparison matches, decrypting the data on the solid state disk and loading an operating system on the disk.
11. The method for controlling system security access according to claim 10, wherein the data written in the solid state disk is encrypted and decrypted before the operating system on the solid state disk is loaded.
CN202311065427.5A 2023-08-23 2023-08-23 Control device and method for system security access Pending CN117744097A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311065427.5A CN117744097A (en) 2023-08-23 2023-08-23 Control device and method for system security access

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311065427.5A CN117744097A (en) 2023-08-23 2023-08-23 Control device and method for system security access

Publications (1)

Publication Number Publication Date
CN117744097A (en) 2024-03-22

Family

ID=90251443

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination