JP2008009981A - Method and device for realizing protection of starting computer - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To especially provide a method and a device for realizing protection of starting computer in an information safety field. <P>SOLUTION: The method includes processes for verifying user status based on information safety device by a self-written program after a computer is started up by a user in order to solve the safety problem in a protection method of starting computer. This invention simultaneously provides the device for realizing protection of starting computer and consists of an initialization system module, a program verification module and the information safety device. This invention performs safe and reliable protection of the starting computer upon realizing banding between a physical status and a digital status of the user by verifying user state information by a USB Key to establish legal status of the user in opening. Simultaneously, difficulty that difference exists when accessing a USB by using different chip sets by different computers by utilizing a characteristics that compatibility of a simple OS is successful. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention relates to the field of information security, and more particularly, to a method and apparatus for realizing startup protection of a computer using a USB key.

  Currently, in normal startup mode, when a user starts up a computer, a startup protection method often used is to check the user's identity by requiring the user to enter a password. ing.

  Since the user password is set by the user himself and is known only to the user himself / herself, if the password can be correctly input, the computer recognizes that the user is the user of this computer. However, many users use their own birthdays or phone numbers as passwords to remember their passwords. These meaningful strings tend to be guessed by others. Also, taking note of the password where you think it's safe is also a security risk and can easily lead to password leakage. If the hard disk is moved to a computer without a password, the contents can be replaced so that the system can start up normally. For this reason, the user name / password method is a risky identification method in terms of security.

  Generally, the computer can recognize only the digital status of the user, and all rights granted to the user are rights granted to the user digital identity. The real world we live in is the physical world that exists, and each person has a unique physical status. How to ensure that an operator operating with a digital identity is the rightful owner of this digital identity, i.e. ensuring that the physical identity of the operator corresponds to the digital identity. It has become an important issue.

  In addition, in a method in which different computers use different chipsets to access USB, a difference occurs, that is, there is a defect in compatibility. Therefore, it is necessary to use one technique to cover this difference.

With the above, the problems of the existing technology are:
1. There is a security risk and the password is leaked.
2. There is no guarantee for the operator's physical and digital banding,
It is.

  SUMMARY OF THE INVENTION In order to solve the safety risk inherent in the computer activation protection method of the existing technology, an object of the present invention is to provide a method and apparatus for realizing activation protection of a computer.

The present invention provides a method for realizing startup protection of a computer, said method comprising the following steps:
Install a new MBR program and a simple OS on your hard disk and perform the following steps:
Step A: When the user starts the computer, the motherboard BIOS self-boots and then passes control to the new MBR program;
Step B: After executing the new MBR program, hand over control of the system to the simple OS;
Procedure C: The simple OS is related to information safety equipment, and the information safety equipment verifies the user identity. If the verification succeeds, the activation protection is completed; conversely, if the verification fails, the computer enters an abnormal processing state.

Installing a new MBR program and a simple OS on the hard disk specifically includes the following steps:
Step A ': Cut the original MBR program on the computer hard disk and place it in the designated area of the hard disk;
Procedure B ': Place the newly developed MBR program in the MBR area of the hard disk;
Step C ': Put the simple OS in another specified area of the hard disk.

The user identity verification specifically includes the following steps:
Procedure C1: Check whether the user has inserted the information safety equipment, and if the information safety equipment has been inserted, execute the procedure C2. Otherwise, perform step C3;
Procedure C2: Verify whether the user identity is valid using the information safety equipment. If it is valid, execute procedure C4. Otherwise, perform step C5;
Procedure C3: Presents the user to insert the information safety equipment and returns to Procedure C1;
Step C4: User successfully validates identity and computer continues to boot normally;
Procedure C5: It is determined whether the number of user verification failures has reached a set value during this activation. If the set value is reached, the computer enters an abnormal handling state; otherwise, return to procedure C2.

  The information safety facility is a USB key.

A specific method for verifying whether the user identity in the procedure C2 is valid includes, but is not limited to, the following method:
Verify that the PIN code entered by the user is valid;
Verify that the user's physiological characteristics are valid;
Verify that the data security equipment provided by the user has valid data;
Verify that the information security equipment provided by the user has a valid hardware serial number;
Send some data to the information safety equipment, perform the calculation, and verify that the result of the calculation is valid.

  The normal startup of the computer in step C4 means that the simple OS passes the system control to the original MBR program, or skips the original MBR program command and directly transfers the control to the next program command.

The present invention provides an apparatus that simultaneously realizes startup protection of a computer. The apparatus includes a system initialization module, a verification program module and an information safety facility;
The system initialization module cuts the original MBR program on the computer hard disk, places it in a designated area of the hard disk, places the newly developed MBR program in the MBR area of the hard disk, and places the simple OS in another designated area of the hard disk. Used for that. At the same time, it is also used to set up the relevant information of the USB Key and associate it with the verification program module;
The verification program module is associated with the installed USB Key, and is used for verification of the user identity and data restoration in combination with the transfer of control, information safety equipment;
The information safety equipment is used to verify the user's identity.

The specific verification method of the user status in the verification program is not limited including the following methods:
Verify that the PIN code entered by the user is valid;
Verify that the user's physiological characteristics are valid;
Verify that the data security equipment provided by the user has valid data;
Verify that the information security equipment provided by the user has a valid hardware serial number;
Send some data to the information safety equipment, perform the calculation, and verify that the result of the calculation is valid.

  In this activation protection device, the information safety equipment is a USB key.

The beneficial effects brought about by the present invention are as follows:
Using USB Key, the user identity information is verified, and the user's physical identity and digital identity are banded to protect the startup of the computer. At the same time, using the feature that the simple OS has good compatibility, we solved the problem that there was a difference when accessing the USB brought about by different computers using different chipsets.

  The present invention will now be further described with reference to the drawings and specific examples, but is not limited to the present invention.

  The present invention provides a method and apparatus for implementing computer startup protection. This method and apparatus realizes startup protection of a computer by writing a specific MBR program and a simple OS on a hard disk, and verifying a legitimate identity for the user using a USB key. At the same time, it took advantage of the good compatibility of the simple OS to overcome the difficulties that existed when accessing USB, which was caused by different computers using different chipsets.

For a better understanding of the present invention, the terms associated with the present invention are specifically interpreted as follows:
BIOS (Basic Input / Output System): The general name is ROM-BIOS, which is an abbreviation for Read Only memory basic input / output system. In fact, it is the program that provides the lowest level and direct hardware control to a computer embedded in a computer, and is also a “converter” or interface (although it is just a program) between hardware and software, Responsible for resolving immediate hardware requirements and operating the hardware in response to specific software requirements. The BIOS chip is a rectangular or square chip on the main board. The BIOS has a system self-boot load program that installs the DOS system by running the boot program in the relative 0 track 0 sector of the disk in memory after running the self test successfully; Since it directly interacts with system hardware resources, it supports certain types of hardware systems. Since each hardware system is different, there are different types of BIOS.

  MBR (Main Boot Record): The first sector of the hard disk (the first sector of the 0th cylinder and the 0th track), the main boot program, the main partition table, and the end mark "55AA" Saved. Used to hand over system control to some OS installed on the computer when the computer boots from the hard disk. When starting up the computer, first test the hardware equipment by BIOS, that is, BIOS self-test, after successful test, enter the self-startup program, and main boot from the 0th cylinder 0th track first sector of the disk Read the record into the specified area of memory, then transfer control to the program command in the MBR. The self-booting means that after the BIOS completes the self-test, the MBR on the hard disk is read and stored in the memory. All program commands in MBR are loaded into memory before the OS and function. In general, the main functions of the MBR program command are as follows: check if the hard disk partition table is complete; search the partition table for the partition marked as bootable; the first logical sector of the bootable partition Capture contents to memory; pass system control to memory address captured in previous step.

  Linux (registered trademark): Unix (registered trademark) OS that can be freely used and distributed freely, multi-user, multi-task, multi-thread and multi-CPU based on POSIX (Portable Operating System Interface for UNIX) It is a real-time OS that supports Linux can run the main tool software, applications and network protocols of UNIX. Supports 32-bit and 64-bit hardware. Linux is a multi-user network OS that inherits the design philosophy centered on the UNIX network and has stable performance. Linux is mainly used in computers based on Intel® x86 series CPUs. Since Linux has open source code, tailoring can be tailored to your needs, and the size of a tailored Linux system can be smaller than 1MB.

  FreeBSD: A freely available UNIX system running on the Intel platform. It is available for free from the Internet. High reliability, good network performance, high safety, strong versatility. Applications created on the UNIX OS can be compiled and run on the FreeBSD platform with little or no modification to the source code. FreeBSD, like Linux, belongs to open source software, but has a copyright agreement that is more open than the Linux contract. FreeBSD allows third-party commercial companies to develop their own copyrighted application software on the FreeBSD platform or to modify the FreeBSD system itself without having to publish the source code.

  Identity verification based on USB Key: USB Key is one of the hardware equipment of USB interface, which can store user encryption key or digital certificate with built-in single chip or smart card, and encryption with built-in USB Key. Uses algorithms to verify user identity. Currently, the two main uses of USB Keys are for software copyright protection, and for USB security media on the Internet and identification signs. ID authentication based on USB Key is a convenient, safe and economical ID authentication technology that has been developed in recent years, adopting a strong double-factor authentication mode that combines software and hardware, making it safe and easy to use We were able to solve the problem of both. Each USB Key hardware implements a double-factor authentication function by having user PIN (Personal Indentity Number) protection.

As shown in FIG. 1, the present invention provides a method for realizing startup protection of a computer, which method includes the following steps:
After the user boots the computer and the motherboard BIOS self-boots, the control is transferred to the new MBR program, and the control is transferred to the simple OS by the new MBR. The simple OS starts the program and verifies the user's identity using the information safety equipment in relation to the information safety equipment. If the verification is successful, the activation protection is completed. Conversely, if verification fails, the computer enters an abnormal processing state. In this embodiment, the information security equipment is a USB key as an example (a floppy disk or a CD may be used).

The specific procedure is as follows:
Step 101: Using the installation tool program, cut the original MBR program on the computer hard disk and move it to the specified area on the hard disk. The designated area here may be an arbitrary area other than the MBR area of the hard disk.

  Step 102: The newly developed MBR program is put in the MBR area of the hard disk. When this new MBR program is executed, the simple OS can be read automatically.

  Step 103: Use the installation tool program to put the simple OS in another specified area of the hard disk. The designated area here may be an arbitrary area different from the area where the original MBR of the hard disk is moved.

  Among them, the simple OS is an open source system, and the necessary simple OS can be created by using the source code placement tool to remove unnecessary modules from the original OS and recompile. Such a simple OS can solve the problem that the original OS is not universally compatible with USB, and its specific functions can be compiled by itself if necessary. The main functions of the simple OS of the present embodiment are to recognize an arbitrary USB, achieve the purpose of universal use of all USBs, and can be operated with a USB key to verify the user's identity. Specifically, the simple OS may be a tailored Linux system or a tailored FreeBSD system. A specific program command is entered in advance in this simple OS, and the USB equipment can be accessed by the specific program during system operation.

Steps 101 to 103 are system initialization processes. After completing the system initialization, the computer activation protection method implementation process is specifically as follows:
Step 104: When the user starts the computer, the motherboard BIOS self-boots and then passes control to the new MBR program.

Step 105: After executing the new MBR program, transfer control of the system to the simple OS;
Step 106: The simple OS activates a certain program and verifies the user identity using the USB key in association with the USB key. If the verification succeeds, the activation protection is completed; conversely, if the verification fails, the computer enters an abnormal processing state.

As shown in Fig. 2, the simple OS and USB Key interact with each other, and the user identification process is specifically as follows:
Step 201: The simple OS is executed to check whether the user has inserted the information safety equipment. If the USB key is inserted, the step 202 is executed. Otherwise, step 203 is executed.
Step 202: Verify whether the user identity is valid using the USB key. If it is valid, step 204 is executed. Otherwise, perform step 205; specific verification methods here are not limited, including the following methods:
1) Verify whether the PIN code entered by the user can be successfully verified by USB Key;
2) Verify that the user's physiological characteristics can be successfully verified by USB Key, such as fingerprint, voice, visual retina, etc .;
3) Verify that the USB key provided by the user has valid data. This legitimate data includes user identity related information and digital certificates;
4) Verify that the USB key provided by the user has a valid hardware serial number;
5) Send some data to the information safety equipment and perform the calculation, and verify whether the result of the calculation is the expected result.

  Step 203: Presents the user to insert the USB Key, and returns to Step 201.

  Step 204: The user succeeds in the identification verification, and the computer continues to start normally. That is, the simple OS passes the system control to the original MBR program, or skips the original MBR program command and directly passes control to the next program command, ie, the target to which the original MBR is to give control (for example, startup) Screen). In this process, there is a possibility that the data is decrypted and restored.

  Step 205: It is determined whether or not the number of times of user verification failure has reached a set value during the current activation. If the set value is reached, execute step 206; otherwise, return to step 202 and verify the identity again.

  Step 206: The number of user verifications already exceeds the set value, and the program enters an abnormal processing state.

  This process was realized jointly by executing the program with a simple OS and combining it with the USB Key.

As shown in FIG. 3, the present invention provides an apparatus that simultaneously realizes start-up protection of a computer. The apparatus includes a system initialization module, a verification program module and an information safety facility;
The system initialization module cuts the original MBR program on the computer hard disk, places it in the designated area of the hard disk, places the newly developed MBR program in the MBR area of the hard disk, and places the simple OS in another designated area of the hard disk. Used for that. At the same time, it is also used to set up the relevant information of the USB Key and associate it with the verification program module;
The verification program module is associated with the installed USB key, and is used for verification of the user identity and data restoration in combination with the transfer of control, information safety equipment;
The information safety equipment is used to verify the user's identity.

The specific verification method of the user status in the verification program is not limited including the following methods:
Verify that the PIN code entered by the user is valid;
Verify that the user's physiological characteristics are valid;
Verify that there is legitimate data in the information security facility provided by the user; this legitimate data includes user identity related information, digital certificates, etc .;
Verify that the information security equipment provided by the user has a valid hardware serial number;
Send some data to the information safety equipment, perform the calculation, and verify that the result of the calculation is valid.

  In the device, the information safety facility is a USB key.

  If the technical solution of the present invention is used, the user's identity information is stored in the USB Key, the validity of the user identity is verified using the USB Key, the user's physical identity and digital identity banding are performed, It became impossible for someone else to guess the password of a legitimate user, and the startup protection of the computer was realized.

  At the same time, by taking advantage of the good compatibility of the simple OS, we solved the problem that there was a difference when accessing a fake USB by different computers using different chipsets.

  The embodiment described above is only one of the specific modes of implementation selected by the present invention, and normal changes and replacements made by the general engineer in the field within the scope of the technical plan of the present invention are not possible. And within the protection scope of the present invention.

The flowchart of the method which implement | achieves the starting protection of the computer which this invention provides. The flowchart of the method of verifying a user identity using USB Key which this invention provides. 1 is a schematic diagram of an apparatus for realizing start protection of a computer provided by the present invention.

Claims (9)

A method to protect the startup of a computer by installing a new MBR program and a simple OS on the hard disk,
When the user boots the computer, after the motherboard BIOS self-boots, the procedure A to transfer control to the new MBR program,
After executing the new MBR program, the procedure B for transferring the control of the system to the simple OS, and
The simple OS is related to information safety equipment, the information safety equipment verifies the user identity, completes the startup protection if the verification is successful, and conversely if the verification fails, the computer enters the abnormal processing state C A method for realizing start-up protection of a computer, comprising: In the procedure to install a new MBR program and simple OS on the hard disk,
Cut out the original MBR program on the computer hard disk and place it in the specified area of the hard disk,
Procedure B 'for putting the newly developed MBR program into the MBR area of the hard disk,
Procedure C 'to put the simple OS into another specified area of the hard disk,
The method of realizing startup protection of a computer according to claim 1, comprising: In the user identity verification procedure,
Inspecting whether the user has inserted the information safety equipment, if the information safety equipment has been inserted, execute the procedure C2, otherwise, execute the procedure C3,
Verify whether the user identity is valid using the information safety equipment, if it is valid, perform the procedure C4, otherwise, perform the procedure C2,
Presenting the user to insert the information safety equipment, the procedure C3 to return to the procedure C1, and
Step C4, where the user succeeds in identity verification and the computer continues to boot normally,
It is determined whether the number of user verification failures has reached the set value at the start of this time, and when the set value is reached, the computer enters the abnormal processing state, otherwise, the procedure C5 returns to the procedure C2, and
A method for realizing start-up protection of a computer according to claim 1 or 2.   4. The method for realizing startup protection of a computer according to claim 3, wherein the information safety equipment is a USB key. In the method of verifying whether the user identity in the procedure C2 is valid,
A procedure to verify that the PIN code entered by the user is valid;
A procedure for verifying that the user's physiological characteristics are valid;
A procedure for verifying that the information safety equipment provided by the user has legitimate data;
A procedure to verify that the information security equipment provided by the user has a valid hardware serial number;
A procedure to send some data to the information safety equipment, perform the calculation, and verify whether the result of the calculation is valid,
4. The method for realizing start-up protection of a computer according to claim 3, further comprising:   That the computer in the procedure C4 continues to start normally is a step in which the simple OS passes the system control to the original MBR program, or directly transfers the control to the next program command by skipping the original MBR program command. 4. A method for realizing startup protection of a computer according to claim 3. A device for realizing start-up protection of a computer,
Cut the original MBR program on the computer hard disk, place it in the specified area of the hard disk, put the newly developed MBR program in the MBR area of the hard disk, put the simple OS in another specified area of the hard disk, A system initialization module that installs information and associates it with a verification program module;
A verification program module that is associated with the installed USB Key, used for verification of the user's identity and data restoration in combination with the transfer of control, information safety equipment,
Information safety equipment used to verify user identity,
An apparatus for realizing startup protection of a computer, comprising: A specific verification method for user identity in the verification program,
A procedure to verify that the PIN code entered by the user is valid;
A procedure for verifying that the user's physiological characteristics are valid;
A procedure for verifying that the information safety equipment provided by the user has legitimate data;
A procedure to verify that the information security equipment provided by the user has a valid hardware serial number;
A procedure to send some data to the information safety equipment, perform the calculation, and verify whether the result of the calculation is valid,
8. The apparatus for realizing startup protection of a computer according to claim 7, further comprising:   9. The apparatus according to claim 7, wherein the information safety equipment is a USB key.