Credible safety computer

A trusted and secure computer, and the secure technology it applies in the field of computing, addresses the problems of limited functionality, emergency destruction of key data that is not integrated, and a low degree of coupling between components, with the effect of increasing the difficulty of attack and enabling real-time encrypted storage.

Inactive Publication Date: 2008-12-17
706 INST SECOND RES INST OF CHINA AEROSPACE SCI & IND
Cites: 0 Cited by: 29

AI-Extracted Technical Summary

Problems solved by technology

However, these trusted computers have the following deficiencies: the transmission rate of a TPM security chip based on the LPC bus is low, so real-time encrypted storage of large files cannot be realized; information computing services; the hard disk and other storage media have a low degree of coupling with the BIOS system; the emergency destruction function for key data is not integrated, so it cannot prevent the leakage and theft o...

Abstract

The invention discloses a trusted and secure computer which comprises an IC card reader (4), and further comprises a secure motherboard platform (5), a secure hard disk (7), a secure U disk (8), an operating system security isolation module (12) and a user management module (13), connected in sequence. When the trusted and secure computer is started, an SOPC security chip drive unit (17), a secure hard disk authentication unit (14), a BIOS-level user identity authentication unit (15), a BIOS-level hardware integrity measurement unit (18), a BIOS-level I/O interface control unit (16) and an operating system security loading unit (19) in a security-enhanced BIOS system (11) are loaded in sequence. After the security-enhanced BIOS system (11) has finished starting, each security control unit in the operating system security isolation module (12) is loaded. The trusted and secure computer can thus know, manage and control the security state of the entire system.

Technology Topic: Security enhancement, Card reader (+11 more)


Example Embodiment

[0019] A trusted and secure computer includes a monitor 1, a keyboard 2, a mouse 3 and an IC card reader 4, and further includes a secure motherboard platform 5, a secure hard disk 7, a secure U disk 8, a secure electronic lock 9, a dedicated self-destruct key 10, an operating system security isolation module 12 and a user management module 13. The secure motherboard platform 5 includes an SOPC security chip 6 and a security-enhanced BIOS system 11. The security-enhanced BIOS system 11 includes a secure hard disk authentication unit 14, a BIOS-level user identity authentication unit 15, a BIOS-level I/O interface control unit 16, an SOPC security chip drive unit 17, a BIOS-level hardware integrity measurement unit 18 and an operating system security loading unit 19. The operating system security isolation module 12 includes a user identity authentication unit 20, a hardware resource control unit 21, a software resource control unit 22, a secure network communication unit 23, a system security audit unit 24 and a system quick recovery unit 25.
[0020] The monitor 1, keyboard 2, mouse 3, IC card reader 4, secure hard disk 7, secure U disk 8 and operating system security isolation module 12 are connected to the secure motherboard platform 5. The secure electronic lock 9 and the dedicated self-destruct key 10 are each connected to the secure hard disk 7 through a USB interface. The user management module 13 is connected to the operating system security isolation module 12, and the SOPC security chip 6 in the secure motherboard platform 5 is connected to the security-enhanced BIOS system 11. Within the security-enhanced BIOS system 11, the output of the BIOS-level user identity authentication unit 15 is connected to the BIOS-level I/O interface control unit 16, the BIOS-level hardware integrity measurement unit 18 and the operating system security loading unit 19, and the inputs of the BIOS-level user identity authentication unit 15 are connected to the SOPC security chip drive unit 17 and the secure hard disk authentication unit 14 respectively. Within the operating system security isolation module 12, the output of the system security audit unit 24 is connected to the hardware resource control unit 21, the software resource control unit 22 and the secure network communication unit 23 respectively, and the outputs of the user identity authentication unit 20 are connected to the hardware resource control unit 21, the software resource control unit 22, the secure network communication unit 23 and the system quick recovery unit 25 respectively.
[0021] When the SOPC security chip 6 operates, it provides protected key generation, processing and storage based on a hardware encryption/decryption engine and a random number generator, with a key length of 2048 bits; at the same time it stores the system security policies and audit logs.
[0022] When the secure hard disk 7 operates, it must authenticate the secure electronic lock 9 connected to it and respond to specific commands from the secure BIOS. After authentication passes, the work key stored in the secure electronic lock 9 is transmitted to the encryption and transcoding storage module inside the secure hard disk 7; thereafter, plaintext data accessed by the host is automatically stored as ciphertext on the 2.5-inch hard disk embedded in the secure hard disk 7. If the dedicated self-destruct key 10 is inserted while the secure hard disk 7 is powered on, or the outer shell of the secure hard disk 7 is opened while it is offline, the embedded encryption algorithm and stored key data are destroyed automatically.
[0023] When the secure U disk 8 operates, it first authenticates the TF card attached to its exterior. After authentication passes, it automatically reads the work key stored in the TF card, protects the data accessed by the host through its encryption and transcoding storage circuit, and stores it in the secure U disk 8. In an emergency, pressing the destruction switch on the back of the secure U disk 8 with the small metal key supplied with it quickly destroys all data and encryption algorithms stored in the secure U disk 8.
[0024] After the computer is powered on, the security-enhanced BIOS system 11 first calls the secure hard disk authentication unit 14 to authenticate the legality of the secure hard disk 7. The secure hard disk authentication unit 14 sends an authentication command to the secure hard disk 7; the secure hard disk 7 feeds back its device information; the secure hard disk authentication unit 14 judges from the feedback whether it is a legal secure hard disk 7. If the secure hard disk 7 is legal, execution continues; otherwise the system hangs.
[0025] After the secure hard disk 7 has been authenticated, the BIOS-level user identity authentication unit 15 cooperates with the secure hard disk 7 to authenticate the current user. The user's authentication medium is an IC card, and user authority is divided into two types: ordinary users and administrators. The BIOS-level user identity authentication unit 15 starts and waits for the user to insert the IC card; it judges whether the inserted IC card is legal, continuing execution if it is and hanging the system otherwise; it then prompts the user to enter a user name and PIN code. The entered user name and PIN code are converted into data and sent to the secure hard disk 7, which compares them against the user information it stores to determine whether this is a legitimate user. If so, it queries and feeds back the user's I/O interface control information by user name; otherwise it feeds back that the user is invalid and prohibits data read and write operations.
[0026] After identity authentication has passed, the BIOS-level hardware integrity measurement unit 18 measures the integrity of key hardware such as the optical drive and network card. The measurement compares the device information of the system's current key hardware with the device information pre-configured in the SOPC security chip 6. If key hardware is abnormal or has been replaced, the system hangs automatically and the administrator must re-authenticate it.
[0027] After the integrity measurement has passed, the BIOS-level I/O interface control unit 16 enables or disables the corresponding I/O interfaces, including the network interface, USB interface, serial port, parallel port, optical drive, PCI devices and PCI-E devices. The administrator may use all I/O interfaces.
[0028] After I/O interface control is complete, the operating system security loading unit 19 controls the loading and booting of the operating system. When the currently logged-in user is an ordinary user, it boots directly into the operating system pre-installed on the secure hard disk 7, which prevents users from damaging the trusted and secure computer, or stealing files and data from it, by booting software such as a WINDOWS PE system; when the current user is an administrator, the operating system on the secure hard disk 7 or on a CD is loaded according to the boot sequence set in CMOS.
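As an added illustration that is not code from the patent, the following Python models the fail-closed BIOS chain of paragraphs [0024] to [0028] in the order the text gives: secure hard disk authentication, IC card plus user name/PIN check against records held by the secure hard disk, hardware integrity measurement against a pre-configured inventory, the per-user I/O interface enable table, and boot-source selection. The disk identifier, the hardware inventory, the user records, the salted PIN hashing and the `Hang` exception are constructed assumptions; the patent does not say how the secure hard disk stores or compares credentials, only that invalid users are refused and that failures hang the system.

```python
import hashlib
import hmac

# --- Constructed reference data (hypothetical values, not from the patent) ---
# What the SOPC security chip 6 is assumed to hold for unit 18 to compare against.
EXPECTED_HARDWARE = {
    "optical_drive": "ODD-MODEL-X serial:CONSTRUCTED-1",
    "network_card": "NIC-MODEL-Y mac:02:00:00:00:00:01",
}
# I/O interfaces that unit 16 can enable or disable (the list in [0027]).
ALL_INTERFACES = ("network", "usb", "serial", "parallel", "optical", "pci", "pcie")
EXPECTED_DISK_ID = "SECURE-HDD-7-CONSTRUCTED"


def _credential_hash(username, pin, salt=b"constructed-salt"):
    # Assumption: the secure hard disk stores a salted hash, never the PIN itself.
    return hashlib.pbkdf2_hmac("sha256", f"{username}:{pin}".encode(), salt, 50_000)


# User records assumed to live on the secure hard disk 7 (constructed).
USER_DB = {
    "alice": {"role": "ordinary", "cred": _credential_hash("alice", "1234"),
              "interfaces": {"usb"}},
    "admin": {"role": "administrator", "cred": _credential_hash("admin", "9876"),
              "interfaces": set(ALL_INTERFACES)},
}


class Hang(Exception):
    """Raised wherever the patent says the system hangs; nothing later runs."""


def authenticate_disk(disk_info):
    """Unit 14: judge legality from the device information the disk feeds back."""
    if disk_info.get("device_id") != EXPECTED_DISK_ID:
        raise Hang("secure hard disk is not legal")


def authenticate_user(card_is_legal, username, pin):
    """Unit 15: IC card legality first, then user name + PIN against disk records."""
    if not card_is_legal:
        raise Hang("inserted IC card is not legal")
    record = USER_DB.get(username)
    # compare_digest keeps comparison time independent of where a mismatch occurs
    if record is None or not hmac.compare_digest(record["cred"],
                                                 _credential_hash(username, pin)):
        raise Hang("invalid user; data read/write prohibited")
    return record


def measure_hardware(current_inventory):
    """Unit 18: any changed, missing or added key device fails the measurement."""
    if current_inventory != EXPECTED_HARDWARE:
        raise Hang("key hardware abnormal or replaced; administrator must re-authenticate")


def io_interface_table(record):
    """Unit 16: enable table per user; administrators get every interface."""
    return {name: name in record["interfaces"] for name in ALL_INTERFACES}


def select_boot_order(record, cmos_order):
    """Unit 19: ordinary users always boot the secure hard disk; admins follow CMOS."""
    return ["secure_hdd"] if record["role"] == "ordinary" else list(cmos_order)


def boot(disk_info, card_is_legal, username, pin, current_inventory,
         cmos_order=("cdrom", "secure_hdd")):
    """Run the chain in the patent's order; return the resulting state or the hang reason."""
    try:
        authenticate_disk(disk_info)
        record = authenticate_user(card_is_legal, username, pin)
        measure_hardware(current_inventory)
        return {"role": record["role"],
                "io": io_interface_table(record),
                "boot_order": select_boot_order(record, cmos_order)}
    except Hang as reason:
        return {"hang": str(reason)}


if __name__ == "__main__":
    good_disk = {"device_id": EXPECTED_DISK_ID}
    print(boot(good_disk, True, "alice", "1234", dict(EXPECTED_HARDWARE)))
    print(boot(good_disk, True, "alice", "1234",
               dict(EXPECTED_HARDWARE, network_card="NIC-MODEL-Z mac:02:00:00:00:00:09")))
```

Each stage raises rather than returning a status, so a later stage cannot run on a failed earlier one; that is the property the patent's "the system hangs" wording describes, and it is the check worth preserving if the chain is ever reordered.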
[0029] After each security control unit of the security-enhanced BIOS system 11 has finished executing, the operating-system-level user identity authentication unit 20 is loaded and authenticates the logged-in user on the basis of "IC card + user PIN". The authentication principle is the same as that of the BIOS-level user identity authentication unit 15.
[0030] The hardware resource control unit 21 is loaded; it enables or disables the printers and USB interface devices connected to the system according to the user's authority information.
[0031] The software resource control unit 22 is loaded; it intercepts all software resource access commands and controls specific files and programs in the system according to the user's authority information. Under read-only permission it responds correctly only to read commands and returns error status information for commands such as delete, write and rename; under no-access permission it returns error status information for all commands; by default the user can perform any operation on files and programs.
[0032] The secure network communication unit 23 is loaded; it filters network data packets on the basis of the IP address and host hardware platform information. For a sent packet, if the destination address in the IP address field is not allowed access, the packet is discarded; otherwise the hardware platform information of the local system is added to the IP option field of the packet, which is then passed to the lower layer. For a received packet, the source address in the IP address field is extracted and the hardware platform information of the sending host is judged; if access is not allowed the packet is discarded, otherwise the received packet is passed to the upper layer.
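As an added example that is not part of the patent, the following Python builds real IPv4 headers and implements both directions of the filter in [0032]: an outbound packet to a destination outside the allow set is dropped, otherwise the local hardware platform identifier is appended as an IP option before the packet goes down the stack; an inbound packet is passed up only if its source address and the identifier it carries match the allow table. The option type 0x9E (RFC 4727 experimental option number 30 with the copied flag set), the identifier values and the allow tables are assumptions; the patent names no option type and does not describe the identifier's format.

```python
import socket
import struct

# Option type chosen as an assumption: RFC 4727 experimental option number 30
# with the "copied" flag set (0x9E). The patent names no option type.
HW_OPTION_TYPE = 0x9E
MAX_HW_INFO = 38  # IPv4 options are limited to 40 bytes, minus type and length


def _checksum(data):
    """Standard ones'-complement IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, payload, options=b"", proto=17):
    """Assemble an IPv4 packet; options are padded to a 4-byte boundary."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                         0, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst)) + options
    header = header[:10] + struct.pack("!H", _checksum(header)) + header[12:]
    return header + payload


def parse_ipv4(pkt):
    """Return (src, dst, options, payload) from a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    return (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]),
            pkt[20:ihl], pkt[ihl:])


def hw_info_from_options(options):
    """Walk the option list; return the hardware-platform value or None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:            # End of Option List
            return None
        if kind == 1:            # No-Operation, single byte
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            return None          # truncated or malformed length: treat as absent
        length = options[i + 1]
        if kind == HW_OPTION_TYPE:
            return options[i + 2:i + length]
        i += length
    return None


def filter_outbound(pkt, allowed_dst, local_hw_info):
    """Drop packets to disallowed destinations; otherwise tag with local hw info."""
    src, dst, options, payload = parse_ipv4(pkt)
    if dst not in allowed_dst:
        return None
    if len(local_hw_info) > MAX_HW_INFO:
        raise ValueError("hardware platform info too long for an IP option")
    option = bytes([HW_OPTION_TYPE, 2 + len(local_hw_info)]) + local_hw_info
    return build_ipv4(src, dst, payload, options + option)


def filter_inbound(pkt, allowed_peers):
    """Pass the payload up only if source address and carried hw info match the table."""
    src, _dst, options, payload = parse_ipv4(pkt)
    carried = hw_info_from_options(options)
    if carried is None or allowed_peers.get(src) != carried:
        return None
    return payload


if __name__ == "__main__":
    # Constructed identifiers for two hosts (hypothetical values).
    local, peer = b"HW-PLATFORM-A", b"HW-PLATFORM-B"
    tagged = filter_outbound(build_ipv4("10.0.0.1", "10.0.0.2", b"hello"), {"10.0.0.2"}, local)
    print(tagged.hex())
    print(filter_inbound(tagged, {"10.0.0.1": local}))   # b'hello'
    print(filter_inbound(tagged, {"10.0.0.1": peer}))    # None
```

Two caveats a reviewer of this design would raise: the identifier travels in the clear and is only an identifier, so the inbound check confirms that a packet claims a platform, not that it came from one; binding the option to the packet with a keyed MAC, or running the traffic over an authenticated transport, is what would make it proof. IP options are also routinely stripped or rejected by intermediate routers, so a filter like this is practical only on a controlled network segment.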
[0033] While the operating system is in use, if the user removes the IC card the system locks automatically and closes all USB ports at the same time; when the user reinserts the IC card, the PIN code must be entered to log in again.
[0034] After the above steps have been carried out, the trusted and secure computer system has started and runs successfully.


