
CN-121997339-A - Host computer safe starting-up system and method based on intelligent finger ring and firmware layer control


Abstract

The invention discloses a host secure start-up system and method based on intelligent ring and firmware layer control, relating to the technical field of computer information security and firmware security. The system comprises an intelligent ring terminal, which stores a first key fragment and a private key; a BIOS/UEFI firmware authentication module, which carries out first authentication with the intelligent ring terminal when the system is started and determines whether the system is allowed to be started according to a first authentication result, the first authentication being carried out based on the first key fragment and a second key fragment; and an operating system login authentication module, which stores a public key, carries out second authentication with the intelligent ring terminal and determines whether a user can enter the system according to a second authentication result, the second authentication being carried out based on the private key, the public key and the session key. The intelligent ring cooperates with the host firmware to realize dual authentication (firmware layer authentication and operating system layer authentication) when the host is started, and the system is suitable for scenarios with high requirements on host security, such as government, finance and enterprise terminals.

Inventors

  • NIE QIBIAO
  • DAI MIN
  • GONG YIMING
  • YE XING

Assignees

  • 大连九锁网络有限公司

Dates

Publication Date
20260508
Application Date
20260126

Claims (10)

  1. A host computer security start-up system based on intelligent ring and firmware layer control, characterized by comprising: an intelligent ring terminal, used for storing the first key fragment and the private key; a BIOS/UEFI firmware authentication module, a host security storage module, a session key generation module, a first authentication module and a second authentication module, wherein the BIOS/UEFI firmware authentication module is used for carrying out first authentication with the intelligent ring terminal when the system is started and determining whether the system is allowed to be started according to a first authentication result; and an operating system login authentication module, which is loaded after the system is started, is used for storing a public key, cooperates with the intelligent ring terminal to carry out second authentication, and determines whether a user can enter the system according to a second authentication result, wherein the second authentication is carried out based on the private key, the public key and the session key.
  2. The system for securely booting a host based on intelligent finger ring and firmware layer control of claim 1, wherein the host secure storage module is implemented by a trusted platform module (TPM) built into the host.
  3. The system for securely booting a host based on intelligent finger ring and firmware layer control of claim 1, wherein the first authentication comprises: the BIOS/UEFI firmware authentication module generates a first random challenge and sends the first random challenge to the intelligent ring terminal; the intelligent ring terminal calculates a first check value by using the first random challenge and the first key fragment; the BIOS/UEFI firmware authentication module invokes the host security storage module, and calculates a second check value by using the first random challenge and a second key fragment stored in the host security storage module; the BIOS/UEFI firmware authentication module splices the first check value and the second check value and executes a hash operation to obtain a third check value; the BIOS/UEFI firmware authentication module judges whether the third check value is consistent with the reference check value, and if so, the firmware layer authentication passes and the system is allowed to continue starting; and the second authentication comprises: the operating system authentication module generates a second random challenge and sends the second random challenge to the intelligent ring terminal; the intelligent ring terminal calls a private key to sign the second random challenge, and returns a signature result; the operating system authentication module verifies the signature result by using the public key to confirm the identity of the ring; the operating system authentication module generates a random number and sends the random number to the intelligent ring terminal; the intelligent ring terminal calls a session key generated by a secure storage module, encrypts the random number by using the session key to obtain a ciphertext, and returns the ciphertext to the operating system authentication module; the operating system authentication module decrypts the ciphertext by using the session key to obtain a decrypted random number; if the decrypted random number is the same as the generated random number, the authentication of the operating system layer is successful, and the user is allowed to log in to the operating system.
  4. The host secure boot system based on intelligent finger ring and firmware layer control according to claim 1, wherein the intelligent ring terminal ensures key security through a built-in SE secure chip.
  5. A host computer secure start-up method based on intelligent finger ring and firmware layer control, characterized by applying the host computer secure start-up system based on intelligent finger ring and firmware layer control as claimed in any one of claims 1-4, wherein the method comprises the following steps: after the host is powered on, the BIOS/UEFI firmware authentication module and the intelligent ring terminal perform first authentication, wherein the first authentication comprises: the BIOS/UEFI firmware authentication module generates a first random challenge and sends the first random challenge to the intelligent ring terminal; the intelligent ring terminal calculates a first check value by using the first random challenge and the first key fragment; the BIOS/UEFI firmware authentication module invokes the host security storage module, and calculates a second check value by using the first random challenge and a second key fragment stored in the host security storage module; the BIOS/UEFI firmware authentication module splices the first check value and the second check value, and performs a hash operation with the second key fragment to obtain a third check value; the BIOS/UEFI firmware authentication module judges whether the third check value is consistent with the reference check value, and if so, the firmware layer authentication passes and the system is allowed to continue starting; if the first authentication passes, the operating system login authentication module and the intelligent ring terminal perform second authentication, wherein the second authentication comprises the following steps: the operating system authentication module generates a second random challenge and sends the second random challenge to the intelligent ring terminal; the intelligent ring terminal calls a private key to sign the second random challenge, and returns a signature result; the operating system authentication module verifies the signature result by using the public key to confirm the identity of the ring; the operating system authentication module generates a random number and sends the random number to the intelligent ring terminal; the intelligent ring terminal calls a session key generated by a secure storage module, encrypts the random number by using the session key to obtain a ciphertext, and returns the ciphertext to the operating system authentication module; the operating system authentication module decrypts the ciphertext by using the session key to obtain a decrypted random number; if the decrypted random number is the same as the generated random number, the authentication of the operating system layer is successful, and the user is allowed to log in to the operating system.
  6. The method for secure boot-up of a host based on intelligent finger ring and firmware layer control of claim 5, wherein calculating a first check value using the first random challenge and the first key fragment comprises: R1' = HMAC-SHA256(R1, Kb1); wherein R1' represents the first check value, R1 represents the first random challenge, Kb1 represents the first key fragment, and HMAC-SHA256 is a key-based message authentication algorithm; and calculating a second check value by using the first random challenge and a second key fragment stored in the host secure storage module comprises: R1'' = HMAC-SHA256(R1, Kb2); wherein R1'' represents the second check value, R1 represents the first random challenge, and Kb2 represents the second key fragment.
  7. The method for secure boot-up of a host based on intelligent finger ring and firmware layer control of claim 6, wherein splicing the first check value and the second check value and performing a hash operation with the second key fragment to obtain a third check value comprises: CheckVal = HMAC-SHA256(R1' || R1'', Kb2); wherein || represents the byte concatenation operation, and CheckVal represents the third check value.
  8. The method for secure boot-up of a host based on smart ring and firmware layer control of claim 7, wherein generating a session key based on the first key fragment and the second key fragment comprises: Ky = HKDF(R1_combined, Kb1 || Kb2); wherein Ky represents the session key, which is generated only at run-time, R1_combined represents the salt value, and HKDF is an HMAC-based key derivation function.
  9. The method for securely booting a host based on intelligent ring and firmware layer control of claim 5, further comprising binding the user's intelligent ring to the host device prior to host secure boot authentication, comprising: after receiving a binding request initiated by an administrator or a user to the operating system end in a trusted environment, the firmware end reads and calculates a TPM platform integrity measurement value and returns the TPM platform integrity measurement value to the operating system end; the operating system end detects the newly connected intelligent ring, reads its ring serial number and records it in the context of the binding flow; after receiving the random challenge value, the intelligent ring terminal signs the random challenge value by using the private key in the ring, calculates a first partial check value for the random challenge value by using the first key fragment stored in the ring, and returns the first partial check value to the operating system end; the operating system end sends the signature and the partial check value returned by the intelligent ring to the firmware end to request the firmware to participate in verification; the firmware end calculates a second partial check value by using the second key fragment and checks it in combination with the first partial check value provided by the ring; the operating system end generates a binding record after receiving a successful verification result, stores the binding record locally and synchronizes policy parameters to an enterprise/local policy library; after the data is written into the firmware end, binding completion confirmation information is returned to the operating system end, and the operating system end notifies the administrator/user of successful binding according to the binding completion confirmation information.
  10. The method for securely booting a host based on intelligent ring and firmware layer control of claim 9, wherein unbinding the user's intelligent ring and host device comprises: the operating system end triggers a secondary confirmation after receiving a ring unbinding request initiated by an administrator, wherein the ring unbinding request comprises the user ID to be unbound and a ring serial number; after the secondary confirmation is passed, the operating system end initiates an unbinding request to the firmware end, designating the ring serial number to be unbound; after receiving the unbinding request, the firmware end unbinds the ring serial number to be unbound, clears the reference check value related to that ring serial number, sets the binding completion mark to False, and returns unbinding completion to the operating system end; after receiving the firmware unbinding confirmation, the operating system end deletes the stored binding relation between the user ID, the ring serial number to be unbound and the public key, updates the local binding database, and marks the binding state as logged off; the operating system end returns the unbinding result to the administrator and indicates that unbinding is completed.
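
The check-value and session-key formulas of claims 6 to 8, written out as an added example (not code from the patent or the applicant). Assumptions: the second argument of HMAC-SHA256 is the key; the claims shown do not say how the reference check value is provisioned or how the salt R1_combined is built, so both are passed in by the caller; all function names are hypothetical and the key material is constructed sample data.

```python
import hashlib
import hmac
import secrets


def hmac_sha256(message: bytes, key: bytes) -> bytes:
    # Argument order follows the claims: HMAC-SHA256(message, key).
    return hmac.new(key, message, hashlib.sha256).digest()


def ring_check_value(r1: bytes, kb1: bytes) -> bytes:
    """Ring side (claim 6): R1' = HMAC-SHA256(R1, Kb1)."""
    return hmac_sha256(r1, kb1)


def firmware_check_value(r1: bytes, r1_ring: bytes, kb2: bytes) -> bytes:
    """Firmware side (claims 6-7): R1'' = HMAC-SHA256(R1, Kb2), then CheckVal."""
    r1_host = hmac_sha256(r1, kb2)
    return hmac_sha256(r1_ring + r1_host, kb2)  # HMAC-SHA256(R1' || R1'', Kb2)


def firmware_allows_boot(check_val: bytes, reference: bytes) -> bool:
    # Constant-time comparison so the check does not leak matching prefixes.
    return hmac.compare_digest(check_val, reference)


def hkdf_sha256(salt: bytes, ikm: bytes, info: bytes = b"", length: int = 32) -> bytes:
    """HKDF per RFC 5869 (extract, then expand) built on HMAC-SHA256."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def session_key(salt: bytes, kb1: bytes, kb2: bytes) -> bytes:
    """Claim 8: Ky = HKDF(R1_combined, Kb1 || Kb2); salt construction is assumed."""
    return hkdf_sha256(salt, kb1 + kb2)


if __name__ == "__main__":
    # Constructed sample values, not taken from the patent.
    kb1, kb2 = secrets.token_bytes(32), secrets.token_bytes(32)
    r1 = secrets.token_bytes(32)
    reference = firmware_check_value(r1, ring_check_value(r1, kb1), kb2)
    genuine = firmware_check_value(r1, ring_check_value(r1, kb1), kb2)
    forged = firmware_check_value(r1, ring_check_value(r1, secrets.token_bytes(32)), kb2)
    print("genuine ring passes:", firmware_allows_boot(genuine, reference))
    print("wrong fragment passes:", firmware_allows_boot(forged, reference))
```

Because CheckVal depends on both fragments, a response computed with any other Kb1 fails the comparison even though the firmware never holds Kb1 itself.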

Description

Host computer safe starting-up system and method based on intelligent finger ring and firmware layer control

Technical Field

The invention relates to the technical field of computer information security and firmware security, in particular to a host security starting-up system and method based on intelligent finger ring and firmware layer control.

Background

Host start-up authentication is a core link in the field of computer security, used to ensure the legitimacy of device start-up authority. Conventional host power-on authentication uses a firmware password or a power-on password, or performs account password authentication only at operating system login. These approaches are easily bypassed (e.g., cross-machine startup from a mobile hard disk, system image replication, offline cracking, etc.). They also cannot prevent the device from being started in an unauthorized environment, and cannot bind a specific user to a specific host through the firmware layer.

Disclosure of Invention

In view of this, the invention provides a host security starting-up system and method based on intelligent finger ring and firmware layer control, in which an intelligent wearable device (intelligent finger ring) and the host firmware (BIOS/UEFI) cooperate to realize dual authentication ("firmware layer authentication + operating system layer authentication") for host start-up. It is suitable for scenarios with higher requirements on host security, such as government, finance and enterprise terminals.

For this purpose, the invention provides the following technical scheme:

In one aspect, the present invention provides a host secure boot system based on intelligent finger ring and firmware layer control, comprising: an intelligent ring terminal, used for storing the first key fragment and the private key; a BIOS/UEFI firmware authentication module, a host security storage module, a session key generation module, a first authentication module and a second authentication module, wherein the BIOS/UEFI firmware authentication module is used for carrying out first authentication with the intelligent ring terminal when the system is started and determining whether the system is allowed to be started according to a first authentication result; and an operating system login authentication module, which is loaded after the system is started, is used for storing a public key, cooperates with the intelligent ring terminal to carry out second authentication, and determines whether a user can enter the system according to a second authentication result, wherein the second authentication is carried out based on the private key, the public key and the session key.

Further, the host secure storage module is realized through a trusted platform module (TPM) arranged in the host.

Further, the first authentication includes: the BIOS/UEFI firmware authentication module generates a first random challenge and sends the first random challenge to the intelligent ring terminal; the intelligent ring terminal calculates a first check value by using the first random challenge and the first key fragment; the BIOS/UEFI firmware authentication module invokes the host security storage module, and calculates a second check value by using the first random challenge and a second key fragment stored in the host security storage module; the BIOS/UEFI firmware authentication module splices the first check value and the second check value and executes a hash operation to obtain a third check value; the BIOS/UEFI firmware authentication module judges whether the third check value is consistent with the reference check value, and if so, the firmware layer authentication passes and the system is allowed to continue starting.

The second authentication includes: the operating system authentication module generates a second random challenge and sends the second random challenge to the intelligent ring terminal; the intelligent ring terminal calls a private key to sign the second random challenge, and returns a signature result; the operating system authentication module verifies the signature result by using the public key to confirm the identity of the ring; the operating system authentication module generates a random number and sends the random number to the intelligent ring terminal; the intelligent ring terminal calls a session key generated by a secure storage module, encrypts the random number by using the session key to obtain a ciphertext, and returns the ciphertext to the operating system authentication module; the operating system authentication module decrypts the ciphertext by using the session key to obtain a decrypted random number; if the decrypted random number is the same as the generated random number, the authentication of the operating system layer is successful, and the user is allowed to log in to the operating system.

Further,