US-12625943-B2 - USB peripheral authentication method, embedded system, and storage medium
Abstract
The present invention relates to the technical field of USB device authentication, and in particular to a USB peripheral authentication method, an embedded system, and a storage medium. The method includes: verifying a user identity, and accessing a USB device authentication credential generation program of a legitimate user; acquiring USB device ID information, embedded system ID information, and a salt value generated by a random number generator; associating the information by means of a secure unit, using the information as an input, generating a key pair, and issuing a self-signed certificate; placing the information into a storage area of the secure unit, and returning the self-signed certificate and the salt value to the USB device or the user; and when the USB device is accessed, verifying whether the information matches, if yes, activating a USB communication function, or otherwise, disabling the communication function of the USB device.
Inventors
- Zhixin CHEN
- Caihui ZHANG
Assignees
- HUIZHOU DESAY SV INTELLIGENT TRANSPORTATION TECHNOLOGICAL INSTITUTE CO., LTD
Dates
- Publication Date: 2026-05-12
- Application Date: 2023-09-25
- Priority Date: 2022-11-17
Claims (14)
- 1. A Universal Serial Bus (USB) peripheral authentication method, characterized in that the method is applied to an embedded system which comprises a security unit, a storage unit and a processor, and the method comprises: verifying an identity of a user and accessing a USB device authentication credential generation program for a legitimate user; acquiring identity (ID) information of a USB device, ID information of the embedded system, and a salt value generated by a random number generator; associating the ID information of the USB device, the ID information of the embedded system, and the salt value generated by the random number generator through the security unit, and using same as an input for generating a key pair and issuing a self-signed certificate; inserting the ID information of the USB device, the ID information of the embedded system, the salt value, and the key pair in a storage area of the security unit, and returning the self-signed certificate and the salt value to the USB device or the user; when the USB device is accessed, verifying whether the self-signed certificate and the salt value of the USB device or the user match the information in the storage area of the security unit; if yes, activating a USB communication function; otherwise, disabling the communication function of the USB device.
- 2. The USB peripheral authentication method according to claim 1, characterized in that after the step of accessing the USB device authentication credential generation program for the legitimate user, the method further comprises: checking whether the accessed USB device has a storage function; if the USB device has the storage function, after generating the key pair and issuing the self-signed certificate, storing the self-signed certificate and the salt value in a hidden partition of the USB device, and calling, during verification, the self-signed certificate and the salt value in the hidden partition of the USB device for verification; and if the USB device does not have the storage function, setting a password after reading the USB device, returning the salt value to the user after the salt value is generated, storing the self-signed certificate in the storage area of the security unit, and reading, during verification, the password and the salt value entered by the user for verification.
- 3. The USB peripheral authentication method according to claim 2, wherein the step of calling the self-signed certificate and the salt value in the hidden partition of the USB device for verification comprises: calling the salt value and the self-signed certificate in the hidden partition of the USB device, and searching for the key pair in the storage area of the security unit according to the salt value; verifying the self-signed certificate through the key pair obtained by searching to determine whether the information of the self-signed certificate matches the information in the storage area of the security unit; if yes, activating the communication function of the USB device; otherwise, disabling the communication of the USB device.
- 4. The USB peripheral authentication method according to claim 2, characterized in that the step of setting the password after reading the USB device comprises: prompting the user to enter the password through a human-computer interaction interface; receiving the password through a security keyboard of the security unit, calculating a hash value of the password in the security unit and storing same; and using the hash value of the password as one of the inputs to generate the key pair and issue the self-signed certificate.
- 5. The USB peripheral authentication method according to claim 4, characterized in that the step of reading, during verification, the password and the salt value entered by the user for verification specifically comprises: prompting the user to input the salt value through the human-computer interaction interface; acquiring a key according to the input salt value, and extracting a password hash value and verification information from the self-signed certificate through the key; prompting the user to enter the password through the human-computer interaction interface; calculating the hash value of the input password and comparing same with the password hash value in the self-signed certificate; if the two hash values are consistent, determining whether the information of the self-signed certificate matches the information in the storage area of the security unit; if yes, activating the communication function of the USB device; otherwise, disabling the communication of the USB device.
- 6. The USB peripheral authentication method according to claim 1, characterized in that the step of acquiring ID information of the USB device, ID information of the embedded system, and the salt value generated by the random number generator comprises: reading the ID information of the USB device; acquiring the ID information of the embedded system; and generating a random number through the random number generator of the security unit as the salt value.
- 7. The USB peripheral authentication method according to claim 1, characterized in that: the ID information of the USB device comprises a device ID and a manufacturer ID, and the ID information of the embedded system comprises a manufacturer ID, a model ID and a processor ID.
- 8. The USB peripheral authentication method according to claim 1, characterized in that the security unit comprises one of Trusted Execution Environment (TEE) and Secure Element (SE).
- 9. A non-transitory storage medium, characterized in that the non-transitory storage medium has a computer program stored thereon, and the computer program, when executed by a processor, implements a Universal Serial Bus (USB) peripheral authentication method as follows: verifying an identity of a user and accessing a USB device authentication credential generation program for a legitimate user; acquiring identity (ID) information of a USB device, ID information of the embedded system, and a salt value generated by a random number generator; associating the ID information of the USB device, the ID information of the embedded system, and the salt value generated by the random number generator through the security unit, and using same as an input for generating a key pair and issuing a self-signed certificate; inserting the ID information of the USB device, the ID information of the embedded system, the salt value, and the key pair in a storage area of the security unit, and returning the self-signed certificate and the salt value to the USB device or the user; when the USB device is accessed, verifying whether the self-signed certificate and the salt value of the USB device or the user match the information in the storage area of the security unit; if yes, activating a USB communication function; otherwise, disabling the communication function of the USB device.
- 10. The non-transitory storage medium according to claim 9, characterized in that after the step of accessing the USB device authentication credential generation program for the legitimate user, the method further comprises: checking whether the accessed USB device has a storage function; if the USB device has the storage function, after generating the key pair and issuing the self-signed certificate, storing the self-signed certificate and the salt value in a hidden partition of the USB device, and calling, during verification, the self-signed certificate and the salt value in the hidden partition of the USB device for verification; and if the USB device does not have the storage function, setting a password after reading the USB device, returning the salt value to the user after the salt value is generated, storing the self-signed certificate in the storage area of the security unit, and reading, during verification, the password and the salt value entered by the user for verification.
- 11. The non-transitory storage medium according to claim 10, wherein the step of calling the self-signed certificate and the salt value in the hidden partition of the USB device for verification comprises: calling the salt value and the self-signed certificate in the hidden partition of the USB device, and searching for the key pair in the storage area of the security unit according to the salt value; verifying the self-signed certificate through the key pair obtained by searching to determine whether the information of the self-signed certificate matches the information in the storage area of the security unit; if yes, activating the communication function of the USB device; otherwise, disabling the communication of the USB device.
- 12. The non-transitory storage medium according to claim 10, characterized in that the step of setting the password after reading the USB device comprises: prompting the user to enter the password through a human-computer interaction interface; receiving the password through a security keyboard of the security unit, calculating a hash value of the password in the security unit and storing same; and using the hash value of the password as one of the inputs to generate the key pair and issue the self-signed certificate.
- 13. The non-transitory storage medium according to claim 12, characterized in that the step of reading, during verification, the password and the salt value entered by the user for verification specifically comprises: prompting the user to input the salt value through the human-computer interaction interface; acquiring a key according to the input salt value, and extracting a password hash value and verification information from the self-signed certificate through the key; prompting the user to enter the password through the human-computer interaction interface; calculating the hash value of the input password and comparing same with the password hash value in the self-signed certificate; if the two hash values are consistent, determining whether the information of the self-signed certificate matches the information in the storage area of the security unit; if yes, activating the communication function of the USB device; otherwise, disabling the communication of the USB device.
- 14. The non-transitory storage medium according to claim 9, characterized in that the step of acquiring ID information of the USB device, ID information of the embedded system, and the salt value generated by the random number generator comprises: reading the ID information of the USB device; acquiring the ID information of the embedded system; and generating a random number through the random number generator of the security unit as the salt value.
Description
TECHNICAL FIELD
The present invention relates to the technical field of USB device authentication, in particular to a USB peripheral authentication method, an embedded system, and a storage medium.

BACKGROUND OF THE INVENTION
In embedded systems such as the in-vehicle infotainment (IVI) products of automotive electronics, it is necessary to provide universal serial bus (USB) interfaces and the corresponding connection functions externally. Users connect USB flash drives, USB HID devices (human interface devices such as keyboards and mice), mobile phones and other devices to them to use USB multimedia playback, IVI games, mobile phone interconnection and other functions, and so get a rich smart cabin experience. However, the USB protocol has an inherent security defect: any USB device can enumerate itself as any type of USB device and obtain the corresponding functions, as long as it follows the definition of the USB protocol. For example, a USB disk with customized firmware can enumerate itself as a USB keyboard; once that "keyboard" has access to the embedded system, it can type a link to a malicious website so that malicious code is fetched and run on the machine. A USB charger can likewise enumerate itself as a USB data transfer device to steal data from the system. This kind of attack, based on modified USB device firmware, cannot be identified by security protection measures such as anti-virus software, because the host sees only a device that conforms to the protocol; the use of USB peripherals in current embedded systems therefore carries security risks.

BRIEF SUMMARY OF THE INVENTION
In order to solve the technical problem that, in a current embedded system, a USB peripheral is prone to being enumerated as a USB transmission device and stealing the data of the system, the present invention provides a USB peripheral authentication method, an embedded system, and a storage medium. In order to solve the above-mentioned technical problems, the present invention adopts the following technical solutions.
A USB peripheral authentication method is applied to an embedded system. The system includes a security unit, a storage unit and a processor. The method includes:
- verifying an identity of a user and accessing a USB device authentication credential generation program for a legitimate user;
- acquiring ID information of a USB device, ID information of the embedded system, and a salt value generated by a random number generator;
- associating the ID information of the USB device, the ID information of the embedded system, and the salt value generated by the random number generator through the security unit, and using same as an input for generating a key pair and issuing a self-signed certificate;
- inserting the ID information of the USB device, the ID information of the embedded system, the salt value, and the key pair in a storage area of the security unit, and returning the self-signed certificate and the salt value to the USB device or the user;
- when the USB device is accessed, verifying whether the self-signed certificate and the salt value of the USB device or the user match the information in the storage area of the security unit; if yes, activating a USB communication function; otherwise, disabling the communication function of the USB device.

Further, after the accessing a USB device authentication credential generation program for a legitimate user, the method further includes:
- checking whether the accessed USB device has a storage function;
- if the USB device has the storage function, after generating the key pair and issuing the self-signed certificate, storing the self-signed certificate and the salt value in a hidden partition of the USB device, and calling, during verification, the self-signed certificate and the salt value in the hidden partition of the USB device for verification; and
- if the USB device does not have the storage function, setting a password after reading the USB device, returning the salt value to the user after the salt value is generated, storing the self-signed certificate in the storage area of the security unit, and reading, during verification, the password and the salt value entered by the user for verification.

Further, the calling the self-signed certificate and the salt value in the hidden partition of the USB device for verification includes:
- calling the salt value and the self-signed certificate in the hidden partition of the USB device, and searching for the key pair in the storage area of the security unit according to the salt value;
- verifying the self-signed certificate through the key pair obtained by searching to determine whether the information of the self-signed certificate matches the information in the storage area of the security unit;
- if yes, activating the communication function of the USB device; otherwise, disabling the communication of the USB device.

Further, the setting a password after reading the USB device includes: prompting the user to enter the password through the human-computer interaction in
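The enrollment and verification procedure of claims 1 to 5, as restated in the summary above, carried through end to end in Go as an added example; this is not code from the patent or from any product of the assignee. The security unit's storage area is stood in for by a Go struct (`SecureUnit`, `Enroll`, `Verify` and `binding` are names chosen here), the key pair is Ed25519 and the self-signed certificate is X.509, both from the Go standard library, and the password is hashed with SHA-256; every device ID, system ID, password and master secret below is constructed for the example. One assumption goes beyond the claims: the key pair is derived from the bound IDs and salt together with a secret held only inside the unit (`master`), because a key derived from the IDs and a salt that is itself written to the device's hidden partition could be regenerated by anyone who reads that partition.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"math/big"
	"time"
)

// Constructed ID fields after claim 7: device + manufacturer ID; maker, model, processor ID.
type USBID struct{ DeviceID, VendorID string }
type SystemID struct{ Maker, Model, ProcessorID string }

// record is one entry in the unit's storage area: key pair, password hash (no-storage path) and cert.
type record struct {
	priv         ed25519.PrivateKey
	pwHash, cert []byte
}

// SecureUnit stands in for the TEE/SE; records are indexed by salt for claim 3's lookup.
// master is an ASSUMPTION beyond the claims: a per-unit secret mixed into key derivation.
type SecureUnit struct {
	self   SystemID
	master []byte
	store  map[string]*record
}

func NewSecureUnit(self SystemID, master []byte) *SecureUnit {
	return &SecureUnit{self: self, master: master, store: map[string]*record{}}
}

// binding hashes device ID, system ID, salt and optional password hash; it seeds the key pair and is the cert Subject.
func (su *SecureUnit) binding(u USBID, salt, pwHash []byte) string {
	ids := u.DeviceID + "\x00" + u.VendorID + "\x00" + su.self.Maker + "\x00" + su.self.Model + "\x00" + su.self.ProcessorID
	h := sha256.Sum256(append(append([]byte(ids+"\x00"), salt...), pwHash...)) // salt has fixed length
	return hex.EncodeToString(h[:])
}

// Enroll is the credential generation program (user already verified). It returns cert and salt for the hidden
// partition; a device without storage is bound to a password instead (claim 2) and the user is shown only the salt.
func (su *SecureUnit) Enroll(u USBID, hasStorage bool, password string) (certDER, salt []byte, err error) {
	salt = make([]byte, 16)
	if _, err = rand.Read(salt); err != nil {
		return nil, nil, err
	}
	var pwHash []byte
	if !hasStorage { // claim 4: the password is hashed inside the unit and becomes a key-pair input
		h := sha256.Sum256([]byte(password))
		pwHash = h[:]
	}
	bind := su.binding(u, salt, pwHash)
	// The unit's master secret is mixed in: from IDs + salt alone anyone reading the partition could regenerate the key.
	seed := sha256.Sum256(append(append([]byte{}, su.master...), bind...))
	priv := ed25519.NewKeyFromSeed(seed[:])
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: bind},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour)}
	if certDER, err = x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv); err != nil {
		return nil, nil, err
	}
	su.store[hex.EncodeToString(salt)] = &record{priv: priv, pwHash: pwHash, cert: certDER}
	return certDER, salt, nil
}

// Verify runs when a device is plugged in: u is the ID it enumerates with; certDER and salt come from
// the hidden partition, or salt and password from the user with certDER nil. true activates USB.
func (su *SecureUnit) Verify(u USBID, certDER, salt []byte, password string) (bool, error) {
	rec, ok := su.store[hex.EncodeToString(salt)]
	if !ok {
		return false, errors.New("salt not enrolled")
	}
	if certDER == nil && rec.pwHash != nil {
		certDER = rec.cert // no-storage path: the unit holds the certificate (claim 2)
	}
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return false, err
	}
	// Claim 3: verify with the key pair found via the salt, not with the key inside the presented cert.
	if !ed25519.Verify(rec.priv.Public().(ed25519.PublicKey), cert.RawTBSCertificate, cert.Signature) {
		return false, errors.New("certificate not signed by stored key")
	}
	if rec.pwHash != nil { // claim 5: hash the typed password and compare in constant time
		h := sha256.Sum256([]byte(password))
		if subtle.ConstantTimeCompare(h[:], rec.pwHash) != 1 {
			return false, errors.New("password mismatch")
		}
	}
	// Rebind with the plugged-in device's ID and this unit's ID: a cert copied to another stick or another head unit fails.
	if cert.Subject.CommonName != su.binding(u, salt, rec.pwHash) {
		return false, errors.New("certificate does not match stored information")
	}
	return true, nil
}
```

Verification recomputes the binding from the ID the plugged-in device enumerates with, so a certificate and salt copied from one stick onto another, a certificate presented with a different enrollment's salt, or a credential issued by another head unit is rejected; the password path keeps the certificate inside the unit and accepts only the salt and password the user types. What the scheme cannot do is detect a device whose firmware reports the enrolled device ID and manufacturer ID while exposing a different function, because those IDs are self-reported during enumeration: the certificate proves that an enrollment took place on this unit for those IDs, not that the hardware behind them is unchanged.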