Two-stage safe starting system and method for domestic computer
Technical Field
The invention relates to the field of computer security, in particular to a two-stage security starting system and a two-stage security starting method for a domestic computer.
Background
The USBKey enhances the system safety when the computer operating system is started, realizes the reliable operation of the operating system, and is widely applied. A traditional operating system has security holes, and a user cannot determine whether the current system based on the USBKey is invaded by a virus program, so that security shielding and a protective layer are broken through, and illegal access and malicious operation are performed. The traditional safety protection is based on a secret key and software, the protection is unreliable and the performance is unstable, and an illegal user can break through the protection layer through BIOS bottom hardware to obtain the data information of the computer.
Disclosure of Invention
In order to solve the problems that the operating system is leaked safely and an illegal user can break through a protective layer and obtain data information of a computer through BIOS bottom hardware in the background technology, the invention provides a two-stage safe starting system and a two-stage safe starting method for a domestic computer.
In order to achieve the purpose, the invention adopts the following technical scheme:
a two-stage safe starting system of a domestic computer comprises a USBKey and a PMON firmware; the USBKey and the PMON firmware form two-stage safe starting of a domestic computer;
the first level of safe startup is as follows:
the USBKey is connected with the computer through a USB interface and is identified by the computer;
after the USBKey is connected with the computer, the USBKey is communicated with the computer to carry out first-level identity authentication;
the PMON firmware reads and analyzes the content stored in the USBKey, the MAC address in the PMON firmware is compared with the MAC address in the USBKey, if the MAC address in the PMON firmware is matched with the MAC address in the USBKey, the user name is prompted to be input, and if the user name is input correctly, the password is prompted to be input;
the second level of safe start-up is:
after the first-level identity authentication is finished, loading PMON firmware and starting an kylin operating system;
the kylin operating system carries out second-level identity authentication, the user interface layer prompts to input the kylin operating system password, after the user inputs the operating system password, the public key of the operating system and the private key of the USBKey respectively decrypt the password and then match the password, if the password is matched, the authentication is judged to be successful, and starting and login guiding are completed.
Wherein: the operating system and the USBKey adopt encrypted communication, namely: the manufacturer sets a public key for the operating system and a private key for the USBKey.
The working principle is as follows: inserting the USBKey into a computer through the USBKey and PMON firmware to perform first-level safety starting, detecting the USBKey by the PMON firmware, matching an MAC address in the PMON with an MAC address in the USBKey, prompting to input a user name if the USBKey is matched, prompting to input a password if the user name is input correctly, and finishing first-level safety starting, loading the PMON firmware and starting an operating system if the password is input correctly; and performing secondary safety starting, inputting the kylin operating system password, and finishing the secondary safety starting if the password is successfully input.
Further, the PMON stores the MAC address and the login password of the computer.
Further, the USBKey stores the MAC address, the user name and the password of the computer.
Furthermore, the USBKey is identified by the computer through a driving layer, and the driving layer is a USBKey driver meeting the USB protocol; the USBKey is communicated with a computer through a function realization layer, wherein the function realization layer is a USBKey operation interface and is a protocol for communication between the computer and the USBKey; in the first-stage identity authentication and the second-stage identity authentication, prompt information is displayed through a user interface layer, and the user interface layer comprises a starting authentication interface and a trusted boot interface, namely a user name and password input interface during starting authentication and a password input interface after entering an kylin operating system.
A two-stage safe starting method for a domestic computer comprises the following steps:
s1, connecting the USBKey with a computer through a USB interface;
s2, performing first-level identity authentication, reading and analyzing the content stored in the USBKey by the PMON firmware, comparing the MAC address in the PMON firmware with the MAC address in the USBKey, prompting to input a user name if the MAC address in the PMON firmware is matched with the MAC address in the USBKey, and prompting to input a password if the user name is correctly input;
s3, if the password is input correctly, loading the PMON firmware and starting the kylin operating system;
s4, performing second-level identity authentication, and inputting a kylin operating system password;
and S5, if the password is correctly input, finishing the starting.
Furthermore, if the PMON cannot be matched with the USBKey, the fact that no corresponding USBKey exists is prompted, and when a user inserts the USBKey, the process supports hot plug, and the user inserts the USBKey and then returns to the car to re-identify the USBKey.
Further, the number of times of wrong input of the user name and the password is 5, if the user name and the password are input for 5 times, an error message is prompted, and after the user presses to enter the car, the computer is powered off; if the USBKey is used for logging in the computer again, a security administrator needs to use a special tool of a manufacturer to reset the MAC address, the user name and the password of the USBKey.
Compared with the prior art, the invention has the following advantages and beneficial effects: the method can ensure the safety of the system starting process from two levels, wherein the first level is used for verifying the safety of the USBKey equipment, and the second level is used for verifying the safety of the operating system. After the two-stage safety starting control system and the two-stage safety starting control technology are used, the safety of a domestic computer system is improved, and powerful support is provided for users with high-level safety requirements.
Drawings
The accompanying drawings, which are included to provide a further understanding of the embodiments of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the principles of the invention.
FIG. 1 is a schematic block diagram of the components of the present invention;
FIG. 2 is a start-up flow chart of the present invention.
Detailed Description
The embodiments of the present invention will be described with reference to the accompanying drawings, and the exemplary embodiments and descriptions thereof are only for the purpose of illustrating the present invention and are not to be construed as limiting the present invention.
Example 1
According to the fig. 1 and 2, a two-level security boot system of a localization computer comprises a usb key and a PMON firmware; the USBKey and the PMON firmware form two-stage safe starting of a domestic computer;
the first level of safe startup is as follows:
the USBKey is connected with the computer through a USB interface and is identified by the computer;
after the USBKey is connected with the computer, the USBKey is communicated with the computer to carry out first-level identity authentication;
the PMON firmware reads and analyzes the content stored in the USBKey, the MAC address in the PMON firmware is compared with the MAC address in the USBKey, if the MAC address in the PMON firmware is matched with the MAC address in the USBKey, the user name is prompted to be input, and if the user name is input correctly, the password is prompted to be input;
the second level of safe start-up is:
after the first-level identity authentication is finished, loading PMON firmware and starting an kylin operating system;
the kylin operating system carries out second-level identity authentication, the user interface layer prompts to input the kylin operating system password, after the user inputs the operating system password, the public key of the operating system and the private key of the USBKey respectively decrypt the password and then match the password, if the password is matched, the authentication is judged to be successful, and starting and login guiding are completed.
Wherein: the operating system and the USBKey adopt encrypted communication, namely: the manufacturer sets a public key for the operating system and a private key for the USBKey.
In this embodiment, the PMON stores the MAC address and the login password of the computer.
In this embodiment, the usb key stores the MAC address, the user name, and the password of the computer.
In the embodiment, the USBKey is identified by a computer through a driving layer, and the driving layer is a USBKey driver meeting a USB protocol; the USBKey is communicated with a computer through a function realization layer, wherein the function realization layer is a USBKey operation interface and is a protocol for communication between the computer and the USBKey; in the first-stage identity authentication and the second-stage identity authentication, prompt information is displayed through a user interface layer, and the user interface layer comprises a starting authentication interface and a trusted boot interface, namely a user name and password input interface during starting authentication and a password input interface after entering an kylin operating system.
A two-stage safe starting method for a domestic computer comprises the following steps:
s1, connecting the USBKey with a computer through a USB interface;
s2, performing first-level identity authentication, reading and analyzing the content stored in the USBKey by the PMON firmware, comparing the MAC address in the PMON firmware with the MAC address in the USBKey, prompting to input a user name if the MAC address in the PMON firmware is matched with the MAC address in the USBKey, and prompting to input a password if the user name is correctly input;
s3, if the password is input correctly, loading the PMON firmware and starting the kylin operating system;
s4, performing second-level identity authentication, and inputting a kylin operating system password;
and S5, if the password is correctly input, finishing the starting.
In this embodiment, if the PMON and the USBKey cannot be matched, it is prompted that there is no corresponding USBKey, and when the user inserts the USBKey, the process supports hot plug, and the user inserts the USBKey and then performs re-identification by returning.
In the embodiment, the wrong input times of the user name and the password are 5 times, if the input times of the user name and the password are all wrong, an error message is prompted, and after the user presses to enter the car, the computer is powered off; if the USBKey is used for logging in the computer again, a security administrator needs to use a special tool of a manufacturer to reset the MAC address, the user name and the password of the USBKey.
The embodiment of the invention carries out first-level safe start, before the boot start of the system firmware PMON, a user firstly connects the USBKey equipment and the computer through a USB interface, in the starting process, the PMON searches for the USBKey, then reads and analyzes the storage content of the USBKey, compares the MAC address of the computer stored in the USBKey equipment with the MAC address of the computer stored in the PMON, and judges whether the USBKey equipment and the computer MAC address can be matched. And if the USBKey cannot be matched, prompting that no corresponding USBKey exists, waiting for a user to insert a correct USBKey, supporting hot plug in the process, and re-identifying the user by returning after the user inserts the USBKey. If the user name and the password are matched, prompting the user to input the user name, prompting the user to input the password after the user name is input correctly, wherein the user name and the password in the process can be input only by mistake for 5 times, if the user name and the password are input by mistake for 5 times, prompting an error message, locking the USBKey, waiting for the user to press and return, turning off the computer in a power-down mode, then logging in the computer by using the USBKey, and needing a security manager to reset the MAC address, the user name and the password of the computer in the USBKey by using a special system tool of a manufacturer. If the user name and the password are correctly input, loading PMON firmware and starting an operating system;
performing secondary safety starting, prompting to input the password of the kylin operating system after the operating system is started, and if the password is input wrongly, giving an error prompt, and performing power failure shutdown on the computer; if the password is correctly input, the starting is finished, and the login and the guidance are carried out.
In the process of starting the computer, the safety of a domestic computer system is improved through two-stage safe starting, when a user needs to start an operating system, the first-stage safe starting is completed firstly, the kylin operating system is started, the password of the kylin operating system needs to be input, and starting and login guiding can be completed only after the password is input correctly.
The above-mentioned embodiments are intended to illustrate the objects, technical solutions and advantages of the present invention in further detail, and it should be understood that the above-mentioned embodiments are merely exemplary embodiments of the present invention, and are not intended to limit the scope of the present invention, and any modifications, equivalent substitutions, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.