
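Hard Disk Encryption and Security Authentication System Based on Ukey and LiveOS

Published: 2018-04-27 07:38

  Topics: hard disk encryption + Ukey; Source: Hangzhou Dianzi University, 2017 master's thesis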


[Abstract]: With the arrival of the information age, computers are widely used and the data stored on their hard disks is growing geometrically, so the security of stored data is becoming more and more important. Hard disk encryption remains the main trend and means of protecting hard disk data. Current software encryption schemes for hard disks offer limited security and low performance. Hardware encryption schemes such as encryption cards and FPGAs perform better, but lack a secure and reliable identity authentication scheme and the necessary mechanism for secure key recovery. BIOS-based authentication schemes are more secure, but they restrict the hard disk to working in a customized BIOS environment, which greatly reduces generality. Against this background, this thesis proposes and implements a new hard disk encryption and security authentication system for personal computer systems such as desktops and laptops. The system is based on a Ukey and a LiveOS, and is superior to existing solutions in overall security, performance, ease of use and generality. On the hardware side, a solid-state drive (SSD) controller chip with an integrated hardware encryption engine encrypts and decrypts hard disk data in real time, while the encryption and decryption key is stored in the Ukey, which separates the key from the encryption engine. Only the single Ukey paired with the encrypted SSD can decrypt the disk and boot the system on it. On the software side, a LiveOS based on the Linux kernel is built by trimming and compiling the Linux kernel, customizing the initrd file system and configuring the boot loader. This system starts with the Ukey and provides a secure and general software environment for secure pairing, authentication and key transfer between the encrypted SSD and the Ukey.
The pairing and authentication scheme for the encrypted hard disk and the Ukey is the core of the whole hard disk encryption and security authentication system. The thesis pairs the encrypted hard disk and the Ukey one-to-one by exchanging public keys of the Chinese national cryptographic standard SM2 algorithm, protects use of the Ukey by setting a PIN code, and has the encrypted hard disk authenticate the Ukey through challenge-response authentication; cooperation with the hard disk controller firmware eliminates the possibility of replay attacks. A key security recovery scheme based on two-factor authentication is then proposed. Following the requirements of the overall security authentication scheme, an API for the Ukey and the encrypted SSD controller chip is designed on top of the Linux SCSI protocol, and the authentication program is combined with the LiveOS to implement complete hard disk encryption and security authentication. Finally, on a PC test environment built for the purpose, the feasibility of the whole system is tested, read and write performance is compared between the encrypted and unencrypted states of the hard disk, and the security of the system is analyzed in detail at three levels: firmware, key and LiveOS. Overall, the proposed hard disk encryption and security authentication system based on Ukey and LiveOS achieves the expected results and has high practical value.
[Degree-granting institution]: Hangzhou Dianzi University
[Degree level]: Master's
[Year degree granted]: 2017
[Classification number]: TP333


Article ID: 1809854

