CN106161024A - A kind of USB device authentic authentication method of USB control chip level and system thereof - Google Patents
- Publication number
- CN106161024A CN201510156573.8A
- Authority
- CN
- China
- Prior art keywords
- usb
- main control
- control chip
- chip
- authentication
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Landscapes
- Storage Device Security (AREA)
Description
Technical field
The invention relates to the field of information security technology, in particular to a trusted authentication method for USB devices at the USB control chip level and a system thereof.
Background
USB (Universal Serial Bus) is a bus used to connect computers and peripheral devices. Its plug-and-play capability lets peripherals be connected, configured, used and removed freely without complicated installation. Because USB is flexible and easy to use, the range of peripherals that support it, including mice, keyboards, speakers, modems and scanners, has grown year by year. Today the USB interface is the most successful peripheral interface on computers since the COM port (serial port), and related products enter the market at an annual growth rate of more than 30%.
As the most widely used USB devices, removable storage media (U disks for short) are small, high-capacity and easy to carry, which makes them a convenient medium for information exchange. To ease production and after-sales maintenance, U disk main control chip vendors provide partners with mass production tools, used to define product functions and technical parameters and to repair, in software, problems that appear after sale. The firmware of the U disk main control chip itself, however, is a trade secret of the chip manufacturer and is not open. The same practice is followed in other USB peripheral products.
Through analysis of the principles of USB main control chip firmware and reverse engineering, hacker groups discovered the security flaw known as "BADUSB", which allows a computer to modify the firmware of a U disk's main control chip on its own, so that the main control chip can be used to attack the computer system it is plugged into. The main control chip firmware can also actively attack computer systems, making it a link in the propagation of an attack and forming an exponentially spreading infection model of "computer -> multiple U disks -> more computers". This has prompted reflection on how removable storage media should be securely managed.
In the prior art, design flaws in computers, operating system architectures and the USB protocol mean that the above attack cannot currently be defended against by software means, which poses an imminent and serious threat to computer systems worldwide, including the automatic control systems of industry and national infrastructure.
Summary of the invention
In view of the above problems in the prior art, the object of the present invention is to provide a trusted authentication method for USB devices at the USB control chip level and a system thereof. It combines asymmetric cryptography and trusted authentication technology to harden the main controller of the USB host and the main control chip of the USB device, and has a third-party testing agency manage authentication and authorization of USB main control chips. This lets the USB host perform trusted authentication of the USB device and blocks all attack patterns that try to use USB control chip firmware as an intermediary, thereby building a trusted computing and communication environment for computer systems and USB device systems.
To achieve the above object, the technical solution of the present invention is realized as follows:
A trusted authentication method for USB devices at the USB control chip level uses a trusted authentication system composed of a third-party authentication and authorization management system, a USB main control chip device certificate generation management system, a USB main control chip security management system and a USB device trusted authentication system. The third-party authentication and authorization management system, used by the third-party chip testing agency, consists of an authorization manager, an authorization cryptographic algorithm module and a USB main control chip device certificate issuance manager; the authorization cryptographic algorithm module contains a hash algorithm, a digital signature algorithm and a digital signature verification algorithm. The USB main control chip device certificate generation management system, used by the USB main control chip manufacturer, consists of a system cryptographic algorithm module and a chip device certificate generator; the system cryptographic algorithm module contains a hash algorithm and a digital signature algorithm. The USB main control chip security management system, built into the USB main control chip of the USB device, consists of a chip secure storage unit, a chip cryptographic algorithm hardware module, a security self-check ROM boot program and a security verification management firmware program; the chip cryptographic algorithm hardware module contains a hash algorithm and a digital signature verification algorithm. The USB device trusted authentication system on the USB host side consists of a USB main control chip authentication manager, a key secure storage unit and an authentication cryptographic algorithm module; the authentication cryptographic algorithm module contains a digital signature verification algorithm. The main implementation steps are:
1) System authorization:
① The authorization manager in the third-party authentication and authorization management system provides the third-party authentication public key to the USB device trusted authentication system, where it is stored and fixed in the key secure storage unit of the USB device trusted authentication system.
② The authorization manager in the third-party authentication and authorization management system provides the third-party authentication public key to the USB main control chip security management system, where it is stored and fixed in the chip secure storage unit of the USB main control chip security management system.
2) USB main control chip device certificate generation, issuance and storage:
① The chip device certificate generator of the USB main control chip device certificate generation management system uses the hash algorithm in the system cryptographic algorithm module to hash all or part of the USB main control chip firmware in the USB main control chip, producing the USB main control chip firmware digest, and uses the chip device private key and the digital signature algorithm in the system cryptographic algorithm module to generate a digital signature of that firmware digest. The USB main control chip identifier, the USB device type description, the chip device public key, the firmware digest and the digital signature of the firmware digest are packaged into a chip device certificate body corresponding to the secure USB main control chip. The chip device certificate body is then provided to the third-party authentication and authorization management system.
② The USB main control chip device certificate issuance manager in the third-party authentication and authorization management system uses the chip device public key in the chip device certificate body and the digital signature verification algorithm in the authorization cryptographic algorithm module to verify the digital signature of the firmware digest in the chip device certificate body, confirming the legitimacy and integrity of the firmware digest. If the signature verifies, it uses the hash algorithm in the authorization cryptographic algorithm module to hash all or part of the USB main control chip firmware, producing a firmware digest, and compares this digest with the firmware digest in the chip device certificate body. If the two match, it uses the third-party signing private key and the digital signature algorithm in the authorization cryptographic algorithm module to generate a digital signature of the chip device certificate body, and packages the certificate body and its digital signature into the USB main control chip device certificate.
③ The USB main control chip device certificate is stored and fixed in the chip secure storage unit of the USB main control chip security management system.
3) Security self-check of the USB main control chip:
① The USB device is connected to the USB host over the USB bus. Once the USB device is powered on, the USB main control chip starts executing the security self-check ROM boot program of the USB main control chip security management system.
② The security self-check ROM boot program uses the third-party authentication public key in the chip secure storage unit and the digital signature verification algorithm in the chip cryptographic algorithm hardware module to verify the digital signature of the USB main control chip device certificate held in the chip secure storage unit, confirming the legitimacy and integrity of the certificate. If the signature does not verify, the USB device is blocked from establishing a communication connection with the USB host.
③ The security self-check ROM boot program uses the chip device public key in the USB main control chip device certificate and the digital signature verification algorithm in the chip cryptographic algorithm hardware module to verify the digital signature of the firmware digest in the certificate, confirming the legitimacy and integrity of the firmware digest. If the signature does not verify, the USB device is blocked from establishing a communication connection with the USB host.
④ The security self-check ROM boot program uses the hash algorithm in the chip cryptographic algorithm hardware module to hash all or part of the USB main control chip firmware, producing a firmware digest, and compares it with the firmware digest in the USB main control chip device certificate. If the two match, the firmware is confirmed not to have been tampered with. If they differ, the USB device is blocked from establishing a communication connection with the USB host.
⑤ After the USB device has established a communication connection with the USB host, the USB main control chip executes the security verification management firmware program of the USB main control chip security management system, which cooperates with the USB host's trusted authentication of the USB device.
4) Trusted authentication of the USB main control chip:
① After the USB host detects the USB device, it establishes a communication connection. The USB main control chip authentication manager of the USB device trusted authentication system opens a session with the security verification management firmware program of the USB main control chip security management system, obtains the USB main control chip device certificate, and uses the third-party authentication public key in the key secure storage unit and the digital signature verification algorithm in the authentication cryptographic algorithm module to verify the certificate's digital signature, confirming the legitimacy and integrity of the certificate. If the signature does not verify, the communication connection between the USB host and the USB device is dropped immediately.
② The USB main control chip authentication manager of the USB device trusted authentication system starts the USB device enumeration process, obtains the USB device type declaration from the USB main control chip, and compares it with the device type description in the USB main control chip device certificate. If the device types match, enumeration of the USB device continues; if they differ, the communication connection between the USB host and the USB device is dropped immediately.
In the above trusted authentication method for USB devices at the USB control chip level, the key secure storage unit of the USB device trusted authentication system and the chip secure storage unit of the USB main control chip security management system both refer to tamper-proof storage units inside the chip that are protected by the chip after data has been written to them once by a chip programming tool.
In the above method, the third-party authentication public key and the third-party signing private key are managed by the third-party authentication and authorization management system A and are used to sign and verify USB main control chip device certificates. The chip device private key and chip device public key are owned and managed by the USB main control chip manufacturer and are used to sign and verify USB main control chip firmware; they do not correspond one-to-one with USB main control chips.
In the above method, the USB main control chip identifier is composed of the model of the USB main control chip and the firmware version number of the USB main control chip, and corresponds one-to-one with the USB main control chip device certificate.
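Steps 1) to 4) above, carried through end to end as an added example; this is not code from the patent. The patent names no algorithms, so SHA-256 and unpadded textbook RSA with toy keys built from Mersenne primes are assumptions chosen to keep the sketch standard-library only, and the function names, the JSON certificate encoding, the chip identifier and the firmware bytes are all constructed.

```python
import hashlib
import json

E = 65537  # public exponent used by both toy keys


def toy_keypair(p_exp, q_exp):
    """Toy RSA key from two Mersenne primes 2**k - 1 (trivially factorable, demo only)."""
    p, q = 2**p_exp - 1, 2**q_exp - 1
    n = p * q
    return {"n": n, "e": E}, {"n": n, "d": pow(E, -1, (p - 1) * (q - 1))}


def digest(data):
    return hashlib.sha256(data).digest()


def sign(priv, data):
    # Unpadded textbook RSA over SHA-256(data); stands in for the unnamed signature algorithm.
    return pow(int.from_bytes(digest(data), "big"), priv["d"], priv["n"])


def verify(pub, data, sig):
    return pow(sig, pub["e"], pub["n"]) == int.from_bytes(digest(data), "big")


def canonical(body):
    # Assumed encoding of the certificate body: JSON with sorted keys.
    return json.dumps(body, sort_keys=True).encode()


def vendor_make_cert_body(chip_id, device_type, firmware, vendor_pub, vendor_priv):
    """Step 2, item 1: manufacturer hashes the firmware, signs the digest, packs the body."""
    fw_digest = digest(firmware)
    return {"chip_id": chip_id, "device_type": device_type, "vendor_pub": vendor_pub,
            "fw_digest": fw_digest.hex(), "fw_digest_sig": sign(vendor_priv, fw_digest)}


def third_party_issue(body, firmware, tp_priv):
    """Step 2, item 2: testing agency re-checks signature and digest, then signs the body."""
    fw_digest = bytes.fromhex(body["fw_digest"])
    if not verify(body["vendor_pub"], fw_digest, body["fw_digest_sig"]):
        raise ValueError("manufacturer signature over firmware digest is invalid")
    if digest(firmware) != fw_digest:
        raise ValueError("submitted firmware does not match the digest in the body")
    return {"body": body, "sig": sign(tp_priv, canonical(body))}


def rom_self_check(cert, firmware, tp_pub):
    """Step 3: checks run by the device's ROM boot program before it talks to the host."""
    body = cert["body"]
    if not verify(tp_pub, canonical(body), cert["sig"]):
        return "blocked: certificate signature"
    fw_digest = bytes.fromhex(body["fw_digest"])
    if not verify(body["vendor_pub"], fw_digest, body["fw_digest_sig"]):
        return "blocked: firmware digest signature"
    if digest(firmware) != fw_digest:
        return "blocked: firmware modified"
    return "ok"


def host_authenticate(cert, declared_type, tp_pub):
    """Step 4: host verifies the certificate, then compares the enumerated device type."""
    if not verify(tp_pub, canonical(cert["body"]), cert["sig"]):
        return "disconnect: certificate signature"
    if declared_type != cert["body"]["device_type"]:
        return "disconnect: device type mismatch"
    return "enumerate"


def demo():
    # Step 1: the third-party public key is what gets fixed into host and device storage.
    tp_pub, tp_priv = toy_keypair(607, 1279)
    vendor_pub, vendor_priv = toy_keypair(521, 607)
    firmware = b"constructed mass-storage controller firmware, v1.0"
    body = vendor_make_cert_body("MODEL-X/fw-1.0", "mass_storage", firmware,
                                 vendor_pub, vendor_priv)
    cert = third_party_issue(body, firmware, tp_priv)
    # A certificate whose type field was edited after issuance keeps the old signature.
    edited = {"body": dict(body, device_type="hid_keyboard"), "sig": cert["sig"]}
    return {
        "genuine_self_check": rom_self_check(cert, firmware, tp_pub),
        "genuine_host": host_authenticate(cert, "mass_storage", tp_pub),
        "rewritten_firmware": rom_self_check(cert, firmware + b" +patch", tp_pub),
        "type_mismatch": host_authenticate(cert, "hid_keyboard", tp_pub),
        "edited_certificate": host_authenticate(edited, "hid_keyboard", tp_pub),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

In this flow the host never sees the firmware itself: firmware integrity rests on the device's ROM self-check, while the host enforces only the certificate signature and the declared device type.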
A trusted authentication system for USB devices at the USB control chip level is characterized in that it is composed of a third-party authentication and authorization management system, a USB main control chip device certificate generation management system, a USB main control chip security management system and a USB device trusted authentication system. The third-party authentication and authorization management system consists of an authorization manager, an authorization cryptographic algorithm module and a USB main control chip device certificate issuance manager; the authorization cryptographic algorithm module contains a hash algorithm, a digital signature algorithm and a digital signature verification algorithm. The USB main control chip device certificate generation management system consists of a system cryptographic algorithm module and a chip device certificate generator; the system cryptographic algorithm module contains a hash algorithm and a digital signature algorithm. The USB main control chip security management system consists of a chip secure storage unit, a chip cryptographic algorithm hardware module, a security self-check ROM boot program and a security verification management firmware program; the chip cryptographic algorithm hardware module contains a hardware-implemented hash algorithm and digital signature verification algorithm. The USB device trusted authentication system consists of a USB main control chip authentication manager, a key secure storage unit and an authentication cryptographic algorithm module; the authentication cryptographic algorithm module contains a digital signature verification algorithm. The third-party authentication and authorization management system is the system used by the third-party chip testing agency, and performs the authentication and authorization functions for the USB main control chip security management system and the USB device trusted authentication system. The USB main control chip device certificate generation management system is the system used by the USB main control chip manufacturer, and handles the generation and management of USB main control chip certificates. The USB main control chip security management system is built into the USB main control chip of the USB device, and performs the main control chip-level security self-check and security verification functions of the USB device. The USB device trusted authentication system is built into the USB host controller or implemented by an independent chip, and performs the USB host's trusted authentication and safe-use verification of the USB device.
Because the invention adopts the above method and structure, on the one hand it performs a chip-level security retrofit of the main control chip of the USB device, adding a security self-check of the USB main control chip before a communication connection with the USB host is established, which ensures the security of the USB main control chip itself. On the other hand, it retrofits the main controller of the USB host or adds an independent chip, adding trusted authentication of the USB device by the USB host before the host enumerates the device, which ensures that USB devices connected to the host are secure and trusted. At the same time, a third-party testing agency performs trusted authentication management of USB main control chips, enabling the USB host's trusted authentication of USB devices; USB devices that fail authentication are refused connection to the host. The invention provides information and network systems with a USB control chip-level trusted authentication technology for USB devices to defend against attacks that use USB as the medium, thereby solving the problem that such attacks cannot be defended against by software means because of design flaws in computers, operating system architectures and the USB protocol. The invention uses asymmetric cryptography to implement authorization management and trusted authentication of USB main control chips and, by adding the security self-check of the USB main control chip, achieves the USB device's own security at the chip layer, providing a reliable technical guarantee for trusted authentication of USB devices.
The present invention is further described below with reference to the accompanying drawings and specific embodiments.
Description of the drawings
Fig. 1 is a schematic structural diagram of the system of the present invention;
Fig. 2 is a schematic diagram of system authorization processing for the USB host and the USB device in the method of the present invention;
Fig. 3 is a schematic diagram of USB main control chip device certificate generation, issuance and storage in the method of the present invention;
Fig. 4 is a flow chart of USB main control chip device certificate generation in Fig. 3;
Fig. 5 is a flow chart of the security self-check processing of the USB main control chip in the method of the present invention;
Fig. 6 is a flow chart of the USB host's trusted authentication processing of the USB main control chip in the method of the present invention.
Detailed description
Referring to Fig. 1 to Fig. 3, the system that implements the trusted authentication method for USB devices at the USB control chip level is composed of a third-party authentication and authorization management system A, a USB main control chip device certificate generation management system B, a USB main control chip security management system C and a USB device trusted authentication system D.
The third-party authentication and authorization management system A is the system used by the third-party chip testing agency. It consists of an authorization manager 1, an authorization cryptographic algorithm module 2 and a USB main control chip device certificate issuance manager 3; the authorization cryptographic algorithm module 2 contains a hash algorithm, a digital signature algorithm and a digital signature verification algorithm. System A performs the authentication and authorization functions for the USB main control chip security management system C and the USB device trusted authentication system D. On the one hand, it implements authorization management of USB hosts and USB devices through the authorized use of the third-party authentication public key 13; on the other hand, it performs security testing of the USB main control chip and digitally signs the chip device certificate body 14 awaiting signature, generating the USB main control chip device certificate 15 and thereby issuing it.
The USB main control chip device certificate generation management system B is the system used by the USB main control chip manufacturer. It consists of a system cryptographic algorithm module 4 and a chip device certificate generator 5; the system cryptographic algorithm module 4 contains a hash algorithm and a digital signature algorithm. System B handles the generation and management of USB main control chip device certificates.
The USB main control chip security management system C is built into the USB main control chip of the USB device. It consists of a chip secure storage unit 6, a chip cryptographic algorithm hardware module 7, a security self-check ROM boot program 8 and a security verification management firmware program 9; the chip cryptographic algorithm hardware module 7 contains a hardware-implemented hash algorithm and digital signature verification algorithm. System C performs the security self-check and security verification functions of the USB device's main control chip.
The USB device trusted authentication system D is built into the USB host controller or implemented by an independent chip. It consists of a USB main control chip authentication manager 10, a key secure storage unit 11 and an authentication cryptographic algorithm module 12; the authentication cryptographic algorithm module 12 contains a digital signature verification algorithm. System D performs the USB host's trusted authentication and safe-use verification of the USB device.
The USB main control chip device certificate 15 of the present invention contains the USB main control chip firmware digest and its digital signature, which provides essential support for trusted authentication across the whole system.
参看图1至图6,本发明方法使用时的步骤为: Referring to Fig. 1 to Fig. 6, the step when the inventive method uses is:
11 )系统授权:) system authorization:
① 第三方认证授权管理系统A中的授权管理器1为USB设备可信认证系统D提供第三方认证公钥13,并存储固化到USB设备可信认证系统D的密钥安全存储单元11中,实现USB设备可信认证系统D的认证授权。 ① The authorization manager 1 in the third-party authentication and authorization management system A provides the third-party authentication public key 13 for the USB device trusted authentication system D, and stores and solidifies it into the key security storage unit 11 of the USB device trusted authentication system D, Realize the authentication and authorization of the USB device trusted authentication system D.
② 第三方认证授权管理系统A中的授权管理器1为USB主控芯片安全管理系统C提供第三方认证公钥13,并存储固化到USB主控芯片安全管理系统C的芯片安全存储单元6中,实现USB设备的认证授权。 ② The authorization manager 1 in the third-party authentication and authorization management system A provides the third-party authentication public key 13 for the USB main control chip security management system C, and stores and solidifies it in the chip security storage unit 6 of the USB main control chip security management system C , to implement the authentication and authorization of the USB device.
)) USBUSB 主控芯片设备证书生成、签发与存储固化:Master chip device certificate generation, issuance and storage curing:
① The chip device certificate generator 5 of the USB main control chip device certificate generation and management system B uses the hash algorithm in the system cryptographic algorithm module 4 to hash all or part of the USB main control chip firmware data in the USB main control chip, producing the USB main control chip firmware digital digest, and uses the chip device private key and the digital signature algorithm in the system cryptographic algorithm module 4 to generate a digital signature over that firmware digital digest. The USB main control chip identifier, the USB device type description, the chip device public key, the USB main control chip firmware digital digest and the digital signature of the firmware digital digest are packaged into the chip device certificate body 14 corresponding to the USB main control security chip. The chip device certificate body 14 is then provided to the third-party authentication and authorization management system A.
② The USB main control chip device certificate issuance manager 3 in the third-party authentication and authorization management system A uses the chip device public key in the chip device certificate body 14 and the digital signature verification algorithm in the authorization cryptographic algorithm module 2 to verify the digital signature of the USB main control chip firmware digital digest in the chip device certificate body 14, confirming the legitimacy and integrity of that digest. If the signature verifies, it uses the hash algorithm in the authorization cryptographic algorithm module 2 to hash all or part of the USB main control chip firmware data, producing a USB main control chip firmware digital digest, and compares this digest with the USB main control chip firmware digital digest in the chip device certificate body 14. If the two match, it uses the third-party signing private key and the digital signature algorithm in the authorization cryptographic algorithm module 2 to generate a digital signature over the chip device certificate body 14, and packages the chip device certificate body 14 and this digital signature into the USB main control chip device certificate 15.
③ The USB main control chip device certificate 15 is stored and fixed in the chip secure storage unit 6 of the USB main control chip security management system D.
Security self-test of the USB main control chip:
① The USB device is connected to the USB host over the USB bus. Once the USB device is powered on, the USB main control chip begins executing the security self-test ROM boot program 8 of the USB main control chip security management system C;
② The security self-test ROM boot program 8 uses the third-party authentication public key 13 in the chip secure storage unit 6 and the digital signature verification algorithm in the chip cryptographic algorithm hardware module 7 to verify the digital signature of the USB main control chip device certificate 15 held in the chip secure storage unit 6, confirming the legitimacy and integrity of the chip device certificate; if the signature does not verify, the USB device is blocked from establishing a communication connection with the USB host;
③ The security self-test ROM boot program 8 uses the chip device public key in the USB main control chip device certificate 15 and the digital signature verification algorithm in the chip cryptographic algorithm hardware module 7 to verify the digital signature of the USB main control chip firmware digital digest in the USB main control chip device certificate 15, confirming the legitimacy and integrity of that digest; if the signature does not verify, the USB device is blocked from establishing a communication connection with the USB host;
④ The security self-test ROM boot program 8 uses the hash algorithm in the chip cryptographic algorithm hardware module 7 to hash all or part of the USB main control chip firmware data, obtaining a USB main control chip firmware digital digest, and compares it with the USB main control chip firmware digital digest in the USB main control chip device certificate 15. If the two match, the USB main control chip firmware data is confirmed not to have been tampered with; if they do not match, the USB device is blocked from establishing a communication connection with the USB host;
⑤ After the USB device has established a communication connection with the USB host, the USB main control chip executes the security verification management firmware program 9 of the USB main control chip security management system C, which cooperates with the USB host in the trusted authentication of the USB device.
Trusted authentication of the USB main control chip:
① After the USB host detects the USB device, a communication connection is established. The USB main control chip authentication manager 10 of the USB device trusted authentication system D opens a session with the security verification management firmware program 9 of the USB main control chip security management system C and obtains the USB main control chip device certificate 15. It then uses the third-party authentication public key 13 in the key secure storage unit 11 and the digital signature verification algorithm in the authentication cryptographic algorithm module 12 to verify the digital signature of the USB main control chip device certificate 15, confirming the legitimacy and integrity of the chip device certificate 15; if the signature does not verify, the communication connection between the USB host and the USB device is disconnected immediately.
② The USB main control chip authentication manager 10 of the USB device trusted authentication system D starts the USB device enumeration process, obtains the USB device type declaration from the USB main control chip, and compares that declaration with the device type description in the USB main control chip device certificate 15. If the device types match, normal enumeration of the USB device continues; if they do not match, the communication connection between the USB host and the USB device is disconnected immediately.
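The three phases above (certificate issuance, ROM self-test, host-side authentication) can be traced end to end in the following added example, which is not part of the patent text. The field names, SHA-256, the JSON encoding and the insecure textbook-RSA stand-in for the patent's unspecified signature algorithm are all assumptions, and the keys, chip identifier and firmware bytes are constructed sample values.

```python
import hashlib, json

def toy_keypair(p, q):
    # INSECURE textbook RSA over fixed Mersenne primes: a stdlib-only stand-in (assumption).
    n, e = p * q, 65537
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def digest(data):
    return hashlib.sha256(data).digest()

def sign(priv, msg):
    return pow(int.from_bytes(digest(msg), "big"), priv[1], priv[0])

def verify(pub, msg, sig):
    return pow(sig, pub[1], pub[0]) == int.from_bytes(digest(msg), "big")

def encode(body):  # canonical bytes of the certificate body (hypothetical encoding)
    return json.dumps(body, sort_keys=True).encode()

def build_cert_body(chip_id, dev_type, firmware, dev_pub, dev_priv):  # system B
    fw = digest(firmware)
    return {"chip_id": chip_id, "device_type": dev_type, "device_pub": list(dev_pub),
            "fw_digest": fw.hex(), "fw_digest_sig": sign(dev_priv, fw)}

def firmware_error(body, firmware):  # checks shared by system A and the ROM boot program
    if not verify(tuple(body["device_pub"]), bytes.fromhex(body["fw_digest"]), body["fw_digest_sig"]):
        return "digest signature"
    if digest(firmware).hex() != body["fw_digest"]:
        return "firmware modified"
    return None

def ca_issue(body, firmware, ca_priv):  # system A signs only a body it has re-checked
    err = firmware_error(body, firmware)
    if err:
        raise ValueError(err)
    return {"body": body, "ca_sig": sign(ca_priv, encode(body))}

def rom_self_check(cert, firmware, ca_pub):  # runs on the chip before any host traffic
    if not verify(ca_pub, encode(cert["body"]), cert["ca_sig"]):
        return "blocked: certificate signature"
    err = firmware_error(cert["body"], firmware)
    return "blocked: " + err if err else "ok"

def host_authenticate(cert, declared_type, ca_pub):  # runs on the USB host
    if not verify(ca_pub, encode(cert["body"]), cert["ca_sig"]):
        return "disconnect: certificate signature"
    if declared_type != cert["body"]["device_type"]:
        return "disconnect: device type mismatch"
    return "enumerate"

# Constructed sample keys, firmware image and certificate.
CA_PUB, CA_PRIV = toy_keypair(2**521 - 1, 2**607 - 1)
DEV_PUB, DEV_PRIV = toy_keypair(2**127 - 1, 2**521 - 1)
FIRMWARE = b"constructed firmware image: mass-storage controller"
CERT = ca_issue(build_cert_body("CHIP-0001", "mass_storage", FIRMWARE, DEV_PUB, DEV_PRIV), FIRMWARE, CA_PRIV)
```

The device-type comparison on the host only carries weight because the type description sits inside the body covered by the third-party signature; a device that alters the certified type invalidates that signature before the comparison is reached.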
Claims (5)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510156573.8A CN106161024B (en) | 2015-04-03 | 2015-04-03 | USB control chip-level USB equipment credibility authentication method and system thereof |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN106161024A (en) | 2016-11-23 |
| CN106161024B (en) | 2023-05-12 |
Family
ID=57338008
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201510156573.8A Active CN106161024B (en) | 2015-04-03 | 2015-04-03 | USB control chip-level USB equipment credibility authentication method and system thereof |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN106161024B (en) |
Also Published As
| Publication number | Publication date |
|---|---|
| CN106161024B (en) | 2023-05-12 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant | ||
| CP03 | Change of name, title or address | ||
| CP03 | Change of name, title or address |
- Address after: Floor 30, Block A, Tsinghua Tongfang Science and Technology Building, No. 1, Wangzhuang Road, Haidian District, Beijing 100080
- Patentee after: Tongfang Co.,Ltd.
- Country or region after: China
- Patentee after: Softtek Computer Co.,Ltd.
- Address before: 100083 Haidian District, Beijing, Tsinghua Tongfang square A block 29.
- Patentee before: Tongfang Co.,Ltd.
- Country or region before: China
- Patentee before: TONGFANG COMPUTER Co.,Ltd.