RU230486U1 - TRUSTED BOOT HARDWARE AND SOFTWARE MODULE - Google Patents

Abstract

The hardware and software module of trusted boot XBLOX is intended for trusted boot of a computer and creation of a trusted environment for execution of programs at all stages of operation of computer and computing equipment. The technical result consists in increasing the efficiency of protection against unauthorized access of users to hardware and software components and to information stored and processed in computer equipment. The device is made in the form of a separate autonomous unit with interfaces for interaction with the motherboard of computer equipment, includes a USB interface for performing access control and data exchange, an interface for simulating control of the main power supply of the computer. Hardware and software modules are introduced into the module, increasing the level of its functionality for protection against unauthorized access and the efficiency of the protection itself due to ensuring its interaction with other means of protection, the possibility of limiting and delimiting access to hardware and software components of a personal computer and protection devices, effective and reliable blocking of a personal computer during various attempts of unauthorized actions, as well as performing the most critical operations directly in the protection device itself.

Description

1. The field of technology to which the utility model relates

This technical solution pertains to the field of information security of computer equipment. It is intended for trusted computer boot, as well as creation of a trusted environment for program execution at all stages of computer and computing equipment operation. The technical result consists in increasing the efficiency of protection against unauthorized user access to hardware and software components and to information stored and processed in computer equipment. The module contains a control processor (microcontroller), non-volatile memory, a built-in antenna module for synchronization with a wireless user access key, elements of light and sound indication. The device is made in the form of a separate autonomous unit with interfaces for interaction with the motherboard of computer equipment, includes a USB interface for access control and data exchange, an interface for simulating control of the main power supply of the computer.

2. State of the art

The hardware and software module of trusted boot pertains to the field of information security of computer equipment and is intended for trusted boot of the computer, as well as trusted use of software and stored information. The technical result consists in additional effective protection of computer equipment from unauthorized access of users and their actions at the stages before turning on the computer, as well as during the use of applications and data.

One of the most similar modules used to solve the problem of protecting a computer from unauthorized actions is the hardware-software module of trusted boot, which is designed to protect the resources of a personal computer from unauthorized access, starting from the trusted boot stage. The most fully functional representatives of this class of devices are:

1. APMDZ "Software and hardware complex Sobol. Version 3.1, Mini PCI-E".

2. APMDZ "KRYPTON-ZAMOK/UM2"

3. a device for creating a trusted environment for computers of information and computing systems, described in application No. 2013131871/08(047653), IPC 7 G06F 12/14, filed on July 11, 2013.

4. a portable device for trusted loading of an operating system of a computing device, described in US Patent Application No. US2009/0094447 A1 (YANG JYH CHIANG et al.), published 04/09/2009

5. Dallas Lock Trusted Boot Tool (TBT)

The disadvantages of the specified modules include: 1) it is not always possible to install the module in the PCI-E port (the port is missing or busy); 2) the user key reader must be physically installed in the computer case, i.e. actions must be taken to install and modify the computer case, which entails the loss of warranty; 3) the user key must be physically applied to the reader installed in the computer case, which can cause inconvenience if the computer case is located far enough away or in an inconvenient or inaccessible place.

An important feature of the declared trusted boot module is its connection to the computer's standby power source (located on the USB ports built into the motherboard), due to which it begins to function immediately after the computer is connected to the power supply (the network cable plug is inserted into the socket) before the PC's "POWER" button is turned on. Therefore, the module monitors the integrity of the BIOS before starting the PC.

Not all similar modules do not provide a fully trusted environment for information processing in the computer, since they are installed on the common control and data exchange bus of the computer, designed to connect peripheral devices to the computer motherboard (in particular, the PCI bus for interaction of peripheral components - Peripheral Component Interconnect). Therefore, the operation of similar modules does not begin with the computer being turned on, but after initialization has occurred and the BIOS has loaded. Consequently, in the case of loading an untrusted BIOS, unauthorized actions may occur before the trusted boot module is initialized. Thus, a necessary condition for creating a trusted PC environment is to solve the problem of protecting the BIOS code from modification and unauthorized influence both when loading the PC and during operation.

3. Disclosure of the utility model

The trusted boot module prevents unauthorized users from using the computer. The main protection method is based on wireless synchronization via Bluetooth Low Energy technology (pairing distance up to 50 meters) with an individual mobile user token (physical hardware ibeacon tag and/or an application on a mobile device for emulating an ibeacon tag). A computer equipped with the described trusted boot module operates as follows. The trusted boot module continuously scans the surrounding space for the presence (within the specified wireless range) of a previously linked trusted user token. After the user token is detected, LED and sound indication built into the trusted boot module occurs, then the computer can be turned on using the power button on the case. The trusted boot module is connected to the break in the circuit of the power button on the computer case and the motherboard, thus monitoring the availability of a mechanical contact for the power button.

It is possible to adjust the sensitivity of wireless synchronization with decreasing range (the user selects 9 different values). The access control controller contains autonomous computing means (a 32-bit microprocessor, a frequency of up to 240, 4 megabytes of built-in memory with support for the transfer of 4 bits of data per cycle), without affecting the performance of the user's computer, and also contains a program code protected from modification with the impossibility of introducing viruses. The controller supports simultaneous pairing with 4 (four) user tokens (a physical hardware ibeacon tag and / or an application on a mobile device for emulating an ibeacon tag), synchronization with which the user has pre-approved. There are elements of optical isolation of input and output discrete signals, protection against reverse polarity power supply. Wireless synchronization technology has interference protection technology. An energy saving algorithm is used, costs occur only in synchronization mode. In the automatic synchronization mode of the trusted boot module and the token (ibeacon tag), a cyclic replacement of wireless frequencies occurs, which is known only to the trusted boot module and the token. The automatic synchronization time is less than 1 (one) second. There is a built-in LED indicator of power supply and information about the synchronization mode, a built-in speaker for sound accompaniment of the functions and actions performed (sound intensity of 85 decibels). It is possible to flash the firmware of the access control controller without opening the computer case cover. There is a built-in function for sending messages to a user-specified e-mail - synchronization with a token (lost and installed), an attempt to enter an incorrect password to access the settings application. There is software in Russian for the Windows and Linux operating systems. The software has an intuitive graphical interface and the ability to assign a user password of more than 100,000 (one hundred thousand) different combinations using letters and symbols. There is a function for blocking access to the trusted boot module settings application after entering a certain number of incorrect combinations. There is a built-in master password for accessing the application when it is locked. Passwords and application data are stored encrypted in a special area of the operating system registry. The software does not require setting up the operating system's security functions and does not require security confirmation when starting and using. There is a page with monitoring the status of token keys within the signal reception radius - signal level, spatial position along three axes and temperature (when using a compatible token). The software allows you to configure the settings - binding, replacing and deleting user tokens; activation and deactivation of all listed blocking functions, setting up e-mail to notify the user and the trusted boot module operating modes, setting up the code combination operating modes when simulating the computer's power button; monitoring the operating time (total time, current session since turning on the computer) of the trusted boot module (days, hours, seconds).

It is possible to use a mobile device with the Android operating system as an imitation of a physical token - it is possible to set a user password to enter the application, when the application is launched, synchronization with the controller is performed automatically, there is a built-in generator of a unique token cipher with the ability to use it on third-party devices (import and export function). In total, it is possible to generate 4 different tokens, each of which can be assigned a user name for quick access. There is a mode for quickly switching 4 (four) different IDpasses with one touch.

4. Brief description of drawings (if included in the application)

The features and advantages of the present utility model will become apparent from the following detailed description and the accompanying drawings, in which:

Fig. 1 illustrates the electrical functional diagram. The presented method of interaction of components ensures electrical safety of interaction of the module with interfaces of the computer motherboard, high speed for execution of all declared functions.

Fig. 2 illustrates the structural division scheme. The presented method of interaction of components ensures reliability in performing the main functions of the module in the event of failure of individual parts and blocks.

5. Implementation of the utility model

The current technical solution includes hardware and software modules that increase the level of its functionality for protection against unauthorized access and the effectiveness of the protection itself by ensuring its interaction with other means of protection, the ability to limit and delimit access to the hardware and software components of the PC and protection devices, effective and reliable blocking of the PC during various attempts at unauthorized actions, as well as performing the most critical operations directly in the protection device itself.

In the absence of synchronization with the token, customizable scenarios of actions of the described trusted boot module are possible

1) the impossibility of turning on the computer using the power button on the case

2) automatic shutdown of the computer with preservation of data and the operating system session in case of loss of synchronization

3) automatic shutdown of the computer by hardware (simulation of pressing the power button on the computer case) with the loss of all unsaved data when synchronization is lost

4) automatic hibernation of the operating system, blocking the operating system with the inability to enter login and password combinations (letters and symbols entered from the keyboard are automatically deleted).

After blocking the operating system and restoring synchronization with the token, automatic unlocking does not occur, requiring the user to enter the password assigned to access the operating system (Windows and Linux operating systems are supported). There is a function for blocking access to the operating system with the impossibility of entering login and password combinations (letters and symbols entered from the keyboard are automatically deleted) of the user in the absence of a physical connection (no connection of the module to the USB port on the computer's motherboard) with the trusted boot module.

It is possible to completely reset the trusted boot module to factory settings without opening the computer case using the power button on the computer case (a special pre-programmed combination). There is a built-in function for coding the computer power button with 1728 combinations (3 (three) input difficulty modes are selected). For ease of entering combinations, there is a sound accompaniment, and it is also possible to turn it off to complicate the input procedure. If the combination is entered incorrectly (the number of attempts and the blocking period are assigned by the user), temporary and permanent blocking of the trusted boot module is possible, with the impossibility of starting and using the computer (the action of the power button on the computer case is blocked) without a complete hardware reset of the trusted boot module. It is possible to disable the need for synchronization with the user token (ibeacon tag) to start the computer using the power button coding.

Claims (1)

A hardware and software trusted boot module comprising: a control and monitoring unit connected to a break in the circuit of the power button on the computer case and the motherboard, the digital output of which is connected to the interface for connecting the case power button on the computer motherboard, the digital input is connected to the interface for connecting the computer case power button, non-volatile memory, a digital USB integration and data exchange port, a wireless module interface that ensures synchronization using Bluetooth Low Energy technology with previously linked trusted user tokens implemented by means of a physical ibeacon hardware tag and/or by emulating the ibeacon tag by an application on the user's mobile device, wherein the trusted boot module is designed with the possibility of connecting to a standby power source of the computer located on a USB port built into the motherboard.

Images