
Hard Disk Encryption and Security Authentication System Based on Ukey and LiveOS

Published: 2018-04-27 07:38

  Topic: hard disk encryption + Ukey; Source: Hangzhou Dianzi University, master's thesis, 2017


[Abstract]: With the arrival of the information age, computers are widely used and the data stored on their hard disks is growing geometrically, so the security of stored data is becoming more and more important. Hard disk encryption remains the main trend and means of protecting hard disk data. Current software encryption schemes for hard disks offer neither high security nor good performance. Hardware encryption schemes such as encryption cards and FPGAs perform well, but lack a secure and reliable identity authentication scheme and the necessary secure key recovery mechanism. BIOS-based authentication schemes are relatively secure, but the hard disk can then only work in a customized BIOS environment, which greatly reduces generality. Against this background, this thesis proposes and implements a new hard disk encryption and security authentication system for personal computers such as desktops and laptops. The system is based on Ukey and LiveOS, and is superior to existing solutions in overall security, performance, ease of use and generality. On the hardware side, a solid-state drive (SSD) controller chip with an integrated hardware encryption engine encrypts and decrypts disk data in real time, while the encryption and decryption key is stored in the Ukey, separating the key from the encryption engine. Only the single Ukey paired with the encrypted SSD can decrypt the disk and boot the system on it. On the software side, a LiveOS based on the Linux kernel is built by trimming and compiling the Linux kernel, customizing the initrd file system and configuring the boot loader. This system boots from the Ukey and provides a secure and general software environment for secure pairing, authentication and key transfer between the encrypted SSD and the Ukey.

The pairing and authentication scheme between the encrypted disk and the Ukey is the core of the whole hard disk encryption and security authentication system. The encrypted disk and the Ukey are paired one-to-one by exchanging public keys of the Chinese national cryptographic (Guomi) SM2 algorithm, and a PIN code protects use of the Ukey. The encrypted disk authenticates the Ukey with challenge-response authentication, and cooperation with the disk controller firmware eliminates the possibility of replay attacks. Finally, a secure key recovery scheme based on two-factor authentication is proposed. According to the requirements of the overall authentication scheme, an API for the Ukey and the encrypted SSD controller chip is designed on top of the Linux SCSI protocol, and the authentication program is then combined with the LiveOS to implement complete hard disk encryption and security authentication. Lastly, in a PC test environment, the feasibility of the whole system is tested, the read and write performance of the disk in encrypted and unencrypted states is compared, and the security of the system is analyzed in detail at three levels: firmware, key and LiveOS. In general, the proposed hard disk encryption and security authentication system based on Ukey and LiveOS achieves the expected results and has high practical value.
[Degree-granting institution]: Hangzhou Dianzi University
[Degree level]: Master's
[Year degree granted]: 2017
[Classification number]: TP333


Article ID: 1809854



Article link: http://sikaile.net/kejilunwen/jisuanjikexuelunwen/1809854.html

