一种加密硬盘的身份鉴别和密钥保护方案  被引量：4

作　　者：谷双双 夏鲁宁[1,2,3] 贾世杰[1,2,3,4] 

机构地区：[1]中国科学院信息工程研究所,北京100093 [2]中国科学院数据与通信保护研究教育中心,北京100093 [3]中国科学院信息安全国家重点实验室,北京100093 [4]中国科学院大学,北京100049

出　　处：《密码学报》2016年第2期126-136,共11页Journal of Cryptologic Research

摘　　要：随着信息技术的发展,以硬盘为介质的数字化存储成为企业和个人主要信息存储方式,数据存储安全的问题也因此成为信息安全领域不可忽视的重要问题.使用加密硬盘作为存储介质,是企业和个人常用的存储数据保护的方式.对于硬盘数据加密存储而言,密钥的存储和管理是安全性的关注焦点.当前的加密硬盘普遍将加解密密钥存放在硬盘本身,或者在执行运算期间被加载出现在计算机内存中,使得攻击者可以采用直接硬盘读取或者是采用冷启动攻击内存等手段获得加解密密钥,进而存在硬盘内数据被泄露的风险.为了更好的解决上述问题,本文提出了一种基于安全U盘的加密硬盘密钥保护和身份鉴别方案,以安全U盘作为硬盘加密密钥的载体.计算机在启动时从安全U盘引导,在系统启动之前由安全U盘完成对用户的身份鉴别,并将硬盘加密密钥传递给硬盘,从而实现密钥存储与硬盘的物理隔离,保障硬盘解密密钥的安全存储.我们针对此方案实现了原型系统,验证了身份鉴别和密钥保护方案的有效性.With the development of information technology,digital storage in hard disk becomes a main method for individuals and companies to store their data and information,consequentially,storage security becomes an important issue.Using encrypted hard disk as the storage medium is a common method for companies and individuals to protect their data and information.For encrypted hard disk storage,encryption/decryption key management problem becomes the main concern.Current solutions commonly store the key in the hard disk itself or in the memory,as a result,attackers can read the hard disk directly or use cool boot technique to get access to the memory to get the encryption/decryption key.This paper proposes a new identity authentication and encryption/decryption key protection scheme based on USB disk to avoid this risk,by using the USB disk as the storage medium of encryption/decryption key.The operating system will boot from secure USB disk,and the USB Disk will conduct the authentication process of user's identity,and then send the encryption/decryption key to the hard disk.By this method,we implemented the method to physically separate of the disk data and encryption/decryption key.We also implemented a prototype system,and verified the effectiveness of the authentication and key protection method.

关 键 词：加密硬盘 安全U盘 身份鉴别 物理隔离 

分 类 号：TN918.4[电子电信—通信与信息系统]