CN104102887A - Implementation method for login security certification of operation system - Google Patents


Info

Publication number: CN104102887A
Authority: CN (China)
Application number: CN201410351132.9A
Other languages: Chinese (zh)
Other versions: CN104102887B (en)
Inventors: 谈剑锋, 尤磊, 钱金金
Current assignee: Shanghai Peoplenet Security Technology Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis)
Original assignee: Shanghai Everybody Science And Technology Ltd
Legal status: Granted, active (the legal status is an assumption and is not a legal conclusion)

Classifications

    • G06F21/74: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure computing or processing of information, operating in dual or compartmented mode, i.e. at least one secure mode (G PHYSICS › G06 COMPUTING; CALCULATING OR COUNTING › G06F ELECTRIC DIGITAL DATA PROCESSING › G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity › G06F21/70 › G06F21/71)
    • G06F21/31: User authentication (G06F21/00 › G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals)
    • G06F21/6218: Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database (G06F21/00 › G06F21/60 Protecting data › G06F21/62)

Abstract

The invention provides an implementation method for login security authentication of an operating system. It solves the problem in the prior art that dual authentication with a static password and a dynamic password cannot be realized in Windows safe mode. The method comprises the following steps: S101, when the Windows system starts, determining the current start-up mode; S102, when the current start-up mode is safe mode, automatically looking up the system call descriptor table and entering a custom login authentication procedure; and S103, loading a dynamic password procedure. Because the custom login authentication procedure runs in safe mode, the user can log in securely in safe mode with dynamic password authentication combined with the original static password authentication. This improves the security of the Windows system, protects the user's data, and keeps the system easy to maintain.

Description

Operating system security login authentication implementation method
Technical field
The present invention relates to the field of information security, and in particular to an operating system security login authentication implementation method.
Background
With the development of information technology, information security is applied ever more widely in every field. In the field of information security, identity authentication is often the first gateway to an information system, and its security receives increasing attention. Correspondingly, dynamic password technology, which strengthens the security of identity authentication, is being applied in more and more fields.
For example, on enterprise computers running the Windows operating system, different employees store important data, including technical information, customer data, corporate strategy documents, financial data and so on. Generally, however, the password a user uses to log in to Windows is a weak password: a fixed password made of letters, digits or a combination of the two. The security coefficient of this password scheme is very low; the system is easily broken into by an attacker, which poses a security risk to Windows users and leads to leakage of computer data.
For this kind of security problem, the usual method in the prior art is to use Windows GINA (Graphical Identification and Authentication) programming to add an OTP (One-time Password, dynamic password) authentication step when logging in to Windows, so that static password authentication is combined with dynamic password authentication at login. However, if Windows is started in safe mode, the GINA module is not loaded, and this solution cannot achieve the combined static and dynamic password authentication; yet completely disabling Windows safe mode would cause great trouble for system maintenance.
Summary of the invention
The object of the present invention is to provide an operating system security login authentication implementation method that solves the problem in the prior art that dual authentication with a static password and a dynamic password cannot be realized in Windows safe mode, thereby providing a more secure login authentication solution for Windows safe mode and guaranteeing the security of the Windows system.
In order to achieve the above object, the present invention provides an operating system security login authentication implementation method, the method comprising:
S101. when the Windows system starts, determining the current start-up mode;
S102. if the current start-up mode is safe mode, automatically looking up the system call descriptor table and entering a custom login authentication flow;
S103. loading a dynamic password flow.
Further, the method also comprises:
setting the start-up parameter of the custom login authentication flow in advance to the boot type (that is, started during the boot process, at system level).
Further, automatically looking up the system call descriptor table and entering the custom login authentication flow specifically comprises:
modifying the system call descriptor table to change the call address to the address of a new user-mode program, the new user-mode program address pointing to the custom login authentication flow.
By changing the execution path of the system, the system automatically enters the custom login authentication module when it starts, without affecting the operation of other modules of the system, which improves the stability and security of system operation.
Further, in step S102, calling the custom login authentication flow specifically comprises:
S1021. setting the registry key value to 0;
S1022. determining whether the current process is the logon process and, if so, determining whether the logon process is querying the registry key value;
S1023. if the registry key value queried by the logon process is 0, loading the graphical identification and authentication module GINA.
By setting the registry key value, the logon process automatically enters the graphical logon authentication module when it runs, and a dynamic password dialog box is added, which provides the prerequisite for entering the dynamic password and the static password at the same time.
Further, the method also comprises:
if the logon process is not querying the registry key value, continuing to call the system's original user-mode program.
When the logon process is not querying the registry value, execution continues along the system's original path, so the operating mode of the system is not changed and no malfunction of the system is caused.
By adding a custom login authentication flow that runs in safe mode, the present invention allows the user to perform, in safe mode, a secure login that combines dynamic password authentication with the original static password authentication. This improves the security of the Windows system and protects the user's data without adding to the burden of system maintenance.
Description of the drawings
The present invention is described in further detail below with reference to the drawings and specific embodiments:
Fig. 1 is a flowchart of the operating system security login authentication implementation method of an embodiment of the present invention;
Fig. 2 is a flowchart of calling the custom login authentication flow in an embodiment of the present invention.
Detailed description
In order to explain the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
As a specific embodiment, Fig. 1 is a flowchart of the operating system security login authentication implementation method of an embodiment of the present invention; the method comprises:
S101. when the Windows system starts, determining the current start-up mode;
S102. if the current start-up mode is safe mode, automatically looking up the system call descriptor table and entering a custom login authentication flow;
This custom login authentication flow is used to load the Windows GINA module in safe mode and to provide the dialog box for entering the dynamic password and the static password, because in the prior art, when Windows starts in safe mode, non-system modules are not loaded and run.
In the embodiment of the present invention the start-up parameter of the custom login authentication flow is set in advance to the boot type, so that when the Windows system runs in safe mode the custom login authentication flow is loaded and run. This provides, in safe mode, the interactive window in which the static password and the dynamic password are entered for authentication at the same time, establishing the prerequisite for dual authentication.
Here, automatically looking up the system call descriptor table and entering the custom login authentication flow specifically comprises:
modifying the system call descriptor table to change the call address to the address of the new user-mode program;
In the embodiment of the present invention the system call descriptor table must be modified in advance, replacing the address of the system's original user-mode program (NtQueryValueKey) with the address of the new user-mode program (NewNtQueryValueKey), so that all calls to the original user-mode system program are forwarded to the new user-mode program NewNtQueryValueKey. By changing the execution path of the system, the system automatically enters the custom login authentication flow when it starts, without affecting the operation of other modules during system start-up; this improves the stability and security of system operation and does not add to the burden of system maintenance.
And in step S102, calling the custom login authentication flow specifically comprises:
S1021. setting the registry key value to 0;
S1022. determining whether the current process is the logon process and, if so, determining whether the logon process is querying the registry key value;
S1023. if the registry key value queried by the logon process is 0, loading the graphical identification and authentication module GINA.
By setting the registry key value, the logon process automatically enters the graphical logon authentication module when it runs, and a dynamic password dialog box is added, which provides the prerequisite for entering the dynamic password and the static password at the same time. In the new user-mode program, the function NewNtQueryValueKey first determines whether the process currently calling the function is the winlogon.exe process. If it is not the logon process winlogon.exe, it simply continues to call the system's original user-mode program NtQueryValueKey. If it is the logon process winlogon.exe, it then determines whether winlogon.exe is querying the registry key value OptionValue. If it is not querying the OptionValue key value, it continues to call the system's original user-mode program NtQueryValueKey; if it is, it directly returns the query result, namely that the registry key value OptionValue is 0, and does not go on to call the original system NtQueryValueKey. When the logon process is not querying the registry value, execution continues along the system's original path, so the operating mode of the system is not changed and no malfunction of the system is caused.
In this way, the winlogon.exe logon process of the Windows system reads the value of the registry key OptionValue as 0 and treats Windows as a normal start, so the GINA module is loaded, while the other functional modules of the Windows operating system are unaffected: they continue to treat the current start-up mode as safe mode and work according to the safe-mode configuration.
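As an added illustration (not code from the patent), the decision logic of NewNtQueryValueKey described above, modelled in Python against a constructed mock registry and call table, with a known-good snapshot comparison standing in for a table integrity check on the defender's side. The names winlogon.exe and OptionValue come from the page; the safe-mode encoding (1), the process name services.exe and the dictionary-based "table" are assumptions of this model.

```python
# Added example (not the patent's code): a user-space model of the redirection the
# page describes. The "syscall table" and "registry" are constructed stand-ins for the
# kernel structures; only the decision logic of NewNtQueryValueKey follows the page.

LOGON_PROCESS = "winlogon.exe"        # process the hook singles out (from the page)
BOOT_MODE_VALUE = "OptionValue"       # registry value winlogon reads for the boot mode
NORMAL_BOOT = 0                       # the page: winlogon reading 0 means "normal start"

# Constructed mock registry. Encoding safe mode as 1 is an assumption of this model.
REGISTRY = {BOOT_MODE_VALUE: 1, "Shell": "explorer.exe"}


def nt_query_value_key(caller, value_name):
    """Stand-in for the original NtQueryValueKey: an unfiltered registry lookup."""
    return REGISTRY.get(value_name)


# Mock system call table; the snapshot is the defender's known-good copy.
SYSCALL_TABLE = {"NtQueryValueKey": nt_query_value_key}
KNOWN_GOOD = dict(SYSCALL_TABLE)


def new_nt_query_value_key(caller, value_name):
    """Model of NewNtQueryValueKey (steps S1021-S1023 on the page)."""
    original = KNOWN_GOOD["NtQueryValueKey"]
    if caller != LOGON_PROCESS:          # not winlogon: pass straight through
        return original(caller, value_name)
    if value_name != BOOT_MODE_VALUE:    # winlogon, but a different value: pass through
        return original(caller, value_name)
    return NORMAL_BOOT                   # winlogon asking for OptionValue: answer 0


def install_hook():
    """Replace the table entry, as the page does with the system call descriptor table."""
    SYSCALL_TABLE["NtQueryValueKey"] = new_nt_query_value_key


def remove_hook():
    """Restore the original entry from the known-good copy."""
    SYSCALL_TABLE["NtQueryValueKey"] = KNOWN_GOOD["NtQueryValueKey"]


def query(caller, value_name):
    """Dispatch the way a caller would: through whatever the table currently holds."""
    return SYSCALL_TABLE["NtQueryValueKey"](caller, value_name)


def gina_would_load():
    """winlogon loads GINA only when it believes the boot is normal."""
    return query(LOGON_PROCESS, BOOT_MODE_VALUE) == NORMAL_BOOT


def other_process_sees_safe_mode(process="services.exe"):
    """Other modules keep seeing the real safe-mode value (the page's 'unaffected' claim)."""
    return query(process, BOOT_MODE_VALUE) == REGISTRY[BOOT_MODE_VALUE]


def redirected_services():
    """Defender-side integrity check: entries that no longer match the known-good copy."""
    return [name for name, target in SYSCALL_TABLE.items() if target is not KNOWN_GOOD[name]]


if __name__ == "__main__":
    print("before hook: GINA loads?", gina_would_load(), "redirected:", redirected_services())
    install_hook()
    print("after hook:  GINA loads?", gina_would_load(), "redirected:", redirected_services())
    print("services.exe still sees safe mode?", other_process_sees_safe_mode())
```

The same known-good comparison is what a host-integrity check does against the real table: an entry whose target is not the kernel's own routine is the observable trace of this technique, whether it was installed for dual authentication or by malware.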
S103. loading the dynamic password flow.
After the GINA module is loaded, the OTP authentication module can be hooked in by the conventional method, realizing authentication that combines the static password with the dynamic password at login in safe mode, while the login module of the Windows operating system itself works in its normal mode. Thus dual authentication with a static password combined with a dynamic password is achieved; at the same time the other functional modules of the Windows operating system are not affected and continue to start in safe mode, which guarantees the safe operation of the other modules of the system and improves the stability of the system while realizing dual authentication with a dynamic password and a static password.
In summary, by adding a custom login authentication flow that runs in safe mode, the present invention allows the user to perform, in safe mode, a secure login that combines dynamic password authentication with the original static password authentication. This improves the security of the Windows system, protects the user's data, leaves the other modules of the system unaffected, guarantees correct and safe operation of the system, and does not add to the burden of system maintenance.
The above is only the preferred embodiment of the present invention. It should be pointed out that those skilled in the art can also make some improvements and modifications without departing from the principles of the present invention, and these improvements and modifications should also be regarded as falling within the scope of protection of the present invention.

Claims (5)

1. An operating system security login authentication implementation method, characterized in that the method comprises:
S101. when the Windows system starts, determining the current start-up mode;
S102. if the current start-up mode is safe mode, automatically looking up the system call descriptor table and calling a custom login authentication flow;
S103. loading a dynamic password module.
2. The operating system security login authentication implementation method according to claim 1, characterized in that the method also comprises:
setting the start-up parameter of the custom login authentication flow in advance to the boot type.
3. The operating system security login authentication implementation method according to claim 2, characterized in that automatically looking up the system call descriptor table and calling the custom login authentication flow specifically comprises:
modifying the system call descriptor table to change the call address to the address of a new user-mode program, the new user-mode program address pointing to the custom login authentication flow.
4. The operating system security login authentication implementation method according to claim 3, characterized in that in step S102, calling the custom login authentication flow specifically comprises:
S1021. setting the registry key value to 0;
S1022. determining whether the current process is the logon process and, if so, determining whether the logon process is querying the registry key value;
S1023. if the registry key value queried by the logon process is 0, loading the graphical identification and authentication module GINA.
5. The operating system security login authentication implementation method according to claim 4, characterized in that the method also comprises:
if the logon process is not querying the registry key value, continuing to call the system's original user-mode program.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201410351132.9A (CN104102887B) | 2014-07-22 | 2014-07-22 | Operating system security login authentication implementation method

Publications (2)

Publication Number | Publication Date
CN104102887A | 2014-10-15
CN104102887B | 2018-01-12

Family

Family ID: 51671030

Family Applications (1)

Application Number | Title | Priority Date | Filing Date | Status
CN201410351132.9A (CN104102887B) | Operating system security login authentication implementation method | 2014-07-22 | 2014-07-22 | Active

Country Status (1)

Country | Link
CN | CN104102887B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN104539635A (en) * | 2015-01-22 | 2015-04-22 | 成都卫士通信息安全技术有限公司 | Windows 7-based secure login setting method and secure login method based on Windows 7-based secure login setting method
CN115189960A (en) * | 2022-07-18 | 2022-10-14 | 西安热工研究院有限公司 | Authentication method combining static password and dynamic password

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
US5592553A (en) * | 1993-07-30 | 1997-01-07 | International Business Machines Corporation | Authentication system using one-time passwords
US5732137A (en) * | 1994-06-03 | 1998-03-24 | Sun Microsystems, Inc. | Method and apparatus for secure remote authentication in a public network
CN1828623A (en) * | 2006-04-11 | 2006-09-06 | 北京飞天诚信科技有限公司 | Method for protecting computer login using disposable password
CN103685232A (en) * | 2013-11-11 | 2014-03-26 | 上海乐今通信技术有限公司 | Mobile terminal and mobile application login method

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
上海宁盾信息科技有限公司: "DKEY for Windows Server", HTTP://WWW.NDKEY.COM/INDEX.PHP?_M=MOD_PRODUCT&_A=VIEW&P_ID=657 *
韩君: "Research on Windows identity authentication and access control based on USB Key", China Master's Theses Full-text Database, Information Science and Technology series *

Also Published As

Publication number | Publication date
CN104102887B (en) | 2018-01-12

Legal Events

Code | Title | Description
C06 | Publication |
PB01 | Publication |
C10 | Entry into substantive examination |
SE01 | Entry into force of request for substantive examination |
C41 | Transfer of patent application or patent right or utility model |
TA01 | Transfer of patent application right | Effective date of registration: 20160315. Address after: 201821, room 4, building 1411, 211 Yecheng Road, Jiading Industrial Zone, Shanghai, China. Applicant after: Shanghai PeopleNet Security Technology Co., Ltd. Address before: 201203 Shanghai City, Pudong New Area Zhangjiang hi tech park Zuchongzhi Road No. 899 Building 9 room 01 4. Applicant before: Shanghai everybody Science and Technology Ltd.
GR01 | Patent grant |