CN104102887B - Operating systems implement secure login authentication method - Google Patents


Info

Publication number: CN104102887B
Application number: CN201410351132.9A
Authority: CN (China)
Prior art keywords: process, system, mode, login authentication, login
Other languages: Chinese (zh)
Other versions: CN104102887A (en)
Inventors: 谈剑锋, 尤磊, 钱金金
Original assignee: 上海众人网络安全技术有限公司
Priority date: 2014-07-22
Filing date: 2014-07-22
Publication date: 2018-01-12

Events:
Application filed by 上海众人网络安全技术有限公司
Priority to CN201410351132.9A
Publication of CN104102887A (2014-10-15)
Application granted
Publication of CN104102887B (2018-01-12)

Abstract

The present invention provides a method for implementing secure login authentication for an operating system, which solves the problem in the prior art that dual authentication with a static password and a dynamic password (one-time password) cannot be achieved in Windows safe mode. The method comprises: S101. when the Windows system starts, determine the current boot mode; S102. if the current boot mode is safe mode, automatically locate the system call descriptor table and enter the custom login authentication procedure; S103. load the dynamic password procedure. By adding the custom login authentication procedure to safe-mode operation, the user can perform a secure login in safe mode that combines dynamic password authentication with the original static password authentication, which improves the security of the Windows system and protects user data without adding to the system's maintenance burden.

Description

Method for implementing secure login authentication for an operating system

Technical field

[0001] The present invention relates to the field of information security, and in particular to a method for implementing secure login authentication for an operating system.

Background

[0002] With the development of information technology, information security is applied ever more widely and deeply in every field. In information security, identity authentication is usually the first key to using an information system, and its security receives increasing attention. Accordingly, dynamic password (one-time password) technology, which strengthens the security of identity authentication, has been applied in more and more fields.

[0003] For example, on enterprise computers running the Windows operating system, different employees store important data, including technical documents, customer records, corporate strategy files and financial data. In most cases, however, the password a user uses to log in to Windows is a weak one: a fixed password consisting of letters, digits or a combination of the two. The protection this offers is very low, the system is easily compromised by an attacker, and Windows users are exposed to a security risk that can lead to leakage of the data on the computer.

[0004] The approach commonly taken in the prior art to this kind of security problem is to use Windows GINA (Graphical Identification and Authentication) programming to add an OTP (One-time Password, dynamic password) authentication step to the Windows login, so that login authentication combines the static password with a dynamic password. However, when Windows is booted in safe mode the GINA module is not loaded, so this solution cannot provide combined static and dynamic password authentication; and disabling Windows safe mode entirely would cause great trouble for system maintenance.

Summary of the invention

[0005] The object of the present invention is to provide a method for implementing secure login authentication for an operating system that solves the prior-art problem that dual authentication with a static password and a dynamic password cannot be achieved in Windows safe mode, thereby providing a more secure login authentication solution for Windows safe mode and ensuring the security of the Windows system.

[0006] To achieve the above object, the present invention provides a method for implementing secure login authentication for an operating system, the method comprising:

[0007] S101. When the Windows system starts, determining the current boot mode;

[0008] S102. If the current boot mode is safe mode, automatically locating the system call descriptor table and entering the custom login authentication procedure;

[0009] S103. Loading the dynamic password procedure.

[0010] Further, the method also comprises:

[0011] Presetting the startup parameter of the custom login authentication procedure to the boot type (i.e. started during the boot process, at system level).

[0012] Further, automatically locating the system call descriptor table and entering the custom login authentication procedure specifically comprises:

[0013] Modifying the system call descriptor table so that the call address is changed to the address of a new user-mode application, the new user-mode application address pointing to the custom login authentication procedure.

[0014] By changing the system's execution path, the system automatically enters the custom login authentication module at startup without affecting the operation of other system modules, which improves the stability and security of system operation.

[0015] Further, in step S102, calling the custom login authentication procedure specifically comprises:

[0016] S1021. Setting the registry key value to 0;

[0017] S1022. Determining whether the current process is the login process and, if so, determining whether the login process is querying the registry key value;

[0018] S1023. If the registry key value queried by the login process is 0, loading the graphical identification and authentication module GINA.

[0019] By setting the registry key value, the graphical identification and authentication module is entered automatically while the login process is running, and a dynamic password dialog box is added, which is the precondition for entering the dynamic password and the static password together.

[0020] Further, the method also comprises:

[0021] If the login process does not query the registry key value, continuing to call the system's original user-mode application.

[0022] When the login process does not query the registry value, execution continues along the system's original path, the system's operating mode is not changed, and no abnormal operation of the system results.

[0023] By adding the custom login authentication procedure to safe-mode operation, the present invention allows the user to perform a secure login in safe mode that combines dynamic password authentication with the original static password authentication, which improves the security of the Windows system and protects user data without adding to the system's maintenance burden.

Brief description of the drawings

[0024] The present invention is described in further detail below with reference to the drawings and specific embodiments:

[0025] Fig. 1 is a flowchart of a method for implementing secure login authentication for an operating system according to an embodiment of the present invention;

[0026] Fig. 2 is a flowchart of calling the custom login authentication procedure according to an embodiment of the present invention.

Detailed description

[0027] To illustrate the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and a person of ordinary skill in the art could derive other drawings from them without creative effort.

[0028] As a specific embodiment, Fig. 1 is a flowchart of a method for implementing secure login authentication for an operating system according to an embodiment of the present invention, the method comprising:

[0029] S101. When the Windows system starts, determining the current boot mode;

[0030] S102. If the current boot mode is safe mode, automatically locating the system call descriptor table and entering the custom login authentication procedure;

[0031] The custom login authentication procedure is used to load the Windows GINA module in safe mode and to provide a dialog box for entering the dynamic password and the static password, because in the prior art non-system modules are not loaded and run when Windows boots in safe mode.

[0032] In the embodiment of the present invention, the startup parameter of the custom login authentication procedure is preset to the boot type, so that the custom login authentication procedure is loaded and run when the Windows system is running in safe mode. This provides, in safe mode, a dialog window in which the static password and the dynamic password are entered together for authentication, which is the precondition for dual authentication.

[0033] Automatically locating the system call descriptor table and entering the custom login authentication procedure specifically comprises:

[0034] Modifying the system call descriptor table so that the call address is changed to the address of the new user-mode application;

[0035] In the embodiment of the present invention, the system call descriptor table must be modified in advance, replacing the address of the system's original user-mode application (NtQueryValueKey) with the address of the new user-mode application (NewNtQueryValueKey), so that every call to the original user-mode system program is redirected to a call to the new user-mode application NewNtQueryValueKey. By changing the system's execution path, the system automatically enters the custom login authentication procedure at startup without affecting the operation of other modules during the boot process, which improves the stability and security of system operation without adding to the system's maintenance burden.

[0036] In step S102, calling the custom login authentication procedure specifically comprises:

[0037] S1021. Setting the registry key value to 0;

[0038] S1022. Determining whether the current process is the login process and, if so, determining whether the login process is querying the registry key value;

[0039] S1023. If the registry key value queried by the login process is 0, loading the graphical identification and authentication module GINA.

[0040] By setting the registry key value, the graphical identification and authentication module is entered automatically while the login process is running, and a dynamic password dialog box is added, which is the precondition for entering the dynamic password and the static password together. Inside the new user-mode application, the NewNtQueryValueKey function, it is first determined whether the process calling the function is the winlogon.exe process. If it is not the login process winlogon.exe, the system's original user-mode application NtQueryValueKey continues to be called. If it is the login process winlogon.exe, it is then determined whether winlogon.exe is querying the registry key value OptionValue. If it is not querying the value OptionValue, the system's original user-mode application NtQueryValueKey continues to be called; if it is, the query result is returned directly, namely that the registry key value OptionValue is 0, and the original system NtQueryValueKey is not called. When the login process does not query the registry value, execution continues along the system's original path, the system's operating mode is not changed, and no abnormal operation of the system results.

[0041] In this way, the winlogon.exe login process of the Windows system reads the registry value OptionValue as 0 and considers Windows to have started normally, so the GINA module is loaded, while the other functional modules of the Windows operating system are unaffected and continue to consider the current boot mode to be safe mode and work according to the safe-mode configuration.

[0042] S103. Loading the dynamic password procedure.
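The decision logic that paragraphs [0035] and [0040] place inside NewNtQueryValueKey, as an added user-space C simulation that is not part of the patent and is not the applicant's code. It models the system call descriptor table (the SSDT on Windows) as an array of function pointers, the registry as a single variable holding OptionValue (the page does not give the registry path, and none is needed here), and the calling process as a string argument; the status codes, the sample caller name services.exe, and every identifier prefixed sim_ are constructed for the simulation. Alongside the hook it includes the check a defender would run against it: comparing the live table with a known-good copy, which is how anti-rootkit tools flag exactly this kind of entry replacement.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated registry state: the only value modelled is the OptionValue the
 * patent refers to. 1 = booted in safe mode (constructed sample state). */
static uint32_t g_option_value = 1;

/* NTSTATUS-like return codes (constructed for the simulation). */
#define SIM_STATUS_SUCCESS   0
#define SIM_STATUS_NOT_FOUND 1

/* Signature of the simulated registry query service. The caller's image name
 * stands in for the process context a kernel hook would inspect. */
typedef int (*query_value_fn)(const char *caller, const char *value_name,
                              uint32_t *out);

/* The original, unhooked service (stands in for NtQueryValueKey). */
static int sim_NtQueryValueKey(const char *caller, const char *value_name,
                               uint32_t *out) {
    (void)caller;
    if (strcmp(value_name, "OptionValue") == 0) {
        *out = g_option_value;
        return SIM_STATUS_SUCCESS;
    }
    return SIM_STATUS_NOT_FOUND;
}

/* Simulated system call descriptor table: one slot per service, plus the
 * known-good copy an integrity checker keeps for comparison. */
enum { SVC_QUERY_VALUE_KEY = 0, SVC_COUNT };
static query_value_fn g_ssdt[SVC_COUNT] = { sim_NtQueryValueKey };
static const query_value_fn g_ssdt_known_good[SVC_COUNT] = { sim_NtQueryValueKey };

/* Saved original pointer, used by the replacement for pass-through. */
static query_value_fn g_original = sim_NtQueryValueKey;

/* Replacement service implementing the S1021-S1023 decision logic: only the
 * logon process, and only for OptionValue, is answered with 0 (normal boot). */
static int sim_NewNtQueryValueKey(const char *caller, const char *value_name,
                                  uint32_t *out) {
    if (strcmp(caller, "winlogon.exe") == 0 &&
        strcmp(value_name, "OptionValue") == 0) {
        *out = 0;
        return SIM_STATUS_SUCCESS;
    }
    /* Every other caller or value follows the original execution path. */
    return g_original(caller, value_name, out);
}

/* Replace the table entry, as step S102 describes. */
void install_hook(void) {
    g_original = g_ssdt[SVC_QUERY_VALUE_KEY];
    g_ssdt[SVC_QUERY_VALUE_KEY] = sim_NewNtQueryValueKey;
}

/* Dispatch through the table, as the service dispatcher would, and return the
 * OptionValue the named caller observes (UINT32_MAX if the query fails). */
uint32_t option_value_seen_by(const char *caller) {
    uint32_t v = 0;
    int st = g_ssdt[SVC_QUERY_VALUE_KEY](caller, "OptionValue", &v);
    return st == SIM_STATUS_SUCCESS ? v : UINT32_MAX;
}

/* Integrity check of the kind anti-rootkit tools run over the SSDT: the
 * number of entries that no longer point at their known-good handler. */
int count_modified_entries(void) {
    int n = 0;
    for (int i = 0; i < SVC_COUNT; i++) {
        if (g_ssdt[i] != g_ssdt_known_good[i]) {
            n++;
        }
    }
    return n;
}

int main(void) {
    printf("before hook: winlogon.exe sees %u, modified entries %d\n",
           option_value_seen_by("winlogon.exe"), count_modified_entries());
    install_hook();
    printf("after hook: winlogon.exe sees %u, services.exe sees %u, modified entries %d\n",
           option_value_seen_by("winlogon.exe"), option_value_seen_by("services.exe"),
           count_modified_entries());
    return 0;
}
```

Two caveats a practitioner would attach to the method as described: the entry replacement in S102 is the same primitive kernel-mode rootkits use, so on 64-bit Windows Kernel Patch Protection treats a modified SSDT as a fatal error and integrity checks like the one above will flag it; and GINA exists only through Windows XP and Server 2003, since later releases replaced it with credential providers, so the GINA-loading step applies only to those versions.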

[0043] After the GINA module is loaded, the OTP authentication module can be hooked in the conventional way to achieve authentication that combines the static password with the dynamic password at login in safe mode. The Windows operating system's own login module works as in normal mode, so dual authentication with the static password combined with the dynamic password is achieved, while the other functional modules of the Windows operating system are unaffected and continue to start in safe mode, which ensures the safe operation of the other system modules, improves system stability, and achieves dual dynamic password and static password authentication.

[0044] In summary, by adding the custom login authentication procedure to safe-mode operation, the present invention allows the user to perform a secure login in safe mode that combines dynamic password authentication with the original static password authentication, which improves the security of the Windows system, protects user data, leaves the other modules of the system unaffected, ensures the correct and safe operation of the system, and does not add to the system's maintenance burden.

[0045] The above is only a preferred embodiment of the present invention. It should be noted that a person of ordinary skill in the art could make several improvements and modifications without departing from the principles of the present invention, and such improvements and modifications should also be regarded as falling within the scope of protection of the present invention.

Claims (1)

1. A method for implementing secure login authentication for an operating system, characterized in that the method comprises:
S101. When the Windows system starts, determining the current boot mode;
S102. If the current boot mode is safe mode, automatically locating the system call descriptor table and calling the custom login authentication procedure;
S103. Loading the dynamic password module;
the custom login authentication procedure being used to load the Windows GINA module in safe mode and to provide a dialog box for entering the dynamic password and the static password;
the method further comprising: presetting the startup parameter of the custom login authentication procedure to the boot type;
automatically locating the system call descriptor table and calling the custom login authentication procedure specifically comprising: modifying the system call descriptor table so that the call address is changed to the address of a new user-mode application, the new user-mode application address pointing to the custom login authentication procedure;
calling the custom login authentication procedure specifically comprising:
S1021. Setting the registry key value to 0;
S1022. Determining whether the current process is the login process and, if so, determining whether the login process is querying the registry key value;
S1023. If the registry key value queried by the login process is 0, loading the graphical identification and authentication module GINA; if the login process does not query the registry key value, continuing to call the system's original user-mode application.

Priority Applications (1)

Application number: CN201410351132.9A; priority date: 2014-07-22; filing date: 2014-07-22; title: Operating systems implement secure login authentication method; publication: CN104102887B (en)

Applications Claiming Priority (1)

Application number: CN201410351132.9A; priority date: 2014-07-22; filing date: 2014-07-22; title: Operating systems implement secure login authentication method; publication: CN104102887B (en)

Publications (2)

CN104102887A (en), published 2014-10-15
CN104102887B (en), published 2018-01-12

Family

ID=51671030

Family Applications (1)

Application number: CN201410351132.9A; priority date: 2014-07-22; filing date: 2014-07-22; title: Operating systems implement secure login authentication method; publication: CN104102887B (en)

Country Status (1)

CN (1): CN104102887B (en)

Families Citing this family (1)

(* cited by examiner, † cited by third party)
CN104539635A (en) *, priority date 2015-01-22, published 2015-04-22, 成都卫士通信息安全技术有限公司: Windows 7-based secure login setting method and secure login method based on Windows 7-based secure login setting method

Family Cites Families (4)

(* cited by examiner, † cited by third party)
JP3053527B2 (en) *, priority date 1993-07-30, published 2000-06-19, インターナショナル・ビジネス・マシーンズ・コーポレイション: Method and apparatus to enable a password, a method and apparatus for generating and preliminarily activate the password, a method and apparatus for controlling the access of the resource by using the authentication code
US5604803A (en) *, priority date 1994-06-03, published 1997-02-18, Sun Microsystems, Inc.: Method and apparatus for secure remote authentication in a public network
CN100365641C (en) *, priority date 2006-04-11, published 2008-01-30, 北京飞天诚信科技有限公司: Method for protecting computer login using disposable password
CN103685232A (en) *, priority date 2013-11-11, published 2014-03-26, 上海乐今通信技术有限公司: Mobile terminal and mobile application login method

Also Published As

Publication number Publication date
CN104102887A (en) 2014-10-15


Legal Events

Code: C06; title: Publication
Code: C10; title: Entry into substantive examination
Code: C41; title: Transfer of patent application or patent right or utility model
Code: GR01