CN104735085A - Terminal two-factor secure login protection method - Google Patents

Terminal two-factor secure login protection method

Info

Publication number
CN104735085A
Authority
CN
China
Prior art keywords
client
computer
usbkey
login
terminal
Prior art date
Legal status
Pending
Application number
CN201510176375.8A
Other languages
Chinese (zh)
Inventor
高广涛
徐彭城
Current Assignee
SHANGHAI HANBANGJINGTAI DIGITAL CODE TECHNOLOGY Co Ltd
Original Assignee
SHANGHAI HANBANGJINGTAI DIGITAL CODE TECHNOLOGY Co Ltd
Priority date
2015-04-15
Filing date
2015-04-15
Publication date
2015-06-24
Application filed by SHANGHAI HANBANGJINGTAI DIGITAL CODE TECHNOLOGY Co Ltd
Priority to CN201510176375.8A
Publication of CN104735085A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses a terminal two-factor secure login protection method. An audit center is installed on a server and a host sensor is installed on a client; the audit center issues login supervision rules to the client and enables login supervision; the client automatically enables USB (universal serial bus) key authentication; the USB key has user information and an initial PIN (personal identification number) code written into it during mass production; after the USB key is plugged into a computer, the PIN code is entered and verification must pass. The terminal two-factor secure login protection method has the advantages that USB key authentication with a password is used as the start-up login verification, driver-level encryption technology is employed, illegal operations such as unauthorized access to a computer and the theft or modification of confidential files are effectively prevented, and the security of a personal computer is improved.

Description

Terminal two-factor secure login protection method
Technical field
The present invention relates to the field of computer security technology, and specifically to a terminal two-factor secure login protection method.
Background technology
Login authentication is the process of confirming an operator's identity in a computer network, and the effective solution that has emerged for it. In the networked world all information, including a user's identity, is represented by a specific set of data; a computer can only recognise a user's digital identity, and every authorization granted to a user is in fact an authorization granted to that digital identity.
The basic methods of authenticating a user fall into three kinds: (1) authentication based on secret information; (2) authentication based on a trusted object; (3) authentication based on biometric characteristics. To reach a higher level of authentication security, some scenarios combine two of these three kinds, that is, two-factor authentication.
A USB key alone is commonly used to hold the authentication certificate, but once the USB key is obtained by someone else the target computer can still be opened, and the server has no way of knowing which client computer was opened; this approach is therefore very unsafe.
The technical problems at present mainly concern the deployment of PKI: PKI is too complex and large, and if no PKI system has been deployed in the enterprise, deploying PKI solely for this authentication method is rather complicated. Therefore, if only a few machines need to use a USB key to log in to a computer, the cost is too high; if it is applied where PKI is already deployed and a large number of machines use USB keys to log in to computers, two-factor authentication technology is a good choice.
Summary of the invention
The object of the present invention is to provide a terminal two-factor secure login protection method that solves the problems raised in the background above.
To achieve the above object, the invention provides the following technical scheme:
A terminal two-factor secure login protection method, whose specific operating steps are as follows: (1) install an audit center on the server side and a host sensor on the client; (2) the audit center issues login supervision rules to the client and enables login supervision, whereupon the client automatically enables USB key authentication; the USB key has user information and an initial PIN code written into it during mass production; (3) plug the USB key into the computer, enter the PIN code, and wait for verification to pass.
Compared with the prior art, the beneficial effects of the invention are as follows:
(1) through the PIN code, the invention ensures that a non-holder cannot use the key, and once verification takes place, the information of the current client and of the USB key is sent to the server, thus securing the login of the personal computer;
(2) the terminal two-factor secure login protection technique uses USB key authentication plus a password as the start-up login credential for Linux terminal logins and employs driver-level encryption technology, effectively preventing illegal operations such as unauthorized access to the computer and the theft or modification of confidential files, thereby improving the security of the personal computer;
(3) adopting two-factor authentication technology effectively prevents unauthorized users from logging in to the computer: the client software can read the certificate in the USB key through the key's interface to obtain the user information, and after a successful match requires the user to enter the USB key's PIN code to confirm that the current user is the legitimate user of that USB key, thus ensuring the security of the personal computer.
Embodiment
The technical scheme in the embodiments of the present invention is described clearly and completely below in conjunction with those embodiments; obviously, the embodiments described are only some of the embodiments of the invention and not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the invention without creative effort fall within the scope of protection of the invention.
A terminal two-factor secure login protection method: (1) install an audit center on the server side and a host sensor on the client; (2) the audit center issues login supervision rules to the client and enables login supervision, whereupon the client automatically enables USB key authentication; the USB key has user information and an initial PIN code written into it during mass production; (3) plug the USB key into the computer, enter the PIN code, and wait for verification to pass.
The USB key has a unique serial number. Binding that unique serial number means that, while the user information is authenticated, the legitimacy of the key is also checked, so that only the unique USB key bound at binding time can open the specified computer.
The method of the invention combines hardware (the USB key) and software (the client) in a secure login facility based on PKI, achieving dual authentication of physical identity and user identity: the digital certificate that identifies the user's role identity on the terminal computer or in the domain environment is bound to operating-system privileges, and together with the hardware USB key this realizes secure login for terminals in the internal network or domain environment.
Adopting two-factor authentication technology effectively prevents unauthorized users from logging in to the computer. The client software can read the certificate in the USB key through the key's interface to obtain the user information; after a successful match it requires the user to enter the USB key's PIN code to confirm that the current user is the legitimate user of that USB key, thus ensuring the security of the personal computer. The PIN code cannot be obtained by software means: the verification is completed by the main control chip inside the USB key, which notifies the client software of the result.
Using USB key authentication plus a password as the authentication credential effectively and securely solves the basic problem of repudiation of identity and behaviour. Logging in to the computer with a USB key is more reliably secure: whether the login succeeds or fails, the client sends to the server the certificate information (including the user information) in the USB key currently attempting to log in, together with the system information and hardware information of the computer being logged in to. In this way the server learns in real time which computer is being logged in to and whether the login succeeded, and uses this to judge whether an illegal login is taking place.
At the same time, the user need not shut down when leaving in order to keep information secure: when the USB key is removed from the computer, the client software automatically puts the computer into a screen-locked state, and it can be unlocked again only after the USB key is plugged in and authentication passes.
The whole two-factor authentication system uses PKCS#11 technology, establishing the legitimacy of the key by verifying the certificate; at the same time the PIN code set by the main control chip provides double protection and unique-medium binding; and once verification starts, the client program actively collects computer information and USB key information and reports them to the server, so that the usage of client computers is tracked in real time.
PKCS#11 is a complete specification for operating on digital certificates; the digital certificate uses a SHA-1 digital-signature scheme, which gives the certificate uniqueness and thereby gives the USB key uniqueness.
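As an added illustration of the client/server flow described in this embodiment section (the three operating steps, the serial-number binding, the in-key PIN check, the per-attempt report to the audit center and the lock-on-removal behaviour), the following Python simulation is example code written for this page; it is not code from the patent or its assignee. Every hostname, key serial, PIN, user name and rule is constructed for the example, the key's PIN check is simulated with a hash and a retry counter rather than a real main control chip, and no PKCS#11 library or certificate signature verification is involved.

```python
"""Simulation of the USB-key + PIN two-factor login flow (constructed example)."""
import hashlib
import hmac
from dataclasses import dataclass, field

MAX_PIN_TRIES = 3  # assumed retry limit enforced inside the key


@dataclass
class UsbKey:
    serial: str
    certificate: dict                     # user info readable through the key's interface
    _pin_hash: bytes = field(repr=False)  # stays inside the key; host software never reads it
    _tries_left: int = MAX_PIN_TRIES

    @classmethod
    def provision(cls, serial, user, initial_pin):
        """Mass-production step: write user info and the initial PIN into the key."""
        return cls(serial, {"serial": serial, "user": user}, cls._digest(initial_pin))

    @staticmethod
    def _digest(pin):
        return hashlib.sha256(pin.encode()).digest()

    def verify_pin(self, pin):
        """Performed by the key's control chip; the host only learns True/False."""
        if self._tries_left <= 0:           # key blocked after repeated wrong PINs
            return False
        if hmac.compare_digest(self._digest(pin), self._pin_hash):
            self._tries_left = MAX_PIN_TRIES
            return True
        self._tries_left -= 1
        return False


class AuditCenter:
    """Server side: issues login supervision rules and keeps the audit log."""

    def __init__(self):
        self.rules = {}      # hostname -> set of key serials bound to that host
        self.events = []

    def issue_rules(self, hostname, bound_serials):
        self.rules[hostname] = set(bound_serials)
        return {"usbkey_auth": True, "bound_serials": set(bound_serials)}

    def report(self, event):
        """Receives every attempt and re-checks the binding itself, so a
        tampered client cannot hide a login with a key not bound to the host."""
        bound = self.rules.get(event["host"]["hostname"], set())
        event["illegal"] = event["key_serial"] not in bound
        self.events.append(event)


class HostSensor:
    """Client side: enforces the rules, reports attempts, locks on key removal."""

    def __init__(self, hostname, local_user, hardware_id, audit):
        self.host = {"hostname": hostname, "os": "Linux", "hardware_id": hardware_id}
        self.local_user, self.audit = local_user, audit
        self.rules = {"usbkey_auth": False, "bound_serials": set()}
        self.locked, self.key = True, None

    def apply_rules(self, rules):
        self.rules = rules                  # step (2): rules pushed by the audit center

    def login(self, key, pin):
        """Step (3): binding check, certificate/user match, then PIN check in the key."""
        if not self.rules["usbkey_auth"]:
            reason = "USB key authentication not enabled"
        elif key.serial not in self.rules["bound_serials"]:
            reason = "key not bound to this computer"
        elif key.certificate.get("user") != self.local_user:
            reason = "certificate user does not match local account"
        elif not key.verify_pin(pin):
            reason = "PIN rejected by key"
        else:
            reason = None
        self.audit.report({"host": dict(self.host), "key_serial": key.serial,
                           "cert_user": key.certificate.get("user"),
                           "success": reason is None, "reason": reason})
        if reason is None:
            self.locked, self.key = False, key
            return True, "ok"
        return False, reason

    def key_removed(self):
        """Pulling the key locks the screen; a fresh login is needed to unlock."""
        self.locked, self.key = True, None


def run_scenario():
    """Constructed walk-through: unbound key, wrong PIN, success, then key removal."""
    audit = AuditCenter()
    pc = HostSensor("pc-07", "alice", "HW-CONSTRUCTED-0007", audit)
    alice_key = UsbKey.provision("KEY-0001", "alice", "1234")
    stray_key = UsbKey.provision("KEY-0099", "alice", "0000")  # valid key, not bound to pc-07
    pc.apply_rules(audit.issue_rules("pc-07", ["KEY-0001"]))
    results = [pc.login(stray_key, "0000"), pc.login(alice_key, "9999"), pc.login(alice_key, "1234")]
    unlocked = not pc.locked
    pc.key_removed()
    return results, unlocked, pc.locked, audit.events


if __name__ == "__main__":
    for r, e in zip(*run_scenario()[::3]):
        print(r, "illegal" if e["illegal"] else "bound")
```

The two design points worth noticing are that the PIN never crosses the key boundary (only the verdict does, matching the page's statement that verification is completed by the key's control chip), and that the audit center re-validates the serial binding on every report rather than trusting the client's verdict, which is what lets the server flag an illegal login even when the client has been tampered with. The page states that the certificates use SHA-1 signatures; SHA-1 is deprecated for digital signatures, so a current deployment of this scheme would issue SHA-256-signed certificates, which PKCS#11 tokens handle equally well.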

Claims (1)

1. A terminal two-factor secure login protection method, characterized in that its specific operating steps are as follows: (1) install an audit center on the server side and a host sensor on the client; (2) the audit center issues login supervision rules to the client and enables login supervision, whereupon the client automatically enables USB key authentication; the USB key has user information and an initial PIN code written into it during mass production; (3) plug the USB key into the computer, enter the PIN code, and wait for verification to pass.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510176375.8A CN104735085A (en) 2015-04-15 2015-04-15 Terminal two-factor secure login protection method

Publications (1)

Publication Number Publication Date
CN104735085A true CN104735085A (en) 2015-06-24

Family

ID=53458520

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510176375.8A Pending CN104735085A (en) 2015-04-15 2015-04-15 Terminal two-factor secure login protection method

Country Status (1)

Country Link
CN (1) CN104735085A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030012387A1 (en) * 2000-01-31 2003-01-16 Henri Gilbert Communication method with encryption key escrow and recovery
CN101256608A (en) * 2008-03-25 2008-09-03 北京飞天诚信科技有限公司 Safe operation method and system
CN101986325A (en) * 2010-11-01 2011-03-16 山东超越数控电子有限公司 Computer security access control system and method
CN202058159U (en) * 2010-11-30 2011-11-30 方正国际软件有限公司 USB key
CN102413143A (en) * 2011-12-01 2012-04-11 江苏华丽网络工程有限公司 Security audit system and method based on cloud computing

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107704749A (en) * 2017-10-25 2018-02-16 深圳竹云科技有限公司 Windows system safe login methods based on U-shield verification algorithm
CN108269091A (en) * 2018-01-25 2018-07-10 北京明华联盟科技有限公司 standby processing method, device, system and computer readable storage medium
CN108880822A (en) * 2018-06-29 2018-11-23 郑州云海信息技术有限公司 A kind of identity identifying method, device, system and a kind of intelligent wireless device
CN108880822B (en) * 2018-06-29 2021-06-29 郑州云海信息技术有限公司 Identity authentication method, device and system and intelligent wireless equipment
CN111428213A (en) * 2020-03-27 2020-07-17 深圳融安网络科技有限公司 Two-factor authentication apparatus, method thereof, and computer-readable storage medium
CN111428213B (en) * 2020-03-27 2024-02-02 深圳融安网络科技有限公司 Dual-factor authentication apparatus, method thereof, and computer-readable storage medium
CN112187729A (en) * 2020-09-08 2021-01-05 南京南瑞继保电气有限公司 Operation permission safety management and control system and method
CN118445780A (en) * 2024-05-16 2024-08-06 中国铁道科学研究院集团有限公司 Dual factor identity authentication method and system for railway signal system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20150624