KR100549645B1 - Guarding method for input data by keyboard and guarding system - Google Patents

Abstract

The present invention relates to a security method of data input to a keyboard in a local unit and a security system for implementing the same, comprising: activating an input data security module of a keyboard; An input data reception step of receiving input data of a keyboard by the security module; A key input information detecting step of detecting key input information generated by a user's key operation from the input data; A key input information encryption step of encrypting the key input information detected / processed through the detection step; An input data deletion step of deleting the input data remaining in a kernel area so that an operating system does not recognize the input data; A key input information decrypting step of decrypting the key input information encrypted in the encryption step so that an operating system can process the key input information; And a security hook execution step in which a hook procedure is executed in which the decrypted key input information is first delivered to the corresponding application program for processing and the hook procedure is first hooked in the key input information and the next order hooking does not occur. .

Description

Guarding method for input data by keyboard and guarding system

1 is a block diagram showing the configuration and signal flow of a security system according to the present invention,

FIG. 2 is a block diagram illustrating the block diagram of FIG. 1 in more detail.

3 is a block diagram showing the configuration of a security system according to the present invention for securing the input data input via the USB keyboard in the kernel area,

4 is a block diagram showing a configuration of a security system according to the present invention for securing input data input through a PS / 2 keyboard in a kernel region;

5 is a block diagram showing the configuration of a driver management module according to the present invention;

6 is a block diagram showing a configuration of a security system according to the present invention for securing input data input through a keyboard in a user area;

7 is a flowchart sequentially illustrating a security method according to the present invention,

FIG. 8 is a flowchart showing the flowchart of FIG. 7 in detail.

FIG. 9 is a flowchart specifically describing the interrupt service routine address monitoring step illustrated in FIG. 8 in more detail.

10 is a flowchart more specifically specifying a security hook execution step according to the present invention;

11 is a flowchart showing an embodiment of a filter installation method according to the present invention.

The present invention relates to a security method of data input by a keyboard in a local unit and a security system implementing the same.

During the data communication between the terminal and the terminal, the server and the server, and / or the server and the terminal, the data is leaked by various spyware or hacking programs (hereinafter, malicious programs) previously stored on the terminal and / or the server. It's not just a problem today. Particularly, among the data leakage methods made through various means, a data signal input through the keyboard is extracted before being transmitted to the operating system. Even if it is disabled through the security program, the stability of data security is not fully guaranteed.

In order to solve these problems, techniques for a security method and a system for preventing information leakage from the keyboard level have been devised.

However, these security methods and systems receive signals transmitted from the keyboard hardware (electric signals generated by the user operating the keyboard) and convert them into data recognizable by the operating system, and pass through a security driver that encrypts and decrypts the converted data. The process is delivered to the application.

This description is well described in the prior art 'Computer security system using a security input device driver' (Application No. 10-2004-0007614).

In this case, the application program proposed in the prior art is an individual program installed under an operating system (Windows, NT, etc.), which is a tool for controlling a physical computer main body, and performing a specific task. The type of operating program described in the prior art is assumed to be an application for Internet communication, but is not specifically specified through the claims, so that users can edit documents, edit images, etc. at the local level as well as a web browser that enables internet communication. It can be a word or a variety of programs that can be.

However, in the state of the art disclosed as prior art, the security scope for the data input through the keyboard is limited to the stage where the operating system recognizes and processes the signal input through the keyboard hardware, and the operating system processes the data. Therefore, there is no suggestion about the steps to enable the application to recognize / process.

That is, the conventional security technology is limited only to the process (kernel area) where the operating system first processes signals and data generated on keyboard hardware, and there is no security in the process of processing the data (user area) while the application program is running. It is not presented. In particular, when the application program is run on a local unit, since no security function is provided in the application program for Internet communication to which various security programs for preventing data leakage on the Internet are applied, information by malicious programs is provided. There is no preparation for spills.

In general, information leakage in the user area is caused by a malicious program that executes a so-called hook.

On the other hand, the security methods and security systems proposed for the conventional keyboard security is limited to PS / 2 type keyboard, there is no way to secure data input through the USB keyboard, PS / 2 type and USB keyboard In terms of methods, security systems and security methods that can perform security universally have not been proposed at all.

The USB keyboard is connected to the concept of exchanging messages with the operating system while the communication between the main body of the computer and peripheral devices is not a simple electrical signal flow but a packet flow containing a plurality of data. These USB keyboards have been developed in accordance with the trend of compact and easy attachment and detachment of peripheral devices in large desktop computers, and the demand is gradually increasing. In other words, unlike the PS / 2 type keyboard, the USB keyboard can be directly connected to the USB port of the computer main body, and has the advantage of reducing the inconvenience of using the rebooting at the same time.

Accordingly, the present invention has been made to solve the above problems, it is possible to prevent the leakage of information made in the keyboard hardware unit as well as to prevent the leakage of information made in the operating system unit while the data input to the keyboard is transmitted to the application program It is an object of the present invention to provide a security method for data input from the keyboard in a local unit and a security system implementing the same.

In addition, another object of the present invention is to provide a security method for data input to the keyboard at a local unit capable of performing a general-purpose security function regardless of the PS / 2 method and the USB cable connection method, and a security system implementing the same. have.

In order to achieve the above object, the present invention,

Activating the input data security module of the keyboard;

An input data reception step of receiving input data of a keyboard by the security module;

A key input information detecting step of detecting key input information generated by a user's key operation from the input data;

A key input information encryption step of encrypting the key input information detected / processed through the detection step;

An input data deletion step of deleting the input data remaining in a kernel area so that an operating system does not recognize the input data;

A key input information decrypting step of decrypting the key input information encrypted in the encryption step so that an operating system can process the key input information; And

A security hook execution step of executing a hook procedure for firstly hooking the key input information in a process of transmitting the decrypted key input information to a corresponding application program for processing the second key and preventing a second order hooking from occurring;

This is a security method for data input with the keyboard included.

In order to achieve the above object, the present invention provides a security method of data input by a keyboard,

A key input information parsing step of arranging the key input information detected through the key input detection step according to the generation order when the input data received by the security module is generated from the USB keyboard;

Is more included.

In order to achieve the above object, the present invention, in the security method of data input by the keyboard, the security module activation step is

A USB keyboard checking step of confirming registry registration of the USB keyboard through initial input data of the USB keyboard;

A filter activation step of activating a USB filter included in the security module according to the registry of the USB keyboard identified in the USB keyboard verification step;

Is more included.

In order to achieve the above object, the present invention provides a security method of data input by a keyboard,

A USB filter installation determining step of determining installation of a USB filter corresponding to the USB keyboard when it is determined that the hardware ID of the USB keyboard is not registered through the USB keyboard checking step;

A filter installation step of installing a USB filter that secures key input information of the new USB keyboard;

Is more included.

In order to achieve the above object, the present invention, in the security method of data input by the keyboard, the filter installation step is

A HID device search step of searching for a hardware ID of the HID device registered in the operating system registry;

A keyboard search step of searching for a hardware ID classified as a keyboard in the hardware ID;

A USB device searching step of searching for a hardware ID of a USB device registered in an operating system registry;

A matching ID checking step of checking hardware IDs matched with the hardware IDs searched through the keyboard searching step and the USB device searching step;

A filter registration step of registering a USB filter in the device registry of the corresponding hardware ID searched through the matching ID search step;

Is more included.

The security module activation step is made in conjunction with the execution of the application program in conjunction with the executable file of the security target application program;

An interrupt service routine replacement step of receiving an interrupt generated through operation of the keyboard to replace the interrupt service routine address of the interrupt descriptor table;

The key input information encryption step is performed by a security input driver through which the key input information is transmitted according to the service routine address replaced by the interrupt service routine replacement step;

It is characterized by.

In order to achieve the above object, the present invention provides a security method of data input by a keyboard,

A secure input driver address storing step of storing an address of the secure input driver;

A service routine address storing step of storing an interrupt service routine address of the interrupt descriptor table;

An address comparison step of comparing the security input driver address with a service routine address;

Is more included.

In order to achieve the above object, the present invention provides a security method of data input by a keyboard,

An address changing step of replacing an interrupt service routine address of the interrupt descriptor table with the security input driver address when the security input driver address and the interrupt service routine address are different from each other after the address comparing step;

Is more included.

In order to achieve the above object, the present invention, in the security method of data input to the keyboard, the security hook execution step is

Activation of global hooks for security that hooks to processes or threads created with the application execution

An allowable global hook checking step of checking the contents of other global hooks allowed in the corresponding application;

A key input information hooking step of hooking a message including key input information transmitted to the application program;

Next hook neutralization step not to call the next hook progress API, so that next-order hooking is not made other than the security global hook; And

A hook removal step of removing the security global hook being executed when the process or thread is destroyed;

Comprising

In order to achieve the above object, the present invention provides a security method of data input by a keyboard,

If another global hook related to the keyboard is newly attempted in the security global hook activated state, a global hook attempt monitoring step of returning the other global hook installation API to block execution of another global hook is further included.

In order to achieve the above object, the present invention provides a security method of data input by a keyboard,

Generating a list of the corresponding application so that only the designated application is the target of keyboard security, and further comprises a target program confirmation step of determining the hooking of the key input information by searching the list before the hooking step of the key input information .

In order to achieve the above object, the present invention,

In the kernel area, the security module for receiving the input data from the keyboard hardware receives the first signal input through the keyboard to encrypt / decrypt the key input information contained in the input data; And

In a user area where the key input information is delivered to an application program through a message queue by a subsystem of an operating system, the key input information is first hooked during the delivery of the key input information to prevent next hooking. A hook module;

It is a security system for data entered with a keyboard.

In order to achieve the above object, the present invention provides a security system for data input by a keyboard,

The security module

A key input information detection module for detecting key input information of a key among input data generated by a key operation, a parsing module for arranging the key input information according to the generation order, an encryption module for encrypting the sorted key input information, and And a USB filter including an input data deletion module for processing the operating system not to recognize the input data.

A USB filter driver including a management module for mediating communication between the plurality of USB filters and an operating system; And

A driver management module including a decryption module for decrypting the key input information encrypted by the encryption module;

This is included.

In order to achieve the above object, the present invention, in the security system for data input by the keyboard, the USB filter driver is

A filter check module for checking whether a new USB keyboard is installed by counting a hardware ID of the USB keyboard connected to the main body and the corresponding USB filter;

A filter installation module for installing a USB filter corresponding to the new USB keyboard;

This is more included.

In order to achieve the above object, the present invention, in the security system for data input by the keyboard, the security module is

A security input driver for receiving and encrypting the key input information;

When the security target application is executed, the interrupt interrupter table for executing an interrupt service routine by an interrupt generated by keyboard operation from the keyboard hardware and replacing the address of the security input driver encrypting the key input information. ; And

A driver management module including a decryption module for decrypting the key input information encrypted by the security input driver;

This is included.

In order to achieve the above object, the present invention, in the security system for data input by the keyboard, the hook module is

When the process or thread is created by the execution of the secured application, the process or thread is destroyed while running a global hook procedure that first hooks a message containing key input information delivered to the application and blocks next-order hooking. System hook module for removing the running global hook;

A hook permission program management module for determining whether to allow next-order hooking by checking contents of other global hooks allowed in the application program;

A hook permission program list storage module including data for other global hooks allowed by the application program and transmitting the data to a search / request of the hook permission program management module; And

A hook installation monitoring module that blocks the execution of another global hook by returning the other global hook installation API when a new global hook related to the keyboard is newly attempted in the active global hook for security;

This is included.

Hereinafter, the present invention will be described in detail with reference to the accompanying drawings.

1 is a block diagram showing the configuration and signal flow of the security system according to the present invention, Figure 7 is a flow chart illustrating a security method according to the present invention will be described with reference to this.

The present invention has been invented to prevent external leakage of the data by securing data that is executed / operated / processed / stored by an application program in a local unit. The first half of the input data is generated in the local unit from the input data generation step through the keyboard operated by the (kernel area) to the delivery step (user area) in which the input data is processed by the operating system and delivered to the corresponding application program. Security over is made into that content.

To this end, the security system according to the present invention, in the kernel region 20, receives the input data from the keyboard hardware that receives a signal first input through the keyboard 10, encrypting / decrypting the key input information included in the input data A security module 100; And a first hooking of the key input information during the transfer of the key input information in the user area 30 in which the key input information is transmitted to the application program 40 through the message queue by a subsystem of an operating system. By hook module 200 to block so that the next-order hooking is made; consists of.

The kernel area 20 is the most important core of the computer operating system, and provides various basic services to all other parts of the operating system. Similarly, there is the term 'nucleus'. In general, the kernel has an interrupt handler that handles all requests that competitively require the services of the kernel, such as terminated I / O operations, a scheduler that determines which programs share the kernel's processing time, and in what order. After that, it actually includes a supervisor that gives each process a license to the computer. The kernel 20 also has a memory manager that manages the operating system's address space in memory or storage and distributes it evenly among all the peripherals and other users of the kernel 20's services. Services of the kernel 20 are requested through other parts of the operating system, or through a series of program interfaces, commonly known as system calls. Since the code for maintaining the kernel 20 is used continuously, the kernel is usually loaded in a protected memory area so that it is not overwritten by the rest of the operating system, which is not frequently used.

Meanwhile, the user area 30 is located at the outermost part of the operating system and is responsible for processing user commands. Also called a cell.

In the following description, the kernel 20 may use the input data transmitted from the keyboard 10 to the application 40 by the operating system via the keyboard hardware 21 and 22 and the keyboard class driver 25. The user area 30 is regarded as an area for processing input data or key input information in order for temporal or arithmetic operations based on the subsystem 31 of the operating system. At this time, the present invention relates to the security of the keyboard, and since the input data input by the keyboard 10 must be processed in the order of input, a queue system for processing data with FIFO (First In, First Out) is provided in the user area 30. Included is a system for the system message queue 32, which will govern messages for the entire system, and a thread message queue 33 for independently running multiple applications 40 (see FIG. 2).

The security system according to the present invention described above will be described along with a security method.

(1) activating the input data security module of the keyboard (S400);

The security module 100 according to the present invention is a system for encrypting and decrypting the input data on behalf of the system of the existing kernel area so as not to leak the input data input through the keyboard 10 to the user area. .

In general, the method of activating the security module 100 may be applied in various ways. In the present invention, in the present invention, the PS / 2-type keyboard and the USB-type keyboard, which are widely used in recent years, are used. Security functions can be performed on one or more of the keyboards.

As will be described again below, first of all, briefly, in the case of the PS / 2 keyboard, an interrupt is generated at the same time as the user operates the keyboard keyboard, and the kernel area 20 receiving the input is input through the PS / 2 keyboard. The interrupt service routine address of the driver to process the input data is transmitted. In the present invention, the interrupt service routine address is adapted to the security input driver of the security module 100. At this time, the interrupt service routine address is replaced with the existing interrupt service routine address at the same time the security target application program is executed. In addition to this replacement, the security module 100 is activated. On the other hand, in the case of the USB keyboard, when the USB cable of the USB keyboard is connected to the USB port of the main body, the operating system recognizes this and recognizes the USB keyboard and installs / activates the security module 100 accordingly. More details will be described with reference to the accompanying drawings.

(2) an input data receiving step of first receiving the input data in the security module (S500);

Since the present invention is invented to prevent leakage of the input data made at the most end, the security module 100 is received from the keyboard 10 because the first input data input to the keyboard 10 is first received and securely processed. The input data to be received is first received.

(3) a key input information detecting step (S600) of detecting key input information generated by a user's key operation from the input data;

The input data includes key information that is actually input by the user by key manipulation, and auxiliary information including information about the corresponding keyboard 10 and a path. However, since the present invention protects the input data by securing the key input information, a process of detecting the key input information from the input data is performed. However, the present invention is not limited thereto, and the security module 100 according to the present invention may also decrypt and decrypt the entire input data including key input information.

(4) a key input information encryption step (S800) for encrypting key input information detected / processed through the detection step;

The detected key input information is encrypted through the security module 100. Encryption in the present invention is a 128-bit encryption method using the Rijndael algorithm, which is a standard algorithm of the American Advanced Encryption Standard (AES). Rijndael algorithm has excellent performance in terms of security, processing speed and memory utilization. However, such an algorithm is only one embodiment of the present invention and various other methods may be applied.

(5) an input data deletion step (S900) of deleting the input data remaining in a kernel area so that an operating system does not recognize the input data;

Since the security module 100 according to the present invention replaces a system for processing input data of a keyboard in the existing kernel area 20, the input data remains in the kernel area 20. Of course, the remaining input data is transmitted to the user region 30 through the existing system, so that the operating system simultaneously receives the input data transmitted from the security module 100 and the input data transmitted from the existing kernel region 20 and conflicts with each other. Cause Accordingly, in order to prevent such an error from occurring, the remaining input data is deleted so that the input data cannot be processed in the existing kernel region 20.

(6) a key input information decryption step (S1000) for decrypting the key input information encrypted in the encryption step so that the operating system can process it;

Since the security module 100 transmits the input data to the user area 30 instead of processing the keyboard input data in the existing kernel area, the transmitted input data must be processed in the user area 30. do. Therefore, since the key input information of the input data is encrypted, it is decrypted again.

(7) a security hook execution step in which a hook procedure is executed in which the decrypted key input information is first transmitted to a corresponding application program for processing thereof, and the hook procedure is executed to hook the key first in the key input information and prevent the next order hooking from occurring. (S1100);

The hook module 200 of the user area 30 corresponding to the security module 100 of the kernel area 20 may leak the input data through a hook during the processing of the input data made in the user area 30. To prevent this, execute a security global hook. In general, the hook is executed sequentially in the message queue through a hook chain, and during this process, a hacking hook installed by a malicious program is included to extract a message containing input data. Therefore, the hook module 200 according to the present invention executes the hook for the input data related to the keyboard for the first time to prevent leakage of the input data by the hacking hook, and disables all the next-order hooks in the hook chain. Information leakage by hook can be blocked at source. A more detailed description thereof will be made with reference to the accompanying drawings.

FIG. 2 is a block diagram illustrating the block diagram of FIG. 1 in more detail, and FIG. 8 is a flowchart illustrating the flowchart of FIG. 7 in detail.

As described above, the user area 30 includes a subsystem 31, a system message queue 32, and a thread message queue to process input data input through the keyboard while being transmitted to the application program 40. 33). It further includes a hook module 200 according to the present invention. On the other hand, the kernel area 20 is the keyboard hardware 21, 22, HID class driver 23, keyboard class driver 25 to process the input data input through the keyboard to the user area 30, while processing it; And port driver 24. The security module 100 according to the present invention is further included, the security module 100 is a USB filter 110, USB filter driver 120, security interrupt handler 130 and the driver management module 140 It includes.

Of course, all of the configuration blocks except for the hook module 200 and the security module 100 in the configuration diagram shown in FIG. 2 schematically illustrate the existing operating system, and thus may be further included. Meanwhile, in the kernel region 20, the keyboard port 22, an interrupt handler (not shown), the port driver 24, and the keyboard class driver 25 process input data of the conventional PS / 2 keyboard 11. In order to process the input data of the USB keyboard 11, the USB device 21 and the HID class driver 23 may be further included.

The keyboard port unit 22 is a keyboard hardware for processing input data generated from the PS / 2 keyboard 12 and includes a port to which a cable of the PS / 2 keyboard 12 is connected, and the PS / 2 keyboard 12 Receives a signal of and generates an interrupt.

The interrupt handler provides the interrupt service routine address of the port driver 24 to process the input data of the PS / 2 keyboard 12 along with the occurrence of the interrupt.

The port driver 24 is a widely used i8042 port driver, and the interrupt handler sets the path of the input data to process the input data.

The keyboard class driver 25 is composed of a Keyboard HID mapper driver (kbdhid.sys) and a Keyboard class driver (kbdclass.sys). The keyboard class driver 25 is a type of a keyboard that generates data input through the keyboard port unit 22. The operating system will confirm.

The USB device 21 may include a USB bus hardware (not shown), a host controller driver (usbport.sys), and a USB port including a USB port through which a USB cable of the USB keyboard 21 is physically connected to the main body. Hub driver (usbhub.sys) is included.

The input data input to the USB device 21 is transferred to the HID class driver 23 of the operating system. "HID" is an abbreviation of Human Input Device, and refers to a device capable of manually inputting data by a human in an English meaning. In other words, including the 'keyboard', 'mouse' and 'joystick'.

Subsequently, the input data transmitted to the HID class driver 23 includes an input device that generates the input data, that is, input data having information on a 'keyboard', and thus the HID class driver 23. Recognizes that the input data coming in through the USB port is input data by the keyboard. For this purpose, the HID class driver 23 includes a HID minidriver (hidusb.sys) and a Hid class driver (hidclass.sys), and the operating system recognizes input data input through the USB port.

When it is confirmed that the input data coming from the USB port is input data through the 'keyboard', the operating system checks the type of the 'keyboard' from the input data and allows the 'keyboard' to be connected to the main body and used for the driver. Will be searched. To this end, the input data via the HID class driver 23 is transferred to the keyboard class driver 25.

Here, the driver of the 'keyboard' which generated the input data can be searched / driven to utilize the keyboard.

At this time, if the 'keyboard' is a new keyboard that was not previously connected to the main body, the user is required to install a driver of the 'keyboard' in order to enable the use of the 'keyboard' or install a driver required by the operating system itself. do.

When the operating system recognizes the type of the keyboard while passing through the keyboard class driver 25, the key input information is transmitted to the user area 30.

The key input information is transmitted to the subsystem 31 of the operating system and transformed into a form that can communicate with the application program 40. In general, in an operating system such as a window, the key input information is transformed into a window message. At this time, the subsystem 31 will be Win32 Subsystem in the case of Window system.

The Window Message is delivered to an application program in a queue manner through message queues 32 and 33. As described above, the first input data is processed first, and when the user operates the keys, the first operation is commonly applied to the key input information processing process of the keyboard or various input devices to be processed first. On the other hand, the message queues 32 and 33 are means for processing the Window Message transmitted from the subsystem 31 in the queue manner.

Through the message queues 32 and 33, the window message is delivered to the application program 40, and the corresponding key input information is then processed by its own function. In this case, the application program 40 may be a document creation / editing program, a drawing creation program, or the like executed in a local unit.

In more technical terms, the electrical data of the USB bus hardware is transformed into USB Request Blocks (URB) in the USB hub via the host controller driver, and the HID class driver 23 and the keyboard class driver 25 ) Is transformed into an IRP (I / O Request Packet) form and delivered to the subsystem 31. The subsystem 31 is transformed into a window message and transmitted to the application program 40.

Based on the above-described existing kernel area and user area, the present invention can perform PS / 2 keyboard security as well as USB keyboard security.

First, a security method and a security system according to the present invention for input data input to the USB keyboard 11 will be described.

3 is a block diagram illustrating a configuration of a security system according to the present invention which secures input data input through a USB keyboard in a kernel region.

The USB filter 110 according to the present invention is systematically arranged to be connected with the USB device 21 first. The USB filter 110 disposed as described above is preferentially recognized by the USB filter 110 before the operating system recognizes the input data of the USB keyboard 11 input through the USB device 21.

In the security system according to the present invention, the URB (input data) transmitted from the USB device 21 is first received, encrypted, and then transmitted to the application program 40, and the existing kernel area of the input data through the operating system. There is no delivery process in.

The USB filter driver 120 is a configuration for relaying the operating system and the USB filter 110 because the operating system does not directly control the USB filter 110, a detailed description thereof will be described below.

In the security system according to the present invention, the USB filter 110, in the USB keyboard 11 connected to the main body driven by the operating system, key input information for detecting the key input information for the key of the input data generated by the key operation A detection module 111, a parsing module 112 for arranging the key input information according to the generation order, an encryption module 113 for encrypting the aligned key input information in a packet form, and the operating system converts the input data. It includes an input data deletion module 114 for processing not to recognize.

As described above, the USB filter 110 first captures and encrypts input data (key input information) transmitted from the USB device 21 to the operating system, and deletes the input data remaining in the USB device 21. To prevent the operating system from recognizing data input through the USB keyboard 11. Therefore, while the input data (key input information) encrypted by the USB filter 110 is transferred to the driver management module 140, the operating system also recognizes the input data (key input information) and processes it through the above-described process. After that, it is possible to prevent a collision that may occur by transferring to the user area (30).

As shown in FIG. 3, a plurality of USB filters 110, 110 ′ and 110 ″ according to the present invention may be installed according to the number of peripheral devices connected through USB. A plurality of USB devices 21, 21 ', 21 "are provided to connect the device to the main body at the same time.

Therefore, in order to relay the plurality of USB filters 110, 110 ′, 110 ″ with the operating system, a USB filter driver 120 managing them should be provided.

To this end, in the security system according to the present invention, the USB filter driver 120 includes a management module 123 for mediating / managing communication between a plurality of the USB filters 110, 110 ′, 110 ″ and an operating system, and the main body. Filter identification module 121 for checking whether the new USB keyboard 11 is installed by counting the hardware ID of the USB keyboard 11 connected thereto and the corresponding USB filter 110, 110 ′, 110 ″. The filter installation module 122 for installing the USB filter (110, 110 ', 110 ") for the keyboard 11 is further configured.

In the security system having the above-described configuration, a key input information parsing step S701 is further included in addition to the security method.

(1) The security module includes a USB filter for securing the input data of the USB keyboard, and the key input information parsing step of sorting the key input information detected through the key input detection step according to the generation order (S701). ;

The process of processing the input data of the USB keyboard 11 in the security method according to the present invention described above to further understand the parsing step (S701) will be described in addition to the parsing step (S701).

(1) keyboard confirmation step (S100);

Electrical data generated while the user manipulates the keys of the USB keyboard one by one is transformed into data in a form recognizable by the operating system through the USB device 21. This modified data is called input data. Such input data includes information on the USB keyboard 11 as well as key input information containing the actual user's intention about the key operation contents. Accordingly, the operating system requests the user to communicate with the operating system and the application 40 by searching for, installing, and installing a driver that enables the USB keyboard 11 to be utilized under the operating system through the latter information. It is set to achieve through the USB keyboard (11).

This will be described in more detail. When the cable of the USB keyboard 11 is plugged into the USB port of the main body, the operating system exchanges a signal with the USB keyboard 11 through the cable to check this. Through such signal exchange, the initial input data containing the information of the USB keyboard 11 is transferred to the operating system to check the type of the USB keyboard and install a driver necessary for utilization.

Here, the meanings of the initial input data and the input data are clearly defined.

The initial input data is data obtained from the peripheral device while the operating system actively exchanges signals to identify the peripheral device connected to the USB port via a cable, and the input data is obtained by a user operating a key on the USB keyboard. It includes the generated key input information and includes additional data that allows the operating system to recognize the source of the key input information.

In general, when a peripheral device is newly connected to the main body, the operating system assigns a driver ID for recognizing the peripheral device and recognizes a hardware ID to be registered in the registry.

As shown in FIG. 3, a plurality of USB filters 110, 110 ′ and 110 ″ may be installed, and each of the USB filters 110, 110 ′ and 110 ″ may be interlocked with the corresponding USB keyboard 11. In the checking step (S100) it is prepared to secure the key input information.

On the other hand, the keyboard check step (S100) is not necessarily a process that must be preceded because only one USB keyboard exists in the main body and there is no need to check the USB keyboard if there is no room for another USB keyboard to be additionally installed. However, as shown in FIG. 2, since a plurality of USB devices 21, 21 ′, 21 ″ are provided in the main body, the USB keyboards 11, 11 ′, 11 ″ may also be connected to one or more of them. Correspondingly, a plurality of USB filters 110, 110 ', 110 "will also be formed.

That is, the verification process of the USB keyboard 11 performed in the USB keyboard verification step (S100) may be effective when a plurality of USB keyboards are connected, and thus a plurality of USB filters are installed.

On the other hand, when the USB keyboard 11 and the PS / 2 keyboard 12 are used together, the security system according to the present invention needs to know what keyboard is currently generating the input data. Therefore, the keyboard check step (S100) checks / determines whether the USB keyboard 11 or the PS / 2 keyboard 12 as well as the confirmation of the USB keyboard.

(2) USB filter installation determination step (S301);

As described above, since the USB filters 110, 110 ', and 110 "according to the present invention are installed according to the USB keyboards 11, 11' and 11" connected to the main body, drivers are already installed and the USB keyboards are installed. If there is a USB filter (110, 110 ', 110 ") that is interlocked for security of (11, 11', 11"), a separate installation process is not carried out, while a new USB keyboard is connected to the main body, If the USB filter is not installed, it is determined whether to install a USB filter to be interlocked for security of the USB keyboard.

At this time, there will be a method of determining whether or not to install according to the user's intention and the user's intention in the determination process.

In general, the operating system sets a unique hardware ID so as to recognize and recognize a peripheral device connected to the main body and registers it in a registry. Therefore, the USB devices that have been used by connecting to the main body more than once are registered with the hardware ID in the registry of the operating system, and even though the USB device 21 is disconnected from the main body and connected again, the operating system recognizes this and installs the driver. If the USB keyboard without a hardware ID is newly connected with the main body, the driver can check whether the driver that can use the USB keyboard is installed and ask the user to install the driver or to install the driver. After the driver installation is completed, the OS sets / registers a hardware ID for recognizing the USB keyboard in the registry.

(3) filter installation step (S311);

In the newly connected USB keyboard, the USB filters 110, 110 ', and 110 "according to the present invention are not installed for security. Therefore, the USB filters 110 and 110 are stored in the registry of the operating system corresponding to the newly registered hardware ID. ', 110 ").

As a result, when the USB keyboard 11 is connected to the USB port of the main body, the operating system communicates with the USB keyboard 11 and checks whether the hardware ID and the driver are installed, and whether it is a new USB keyboard or an existing hardware ID and driver. Determine if is present. In addition, the filter check module 121 according to the determined content counts the number of USB filters and the number of hardware IDs of the USB keyboard applied thereto while interworking with the operating system, and the number of USB filters is smaller than the number of hardware IDs. The installation module 122 searches for a hardware ID for which the USB filters 110, 110 ', and 110 "are not installed, and installs the USB filters 110, 110', and 110" in the corresponding registry.

However, peripheral devices managed by HID in PS / 2 system are classified by class (keyboard, mouse, joystick, etc.) in the operating system, whereas in case of USB, keyboard, mouse without detailed classification like Class in the HID classification step. Since peripheral devices such as joysticks and memory are registered and managed in an integrated manner, it is difficult to find an installation position where the USB filter can be linked only to the corresponding USB keyboard.

(4) activating the security module (S401);

In the security module 100 to secure the input data of the USB keyboard 11, as described above, the USB filter 110 can be installed and activated simply by connecting the USB port to the main body, The activation of the security module 100 may be determined according to the result of the query. When the activation is selected by the user, the USB filter 110 is operated. If the activation is not selected, the USB filter 110 is not operated and maintains the input data processing performed in the existing kernel region 20. (S411, S501)

(5) detecting key input information (S601);

In the input data generated and transmitted by the key operation of the USB keyboard 11, the key input information containing the intention contents generated by the user by the key operation, that is, information on the key on which the operation is performed, is performed. Detects through). The key input information is a part that should be encrypted for security. On the other hand, in the key input information, a plurality of pieces of information are transmitted at the same time in a packet unit due to the characteristics of the data input method of the USB keyboard 11.

For reference, in the case of the PS / 2 type keyboard, since key input information generated by key manipulation is individually transmitted according to a queue, there is a big difference from the key input information transmission method of the USB keyboard 11. will be.

(6) parsing key input information (S701);

As described above, when the key input information is detected from the input data through the key input information detection module 111, the information is arranged by the parsing module 112 according to the input order of the key input information. The sorted key input information is transmitted to the user area 30 while being decrypted and processed according to the input order of the key input information.

(7) a key input information encryption step (S801) in which the key input information arranged in the parsing step is encrypted on a packet basis;

The key input information arranged in packet units through the parsing module 112 is encrypted through the encryption module 113 so that hacking or confirmation through a malicious program from the outside is impossible. Therefore, it is possible to prevent the key input information from being hacked and leaked in the middle while being transmitted from the local unit to the user area 30 including the USB devices 21, 21 ′, 21 ″.

(8) deleting input data (S901);

The operating system reads the input data from the USB bus of the USB devices 21, 21 ', 21 "to check the input data transmitted from the USB keyboard 11 in the USB devices 21, 21', 21". In this case, the same key input information already transmitted to the user area 30 via the USB filters 110, 110 ′ and 110 ″ collides with the input data read from the USB bus by the operating system and causes an error in the system. Of course, while the input data is hacked while being transmitted to the user area 30 through the operating system, the security functions of the USB filters 110, 110 ′ and 110 ″ become meaningless.

Accordingly, the input data deletion module 114 processes the input data remaining in the USB device 21, that is, the USB bus so that the operating system recognizes that there is no data input from the USB keyboard 11. Therefore, the input data input from the USB keyboard 11 is transferred to the user area 30 only through the USB filters 110, 110 ′ and 110 ″.

Since the key input information decryption step S1000 and the security hook execution step S1100 have been described above, they will be omitted here.

In the security method according to the present invention has proposed a filter installation step (S311) that can be solved without modifying the existing operating system for the above-described problem, will be described in detail with reference to the drawings.

11 is a flowchart illustrating an embodiment of a filter installation method according to the present invention.

The filter installation step (S311),

(1) HID device search step (S311a) in which the hardware ID of the HID device registered in the operating system registry is searched for;

The filter installation module 122 finds all hardware IDs of peripheral devices corresponding to "HID" among the peripheral devices currently used or previously installed in the system through the registry access API. In this case, when the operating system is Windows-based, the SetUpDiGetClassDevs Win32 API may be used as the registry access API.

(2) a keyboard search step of searching for a hardware ID classified as a keyboard in the hardware ID (S311b);

The hardware ID of the peripheral device whose Class Guid is classified as a keyboard is searched from the hardware ID searched through the HID device search step S311a.

(3) a USB device searching step (S311c) in which the hardware ID of the USB device registered in the operating system registry is searched;

The filter installation module 122 finds all hardware IDs of the peripheral devices corresponding to "USB" among the peripheral devices currently used or previously installed in the system through the registry access API. In this case, when the operating system is Windows-based, the SetUpDiGetClassDevs Win32 API may be used as the registry access API.

(4) a matching ID verification step (S311d) in which hardware IDs matched with each other in hardware IDs searched through the keyboard search step and the USB device search step are identified;

The same hardware ID is found by comparing the keyboard related hardware ID and the USB related hardware ID. Since the found hardware ID is a peripheral device registered in the registry of the operating system in relation to the USB keyboard, it is possible to access the registry of the hardware ID for installing the USB filter according to the present invention.

(5) a filter registration step (S311e) in which a USB filter is registered in the device registry of the corresponding hardware ID searched through the matching ID search step;

The filter installation module 122 accesses the registry of the USB keyboard 11, 11 ′, 11 ″ in which the USB filters 110, 110 ′, 110 ″ according to the present invention are to be installed through the above-described process, By additionally registering the service name of the USB filter (110, 110 ', 110 ") in the LowerFilters item of the registry, the USB filter 110, according to the present invention when the USB keyboard (11, 11', 11") is utilized. 110 ', 110 ") are operated preferentially to perform security functions.

Meanwhile, in the embodiment of the security method according to the present invention, the USB device 110, 110 ', 110 is reloaded by reloading the peripheral device, that is, the USB keyboard 11, 11', 11 "through the function" SetupDiCallClassInstaller ". &Quot;) is driven together with the corresponding USB keyboards 11, 11 ', 11 ".

The above is a description of a security method and a security system according to the present invention for performing security of the USB keyboards 11, 11 ', 11 "in the kernel area 20. Hereinafter, the PS / 2 keyboard in the kernel area 20 will be described. A security method and a security system according to the present invention for performing security of (12, 12 ', 12 ") will be described.

Figure 4 is a block diagram showing the configuration of a security system according to the present invention for implementing the security of input data input through the PS / 2 keyboard in the kernel area, Figure 9 is an interrupt service routine address monitoring step shown in FIG. The flowchart is described in more detail with reference to FIG. 8.

(1) The keyboard checking steps S100 and S200 have been described above and thus will be omitted here.

(2) a target application program execution step (S302) and a target application program thread generation step (S303);

In the present invention, the PS / 2 keyboard security, unlike the USB keyboard security, the security is made for each application. That is, as described above, the USB keyboard is activated when the security module 100 is activated at the moment the port of the USB keyboard is connected to the USB device, while in the case of the PS / 2 keyboard, the USB keyboard is interlocked with the executable file of the corresponding application executing security. The security module 100 is activated. In addition, as an embodiment of a means for detecting whether the corresponding application is activated, a method of determining whether a thread for processing the application is generated may be applied.

(3) activating the security module (S402);

Since the same as the security module activation step (S401) in the USB keyboard will not be duplicated.

(4) interrupt service routine replacement step (S412);

When the security module 100 is activated, the routine address of the interrupt descriptor table is replaced. That is, the interrupt descriptor table becomes the security interrupt descriptor table 132 to provide an interrupt service routine address of the security input driver 131 to process the corresponding input data by an interrupt generated from the PS / 2 keyboard 12. In operation, the input data to the existing port driver 24 is blocked. Here, the security interrupt descriptor table 132 and the security input driver 131 are used as the interrupt handler 130.

(5) receiving input data (S502);

The input data input through the PS / 2 keyboard 12 is processed by the secure input driver 131 according to the present invention according to the interrupt service routine address.

(6) key input information detection step (S702);

Since the same as the key input information detection step (S701) in the USB keyboard, duplicate description will be avoided. In this case, the input data includes an interrupt vector containing an identification number for the keyboard, and various other information is configured in addition to the data by the user's key manipulation. Here, the security input driver 131 also has a function of detecting key input information from the input data.

(7) encrypting key input information (S802);

The security input driver 131 performs encryption according to the transmitted key input information.

(8) deleting remaining input data (S902);

The security input driver 131 deletes input data remaining in the port through an acknowledgment message or an ECHO command.

Meanwhile, decryption of encrypted data by detecting key input information from input data input through the USB keyboard, and decryption of encrypted data by detecting key input information from input data input through the PS / 2 keyboard are performed. By the driver management module 140 is made. To this end, the driver management module 140 includes a decryption module 141 for performing the decryption and a thread for each keyboard for managing heterogeneous keyboards by separately managing threads generated for the operation of the USB keyboard or the PS / 2 keyboard. The processing module 142 may be included (see FIG. 5).

The driver management module 140 transmits the decrypted key input information to the user area 30 and performs a relay function between the security module 100 and the operating system.

On the other hand, in the process of processing the input data of the PS / 2 keyboard, if there is an attempt to change the interrupt service routine address in the interrupt descriptor table for the purpose of information leakage through a malicious program, it prevents it and maintains a continuous security state. You will have to. To this end, the security method according to the invention may further include an interrupt service routine address monitoring step (S602).

The interrupt service routine address monitoring step S602 will be described with reference to FIG. 9 (a flowchart describing the interrupt service routine address monitoring step shown in FIG. 8 in more detail).

(1) a security input driver address storing step of storing an address of the security input driver (S602a);

Input data input through the PS / 2 keyboard is transmitted to the security input driver 131 according to the interrupt service routine address of the security interrupt descriptor table 132, and stores the service routine address at this time.

(2) a service routine address storing step (S602b) for storing an interrupt service routine address of the interrupt descriptor table;

The address value stored in the interrupt service routine area of the current security interrupt descriptor table 132 is stored.

(3) an address comparison step (S602c) for comparing the security input driver address with a service routine address;

The service routine address of the secure input driver address storage step (S602a) and the service routine address storage step (S602b) are compared to check whether they match.

(4) changing the interrupt service routine address in the interrupt descriptor table to the secure input driver address (S602d);

If the service routine address matches through the address comparison step (S602c), processing of input data of the PS / 2 keyboard is continued. If the service routine address does not match, the interrupt service routine address of the security interrupt descriptor table 132 is a security input driver (S602c). Replace / change to match the address of 131).

6 is a block diagram showing the configuration of a security system according to the present invention that secures input data input through a keyboard in a user area, and FIG. 10 is a more detailed flow of the execution of a security hook according to the present invention. The chart will be described with reference to this.

The security method and security system according to the present invention described above is a keyboard security made in the kernel area 20, while the following security methods and security systems are user areas in addition to the security method and security system in the kernel area 20. A security method and a security system for securing the input data processing of the keyboard made in (30).

As already seen, the kernel region 20 decrypts the input data of the keyboard through the security module 100 to prevent the corresponding data from leaking to the outside. Then, when the input data including the decrypted key input information is transferred from the user area 30 to the subsystem 31, the subsystem 31 sends a message for processing / delivering the input data to the application program 40. The queues 32 and 33 are used. In this case, the message queues 32 and 33 may include a system message queue 32 which manages data to be input to applications currently being executed and a thread message queue 33 which processes them for each application program. Data input through the keyboard are sequentially transmitted to the application program 40 through the message queues 32 and 33. Since the queue method has already been described above, the description thereof is omitted here.

On the other hand, the operating system (Window) -based input data is sequentially delivered to the application program 40 through the message queue, and attempts to hook in the input data delivery process so that the input data can also be transferred to other application programs to work with. do. Of course, in the case of the hooking is essentially performed by the need in the operating system there is no problem with security. However, hooking may not be essential through a malicious program. Since the hooking is a function of extracting input data, the input data may be leaked without being authenticated by the user.

In the present invention, the hook module 200 is further included to block the activity of the hook procedure installed through the malicious program, thereby preventing the input data being input through the keyboard from leaking to the outside without the user knowing it. Can be.

In the security system according to the present invention, the hook module 200, when a process or a thread is generated by the execution of a security target application program, first hooks a message including key input information delivered to the application program and blocks next-order hooking. A system hook module 210 for driving a global hook procedure and removing a global hook that is being executed when the process or thread is destroyed; A hook allowable program management module 230 for determining whether to allow next order hooking by checking contents of other global hooks allowed in the application program; A hook allowable program list storage module 260 including data about other global hooks allowed in the application program and transmitting the data to a search / request of the hook allowable program management module 230; And a hook installation monitoring module 240 which blocks the execution of another global hook by returning the other global hook installation API when a new global hook related to the keyboard is newly attempted in the security global hook activation state. .

The security method according to the present invention will be described sequentially with reference to the components of the security system described above.

(1) activating a global hook for security that executes hooking for a process or thread generated with the execution of an application program (S1110);

The system hook module 210 executes various HOOKs by placing a CALLBACK function inside .EXE, which is an executable file extension of a security target application program. That is, when the security target application program is executed, a thread of the application program is generated, and the hook module 200 executes a WH_CBT global hook, so that WH_KEYBOARD, WH_GETMESSAGE, WH_CALLWNDPROC, and WH_CBT hooks for all processes and threads currently running in the computer. To do this. Of course, the hook procedure that is executed at the latest due to the nature of the hook chain is operated first and foremost, so that the hook installed by the hook module 200 has priority over the hook procedure previously executed while the security target application program is executed. It works.

(2) allow global hook confirmation step (S1130) to check the contents of other global hooks allowed for the application;

As described above, there is a hook that must be made in the operating system during the data transfer process to the application program. Thus, the hook module 200 may not be able to perform a normal execution of the application by blocking the activity of the global hook, which must be operated by the security global hook operating with the execution of the security target application program. Accordingly, the hook allowable program management module 230 searches the hook allowable program list storage module 260 for a list of global hooks that are essential to the corresponding application program, so that a global hook not included in the list is included in the hook chain. If it is confirmed, it will be notified to the user. Of course, the user finds the unauthorized global hook and loses or deletes its function.

In general, since the hook procedure executed by the hook module 200 secures only the input data input by the operation of the keyboard, the global hook directly monitored will be limited to the hook to hook the data input through the keyboard.

(3) a key input information hooking step of hooking a message including key input information transmitted to the application program (S1140);

The global hook installed by the hook module 200 in the process of transmitting the input data to the application program by the user operating the keyboard hooks the input data as compared with other hook procedures.

(4) disabling the next hook that does not call the next hooking progress API such that the next hooking is not made in addition to the security global hook (S1150);

In the hooking step (S1140), the continuity of the hook chain is broken so that the input data first hooked by the security hook procedure installed through the hook module 200 is not hooked by the next order hook procedure. In general, the hooking means that the data delivered to the application through the message queue can be briefly drawn in the middle. At this time, the data is pulled out in the process of being delivered to the application program in sequence, and the hook procedure that is drawn first gives a signal indicating that its operation is finished to the next hook procedure. Since the signals are sequentially and sequentially, many hook procedures have the shape of chains arranged in a line in operation. In the security method according to the present invention, the security hook procedure is located at the top of the chain and draws out the data input through the keyboard for the first time, and thus does not give a signal to the hook procedure operated afterwards so that the operation is not performed. Therefore, the hook procedure, which was previously installed by a malicious program, can not prevent the data from being leaked because its operation is not performed.

To this end, the hook module 200 returns 0 without calling the CallNextHookeX () API, which instructs the operation of the next-order hook procedure in the CALLBACK function of the hook, to operate the next-order hook procedure related to the input data of the keyboard. It is not to be supported.

If the CallNextHookeX () function is not called in the CALLBACK function for WH_KEYBOARD, WH_GETMESSAGE, WH_CALLWNDPROC, and WH_CBT, other WH_KEYBOARD, WH_GETMESSAGE, WH_CALLWNDPROC, and WH_CBT after the hook will not work.

(5) a hook removal step (S1170) for removing the security global hook being executed when the process or thread is destroyed;

Since the keyboard security is no longer needed when the application to be secured is terminated, the hooks are removed to speed up the processing of the computer.

The following process may be further included in the above-described security method.

(1) a global hook attempt monitoring step (S1160) to block execution of another global hook by returning the other global hook installation API when a new global hook associated with a keyboard is newly attempted in the active global hook for security;

If a new global hook attempts to operate with the current security global hook enabled, keyboard security cannot be fully secured using the methods described above. Therefore, constant monitoring of global hooks attempting to work is required. To this end, the hook installation monitoring module 240 checks the processes and threads generated in the operating system in real time and detects the generation and removal of global hooks to detect the occurrence of global hooks for hooking data input through the keyboard. .

The hook installation monitoring module 240 performs API HOOK on the SetWindowsHookEx () function to detect and notify the user when there is a program that attempts a global hook related to the keyboard, and uses the operation of the global hook according to the user's decision. Or a blocking operation is made.

In the above description, the global hook procedure is installed so that a hook is made to a process or a thread that is activated in an OS-based computer. Therefore, when the application program is executed regardless of the type of the application program, the security system according to the present invention is driven. However, in addition to this, it is also possible to select a security target application program to operate the security system according to the present invention only when the application program is executed.

To this end, the following process may be further included.

(1) A target program checking step of generating a list of the corresponding application programs so that only the designated application program is the target of keyboard security, and determining the hooking of the key input information by searching the list before performing the key input information hooking step ( S1120);

As described above, when the list of the security target application program is stored in the security target program list storage module 250, the security target program management module 220 checks the processes and threads that are currently being executed and executes the application program. The security target program list storage module 250 searches for the operation of the hook procedure for security.

According to the present invention as described above, regardless of the USB keyboard or PS / 2 keyboard, security of the data input to the computer through the keyboard can be widely implemented in the local unit irrespective of the kernel area or the user area,

Claims (16)

Activating the input data security module of the keyboard; An input data reception step of receiving input data of a keyboard by the security module; A key input information detecting step of detecting key input information generated by a user's key operation from the input data; A key input information encryption step of encrypting the key input information detected / processed through the detection step; An input data deletion step of deleting the input data remaining in a kernel area so that an operating system does not recognize the input data; A key input information decrypting step of decrypting the key input information encrypted in the encryption step so that an operating system can process the key input information; And A security hook execution step of executing a hook procedure for firstly hooking the key input information in a process of transmitting the decrypted key input information to a corresponding application program for processing the second key and preventing a second order hooking from occurring; Security method of data input by the keyboard comprising a. The method of claim 1, A key input information parsing step of arranging the key input information detected through the key input detection step according to the generation order when the input data received by the security module is generated from the USB keyboard; Security method of data input by the keyboard, characterized in that it further comprises. The method of claim 2, wherein the security module activation step A USB keyboard checking step of confirming registry registration of the USB keyboard through initial input data of the USB keyboard; A filter activation step of activating a USB filter included in the security module according to the registry of the USB keyboard identified in the USB keyboard verification step; Security method of data input by the keyboard, characterized in that it further comprises. The method of claim 3, wherein A USB filter installation determining step of determining installation of a USB filter corresponding to the USB keyboard when it is determined that the hardware ID of the USB keyboard is not registered through the USB keyboard checking step; A filter installation step of installing a USB filter that secures key input information of the new USB keyboard; Security method of data input by the keyboard, characterized in that it further comprises. The method of claim 4, wherein the filter installation step HID device search step of searching for the hardware ID of the HID device registered in the operating system registry; A keyboard search step of searching for a hardware ID classified as a keyboard in the hardware ID; A USB device searching step of searching for a hardware ID of a USB device registered in an operating system registry; A matching ID checking step of checking hardware IDs matched with the hardware IDs searched through the keyboard searching step and the USB device searching step; A filter registration step of registering a USB filter in the device registry of the corresponding hardware ID searched through the matching ID search step; Security method of data input by the keyboard, characterized in that it further comprises. The method according to claim 1 or 2, The security module activation step is made in conjunction with the execution of the application program in conjunction with the executable file of the security target application program; An interrupt service routine replacement step of receiving an interrupt generated through operation of the keyboard to replace the interrupt service routine address of the interrupt descriptor table; The key input information encryption step is performed by a security input driver through which the key input information is transmitted according to the service routine address replaced by the interrupt service routine replacement step; Security method of data input by the keyboard characterized in that. The method of claim 6, A secure input driver address storing step of storing an address of the secure input driver; A service routine address storing step of storing an interrupt service routine address of the interrupt descriptor table; An address comparison step of comparing the security input driver address with a service routine address; Security method of data input by the keyboard, characterized in that it further comprises. The method of claim 7, wherein An address changing step of replacing an interrupt service routine address of the interrupt descriptor table with the security input driver address when the security input driver address and the interrupt service routine address are different from each other after the address comparing step; Security method of data input by the keyboard, characterized in that it further comprises. 9. The security hook execution step according to any one of claims 1 to 5, 7 or 8, wherein Activation of global hooks for security that hooks to processes or threads created with the application execution A step of allowing global hooks to check the contents of other global hooks allowed to the corresponding application; A key input information hooking step of hooking a message including key input information transmitted to the application program; Next hook neutralization step not to call the next hook progress API, so that next-order hooking is not made other than the security global hook; And A hook removal step of removing the security global hook being executed when the process or thread is destroyed; Security method of the data input by the keyboard comprising a. The method of claim 9, If another global hook related to the keyboard is newly attempted in the security global hook activation state, a global hook attempt monitoring step of returning the other global hook installation API to block execution of another global hook is further included. How to secure the data entered by the keyboard. The method of claim 9, And a target program check step of generating a list of the corresponding application programs so that only the designated application programs are subject to keyboard security, and determining the hooking of the key input information by searching the list before performing the key input information hooking step. Security method of data input by the keyboard characterized in that. In the kernel area, the security module for receiving the input data from the keyboard hardware receives the first signal input through the keyboard to encrypt / decrypt the key input information contained in the input data; And In a user area where the key input information is delivered to an application program through a message queue by a subsystem of an operating system, the key input information is first hooked during the delivery of the key input information to prevent next hooking. A hook module; Security system of data input by the keyboard, characterized in that consisting of. The method of claim 12, wherein the security module A key input information detection module for detecting key input information of a key among input data generated by a key operation, a parsing module for arranging the key input information according to the generation order, an encryption module for encrypting the sorted key input information, and And a USB filter including an input data deletion module for processing the operating system not to recognize the input data. A USB filter driver including a management module for mediating communication between the plurality of USB filters and an operating system; And A driver management module including a decryption module for decrypting the key input information encrypted by the encryption module; Security system of data input by the keyboard comprising a. The method of claim 13, wherein the USB filter driver A filter check module for checking whether a new USB keyboard is installed by counting a hardware ID of the USB keyboard connected to the main body and the corresponding USB filter; A filter installation module for installing a USB filter corresponding to the new USB keyboard; Security system for data input by the keyboard, characterized in that further comprises. The method of claim 12, wherein the security module A security input driver for receiving and encrypting the key input information; When the security target application is executed, the interrupt interrupter table for executing an interrupt service routine by an interrupt generated by keyboard operation from the keyboard hardware and replacing the address of the security input driver encrypting the key input information. ; And A driver management module including a decryption module for decrypting the key input information encrypted by the security input driver; Security system of data input by the keyboard comprising a. The method of claim 12, wherein the hook module is When the process or thread is created by the execution of the secured application, the process or thread is destroyed while running a global hook procedure that first hooks a message containing key input information delivered to the application and blocks next-order hooking. System hook module for removing the running global hook; A hook permission program management module for determining whether to allow next-order hooking by checking contents of other global hooks allowed in the application program; A hook allowable program list storage module including data about other global hooks allowed in the application program and transmitting the data to a search / request of the hook allowable program management module; And A hook installation monitoring module that blocks the execution of another global hook by returning the other global hook installation API when a new global hook related to the keyboard is newly attempted in the active global hook for security; Security system of data input by the keyboard comprising a.

Images