A Method for logging on to Windows based on a smart card

Source: Internet
Author: User
A Method of Implementing Windows Logon Based on a Smart Card
Liang Hao (Third Research Institute of the Ministry of Public Security, Shanghai 200031)
Abstract: A smart-card logon for the Windows operating system is designed and implemented as a Windows credential provider.

The program automatically detects insertion and removal of the smart card, verifies the PIN, identifies the user from the card, and submits the logon information stored on the card. Using this design as a model, the paper describes how a Windows credential provider customizes the logon UI and replaces the user name and password logon method.
Key words: smart card; credential provider; authentication; logon
As the Windows operating system has developed, its logon program has been improved continuously. In Windows Vista and Windows 7, Microsoft retired the GINA (Graphical Identification and Authentication) model that supported interactive logon in Windows NT/2000 and replaced it with the credential provider model and its COM interfaces. Compared with GINA, credential providers offer better security and flexibility: a provider adds a logon method instead of replacing the whole logon UI, and several providers can coexist. Developers have written credential providers such as fingerprint providers to strengthen user logon. This paper describes how to log on to the operating system with a smart card.
1. Design Scheme
The smart card used by the credential provider is a self-developed card. Its API includes card insertion and removal detection, PIN verification, file storage, and cryptographic computation. The card used here has already been personalized: it holds the symmetric key and the binary files that the design needs.
By default, the Windows credential provider authenticates with a user name and password. In this design, a file on the smart card carries the user name and password of a computer account in encrypted form. To log on, the user must first pass the card's PIN verification before the card will decrypt the user name and password. Compared with logging on with only a user name and password, this is two-factor authentication: possession of the card and knowledge of the PIN, which considerably strengthens the Windows logon process. Note what the second factor actually protects: Windows itself still sees an ordinary password logon, not its built-in certificate-based smart card logon, so domain policies that require a smart card are not engaged, and the strength of the scheme rests on the card refusing to decrypt the file until the correct PIN is presented and on the card's PIN retry counter. Anyone who can extract the symmetric key and the file from the card obtains the Windows password.
2. Program Development
The program is divided into two modules: the user name and password binding program, and the Windows credential provider COM library.

2.1 User Name and Password Binding Program
The binding program initializes a smart card for Windows logon: the system user name and password are entered and written to the card, binding the system password to the card's PIN.

A smart card must be bound to a user name and password before it can be used to log on to Windows. After binding, the user name and password are stored encrypted on the card and remain valid indefinitely. If the system is not reinstalled, the binding becomes invalid in the following cases:
1) The binding is deleted with the binding program.
2) The user changes the user name or password after binding, so the stored credentials no longer match.
GINA exposed a password-change notification that a GINA-based implementation could use to detect the change and update the binding automatically. The credential provider model has no equivalent interface, so an auxiliary Windows service is installed alongside the binding program. The service polls to check whether the bound user name and password are still valid and, when the binding has changed, calls the binding program to rebind.
The binding program is an initialization tool and must only be usable by an authorized person, so the card's PIN must be verified before it can be used. After that, it validates the user name, password, and domain name entered by the user.
The binding program has two functional parts. First, when it is opened, a dialog box asks for the PIN and verifies it against the card, completing user authentication. Second, after the user is authenticated, an input box for the Windows logon credentials is displayed. To keep the design simple, the binding program binds only one set of Windows logon credentials to a card: user name, password, and domain name (if the computer is domain-joined). When the user confirms the binding information, the binding program encrypts the credentials and saves them to the card's file system through the smart card API; the encryption key is the symmetric key written to the card when it was initialized. At this point the card has been initialized for logon.

2.2 Windows Credential Provider COM Library
The Windows credential provider is the core of the design. It implements the interfaces that customize the user logon UI and the interfaces that process and submit the user's logon credentials. The provider is registered with Windows as an additional COM library; the built-in credential providers are not unregistered, so at logon the user can choose either the original Windows logon method or the smart card logon method. The Windows Vista logon UI has two phases: the tile is shown deselected, and after the tile is selected the input fields are shown. In the deselected phase, the default provider shows the tile image and the logon user name. The smart card credential provider replaces the tile image with a smart card image and the user name with a prompt, so the user can pick the smart card tile and log on to the computer with the smart card.

(Figure: logging on to the computer with the smart card.)
The smart card image is embedded in the DLL as a resource with ID IDB_TILE_IMAGE. In the GetBitmapValue method of the ICredentialProviderCredential interface, add:
HBITMAP hbmp = LoadBitmap(HINST_THISDLL, MAKEINTRESOURCE(IDB_TILE_IMAGE));
if (hbmp == NULL) return HRESULT_FROM_WIN32(GetLastError()); // do not hand LogonUI a NULL handle
*phbmp = hbmp;
The default credential provider shows the logon user name under the tile image. The smart card credential provider replaces it with a message telling the user to insert the smart card. Each field has a FIELD_STATE_PAIR that tells LogonUI in which phase the field is displayed and whether it is interactive; the array needs one entry per field descriptor, in the same order, because GetFieldState looks the entry up by field ID:
static const FIELD_STATE_PAIR s_rgMessageFieldStatePairs[] =
{
    { CPFS_DISPLAY_IN_BOTH,            CPFIS_NONE }, // SMFI_TILEIMAGE
    { CPFS_DISPLAY_IN_BOTH,            CPFIS_NONE }, // SMFI_MESSAGE
    { CPFS_DISPLAY_IN_DESELECTED_TILE, CPFIS_NONE }, // SMFI_STATUS
};
When the tile is selected, the user name field of the original logon page is replaced with a PIN input box, and a line of prompt text is added (for example, "incorrect PIN"). The PIN box uses the type and style of the original Windows password text box (CPFT_PASSWORD_TEXT, so the typed PIN is masked):
static const CREDENTIAL_PROVIDER_FIELD_DESCRIPTOR s_rgCredProvFieldDescriptors[] =
{
    { SFI_TILEIMAGE,     CPFT_TILE_IMAGE,    L"Image"    },
    { SFI_USERNAME,      CPFT_LARGE_TEXT,    L"Username" },
    { SFI_STATUS,        CPFT_SMALL_TEXT,    L"Status"   },
    { SFI_PIN,           CPFT_PASSWORD_TEXT, L"PIN"      },
    { SFI_TIP_TEXT,      CPFT_SMALL_TEXT,    L"Tip"      },
    { SFI_SUBMIT_BUTTON, CPFT_SUBMIT_BUTTON, L"Submit"   },
};
When the user selects the smart card tile during logon, LogonUI calls the provider's ICredentialProviderCredential::SetSelected method. There the provider checks whether a smart card is inserted and, if it is, switches to the PIN input view (CheckKeyIsInsert and SetConnect are the provider's own helpers around the card API):
if (CheckKeyIsInsert())
{
    SetConnect();
}
After the PIN is entered, LogonUI calls ICredentialProviderCredential::GetSerialization. In GetSerialization the provider passes the value of the SFI_PIN field to the smart card API, which verifies the PIN on the card (the PIN is never compared inside the DLL, and the card's retry counter limits guessing). If verification fails, the provider returns no credential and sets the SFI_TIP_TEXT field to the verification result; the same message can also be returned through the method's optional status text parameter. If verification succeeds, the provider reads the encrypted logon information from the card's file system, decrypts it, and returns it through the output parameters of GetSerialization as a serialized credential. Winlogon then authenticates the returned user name and password; if they match, the desktop is displayed, otherwise an error message is shown. The decrypted password should be wiped from memory as soon as the serialization buffer has been built.
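To make the data path concrete, here is an added example (not the paper's code, and not Microsoft's sample provider) that compiles on any platform. It assumes a simple record layout for the binding written to the card (a version byte, then domain, user name and password as length-prefixed UTF-16LE strings; the paper does not specify a layout, and the 512-byte field limit is also an assumption), parses it with bounds checks the way GetSerialization would after the card decrypts it, and packs the result into the KERB_INTERACTIVE_UNLOCK_LOGON layout that Winlogon expects, with each UNICODE_STRING Buffer holding the byte offset of its payload inside the blob. The KERB_* structures are re-declared with fixed-width types so the example builds without the Windows SDK.

```cpp
// Added example, not the paper's code. The binding record format and kMaxFieldBytes are assumptions.
#include <cstdint>
#include <cstring>
#include <optional>
#include <string>
#include <vector>

using u16str = std::u16string;
constexpr uint16_t kMaxFieldBytes = 512;   // assumed per-field limit (256 UTF-16 units)

struct Binding { u16str domain, user, password; };

static void put16(std::vector<uint8_t>& out, uint16_t v) {
    out.push_back(static_cast<uint8_t>(v & 0xFF));
    out.push_back(static_cast<uint8_t>(v >> 8));
}
static void putStr(std::vector<uint8_t>& out, const u16str& s) {
    put16(out, static_cast<uint16_t>(s.size() * 2));          // length prefix in bytes
    for (char16_t c : s) put16(out, static_cast<uint16_t>(c));
}

// What the binding program hands to the card API for encryption and storage:
// [u8 version=1][u16 len][domain][u16 len][user][u16 len][password], all UTF-16LE.
std::vector<uint8_t> EncodeBinding(const Binding& b) {
    std::vector<uint8_t> out;
    out.push_back(1);
    putStr(out, b.domain);
    putStr(out, b.user);
    putStr(out, b.password);
    return out;
}

// Bounds-checked parse of the decrypted record. The card file can be rewritten by whoever
// holds the card, so every length is validated before it is used as an index.
std::optional<Binding> DecodeBinding(const std::vector<uint8_t>& in) {
    size_t pos = 1;
    auto getStr = [&](u16str& s) -> bool {
        if (pos + 2 > in.size()) return false;
        uint16_t bytes = static_cast<uint16_t>(in[pos] | (in[pos + 1] << 8));
        pos += 2;
        if (bytes % 2 != 0 || bytes > kMaxFieldBytes || pos + bytes > in.size()) return false;
        s.clear();
        for (size_t i = 0; i < bytes; i += 2)
            s.push_back(static_cast<char16_t>(in[pos + i] | (in[pos + i + 1] << 8)));
        pos += bytes;
        return true;
    };
    if (in.empty() || in[0] != 1) return std::nullopt;
    Binding b;
    if (!getStr(b.domain) || !getStr(b.user) || !getStr(b.password)) return std::nullopt;
    if (pos != in.size()) return std::nullopt;                   // trailing bytes: reject
    return b;
}

// Portable stand-ins for the Windows KERB_INTERACTIVE_UNLOCK_LOGON layout
// (USHORT -> uint16_t, PWSTR -> uintptr_t, LUID -> two 32-bit halves). Padding matches the
// SDK structs on the same architecture because field sizes and alignments are identical.
struct UnicodeStringT { uint16_t Length; uint16_t MaximumLength; uintptr_t Buffer; };
struct KerbInteractiveLogonT { int32_t MessageType; UnicodeStringT LogonDomainName, UserName, Password; };
struct KerbInteractiveUnlockLogonT { KerbInteractiveLogonT Logon; uint32_t LuidLow; int32_t LuidHigh; };
constexpr int32_t kKerbInteractiveLogon = 2;        // KerbInteractiveLogon
constexpr int32_t kKerbWorkstationUnlockLogon = 7;  // KerbWorkstationUnlockLogon

// Pack the credential the way GetSerialization must return it: header first, string payloads
// after it, each Buffer field carrying the payload's byte offset from the start of the blob
// (Winlogon turns the offsets back into pointers before calling LsaLogonUser).
std::vector<uint8_t> PackUnlockLogon(const Binding& b, bool unlock) {
    std::vector<uint8_t> blob(sizeof(KerbInteractiveUnlockLogonT), 0);
    KerbInteractiveUnlockLogonT hdr{};
    hdr.Logon.MessageType = unlock ? kKerbWorkstationUnlockLogon : kKerbInteractiveLogon;
    auto append = [&](UnicodeStringT& us, const u16str& s) {
        us.Length = us.MaximumLength = static_cast<uint16_t>(s.size() * 2);
        us.Buffer = static_cast<uintptr_t>(blob.size());
        for (char16_t c : s) put16(blob, static_cast<uint16_t>(c));
    };
    append(hdr.Logon.LogonDomainName, b.domain);
    append(hdr.Logon.UserName, b.user);
    append(hdr.Logon.Password, b.password);
    std::memcpy(blob.data(), &hdr, sizeof hdr);
    return blob;
}

// Read one field back out of a packed blob (the receiver does the same after the pointer fix-up).
u16str ReadField(const std::vector<uint8_t>& blob, const UnicodeStringT& us) {
    u16str s;
    for (size_t i = 0; i + 1 < us.Length; i += 2)
        s.push_back(static_cast<char16_t>(blob[us.Buffer + i] | (blob[us.Buffer + i + 1] << 8)));
    return s;
}

// Scrub plaintext copies once the blob exists (SecureZeroMemory on Windows); volatile keeps
// the compiler from eliding the stores.
template <class C> void Wipe(C& c) {
    volatile auto* p = c.data();
    for (size_t i = 0; i < c.size(); ++i) p[i] = 0;
}

int main() {
    Binding b{u"CORP", u"alice", u"S3cret!"};            // constructed sample, not real credentials
    std::vector<uint8_t> rec = EncodeBinding(b);          // binding program -> card (card encrypts it)
    std::optional<Binding> parsed = DecodeBinding(rec);   // GetSerialization <- card (after PIN + decrypt)
    if (!parsed) return 1;
    std::vector<uint8_t> blob = PackUnlockLogon(*parsed, false);
    Wipe(parsed->password);
    Wipe(rec);
    return blob.size() == sizeof(KerbInteractiveUnlockLogonT) + 32 ? 0 : 1;
}
```

On Windows the same bytes go into the CREDENTIAL_PROVIDER_CREDENTIAL_SERIALIZATION output of GetSerialization: cbSerialization is the blob length, rgbSerialization a CoTaskMemAlloc copy of it, clsidCredentialProvider the provider's CLSID, and ulAuthenticationPackage the ID obtained from LsaLookupAuthenticationPackage for the Kerberos or Negotiate package; the method then returns CPGSR_RETURN_CREDENTIAL_FINISHED, or CPGSR_NO_CREDENTIAL_NOT_FINISHED with status text when the card rejects the PIN.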
After the credential provider is built, copy the DLL into the System32 directory of the system drive and register it with Windows through the registry. The GUID under Credential Providers is the CLSID of the COM object, so it must be identical to the CLSID registered under HKEY_CLASSES_ROOT; the two values as printed below differ in their first group and must be reconciled against the CLSID actually compiled into the DLL. Keep in mind that the DLL is loaded into LogonUI.exe, which runs as SYSTEM, so the file and these keys must be writable only by administrators.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{ed756d7f-139d-403f-aea8-82e97a83d184}]
@="SmartCard_CredentialProvider"
[HKEY_CLASSES_ROOT\CLSID\{ad7a7d7f-139d-403f-aea8-82e97a83d184}]
@="SmartCard_CredentialProvider"
[HKEY_CLASSES_ROOT\CLSID\{ad7a7d7f-139d-403f-aea8-82e97a83d184}\InprocServer32]
@="SmartCard_CredentialProvider.dll"
"ThreadingModel"="Apartment"
3. Conclusion
This paper has introduced a way to log on to the Windows operating system with a smart card and briefly described the key functions of a Windows credential provider. The same approach shows how the user name and password logon method can be converted into another logon method, such as fingerprint or certificate logon, and lays the foundation for safer, more convenient, and friendlier Windows logon programs.
