Windows Security logon Based on Digital Certificates

Source: Internet
Author: User
Tags: ukey

Research on Digital Certificate-Based Ukey Secure Login and Identity Authentication Technology

Abstract: Based on a study of identity authentication technology, ukey technology and the Windows system logon principle, this paper proposes a digital certificate-based ukey authentication and secure login solution and designs a custom login module, so that a ukey can be used for secure host login.

Keywords: ukey; secure logon; identity authentication

 

1 Introduction

Before accessing a security system, a user first proves his or her identity to the identity authentication system and only then reaches the monitored modules. The system decides whether the user may access a given resource based on the user's identity and authorization. Secure system login and identity authentication are therefore the first line of a security system and the basis on which access control is implemented, and they play a very important role in system security. This article proposes a digital certificate-based ukey secure login and identity authentication solution. It combines a ukey developed by a third party with the user's identity information, so that every user holds a unique identifier that proves his or her identity at login, and the system verifies the validity of the user's identity through that identifier.

2 Identity Authentication Technology

Identity authentication is an important part of network security technology. Before accessing a security system, the user first proves his or her identity to the identity authentication system and then reaches the monitored modules; the system decides, based on the user's identity and authorization, whether the user may access a given resource. Common identity authentication methods include the following.

1) Password-based authentication is the simplest and easiest authentication technology in the Internet and computer fields and also the most widely used. For example, the logon and permission management of operating systems and of some application systems, such as mail systems, are based on passwords [1]. When a user logs on to a computer network, a password is required; the computer system builds its authentication mechanism on the user name and password. If the user tells the user name and password to someone else, the computer grants that person access as well [2].

2) Smart card-based authentication. The smart card was invented by Roland Moreno in 1970; Bull of France produced the first smart card product and applied the technology to finance, transportation, medical care, identity authentication and other fields. Smart card-based identity authentication is a mechanism that authenticates identity through a physical device; it combines electronic technology with modern cryptography, which greatly improves the security of the physical-device mechanism. Each user holds a smart card that stores the user's secret information, and the authentication server holds the corresponding secret information. During authentication the user enters a PIN (personal identification number), which the server checks. After the PIN is accepted, the secret information in the smart card can be read and used to authenticate to the host. Smart card-based authentication is two-factor authentication (PIN + smart card): even if the PIN or the smart card is stolen on its own, a valid user's identity cannot be impersonated (that is, the thief cannot obtain access permissions).

3) Biometric identity authentication identifies a person by inherent physiological and behavioral characteristics of the human body. The computer is closely combined with high-tech means such as optics, acoustics, biosensors and biostatistics, and physiological characteristics (hand shape, fingerprint, facial features, iris, retina, etc.) and behavioral features (handwriting, voice, gait, etc.) are used to identify the individual [4]. Biometric authentication has two main applications: identification and verification. Identification determines who the user is, generally by one-to-many matching against the biometric template library. Verification checks whether the user is who he or she claims to be, generally by one-to-one matching against a single template [5].

4) Digital certificate. A digital certificate is a set of characteristic data that marks a user's identity; its function is similar to that of a real-life ID card [6]. The ITU's X.509 recommendation defines a framework for providing authentication services. Authentication based on X.509 certificates relies on a third party; the difference from the methods above is that it uses a public-key (asymmetric) cryptosystem, which is simpler and clearer. The third party is a CA (Certificate Authority), which verifies user identities and issues digital certificates to users. A digital certificate follows the format specified by the X.509 standard and is therefore called an X.509 certificate. With such a certificate, users can access trusted CA servers and use the CA server to authenticate user identities.

3 Digital certificate-based ukey secure logon and identity authentication

Windows 2000 and Microsoft's subsequent operating systems, such as Windows XP, all have built-in support for smart card user authentication: users can authenticate within a domain with the traditional user name and password, or complete user authentication automatically with a smart card.

3.1 Ukey technology

The ukey, also known as the smart electronic password key, fully inherits the security of existing smart card technology and adds the data transmission capability of the USB interface.

1) Ukey introduction. A ukey is a USB device that integrates a smart card and a card reader. It supports hot plugging, is small in size and light in weight, and is easy to carry [7]. The ukey itself acts as the key store, and its hardware structure ensures that data can be accessed only through the vendor's programming interface, so the digital certificates stored in the ukey cannot be copied. In addition, each ukey is protected by a PIN code, so the ukey hardware and the PIN together form two-factor authentication. If a user's ukey is lost and the finder does not know the PIN, the finder cannot impersonate the valid user; if the PIN is leaked, keeping the ukey hardware safe is enough to ensure that the identity is not impersonated.

Security is the foundation of many applications (especially network applications), and security measures are generally realized through cryptographic algorithms, because these algorithms provide data confidentiality, data integrity, identity authentication and non-repudiation of transactions. The security of a cryptographic algorithm depends mainly on the confidentiality of the key, not on keeping the algorithm secret. As an effective security device, the smart card is the most reliable means of storing key material. The packaging of traditional smart cards, however, requires an additional card reader; the readers are large and hard to carry, so they are inconvenient to use and add to the overall cost [8]. As shown in Table 1, the ukey series of products fully inherits the advantages of smart cards while solving many of the shortcomings of traditional packaging.

 

Table 1. Ukey compared with traditional smart cards

Cost
  Ukey: far lower than the combined cost of a reader and a PK card.
  Card reader + PK card: although the PK card itself is cheap, the reader is usually expensive.

Mobile office
  Ukey: small, light and easy to carry; very suitable for mobile office work.
  Card reader + PK card: the card reader is large and heavy and cannot be carried around.

Communication rate
  Ukey: connects to the host's USB port; the communication speed is 12 Mbps, a high-speed device.
  Card reader + PK card: the communication speed is generally between ... bps and 115200 bps.

Multiple users
  Ukey: a USB device in shared mode supports multi-user access; USB devices can be cascaded, so one computer can connect several ukeys.
  Card reader + PK card: a serial-port reader holds its serial port exclusively, and a host has only a limited number of serial ports; if the port is occupied by another device, the reader cannot be used. A USB reader supports multiple users.

Ease of operation
  Ukey: plugs directly into the host's USB port or an extension cable; operation is extremely simple. It is hot-swappable, so the ukey can be inserted or removed at any time without fear of damage.
  Card reader + PK card: the host's serial port does not support hot swapping, and frequent plugging and unplugging can easily damage the serial port. A USB reader is as convenient to operate as a ukey.

 

2) Ukey features.

(1) High security. The ukey has passed the technical appraisal and approval of the national security management authority (the State Key Office); it supports the block cipher SSF33 certified by that office and is the only product in China that supports both the ECC and RSA cryptographic algorithms. A ukey with a hardware RSA implementation is safer and more reliable than a software RSA application. Sensitive data is stored in the ukey's secure storage area, which unauthorized users cannot access. The ukey's security also rests on the fact that the cryptographic algorithms it uses are widely known, accepted by the industry and have been tested for many years.

(2) Flexible and easy to use. The ukey needs no additional external device: insert it into any device with a USB interface to use it, and unplug it when done.

(3) Low cost. The ukey is cheaper than any traditional hardware-based security system; because it needs no additional devices, it is suitable for wide deployment. It implements every function a smart card provides, but needs no smart card reader.

(4) Easy to carry. The ukey is small, light and neatly designed, and can be carried at all times.

(5) Seamless integration. The ukey provides two industry-standard interfaces, PKCS #11 and Microsoft CryptoAPI; any application compatible with either interface can be integrated with the ukey immediately. Its built-in high-capacity smart card security chip can hold several digital certificates, user private keys and other data at once, so multiple PKI applications can share one ukey.

(6) High reliability. The ukey is manufactured under strict processes so that user data is stored securely for a long time.
3.2 Windows logon principles

Windows 2000 supports two logon methods: interactive logon and remote logon. Interactive logon is the most typical and is used by most users who access the domain; it occurs when a user logs on to a computer, and the user name and password are used to verify the user's real identity. The authentication mechanism of the Windows operating system is described by the architecture diagram of the Windows logon module. As shown in Figure 1, the Winlogon process is the component provided by Windows 2000 and later that supports interactive operations; it manages and carries out logon-related security work, including user logon and logoff, starting the user shell, entering and changing passwords, and locking and unlocking the computer. GINA (Graphical Identification and Authentication) is a graphical dynamic link library that runs inside the Winlogon process and provides a customizable logon interface and user authentication. The LSA (Local Security Authority) is a user-mode process running the image \winnt\system32\lsass.exe and is responsible for local system security policy.

Figure 1. Architecture of the Windows logon module

During Windows logon, pressing CTRL+ALT+DEL after Windows has started raises a hardware interrupt. Once the system captures the interrupt, the operating system activates the Winlogon process, which displays the logon window (the account name and password prompt) by calling GINA.dll. After collecting the user's logon information, GINA.dll calls the LsaLogonUser function of the LSA to pass that information to the LSA, which actually performs the authentication. These three components together implement Windows logon authentication. By default, Windows provides Microsoft's own GINA, msgina.dll, for the Winlogon process to call. There are three workstation states before and after user logon: logged_off (not logged on), logged_on (logged on) and locked.

3.3 MSGINA.dll state flow

Figure 2 shows the MSGINA.dll state flow with the names of the called functions.

Figure 2. MSGINA.dll state flowchart

(1) After the system starts, WlxNegotiate is called first to confirm that the GINA DLL supports the current Winlogon version, and then WlxInitialize is called to initialize related functions. After initialization, the Winlogon process calls WlxDisplaySASNotice to display the welcome screen. This function also checks whether a custom SAS (secure attention sequence) has occurred; if so, a logon request is sent to the Winlogon process. The default SAS in Windows 2000 is CTRL+ALT+DEL, but you can define your own.

(2) When a SAS event is detected, the Winlogon process calls WlxLoggedOutSAS, which calls WlxDialogBoxParam to display the logon dialog box and then calls the LSA for verification. If verification succeeds, the Winlogon process calls WlxActivateUserShell to start the user shell.

(3) When the system is logged on and not locked (the logged_on state), the Winlogon process calls WlxLoggedOnSAS on receiving a SAS event.

(4) When the system is locked, the Winlogon process calls WlxDisplayLockedNotice to display information such as who locked the workstation and when. On receiving a SAS event it calls WlxWkstaLockedSAS, whose return value determines the workstation's state: still locked, unlocked, or logged off.

(5) When a user logs off, the Winlogon process calls WlxLogoff to notify MSGINA.dll of the logoff, and MSGINA.dll handles it accordingly. When the user shuts down the computer, the Winlogon process calls WlxShutdown so that MSGINA.dll can clean up before the system shuts down.

(6) By default, the Winlogon process looks up the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. If a GinaDLL value exists there, Winlogon uses the DLL it names; otherwise Winlogon uses the default MSGINA.dll. Because the GINA dynamic link library is replaceable, a custom GINA can replace the default Windows logon with another authentication method, such as an EKEY or fingerprint recognition [10].

3.4 Secure login implementation principle

The secure login uses the security mechanism provided by the ukey: the digital certificate is stored in the ukey and used for user login and identity authentication. According to the Windows logon principle, implementing digital certificate-based ukey secure logon and identity authentication requires two tasks: writing a custom GINA, and interacting with the ukey.

1) Custom GINA. The custom GINA, ginamy.dll, is called by the Winlogon process, and a custom SAS provides the logon support for the ukey device. Two parts of the GINA must verify the user's identity: at system logon, and when the system is locked and unlocked; the corresponding functions are WlxLoggedOutSAS and WlxWkstaLockedSAS. Before a user logs on, the Winlogon process calls WlxLoggedOutSAS when it receives a SAS event, so that function can check whether a ukey is present. When a ukey is inserted, the ukey detection window notices it, sends a logon SAS event to the Winlogon process, and calls the LogonUser function to log on to the system. After the necessary parameters are returned, the Winlogon process calls WlxActivateUserShell to activate the user's desktop, and the user is logged on to Windows for normal work. If a logged-on user leaves and unplugs the ukey, the application receives the ukey disconnection message and sends a custom SAS event by calling WlxSasNotify; the Winlogon process then calls WlxLoggedOnSAS, which returns WLX_SAS_ACTION_LOCK_WKSTA to lock the Windows desktop. After the system is locked, re-inserting the ukey again calls WlxSasNotify to issue a custom SAS event for unlocking; the Winlogon process calls WlxWkstaLockedSAS, which, after verifying that the PIN is correct, returns WLX_SAS_ACTION_UNLOCK_WKSTA to unlock the desktop and let the user continue.

2) Interaction with the ukey. As Figure 3 shows, a centralized management solution can be used in an office LAN: an authentication server is configured centrally, and all client login requests are sent to it for verification.

Figure 3. Centralized authentication management solution

To use the ukey for identity authentication and secure logon, the following steps are performed.

1) Initialize the ukey. When a new user applies for logon, the administrator generates a digital certificate according to the user's requirements, writes the certificate and the corresponding key pair into a new ukey, and issues the ukey to the user. The private key is stored in a special file partition of the ukey and cannot be read out, which keeps it private; it can only be used inside the ukey for encryption or signing. With the ukey, the user can log on to the designated machine.

2) User registration. When a client uses the ukey to log in for the first time, it must register with the authentication server. The client reads the digital certificate from the ukey, creates a local account name (machine name + hard disk serial number) and password, and sends them to the authentication server after encryption with the private key. On receiving the certificate, the server verifies its validity; if it is valid, the server treats the user as legitimate and looks up the identity information database. If the account name is not found, the server treats this as the machine's first logon and, since the account name and password need to be registered, adds them to the identity information database and returns a confirmation to the client; on receiving it, the client knows that registration succeeded.

3) Secure logon. The client inserts the ukey and submits the user information to the authentication server. The server generates a random number and sends it back to the client; the client signs the random number with the ukey and returns the signature to the server; finally, the server verifies the signature with the user's public key. If the signature is valid, the server treats the user as legitimate; otherwise login is denied. The detailed logon authentication process is shown in Figure 4.

Figure 4. Ukey-based secure login and identity authentication process

 

A. The user turns on the computer and logs on at the client.
B. The Winlogon process calls the custom ginamy.dll, which replaces the default MSGINA.dll and implements its own authentication process.
C. ginamy.dll checks whether a ukey is inserted by calling the ukey API. If no ukey is found, the user is prompted to insert one and logon is refused.
D. Once a ukey is detected, a custom dialog box asks the user for the personal PIN code; this step confirms the identity of the card holder.
E. If the PIN is correct, the authentication process starts (the authentication algorithm in the dotted box of Figure 4).
F. The custom ginamy.dll module returns the result, allowing or forbidding the user to log on to the system.
G. If the user leaves temporarily and pulls out the ukey, the computer is locked until the user re-inserts a valid ukey and enters the correct PIN; after verification, the user is logged on again.

3.5 Security analysis

The security of a security system is the first consideration. The security of ukey-based identity authentication is described in four aspects.

1) Protection of the user's private key. The user's digital certificate and private key are kept in the ukey, and during authentication the private key is protected with a symmetric encryption algorithm. Because the private key is never transmitted over the network, an attacker cannot obtain it from intercepted data. In addition, the ukey access password (PIN) is used only on the client and is never transmitted over the network.

2) Security of the authentication process. The random number is signed inside the ukey: the signing private key is stored in a fixed area of the card and is not read into memory during signing, so nobody can obtain the ukey's private key, which secures the authentication process.

3) The server sends a different random number to the client for each authentication, so replaying previously intercepted signature information does not authenticate. If the random number sent by the server is intercepted, the attacker still cannot obtain the user's private key and cannot sign the random number correctly, so authentication fails.

4) An attacker cannot obtain the user's private key or the ukey's PIN, so the attacker cannot send a valid authentication request to the server and cannot pass server authentication.

4 Conclusion

This article discusses identity authentication technology. Based on a study of ukey technology and the Windows system logon principle, a digital certificate-based ukey secure logon and identity authentication solution is proposed, and a custom GINA is developed to implement ukey-based identity authentication and secure system logon. After debugging and running, the system meets the requirements for secure login and identity authentication.
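The logon, lock and unlock flow of sections 3.3 and 3.4 and of steps A to G, written as a portable Go model; this is an added example, not the paper's ginamy.dll (a real GINA is a Windows DLL exporting the Wlx* functions). The Gina type, its event names and the CheckPIN callback are assumptions; CheckPIN stands in for the vendor ukey API, and the pin argument stands in for the result of the PIN dialog box of step D.

```go
package main

// WkstaState is one of the three workstation states named in section 3.2.
type WkstaState int

const (LoggedOff WkstaState = iota; LoggedOn; Locked)

// SASAction stands in for the WLX_SAS_ACTION_* codes a GINA returns to Winlogon.
type SASAction int

const (
	ActionNone SASAction = iota // refuse logon, or stay locked
	ActionLogon                 // Winlogon then calls WlxActivateUserShell
	ActionLockWksta
	ActionUnlockWksta
)

// Event is what the ukey detection window raises through WlxSasNotify.
type Event int

const (UkeyInserted Event = iota; UkeyRemoved; CtrlAltDel)

// Gina models ginamy.dll; CheckPIN is assumed to wrap the vendor ukey API.
type Gina struct {
	State      WkstaState
	keyPresent bool
	CheckPIN   func(pin string) bool
}

// Handle dispatches as Winlogon does: WlxLoggedOutSAS while logged off,
// WlxLoggedOnSAS while logged on, WlxWkstaLockedSAS while locked.
func (g *Gina) Handle(ev Event, pin string) SASAction {
	switch ev {
	case UkeyInserted:
		g.keyPresent = true
	case UkeyRemoved:
		g.keyPresent = false
	}
	switch g.State {
	case LoggedOff:
		return g.wlxLoggedOutSAS(pin)
	case LoggedOn:
		return g.wlxLoggedOnSAS(ev)
	default:
		return g.wlxWkstaLockedSAS(pin)
	}
}

// Steps C to F: no ukey in the port, or a wrong PIN, and logon is refused.
func (g *Gina) wlxLoggedOutSAS(pin string) SASAction {
	if !g.keyPresent || !g.CheckPIN(pin) {
		return ActionNone
	}
	g.State = LoggedOn
	return ActionLogon
}

// Step G: pulling the ukey locks the desktop (WLX_SAS_ACTION_LOCK_WKSTA).
func (g *Gina) wlxLoggedOnSAS(ev Event) SASAction {
	if ev != UkeyRemoved {
		return ActionNone
	}
	g.State = Locked
	return ActionLockWksta
}

// Unlock needs the ukey back in the port AND the correct PIN; else stay locked.
func (g *Gina) wlxWkstaLockedSAS(pin string) SASAction {
	if !g.keyPresent || !g.CheckPIN(pin) {
		return ActionNone
	}
	g.State = LoggedOn
	return ActionUnlockWksta
}
```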
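The challenge-response logon of step 3 in section 3.4 and the replay argument of section 3.5, as an added Go example that is not the paper's code: the ukey signs only after its PIN is accepted, and the server issues a fresh random number per attempt and consumes it on verification. NewUkey, AuthServer and the PIN value are assumptions; certificate parsing and the CA validity check at registration are elided and noted in a comment.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Ukey models the token of section 3.4: the key never leaves it, and Sign works only after the PIN is verified.
type Ukey struct {
	priv     *rsa.PrivateKey
	pin      string
	unlocked bool
}

// NewUkey is the administrator's "initialize ukey" step (constructed key pair, hypothetical PIN).
func NewUkey(pin string) *Ukey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return &Ukey{priv: key, pin: pin}
}

// Public is the key carried by the ukey's X.509 certificate; the server only ever sees this.
func (u *Ukey) Public() *rsa.PublicKey { return &u.priv.PublicKey }
// VerifyPIN is the card-holder check of step D; a wrong PIN locks signing again.
func (u *Ukey) VerifyPIN(pin string) bool { u.unlocked = pin == u.pin; return u.unlocked }
// Sign hashes the server's random number and signs it inside the token.
func (u *Ukey) Sign(challenge []byte) ([]byte, error) {
	if !u.unlocked {
		return nil, errors.New("ukey: PIN not verified")
	}
	h := sha256.Sum256(challenge)
	return rsa.SignPKCS1v15(rand.Reader, u.priv, crypto.SHA256, h[:])
}

// AuthServer keeps, per registered account, the public key and the one outstanding challenge.
type AuthServer struct {
	pubKeys map[string]*rsa.PublicKey
	pending map[string][]byte
}

func NewAuthServer() *AuthServer {
	return &AuthServer{pubKeys: map[string]*rsa.PublicKey{}, pending: map[string][]byte{}}
}

// Register (first login). Certificate parsing and the CA check are elided; a real server takes pub only from a CA-signed certificate.
func (s *AuthServer) Register(account string, pub *rsa.PublicKey) { s.pubKeys[account] = pub }

// Challenge issues a fresh random number that is valid for exactly one attempt.
func (s *AuthServer) Challenge(account string) ([]byte, error) {
	if _, ok := s.pubKeys[account]; !ok {
		return nil, errors.New("unknown account")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[account] = nonce
	return nonce, nil
}

// Verify consumes the outstanding challenge, so a replayed or stale signature is rejected.
func (s *AuthServer) Verify(account string, sig []byte) bool {
	nonce, ok := s.pending[account]
	if !ok {
		return false
	}
	delete(s.pending, account)
	h := sha256.Sum256(nonce)
	return rsa.VerifyPKCS1v15(s.pubKeys[account], crypto.SHA256, h[:], sig) == nil
}
```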
