阅读说明：本技术 基于双体系结构的操作系统用户身份认证方法及系统 (Operating system user identity authentication method and system based on dual-architecture ) 是由 杨钊 姬一文 郇福喜 王玉成 杨诏钧 魏立峰 孔金珠 谌志华 于 2021-11-11 设计创作，主要内容包括：本发明提供了一种基于双体系结构的操作系统用户身份认证方法,包括：用户在普通执行环境下输入用户口令,输入时触发安全执行环境,保证用户口令的字符均在所述安全执行环境中,安全执行环境每接收到所述用户口令的一个字符,均返回一个特定字符给普通执行环境；所述安全执行环境接收所述用户口令后,对所述用户口令进行加密处理,并读取已储存的对应用户的加密口令,将加密处理后的所述用户口令与所述加密口令进行对比,若对比一致,则用户身份认证正确,若对比不一致,则用户身份认证错误；所述安全执行环境输出用户身份认证结果给所述普通执行环境,完成认证。该方法能够从根本上来解决病毒、木马等恶意程序窃取用户口令等关键资源的问题。(The invention provides an operating system user identity authentication method based on a dual-system structure, which comprises the following steps: the method comprises the steps that a user inputs a user password in a common execution environment, a safe execution environment is triggered when the user password is input, characters of the user password are guaranteed to be in the safe execution environment, and each time the safe execution environment receives one character of the user password, the safe execution environment returns a specific character to the common execution environment; after receiving the user password, the safe execution environment encrypts the user password, reads the stored encrypted password corresponding to the user, compares the encrypted user password with the encrypted password, if the comparison is consistent, the user identity authentication is correct, and if the comparison is inconsistent, the user identity authentication is wrong; and the safe execution environment outputs the user identity authentication result to the common execution environment to finish authentication. The method can fundamentally solve the problem that malicious programs such as viruses and trojans steal key resources such as user passwords.)

1. An operating system user identity authentication method based on a dual-architecture is characterized by comprising the following steps:

a user inputs a user password in a common execution environment, a safe execution environment is triggered when the user password is input, characters of the user password are ensured to be in the safe execution environment, and each time the safe execution environment receives one character of the user password, a specific character is returned to the common execution environment;

after receiving the user password, the safe execution environment encrypts the user password, reads the stored encrypted password corresponding to the user, compares the encrypted user password with the encrypted password, if the comparison is consistent, the user identity authentication is correct, and if the comparison is inconsistent, the user identity authentication is wrong;

and the safe execution environment outputs the user identity authentication result to the common execution environment to finish authentication.

2. The dual architecture-based operating system user authentication method of claim 1, wherein the user authentication method is used for modification and creation of a user password, comprising:

a user inputs a newly created or modified new user password in the common execution environment, the secure execution environment is triggered when inputting, characters of the new user password are ensured to be in the secure execution environment, and each time the secure execution environment receives one character of the new user password, a specific character is returned to the common execution environment;

and after the safe execution environment receives the new user password, encrypting the new user password, and then storing the ciphertext of the new user password or updating the corresponding encrypted password in the storage so as to generate and store the new encrypted password in the safe execution environment.

3. The dual architecture-based operating system user identity authentication method of claim 1, wherein the generic execution environment includes an input box for entering the user password and displaying the specific character.

4. The dual architecture-based operating system user identity authentication method of claim 1, wherein the specific character is a "×".

5. An operating system user identity authentication system based on a dual-architecture structure is characterized by comprising a safe operating module and a common operating module, wherein the safe operating module runs under a safe execution environment, and the common operating module runs under a common execution environment;

the safety operation module comprises a safety input unit, a safety authentication unit and a safety storage unit, and the common operation module comprises an input device and a display unit;

the input device is used for inputting a user password, and the safety input unit is triggered when the user password is input, so that characters of the user password are all input into the safety input unit, each time a character of the user password is input into the safety input unit, a specific character is returned to the common operation module, and the specific character is displayed on the display unit;

the security input unit is used for encrypting the user password and outputting the user password to the security authentication unit;

the safety authentication unit is used for reading the encrypted password in the safety storage unit, comparing the encrypted user password with the encrypted password, if the comparison is consistent, the user identity authentication is correct, and if the comparison is inconsistent, the user identity authentication is wrong, and outputting the user authentication result to the display unit to be displayed on the display unit.

6. The dual architecture based operating system user identity authentication system of claim 5, wherein the input device includes a user password creation key and a user password modification key, such that the input device is used to enter a new user password that is newly created or newly modified;

and the safety input unit receives the new user password and carries out password encryption processing to generate a new encrypted password, and the new encrypted password is output to the safety storage unit for storage.

7. The dual architecture based operating system user identity authentication system of claim 5, in which the input device is a keyboard.

8. The dual-architecture-based operating system user authentication system of claim 5, wherein the display unit comprises an input box and a text display box, the input box is used for displaying the specific character, the specific character is "+", the text display box is used for displaying the user authentication result, if the user authentication is correct, "correct" is displayed, and if the user authentication is wrong, "wrong" is displayed.

9. An electronic device comprising a processor and a memory, the memory having stored thereon a computer program which, when executed by the processor, implements the method of any of claims 1 to 4.

10. A readable storage medium, in which a computer program is stored which, when being executed by a processor, carries out the method of any one of claims 1 to 4.

Technical Field

The invention belongs to the technical field of computer network application, and particularly relates to an operating system user identity authentication method based on a dual-system structure, an authentication system, electronic equipment and a readable storage medium.

Background

In the age of informatization becoming more and more popular and important, the security requirements on information technology are also becoming higher and higher. However, with the development of informatization, malicious programs such as viruses and trojans are also more and more difficult to find and kill, wherein many viruses and trojans can monitor the keyboard input of a user, analyze sensitive information such as a user password by acquiring the keyboard input data of the user, and acquire key resources such as a user password storage file.

The dual architecture comprises a security architecture and a common architecture, wherein a hardware management module of the dual architecture is specifically used for respectively allocating hardware resources to the security architecture and the common architecture, and enabling the security architecture and the common architecture to work on different CPUs or CPU time slices, and the common architecture cannot access the CPU resources used by the security architecture.

Under the background of wide application of the dual-architecture, the role of the dual-architecture in the field of information security is more and more important, and it is more and more urgent to improve the security of the operating system by using the dual-architecture system, and the user identity authentication is the basis of the security of the operating system.

Therefore, on the basis of the dual-architecture, it is necessary to provide a method for authenticating the user identity of the operating system, which can fundamentally solve the problem that malicious programs such as viruses and trojans steal key resources such as user passwords.

Disclosure of Invention

The invention provides a method and a system for authenticating the user identity of an operating system based on a dual-system structure, which can fundamentally solve the problem that malicious programs such as viruses and trojans steal key resources such as user passwords.

In order to achieve the above objects and other related objects, the present invention provides a method for authenticating a user of an operating system based on a dual architecture, comprising:

a user inputs a user password in a common execution environment, a safe execution environment is triggered when the user password is input, characters of the user password are ensured to be in the safe execution environment, and each time the safe execution environment receives one character of the user password, a specific character is returned to the common execution environment;

after receiving the user password, the safe execution environment encrypts the user password, reads the stored encrypted password corresponding to the user, compares the encrypted user password with the encrypted password, if the comparison is consistent, the user identity authentication is correct, and if the comparison is inconsistent, the user identity authentication is wrong;

and the safe execution environment outputs the user identity authentication result to the common execution environment to finish authentication.

Optionally, the user identity authentication method is used for modifying and creating a user password, and includes: a user inputs a newly created or modified new user password in the common execution environment, the secure execution environment is triggered when inputting, characters of the new user password are ensured to be in the secure execution environment, and each time the secure execution environment receives one character of the new user password, a specific character is returned to the common execution environment;

and after the safe execution environment receives the new user password, encrypting the new user password, and then storing the ciphertext of the new user password or updating the corresponding encrypted password in the storage so as to generate and store the new encrypted password in the safe execution environment.

Optionally, the generic execution environment comprises an input box for entering the user password and displaying the specific character.

Optionally, the specific character is an "".

Based on the same invention conception, the invention also provides an operating system user identity authentication system based on a double-system structure, which comprises a safe operating module and a common operating module, wherein the safe operating module runs under a safe execution environment, and the common operating module runs under a common execution environment;

the safety operation module comprises a safety input unit, a safety authentication unit and a safety storage unit, and the common operation module comprises an input device and a display unit;

the input device is used for inputting a user password, and the safety input unit is triggered when the user password is input, so that characters of the user password are all input into the safety input unit, each time a character of the user password is input into the safety input unit, a specific character is returned to the common operation module, and the specific character is displayed on the display unit;

the security input unit is used for encrypting the user password and outputting the user password to the security authentication unit;

the safety authentication unit is used for reading the encrypted password in the safety storage unit, comparing the encrypted user password with the encrypted password, if the comparison is consistent, the user identity authentication is correct, and if the comparison is inconsistent, the user identity authentication is wrong, and outputting the user authentication result to the display unit to be displayed on the display unit.

Optionally, the input device comprises a user password creation key and a user password modification key, such that the input device is used to enter a new user password that is newly created or newly modified;

and the safety input unit receives the new user password and carries out password encryption processing to generate a new encrypted password, and the new encrypted password is output to the safety storage unit for storage.

Optionally, the input device is a keyboard.

Optionally, the display unit includes an input box and a text display box, the input box is used for displaying the specific character, the specific character is a "+", the text display box is used for displaying a user identity authentication result, if the user identity authentication is correct, the "correct" is displayed, and if the user identity authentication is wrong, the "wrong" is displayed.

Based on the same inventive idea, the invention provides an electronic device comprising a processor and a memory, the memory having stored thereon a computer program which, when executed by the processor, implements the method of any of the above.

Based on the same inventive idea, the invention also provides a readable storage medium having stored therein a computer program which, when executed by a processor, implements the method of any one of the preceding claims.

In summary, the present invention provides a method and a system for authenticating a user identity of an operating system based on a dual-architecture, in order to solve the input problems such as malicious program monitoring, the present invention puts the input into a secure execution environment, the input data is completely processed in the secure execution environment, and the real input data is not transmitted to a common execution environment, thereby fundamentally solving the possibility that the input data is stolen; further, in order to solve the problem that a malicious program steals the system key resources, such as user password files and the like, are stored in a safe storage area in a safe execution environment, and are completely isolated from general storage areas, such as a memory, a disk and the like, of a common execution environment, and any program cannot be accessed in the common execution environment, so that the purpose of protecting the system key resources is achieved.

Drawings

Fig. 1 is a schematic diagram illustrating steps of a user identity authentication method based on a dual-architecture operating system according to an embodiment of the present invention;

fig. 2 is a schematic structural diagram of a user identity authentication system based on a dual-architecture operating system according to an embodiment of the present invention;

fig. 3 is another schematic structural diagram of a dual-architecture-based operating system user identity authentication system according to an embodiment of the present invention.

Detailed Description

The method and system for operating system user identity authentication based on dual architecture according to the present invention will be described in further detail with reference to fig. 1-3 and the following detailed description. The advantages and features of the present invention will become more apparent from the following description. It is to be noted that the drawings are in a very simplified form and are all used in a non-precise scale for the purpose of facilitating and distinctly aiding in the description of the embodiments of the present invention. To make the objects, features and advantages of the present invention comprehensible, reference is made to the accompanying drawings. It should be understood that the structures, ratios, sizes, and the like shown in the drawings and described in the specification are only used for matching with the disclosure of the specification, so as to be understood and read by those skilled in the art, and are not used to limit the implementation conditions of the present invention, so that the present invention has no technical significance, and any structural modification, ratio relationship change or size adjustment should still fall within the scope of the present invention without affecting the efficacy and the achievable purpose of the present invention.

Referring to fig. 1, an embodiment of the present invention provides a method for authenticating a user identity of an operating system based on a dual architecture, including the following steps:

s100, a user inputs a user password in a common execution environment, a safe execution environment is triggered when the user password is input, characters of the user password are ensured to be in the safe execution environment, and each time the safe execution environment receives one character of the user password, a specific character is returned to the common execution environment.

In this embodiment, each character input by the user is in the secure execution environment, the secure execution environment is a secure environment independent of the normal execution environment, the input data is completely processed in the secure execution environment, and the real input data is not transmitted to the normal execution environment, so that the possibility that the input data is stolen is fundamentally solved. In order to let the user know the number of input characters, the secure execution environment may return a uniform specific character to the normal execution environment, e.g. "". The generic execution environment may include an input box to display the particular character.

S200, after receiving the user password, the safe execution environment encrypts the user password, reads the stored encrypted password corresponding to the user, compares the encrypted user password with the encrypted password, if the comparison is consistent, the user identity authentication is correct, and if the comparison is inconsistent, the user identity authentication is wrong.

Through encryption processing, the embodiment stores system key resources, such as user password files and the like, in a secure storage area in a secure execution environment, and is completely isolated from a general storage area of a memory, a disk and the like in a common execution environment, and any program cannot be accessed in the common execution environment, so that the purpose of protecting the system key resources is achieved.

S300, the safe execution environment outputs the user identity authentication result to the common execution environment to finish authentication.

The output result is displayed in the normal execution environment so as to be known by the user.

In the present embodiment, the above method can be also used when creating a new user password or modifying a previous user password. The method specifically comprises the following steps:

1. a user inputs a newly created or modified new user password in the common execution environment, the secure execution environment is triggered when inputting, characters of the new user password are ensured to be in the secure execution environment, and each time the secure execution environment receives one character of the new user password, a specific character is returned to the common execution environment;

2. and after the safe execution environment receives the new user password, encrypting the new user password, and then storing the ciphertext of the new user password or updating the corresponding encrypted password in the storage so as to generate and store the new encrypted password in the safe execution environment.

And the new encrypted password is created and stored in the safe execution environment and is used for comparison when the user authenticates the user later.

Based on the same inventive concept, this embodiment further provides an operating system user identity authentication system based on a dual-architecture, as shown in fig. 2, where the system is based on a dual-architecture system hardware platform, and includes a secure operating module and a normal operating module, where the secure operating module operates in the secure execution environment, and the normal operating module operates in the normal execution environment. The safety operation module comprises a safety input unit, a safety authentication unit and a safety storage unit, and the common operation module comprises an input device and a display unit. The input device is used for inputting a user password, and the safety input unit is triggered when the user password is input, so that characters of the user password are all input into the safety input unit, each time a character of the user password is input into the safety input unit, a specific character is returned to the common operation module, and the specific character is displayed on the display unit; the security input unit is used for encrypting the user password and outputting the user password to the security authentication unit; the safety authentication unit is used for reading the encrypted password in the safety storage unit, comparing the encrypted user password with the encrypted password, if the comparison is consistent, the user identity authentication is correct, and if the comparison is inconsistent, the user identity authentication is wrong, and outputting the user authentication result to the display unit to be displayed on the display unit.

In a specific implementation, a user inputs a user password through the input device, referring to fig. 2, the input user password enters the security input unit for input, and the security input unit returns a specific character, such as a 'x', to the display unit every time a character is input, and the display unit may include an input box and a text display box, and the specific character may be displayed in the input box to let a client know the number of input characters. And after the user password input by the safety input unit is encrypted, entering the safety authentication unit, reading the encrypted password stored in the safety storage unit by the safety authentication unit, comparing the encrypted password with the encrypted password, if the encrypted password is consistent with the encrypted password, the authentication is correct, the safety authentication unit replies 'correct' to the display unit and displays the result on the character display frame of the display unit, and if the encrypted password is inconsistent with the encrypted password, the safety authentication unit replies 'wrong' to the display unit and displays the result on the character display frame of the display unit.

In this embodiment, the system may also be used for creating a new user password and modifying a user password, and referring to fig. 3, the input device may include a creation key and a modification key of a user password, and when the creation key or the modification key is pressed, the creation and modification of the user password are performed. After the input device inputs a newly created or modified new user password, the security input unit receives the new user password and carries out password encryption processing to generate a new encrypted password, and the new encrypted password is output to the security storage unit to be stored for later comparison and authentication.

In this embodiment, the input device is a keyboard.

Based on the same inventive concept, the invention further provides an electronic device, which includes a processor and a memory, where the memory stores a computer program, and the computer program, when executed by the processor, implements the dual-architecture-based operating system user identity authentication method.

The processor may be, in some embodiments, a Central Processing Unit (CPU), a controller, a microcontroller, a microprocessor (e.g., a GPU), or other data Processing chip. The processor is typically used to control the overall operation of the electronic device. In this embodiment, the processor is configured to run a program code stored in the memory or process data, for example, a program code for running the rail transit safety integrity identification method.

The memory includes at least one type of readable storage medium including a flash memory, a hard disk, a multimedia card, a card type memory (e.g., SD or DX memory, etc.), a Random Access Memory (RAM), a Static Random Access Memory (SRAM), a Read Only Memory (ROM), an Electrically Erasable Programmable Read Only Memory (EEPROM), a Programmable Read Only Memory (PROM), a magnetic memory, a magnetic disk, an optical disk, etc. In some embodiments, the storage may be an internal storage unit of the electronic device, such as a hard disk or a memory of the electronic device. In other embodiments, the memory may also be an external storage device of the electronic device, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), and the like provided on the electronic device. Of course, the memory may also include both internal and external memory units of the electronic device. In this embodiment, the memory is generally used for storing an operating method installed in the electronic device and various types of application software, such as a program code of the rail transit safety integrity identification method. In addition, the memory may also be used to temporarily store various types of data that have been output or are to be output.

Based on the same idea, the invention further provides a readable storage medium, in which a computer program is stored, and when the computer program is executed by a processor, the method for operating system user identity authentication based on a dual-architecture is implemented.

The invention has the advantages that the input data is input in the safe execution environment, the input data is completely processed in the safe execution environment, and the real input data is not transmitted to the common execution environment, thereby fundamentally solving the possibility that the input data is stolen; further, in order to solve the problem that a malicious program steals the system key resources, such as user password files and the like, are stored in a safe storage area in a safe execution environment, and are completely isolated from general storage areas, such as a memory, a disk and the like, of a common execution environment, and any program cannot be accessed in the common execution environment, so that the purpose of protecting the system key resources is achieved.

While the present invention has been described in detail with reference to the preferred embodiments, it should be understood that the above description should not be taken as limiting the invention. Various modifications and alterations to this invention will become apparent to those skilled in the art upon reading the foregoing description. Accordingly, the scope of the invention should be determined from the following claims.