System login method, edge node device and computer readable storage medium
By generating and dynamically changing random passwords, the system login security problem in a zero-trust environment is solved, realizing a secure login method without data transmission and improving the security and feasibility of system login.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- SHENZHEN YUNWANG WULIAN TECH CO LTD
- Filing Date
- 2023-03-09
- Publication Date
- 2026-07-03
AI Technical Summary
In a zero-trust environment, existing system login methods are at risk of passwords being intercepted during data transmission, resulting in low system login security.
Generate a random password, set the login password of the target system as a random password, and immediately change it to a new random password after successful login to avoid password data transmission. Automatic login and password management are performed through edge node devices.
This improves system login security, reduces the possibility of password interception, implements dynamic password protection, and enhances the feasibility and security of system login.
Smart Images

Figure CN116232588B_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of system login, and more specifically, to system login methods, edge node devices, and computer-readable storage media. Background Technology
[0002] On zero-trust edge service nodes, there are various risks, such as data packet forgery, theft of sensitive files, and reverse engineering of binary files. Therefore, in order to ensure the security of system login, the "login password," which is the key to the operating system, is particularly important.
[0003] The existing system login method is a traditional key escrow model, in which passwords are stored on the server, and the target device can obtain the password from the server through data transmission, and then log in to the target system based on the obtained password.
[0004] However, in a zero-trust environment, if the original password is transmitted over the network, it will inevitably be the first step in the collapse of the entire system. Furthermore, with existing system login methods, passwords are easily intercepted during data transmission, and the intercepted password can be used to log into the target system, resulting in low system login security. Summary of the Invention
[0005] This application provides a system login method, an edge node device, and a computer-readable storage medium for performing system login while improving system login security.
[0006] In a first aspect, embodiments of this application provide a system login method, including:
[0007] Generate random passwords;
[0008] Set the login password for the target system to the random password;
[0009] Log in to the target system using the random password;
[0010] Change the login password of the target system so that no device can obtain the changed login password of the target system.
[0011] Optionally, logging into the target system using the random password includes:
[0012] The system will automatically log in to the target system based on the random password.
[0013] Optionally, the step of automatically logging into the target system based on the random password includes:
[0014] Obtain the registry entry containing the automatic login password;
[0015] The automatic login password of the registry is changed to the random password to obtain the target registry;
[0016] The system is automatically logged into based on the random password in the target registry.
[0017] Optionally, changing the login password of the target system includes:
[0018] Generate a random password for the target;
[0019] The login password of the target system is changed to the target random password; wherein, the target random password is not saved.
[0020] Optionally, before generating the random password, the method further includes:
[0021] Determine whether the edge node device meets the login conditions for the target system;
[0022] If the edge node device meets the login conditions, then the step of generating a random password is executed.
[0023] Optionally, determining whether the edge node device meets the login conditions for logging into the target system includes:
[0024] Send the login status request of the edge node device to the status server;
[0025] Obtain the login status information of the edge node device in response to the login status request from the status server, and determine whether the edge node device meets the login conditions based on the login status information;
[0026] If the edge node device meets the login conditions, it includes:
[0027] If the login status information indicates that the device is in a login-enabled state, then the edge node device is determined to meet the login conditions.
[0028] Optionally, sending the login status request of the edge node device to the status server includes:
[0029] The login status request of the edge node device is sent to the status server using a preset encrypted transmission method;
[0030] The step of obtaining the login status information of the edge node device in response to the login status request from the status server includes:
[0031] The login status information of the edge node device in response to the login status request is obtained through the preset encrypted transmission method.
[0032] Secondly, embodiments of this application provide an edge node device, including:
[0033] A generation unit, used to generate random passwords;
[0034] The setting unit is used to set the login password of the target system to the random password;
[0035] A login unit, used to log in to the target system according to the random password;
[0036] The modification unit is used to change the login password of the target system so that no device can obtain the modified login password of the target system.
[0037] Thirdly, embodiments of this application provide an edge node device, including:
[0038] Central processing unit, memory, input / output interfaces, wired or wireless network interfaces, and power supply;
[0039] The memory is either a short-term storage memory or a persistent storage memory;
[0040] The central processing unit is configured to communicate with the memory and execute instructions in the memory to perform the aforementioned system login method.
[0041] Fourthly, embodiments of this application provide a computer-readable storage medium including instructions that, when executed on a computer, cause the computer to perform the aforementioned system login method.
[0042] Fifthly, embodiments of this application provide a computer program product containing instructions that, when run on a computer, cause the computer to execute the aforementioned system login method.
[0043] As can be seen from the above technical solutions, the embodiments of this application have the following advantages: a random password can be generated, the login password of the target system can be set as a random password, the target system can be logged in according to the random password, and the login password of the target system can be changed so that no device can obtain the changed login password of the target system. During the system login process, no data transmission of the password is involved, which reduces the possibility of the password being intercepted during data transmission and improves the security of system login. Attached Figure Description
[0044] Figure 1 This is a schematic diagram of the architecture of a system login system disclosed in an embodiment of this application;
[0045] Figure 2 This is a flowchart illustrating a system login method disclosed in an embodiment of this application;
[0046] Figure 3 This is a flowchart illustrating another system login method disclosed in an embodiment of this application;
[0047] Figure 4 This is a schematic diagram of the structure of an edge node device disclosed in an embodiment of this application;
[0048] Figure 5 This is a schematic diagram of another edge node device disclosed in an embodiment of this application;
[0049] Figure 6 This is a schematic diagram of the structure of another edge node device disclosed in an embodiment of this application. Detailed Implementation
[0050] This application provides a system login method, an edge node device, and a computer-readable storage medium for performing system login while improving system login security.
[0051] Please see Figure 1 The architecture of the system login system in this application embodiment includes:
[0052] Edge node device 101 and state server 102. When logging into the system, edge node device 101 can connect to state server 102. Edge node device 101 can send a login status request to state server 102 and obtain login status information from state server 102. If the login status information indicates that login is possible, edge node device 101 generates a random password, sets the target system's login password to the random password, logs into the target system using the random password, and then changes the target system's login password.
[0053] based on Figure 1 Please refer to the system login system shown. Figure 2 , Figure 2 This is a flowchart illustrating a system login method disclosed in an embodiment of this application. The method includes:
[0054] 201. Generate a random password.
[0055] In this embodiment, a random password can be generated when logging into the system. It's important to understand that a random password ensures the randomness and irregularity of password generation. Using a random password reduces the likelihood of determining the generated password based on patterns, thus decreasing the possibility of the password being cracked and maximizing the security of system login.
[0056] 202. Set the login password for the target system to a random password.
[0057] After generating a random password, you can set the login password for the target system as a random password. It's important to understand that for each system login, a random password can be generated for that specific login session, and then the target system's login password can be set to this random password. This means that each system login will have a corresponding random password, improving system login security. This is equivalent to creating the login password only before logging in, preventing password leaks beforehand.
[0058] 203. Log in to the target system using the random password.
[0059] After setting the target system's login password to a random password, you can log in to the target system using that random password. Methods for logging in using a random password include automatic login, such as first obtaining the registry entry containing the automatic login password, then modifying the automatic login password in the registry to a random password to obtain the target registry entry, and finally automatically logging in using the random password from the target registry entry. Other reasonable methods can also be used; specific methods are not limited here. It's important to understand that the password used to log in to the target system must match the target system's login password. Since the target system's login password has been set to a generated random password, you can log in to the target system using that generated random password.
[0060] 204. Change the login password of the target system so that no device can obtain the changed login password of the target system.
[0061] After logging into the target system using a random password, the login password can be changed, preventing any device from obtaining the modified password. It's important to understand that after successful login, the current system password can be changed, ensuring the target system's login password remains a new, random string. This password changes with each login attempt, preventing any device from accessing it. The password is not saved; it only exists during the specific login session. Before and after login, the password is changed to a secret that no one else knows, reducing the possibility of other devices obtaining the random password and achieving a secure login system, thus improving its feasibility.
[0062] In this embodiment of the application, a random password can be generated, and the login password of the target system can be set as a random password. Login to the target system based on the random password, and change the login password of the target system so that no device can obtain the changed login password of the target system. During the system login process, no data transmission of the password is involved, which reduces the possibility of the password being intercepted during data transmission and improves the security of system login.
[0063] In this embodiment of the application, before generating a random password, it can be determined whether the edge node device meets the login conditions for the target system. If the edge node device meets the login conditions, the step of generating a random password is executed. There are various methods for determining whether the edge node device meets the login conditions for the target system, based on... Figure 2 The system login methods shown are described below, and one of them is described in detail below.
[0064] In this embodiment, system login can be performed in a zero-trust environment, where zero trust means that the network, operating system, and hardware environment in the operating environment are not 100% secure. When performing system login, it can first be determined whether the edge node device meets the login conditions of the target system.
[0065] One method to determine whether an edge node device meets the login conditions for the target system is to first send a login status request to the status server, then obtain the login status information of the edge node device in response to the login status request from the status server, and finally determine whether the edge node device meets the login conditions based on the login status information. If the login status information indicates that the edge node device is in a login-available state, then the edge node device is determined to meet the login conditions.
[0066] One method for sending a login status request from an edge node device to a state server is to send the login status request to the state server using a preset encrypted transmission method. Another method for obtaining the login status information of the edge node device in response to the login status request from the state server is to obtain the login status information of the edge node device in response to the login status request from the state server using a preset encrypted transmission method.
[0067] For details, please refer to Figure 3 , Figure 3 This is a flowchart illustrating another system login method disclosed in an embodiment of this application. Figure 3As can be seen, edge nodes can invoke secAgent to request login status from the state server. secAgent (sec agent) runs on the edge node, and data transmission between secAgent and the state server is based on the HTTPS protocol. Furthermore, in addition to HTTPS, transmission can also be carried out through a tunnel. A tunnel is a private protocol that allows for encrypted transmission of information. Figure 3 As can be seen, when an edge node calls secAgent to send a login status request to the state server via Tunnel, Tunnel can parse the login status request using its private protocol. After parsing, Tunnel can forward the parsed login status request to the state server, enabling the state server to respond and send the edge node's login status information to Tunnel. Tunnel can then parse the edge node's login status information using its private protocol and forward it to the edge node's secAgent. It's important to understand that secAgent and the state server transmit data via HTTPS, and the transmitted content is further encrypted using Tunnel's private protocol on top of HTTPS security, thus improving data transmission security. It's understood that Tunnel can be configured only on the state server or the edge node, or both; the specific Tunnel configuration is not limited here.
[0068] Once it is determined that the edge node device meets the login requirements, the step of generating a random password can be performed.
[0069] Specifically, the method for generating random passwords can be that the edge node calls secAgent to generate random passwords. The generated random password can be a random password string or other reasonable passwords. The specific format of the random password is not limited here. Secondly, the method for generating random passwords can also be a password generated randomly by a password generator. The method for generating random passwords can also be other reasonable methods. The specific method for generating random passwords is not limited here.
[0070] After generating a random password, you can set the login password for the target system as a random password.
[0071] It's important to understand that a random password can be generated for each system login, and then the target system's login password is set to this random password. This means that each system login has a corresponding random password, improving system login security. This is equivalent to creating the login password only before logging in, preventing password leaks in advance.
[0072] After setting the login password for the target system to a random password, you can log in to the target system using the random password.
[0073] One method for logging into the target system using a random password is to automatically log in using a random password. This can be achieved by first obtaining a registry entry containing the automatic login password, then modifying the automatic login password in the registry to a random password to obtain the target registry entry, and finally automatically logging into the target system using the random password from the target registry entry.
[0074] For details, please continue reading. Figure 3 The method for logging into the target system using the random password can be as follows: First, the first login can be set to automatic login in the registry. Specifically, this setting can be modified in the first location of the registry, which can be: SOFTWARE\\Microsoft\\WindowsNT\\CurrentVersion\\Winlogon\\AutoAdminLogon, or any other reasonable location. Then, secAgent can be called to restart the edge node by modifying the registry. After the edge node restarts, it can automatically log in. Specifically, the generated random password can be written to the second location of the registry, which can be: SOFTWARE\\Microsoft\\WindowsNT\\CurrentVersion\\Winlogon\\DefaultPassword, or any other reasonable location.
[0075] After logging into the target system with a random password, the login password of the target system can be changed so that no device can obtain the changed login password of the target system.
[0076] One method for changing the login password of the target system is to first generate a target random password, and then change the target system's login password to the target random password; wherein, the target random password is not saved. It is important to understand that after a successful login to an edge node, the current login password of the target system can be immediately modified, ensuring that the target system's login password remains a new random password. This login method achieves dynamic password protection. Dynamic password means that the password changes periodically and is not saved; the login password only exists during the specific time period of each login attempt. Before and after login, the login password is changed to a password that no one knows, thus reducing the possibility of the random password being obtained by other devices. The target system's login password changes dynamically with each login, ensuring that no device can obtain the changed login password, achieving a secure login system and improving its feasibility.
[0077] It is worth mentioning that after logging into the target system, the edge node can also perform various types of environmental monitoring. Once an anomaly is detected, it will immediately return to the locked screen or power-off state, exposing the logged-in screen to the outside world, which further improves the security of system login.
[0078] It is understandable that, in addition to the methods described above for logging into the target system with a random password; in addition to the methods described above for automatically logging into the target system with a random password; in addition to the methods described above for changing the login password of the target system; in addition to the methods described above for determining whether the edge node device meets the login conditions for logging into the target system; in addition to the methods described above for sending a login status request of the edge node device to the status server and obtaining the login status information of the edge node device in response to the login status request from the status server; other reasonable methods may also be used, and specific methods are not limited here.
[0079] In this embodiment, a random password can be generated and set as the login password for the target system. Login to the target system using this random password allows the target system's login password to be changed, ensuring that no device can obtain the modified password. During the login process, no password data is transmitted, reducing the possibility of password interception and improving system login security. Secondly, when the edge device's login status is "loginable," it can still perform effective login and data transmission even if no device knows the password, improving the feasibility of system login. Furthermore, after successful login, the current system password can be changed, ensuring the target system's login password remains a new random password. The target system's login password changes with each login, preventing any device from obtaining the modified password. This achieves dynamic password protection; the login password only exists during the specific login period. Before and after login, the password is changed to a password unknown to anyone, reducing the possibility of other devices obtaining the random password and achieving a secure login system, thus improving its feasibility. Finally, login can be performed through state modification. After login, various types of environmental monitoring can be conducted. If any anomalies are detected, the system will immediately revert to a locked screen or power-off state, exposing the login screen to the outside world, further enhancing system login security. Therefore, this embodiment can protect the system even in an extreme zero-trust environment, reducing the possibility of password interception during data transmission and subsequent machine compromise.
[0080] The system login method in the embodiments of this application has been described above. The edge node device in the embodiments of this application is described below. Please refer to [link / reference]. Figure 4 One embodiment of the edge node device in this application includes:
[0081] Generation unit 401 is used to generate random passwords;
[0082] Setting unit 402 is used to set the login password of the target system to the random password;
[0083] Login unit 403 is used to log in to the target system according to the random password;
[0084] The modification unit 404 is used to change the login password of the target system so that no device can obtain the modified login password of the target system.
[0085] In this embodiment, a random password can be generated, and the login password of the target system can be set as the random password. Login to the target system using the random password and change the login password of the target system so that no device can obtain the changed login password of the target system. During the system login process, no data transmission of the password is involved, which reduces the possibility of the password being intercepted during data transmission and improves the security of system login.
[0086] The edge node devices in the embodiments of this application are described in detail below. Please refer to [link / reference]. Figure 5 Another embodiment of the edge node device in this application includes:
[0087] Generation unit 501 is used to generate random passwords;
[0088] Setting unit 502 is used to set the login password of the target system to the random password;
[0089] Login unit 503 is used to log in to the target system according to the random password;
[0090] The modification unit 504 is used to change the login password of the target system so that no device can obtain the modified login password of the target system.
[0091] The login unit 503 is specifically used to automatically log in to the target system based on the random password.
[0092] The login unit 503 is specifically used to obtain a registry that records the automatic login password, modify the automatic login password in the registry to the random password to obtain the target registry, and automatically log in to the target system according to the random password in the target registry.
[0093] The modification unit 504 is specifically used to generate a target random password and change the login password of the target system to the target random password; wherein, the target random password is not saved.
[0094] The edge node device also includes:
[0095] The judgment unit 505 is used to determine whether the edge node device meets the login conditions for logging into the target system;
[0096] The execution unit 506 is configured to execute the step of generating a random password if the edge node device meets the login conditions.
[0097] The judgment unit 505 is specifically used to send a login status request of the edge node device to the status server, obtain the login status information of the edge node device in response to the login status request from the status server, and determine whether the edge node device meets the login conditions based on the login status information.
[0098] The execution unit 506 is specifically used to determine that the edge node device meets the login conditions if the login status information is in a login-available state.
[0099] The judgment unit 505 is specifically used to send a login status request of the edge node device to the status server through a preset encrypted transmission method, and to obtain the login status information of the edge node device in response to the login status request by the status server through the preset encrypted transmission method.
[0100] In this embodiment, each unit in the edge node device performs as described above. Figure 2 The operation of the edge node device in the illustrated embodiment will not be described in detail here.
[0101] Please refer to the following: Figure 6 Another embodiment of the edge node device 600 in this application includes:
[0102] Central processing unit 601, memory 605, input / output interface 604, wired or wireless network interface 603, and power supply 602;
[0103] Memory 605 is either a short-term storage memory or a persistent storage memory;
[0104] The central processing unit 601 is configured to communicate with the memory 605 and execute instructions stored in the memory 605 to perform the aforementioned operations. Figure 2 The method in the illustrated embodiment.
[0105] This application also provides a computer-readable storage medium, which includes instructions that, when executed on a computer, cause the computer to perform the aforementioned actions. Figure 2 The method in the illustrated embodiment.
[0106] This application also provides a computer program product containing instructions, which, when run on a computer, causes the computer to perform the aforementioned... Figure 2 The method in the illustrated embodiment.
[0107] It should be understood that although the steps in the flowcharts of the embodiments described above are shown sequentially according to the arrows, these steps are not necessarily executed in the order indicated by the arrows. Unless explicitly stated herein, there is no strict order restriction on the execution of these steps, and they can be executed in other orders. Moreover, at least some steps in the flowcharts of the embodiments described above may include multiple steps or multiple stages. These steps or stages are not necessarily completed at the same time, but can be executed at different times. The execution order of these steps or stages is not necessarily sequential, but can be performed alternately or in turn with other steps or at least some of the steps or stages of other steps.
[0108] Those skilled in the art will clearly understand that, for the sake of convenience and brevity, the specific working processes of the systems, devices, and units described above can be referred to the corresponding processes in the foregoing method embodiments, and will not be repeated here.
[0109] In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatuses, and methods can be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; for instance, the division of units is only a logical functional division, and in actual implementation, there may be other division methods. For example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection between apparatuses or units through some interfaces, and may be electrical, mechanical, or other forms.
[0110] The units described as separate components may or may not be physically separate. The components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units can be selected to achieve the purpose of this embodiment according to actual needs.
[0111] Furthermore, the functional units in the various embodiments of this application can be integrated into one processing unit, or each unit can exist physically separately, or two or more units can be integrated into one unit. The integrated unit can be implemented in hardware or as a software functional unit.
[0112] If the integrated unit is implemented as a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application, in essence, or the part that contributes to the prior art, or all or part of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of this application. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.
Claims
1. A system login method for a target device, characterized in that, Applied to a target device, the method includes: Generate random passwords; Set the login password of the target system of the target device to the random password; Log in to the target system using the random password; Change the login password of the target system so that no device can obtain the changed login password of the target system.
2. The method according to claim 1, characterized in that, The step of logging into the target system using the random password includes: The system will automatically log in to the target system based on the random password.
3. The method according to claim 2, characterized in that, The automatic login to the target system based on the random password includes: Obtain the registry entry containing the automatic login password; The automatic login password of the registry is changed to the random password to obtain the target registry; The system is automatically logged into based on the random password in the target registry.
4. The method according to claim 1, characterized in that, Changing the login password of the target system includes: Generate a random password for the target; The login password of the target system is changed to the target random password; wherein, the target random password is not saved.
5. The method according to claim 1, characterized in that, The target device is an edge node device, and before the target device generates a random password, the method further includes: Determine whether the edge node device meets the login conditions for logging into the target system; If the edge node device meets the login conditions, then the step of generating a random password is executed.
6. The method according to claim 5, characterized in that, The step of determining whether the edge node device meets the login conditions for logging into the target system includes: Send the login status request of the edge node device to the status server; Obtain the login status information of the edge node device in response to the login status request from the status server, and determine whether the edge node device meets the login conditions based on the login status information; If the edge node device meets the login conditions, it includes: If the login status information indicates that the device is in a login-enabled state, then the edge node device is determined to meet the login conditions.
7. The method according to claim 6, characterized in that, Sending the login status request of the edge node device to the status server includes: The login status request of the edge node device is sent to the status server using a preset encrypted transmission method; The step of obtaining the login status information of the edge node device in response to the login status request from the status server includes: The login status information of the edge node device in response to the login status request is obtained through the preset encrypted transmission method.
8. A target device, characterized in that, include: A generation unit, used to generate random passwords; The setting unit is used to set the login password of the target system of the target device to the random password; A login unit, used to log in to the target system according to the random password; The modification unit is used to change the login password of the target system so that no device can obtain the modified login password of the target system.
9. A target device, characterized in that, include: Central processing unit and memory; The memory is either a short-term storage memory or a persistent storage memory; The central processing unit is configured to communicate with the memory and execute instructions in the memory to perform the method according to any one of claims 1 to 7.
10. A computer-readable storage medium, characterized in that, The computer-readable storage medium includes instructions that, when executed on a computer, cause the computer to perform the method as described in any one of claims 1 to 7.