CN107426235B - Authority authentication method, device and system based on equipment fingerprint - Google Patents


Publication number: CN107426235B
Application number: CN201710671447.5A
Authority: CN (China)
Prior art keywords: verification, verification code, hash value, authentication, account
Legal status: Active (the legal status is an assumption and is not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN107426235A (en)
Inventors: 阚志刚, 陈彪, 杨承育, 卢佐华, 方宁
Current Assignee: Beijing Bang Bang Safety Technology Co Ltd
Original Assignee: Beijing Bang Bang Safety Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions

Abstract

The application relates to the technical field of computers, and in particular to a permission authentication method, device and system based on device fingerprints, which address the problem that permission verification in the prior art is insecure. The application mainly includes the following: the authority authentication device sends the received first verification code and the device fingerprint it has generated to the authentication server for two rounds of verification. The device fingerprint is obtained by performing bit operations on hash values determined from the hardware information and combining the results, which increases the complexity of the character string, improves the reliability and accuracy of determining the device fingerprint, avoids different electronic devices producing the same device fingerprint, and ensures the uniqueness of the device fingerprint. In addition, compared with prior-art schemes that perform permission verification using only a short message verification code, this method has more verification levels and content, which makes an attacker's cracking work more difficult and improves the security and reliability of permission authentication.

Description

Authority authentication method, device and system based on equipment fingerprint
Technical Field
The present application relates to the field of computer technologies, and in particular, to a method, an apparatus, and a system for authority authentication based on device fingerprints.
Background
With the rise of the internet, more and more matters related to personal information, transaction processing or property collection can be completed on the internet. However, in consideration of the sharing characteristics of the internet, there may be hacking attacks, and therefore, in order to ensure the security of the personal information and property of the user, user authentication is required in most of the event processing scenarios, and the corresponding service and account can be allowed to be used after the authentication is passed.
However, current user identity authentication generally verifies only the user account and password, sometimes with the addition of a mobile phone short message verification code. Once an attacker such as a hacker cracks the password corresponding to the user account and intercepts the short message verification code, whether through telecommunication interception or interference techniques or through a Trojan program, the attacker can pose as the user, pass identity authentication smoothly, and then steal user information and even user property.
Therefore, in view of the insecurity of the current privilege authentication scheme, it is highly desirable to find a new privilege authentication scheme.
Disclosure of Invention
The embodiment of the application provides a method, a device and a system for authority authentication based on device fingerprints, which are used for solving the problem of insecurity in the prior art.
The embodiment of the application adopts the following technical scheme:
a permission authentication method based on device fingerprints comprises the following steps:
sending an authority authentication request carrying an account identifier to an authentication server;
receiving a first verification code returned by the authentication server, wherein the first verification code corresponds to the account identification;
respectively determining a first hash value and a second hash value according to a plurality of pieces of hardware information of the electronic equipment; combining results obtained by respectively performing bit operations on the first hash value and the second hash value to determine the results as the device fingerprint of the electronic device;
sending the device fingerprint and the first verification code to the authentication server, so that the authentication server performs first verification on the device fingerprint, and performs second verification on the received first verification code after the first verification is successful;
and receiving a permission confirmation notice returned after the second check is successful.
Optionally, before sending the permission authentication request, the method further includes:
sending a binding request carrying an account identifier to an authentication server;
receiving a second verification code returned by the authentication server, wherein the second verification code corresponds to the account identification;
sending the second verification code and the account identification to the authentication server for verification;
receiving a binding notification sent by the authentication server after the authentication is successful;
respectively determining a first hash value and a second hash value according to a plurality of pieces of hardware information of the electronic equipment; and combining results obtained by performing bit operation on the first hash value and the second hash value respectively, determining the results as the device fingerprint of the electronic device, and sending the device fingerprint to the authentication server.
Optionally, the determining the first hash value and the second hash value according to multiple hardware information of the mobile terminal respectively includes:
respectively carrying out remainder processing on the plurality of pieces of hardware information, and determining a first character string according to obtained remainders; performing hash operation on the first character string to obtain a first hash value; and
selecting any hardware information with the character string length meeting a threshold value from the plurality of hardware information; and carrying out hash operation on any selected hardware information to obtain the second hash value.
Optionally, each piece of hardware information corresponds to a preset remainder algorithm;
the method includes the steps of respectively conducting remainder processing on the plurality of pieces of hardware information, determining a first character string according to obtained remainders, and specifically including:
respectively searching a corresponding remainder algorithm for each piece of hardware information;
performing remainder operation on corresponding hardware information according to the found remainder algorithm;
and splicing the remainder after the remainder processing is carried out on the plurality of pieces of hardware information according to a preset splicing rule to obtain the first character string.
Optionally, combining results obtained by performing bit operations on the first hash value and the second hash value respectively, and determining the result as the device fingerprint of the electronic device, specifically including:
performing bit operation on the first hash value to obtain a character string with a first preset number of bits;
performing bit operation on the second hash value to obtain a character string with a second preset number of bits;
and splicing the character string with the first preset number of bits and the character string with the second preset number of bits end to end to form a new character string, which is used as the device fingerprint of the electronic device.
A permission authentication method based on device fingerprints comprises the following steps:
receiving an authority authentication request carrying an account identifier;
generating a first verification code corresponding to the account identification and sending the first verification code to the authority authentication device;
receiving an equipment fingerprint carrying an account identification and a first verification code, performing first verification on the equipment fingerprint, and performing second verification on the first verification code after the first verification is successful;
and returning a permission confirmation notice to the permission authentication device after the second check is successful.
Optionally, the first verification is performed on the device fingerprint, and the second verification is performed on the first verification code after the first verification is successful, specifically including:
looking up the locally stored device fingerprint that has the same account identification as the received device fingerprint, and verifying the received device fingerprint against the one found;
and looking up the locally stored first verification code that has the same account identification as the received first verification code, and verifying the received first verification code against the one found.
Optionally, before receiving the permission authentication request, the method further includes:
receiving a binding request carrying an account identifier;
generating a second verification code corresponding to the account identification and sending the second verification code to the authority authentication device;
receiving the second verification code and the corresponding account identification, and verifying the second verification code;
sending a binding notification to the authority authentication device after the verification is successful;
and receiving the device fingerprint sent by the authority authentication device.
An authority authentication apparatus comprising:
the first sending unit is used for sending an authority authentication request carrying an account identifier to the authentication server;
a first receiving unit, configured to receive a first verification code returned by the authentication server, where the first verification code corresponds to the account id;
the determining unit is used for respectively determining a first hash value and a second hash value according to a plurality of pieces of hardware information of the electronic equipment; combining results obtained by respectively performing bit operations on the first hash value and the second hash value to determine the results as the device fingerprint of the electronic device;
the first sending unit is further configured to send the device fingerprint and the first verification code to the authentication server, so that the authentication server performs a first verification on the device fingerprint, and performs a second verification on the received first verification code after the first verification is successful;
the first receiving unit is further configured to receive an authority confirmation notification returned after the second check is successful.
An authority authentication server comprising:
the second receiving unit is used for receiving an authority authentication request carrying an account identifier;
the second sending unit is used for generating a first verification code corresponding to the account identification and sending the first verification code to the authority authentication device;
the second receiving unit is further configured to receive a device fingerprint carrying an account identifier and a first verification code, perform first verification on the device fingerprint, and perform second verification on the first verification code after the first verification is successful;
the second sending unit is further configured to return an authority confirmation notification to the authority authentication device after the second verification is successful.
An authority authentication system comprising: an authority authentication device and an authority authentication server; wherein:
the authority authentication device is used for sending an authority authentication request carrying an account identifier to an authentication server, receiving a first verification code returned by the authentication server, wherein the first verification code corresponds to the account identifier, and respectively determining a first hash value and a second hash value according to a plurality of hardware information of the electronic equipment; combining results obtained by respectively performing bit operation on the first hash value and the second hash value to determine the combined result as a device fingerprint of the electronic device, sending the device fingerprint and the first verification code to the authentication server so that the authentication server performs first verification on the device fingerprint, performs second verification on the received first verification code after the first verification is successful, and receives a returned permission confirmation notice after the second verification is successful;
the authority authentication server is used for receiving an authority authentication request carrying an account identification, generating a first verification code corresponding to the account identification, sending the first verification code to an authority authentication device, receiving a device fingerprint carrying the account identification and the first verification code, performing first verification on the device fingerprint, performing second verification on the first verification code after the first verification is successful, and returning an authority confirmation notice to the authority authentication device after the second verification is successful.
The embodiment of the application adopts at least one technical scheme which can achieve the following beneficial effects:
In the information interaction of this technical scheme, the terminal device sends the first verification code and the device fingerprint to the authentication server for authority authentication. The authority authentication comprises two layers of verification: the first layer is verification of the device fingerprint, and if the comparison shows the fingerprints are the same, the first layer succeeds and the second layer, verification of the first verification code, is performed. The device fingerprint increases the complexity of the resulting character string by applying remainder processing to the hardware information, and bit operations are further performed on the first hash value and the second hash value respectively, which further scrambles the inherent character strings of the hardware information, raises the complexity of the determined character string, and prevents the device fingerprints determined by different electronic devices from being repeated. This improves the reliability and accuracy of determining the device fingerprint of the electronic device and ensures the uniqueness of the device fingerprint. Furthermore, the uniqueness of the device fingerprint necessarily increases the verification difficulty; the permission authentication is confirmed as passed only after both layers of verification succeed, after which payment password verification, login password verification and the like can be carried out according to the specific service content.
Compared with prior-art schemes that perform permission verification using only a short message verification code, this method has more verification levels and content, which makes an attacker's cracking work more difficult, improves the security and reliability of permission authentication, and in turn safeguards users' performance security and information security when using the service.
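The server-side binding and two-layer check described above, as an added Python example that is not code from the patent. The `AuthServer` class, the six-character code format, the 300-second lifetime and the rule that any verification attempt uses up the code are assumptions of this example; the patent specifies only the order of the checks.

```python
import hmac
import secrets
import string
import time

CODE_TTL_SECONDS = 300  # assumed validity window; the patent gives none
CODE_ALPHABET = string.ascii_lowercase + string.digits


class AuthServer:
    """In-memory model of the authentication server (hypothetical names)."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.codes = {}          # (account, purpose) -> (code, expiry time)
        self.binding_ok = set()  # accounts whose second verification code passed
        self.fingerprints = {}   # account -> device fingerprint bound to it

    def issue_code(self, account, purpose):
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(6))
        self.codes[(account, purpose)] = (code, self.clock() + CODE_TTL_SECONDS)
        return code

    def consume_code(self, account, purpose, presented):
        # Single use (assumption): the stored code is removed on every attempt.
        stored, expiry = self.codes.pop((account, purpose), (None, 0.0))
        if stored is None or self.clock() > expiry:
            return False
        return hmac.compare_digest(stored.encode(), presented.encode())

    # Binding phase: second verification code, then fingerprint registration.
    def request_binding(self, account):
        return self.issue_code(account, "bind")

    def confirm_binding(self, account, second_code):
        ok = self.consume_code(account, "bind", second_code)
        if ok:
            self.binding_ok.add(account)
        return ok

    def register_fingerprint(self, account, fingerprint):
        if account not in self.binding_ok:
            return False  # no fingerprint is stored before the code check passes
        self.binding_ok.discard(account)
        self.fingerprints[account] = fingerprint
        return True

    # Authentication phase: first verification code plus two-layer check.
    def request_auth(self, account):
        return self.issue_code(account, "auth")

    def verify(self, account, fingerprint, first_code):
        bound = self.fingerprints.get(account)
        # The code is consumed up front so a failed fingerprint cannot be
        # retried with the same code; the fingerprint result is reported first.
        code_ok = self.consume_code(account, "auth", first_code)
        if bound is None or not hmac.compare_digest(
            bound.encode(), fingerprint.encode()
        ):
            return "fingerprint_mismatch"   # first layer failed
        if not code_ok:
            return "code_mismatch"          # second layer failed
        return "permission_confirmed"
```

Both comparisons use `hmac.compare_digest` so that the time taken does not depend on how many leading characters match.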
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
Fig. 1 is a schematic diagram of the system architecture in an application scenario to which the authority authentication scheme of the present application is applied;
Fig. 2 is a first schematic diagram of the steps of an authority authentication method according to an embodiment of the present application;
Fig. 3 is a second schematic diagram of the steps of the authority authentication method according to an embodiment of the present application;
Fig. 4 is a third schematic diagram of the steps of the authority authentication method according to an embodiment of the present application;
Fig. 5 is a fourth schematic diagram of the steps of the authority authentication method according to an embodiment of the present application;
Fig. 6 is a first interaction flowchart of the authority authentication method according to an embodiment of the present application;
Fig. 7 is a second interaction flowchart of the authority authentication method according to an embodiment of the present application;
Fig. 8 is a block diagram of an authority authentication device according to an embodiment of the present application;
Fig. 9 is a block diagram of an authentication server according to an embodiment of the present application;
Fig. 10 is a schematic structural diagram of an authority authentication system according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the technical solutions of the present application will be described in detail and completely with reference to the following specific embodiments of the present application and the accompanying drawings. It should be apparent that the described embodiments are only some of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The technical solutions provided by the embodiments of the present application are described in detail below with reference to the accompanying drawings.
In the present application, the scheme involved is mainly applicable to authority authentication scenarios, for example practical scenarios such as bank transactions, account login and bill payment in which user identity information needs to be verified.
Further, the authority authentication scheme involved may be applied to the system architecture shown in fig. 1. The system mainly includes the terminal device 11 and the authentication server 12. The authentication server 12 may be integrated into the server corresponding to the operation the user performs, for example deployed in a bank system server or in the login system server of a certain chat tool; the authentication server 12 may also be understood as being the bank system server or the login system server of the chat tool itself. The terminal device 11 and the authentication server 12 exchange information over an established wireless or wired communication link in order to authenticate the authority of the user who makes a service request using the terminal device 11.
The following describes the authorization scheme according to the present application in detail with reference to the embodiments, and it should be noted that all the contents related to the following are only provided for explaining the scheme of the present application, and the usage scenario and the implementation of the scheme are not limited.
Example one
Fig. 2 is a schematic diagram of the steps of an authority authentication method according to an embodiment of the present application. The method is performed mainly on the basis of a device fingerprint, and its execution subject is an authority authentication device; the present application mainly takes a terminal device as an example, which may be a mobile phone, a pad, or another computer device. The method mainly includes the following steps:
Step 21: Sending an authority authentication request carrying the account identification to an authentication server.
The account id in step 21 may be understood as an id that can distinguish a user, for example: a mobile phone number, an identification number and the like, or a serial number, a two-dimensional code and the like which can distinguish a user and are generated according to user information.
In addition, the authority authentication request in this step may be initiated by the user when making a service request such as login or payment, and the authority authentication request may be generated specifically according to a user clicking a control of the display interface or inputting a voice.
Step 22: Receiving a first verification code returned by the authentication server, wherein the first verification code corresponds to the account identification.
On the authentication server side, the first verification code corresponds to the account identifier carried in the authority authentication request received by the authentication server. The first verification code may include any permutation and combination of characters such as numbers, letters and special symbols, or may consist solely of numbers, letters, or special symbols; the number of characters is not limited. For example, the first verification code may be: 1ac 4.
Step 23: respectively determining a first hash value and a second hash value according to a plurality of pieces of hardware information of the electronic equipment; and combining results obtained by respectively performing bit operation on the first hash value and the second hash value to determine the result as the device fingerprint of the electronic device.
In the embodiment of the present application, the hardware information involved may be character strings of a preset length, and the character strings may be a combination of letters or numbers. The plurality of hardware information in the electronic device may include: device motherboard information, system customizer information, CPU instruction set information, device parameter information, hardware manufacturer information, and mobile phone manufacturer information. For example, the device motherboard information may be the serial number of the device motherboard, for example: 201700004563; or a serial number formed by splicing the serial number of the device motherboard and the manufacturer identifier of the device motherboard, for example: 201700004563HWP2, wherein 201700004563 is the device motherboard serial number and HWP2 is the device manufacturer identification. The hardware manufacturer information refers to the manufacturer identification of the electronic device, and is different from the device motherboard manufacturer identification contained in the device motherboard information.
Optionally, in step 23, the first hash value and the second hash value are respectively determined from the plurality of hardware information as follows:
Firstly, respectively carrying out remainder processing on the plurality of pieces of hardware information, and determining a first character string according to the obtained remainders; performing a hash operation on the first character string to obtain the first hash value; and
Secondly, selecting, from the plurality of hardware information, any hardware information whose character string length meets a threshold value; and carrying out a hash operation on the selected hardware information to obtain the second hash value.
In fact, in the application, multiple remainder algorithms can be stored in advance, and each piece of hardware information corresponds to a preset remainder algorithm; for example, a remainder algorithm with a remainder taken as 0, a remainder algorithm with a remainder taken as 3, and so on may be used. The number of kinds of remainder algorithm may be larger than the number of kinds of hardware information, which keeps the way remainders are taken from the hardware information flexible and adjustable. The number of kinds of remainder algorithm may also be smaller than the number of kinds of hardware information, in which case it can be preset that several pieces of hardware information share one remainder algorithm while the other pieces use one or more other remainder algorithms. The number of kinds of remainder algorithm may also equal the number of kinds of hardware information, so that remainder algorithms and hardware information are mapped one to one.
The one-to-one, one-to-many or many-to-one mapping relationship described above may be stored in a table that records the correspondence between the identifier of each piece of hardware information and its remainder algorithm. For example, the device motherboard information in the hardware information can be marked as information a, and the remainder algorithm with remainder taking 0 can be marked as A, with the two mapped to each other.
According to the pre-stored mapping relationship, in the first step, when the remainder is respectively performed on the plurality of pieces of hardware information and the first character string is determined according to the obtained remainder, the following steps are specifically performed:
(1) respectively searching a corresponding remainder algorithm for each piece of hardware information; specifically, the corresponding remainder algorithm can be searched according to the identifier of the hardware information according to a pre-stored mapping relationship.
(2) And performing remainder operation on the corresponding hardware information according to the found remainder algorithm.
A remainder processing: and the plurality of hardware information search the same remainder algorithm, and then the same remainder processing mode is adopted for the hardware information to obtain the remainder corresponding to each hardware information.
And the other type of residue taking treatment: and searching different remainder algorithms for the plurality of hardware information, and then performing remainder processing according to the respective searched remainder algorithms respectively to obtain the remainder corresponding to each hardware information.
(3) And splicing the remainder after the remainder processing is carried out on the plurality of pieces of hardware information according to a preset splicing rule to obtain the first character string.
In fact, in the present application, the preset splicing rule may be set according to the requirements of the user; for example, the remainders corresponding to the plurality of pieces of hardware information are spliced in order of the character string length of the hardware information, from long to short. In this way a scrambled character string of a certain length is obtained and is determined as the first character string.
Thus, through remainder processing, the character strings of the hardware information can be scrambled according to a preset rule to obtain a first character string of a certain complexity. Because the character strings undergo remainder processing, possibly with different remainder algorithms, the resulting character string is highly complex, the uniqueness of a first character string obtained in this way is reliable, and the situation in which different electronic devices obtain the same first character string is almost entirely avoided.
In fact, the character string length of the hardware information affects the accuracy and reliability of the device fingerprint: the longer the character string, the lower the repetition rate of that hardware information across different electronic devices; conversely, the shorter the character string, the higher the repetition rate. Therefore, the hardware information with the longest string length can be selected to determine the second hash value. The threshold in the second step may be determined empirically or set to any length, e.g., sixteen bits. All hardware information whose character string length is greater than sixteen bits can be used as hardware information for determining the second hash value, and one piece is then selected from among them.
It should be noted that, in the present application, the order of the first step and the second step may not be limited, that is, the two steps may be executed simultaneously, or the content of the second step may be executed first and then the content of the first step may be executed.
In fact, after the remainder processing, bit operations are performed on the obtained first hash value and second hash value respectively, and the results of the bit operations are then combined and determined as the device fingerprint of the electronic device.
Optionally, in this application, in step 23, combining the results obtained by performing bit operations on the first hash value and the second hash value respectively and determining the result as the device fingerprint of the electronic device may, in a preferred implementation, be performed as follows: performing a bit operation on the first hash value to obtain a character string with a first preset number of bits; performing a bit operation on the second hash value to obtain a character string with a second preset number of bits; and splicing the character string with the first preset number of bits and the character string with the second preset number of bits end to end to form a new character string, which is determined as the device fingerprint of the electronic device.
Specifically, a 32-bit operation is performed on the first hash value C to obtain an 8-bit character string; meanwhile, a 16-bit operation is performed on the first hash value C to obtain a 4-bit character string. After the two bit operations on the first hash value C, the two results are combined into a 12-bit character string, which serves as the character string C' with the first preset number of bits.
Assume that a 64-bit operation is performed on the second hash value D to obtain a 12-bit character string; meanwhile, a 32-bit operation is performed on the second hash value D to obtain an 8-bit character string. After the two bit operations on the second hash value D, the two results are combined into a 20-bit character string, which serves as the character string D' with the second preset number of bits.
Finally, the character string C' and the character string D' are spliced end to end to form a new character string F, which is the device fingerprint of the electronic device to be determined. The end-to-end splicing order may be first then second, or a preset splicing order.
Therefore, in this technical solution, applying remainder processing to the hardware information increases the complexity of the obtained character string, and the bit operations applied to the obtained first hash value and second hash value further scramble the inherent character strings of the hardware information, which increases the complexity of the determined character string and avoids repetition among the device fingerprints determined by different electronic devices. The reliability and accuracy of determining the device fingerprint of the electronic device are thereby improved, and the uniqueness of the device fingerprint is guaranteed.
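The derivation described above, as an added Python sketch that is not code from the patent. The page leaves the remainder algorithm, the hash function and the "bit operation" unspecified, so the character-code modulus, SHA-256 and XOR-folding used here are assumptions, as are the table contents and the constructed sample hardware values.

```python
import hashlib

# Hypothetical mapping table: hardware-info identifier -> modulus of its
# remainder algorithm. Several identifiers may share one algorithm.
REMAINDER_TABLE = {"motherboard": 7, "cpu": 11, "mac": 13, "disk": 7}
LENGTH_THRESHOLD = 16  # the page's example threshold for the second step


def remainder_string(value: str, modulus: int) -> str:
    """Assumed remainder algorithm: each character's code point mod `modulus`."""
    if not 2 <= modulus <= 16:
        raise ValueError("modulus must yield single hex digits")
    return "".join(format(ord(ch) % modulus, "x") for ch in value)


def first_string(hardware: dict) -> str:
    """Steps (1)-(3): look up each algorithm, take remainders, splice."""
    # Splicing rule from the page's example: longest hardware string first.
    # Ties are broken by identifier so the result is deterministic.
    order = sorted(hardware, key=lambda k: (-len(hardware[k]), k))
    return "".join(remainder_string(hardware[k], REMAINDER_TABLE[k]) for k in order)


def select_for_second_hash(hardware: dict) -> str:
    """Second step: pick one item whose length exceeds the threshold (the longest)."""
    candidates = [v for v in hardware.values() if len(v) > LENGTH_THRESHOLD]
    if not candidates:
        raise ValueError("no hardware information exceeds the length threshold")
    return max(candidates, key=lambda v: (len(v), v))


def xor_fold(hex_digest: str, out_chars: int) -> str:
    """Assumed 'bit operation': XOR-fold a digest down to `out_chars` hex characters."""
    bits = out_chars * 4
    mask = (1 << bits) - 1
    n, acc = int(hex_digest, 16), 0
    while n:
        acc ^= n & mask
        n >>= bits
    return format(acc, f"0{out_chars}x")


def device_fingerprint(hardware: dict) -> str:
    """Return F = C' + D' (12 + 20 = 32 characters)."""
    unknown = set(hardware) - set(REMAINDER_TABLE)
    if unknown:
        raise KeyError(f"no remainder algorithm mapped for: {sorted(unknown)}")
    c = hashlib.sha256(first_string(hardware).encode()).hexdigest()            # first hash value C
    d = hashlib.sha256(select_for_second_hash(hardware).encode()).hexdigest()  # second hash value D
    c_prime = xor_fold(c, 8) + xor_fold(c, 4)    # 8 + 4 = 12 characters
    d_prime = xor_fold(d, 12) + xor_fold(d, 8)   # 12 + 8 = 20 characters
    return c_prime + d_prime


# Constructed sample values, not taken from any real device.
SAMPLE_HARDWARE = {
    "motherboard": "MB-X99A-0042-REV3",
    "cpu": "BFEBFBFF000906EA",
    "mac": "00:1A:2B:3C:4D:5E",
    "disk": "WD-WCC4N7ZL1234-SN",
}

if __name__ == "__main__":
    print(device_fingerprint(SAMPLE_HARDWARE))
```

In this sketch `remainder_string` is many-to-one (with modulus 7, "A" and "H" both map to 2), so distinct hardware strings can share a first character string. The fingerprint is also a pure function of the hardware values, which is what allows the terminal to regenerate it at each authentication instead of storing it.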
Step 24: sending the device fingerprint and the first verification code to the authentication server, so that the authentication server performs a first verification on the device fingerprint and, after the first verification succeeds, performs a second verification on the received first verification code.
Step 25: receiving a permission confirmation notification returned after the second check succeeds.
In fact, the permission confirmation notification is only a permission confirmation feedback to the user, and informs that the user has successfully passed the permission authentication, or has performed corresponding services after passing the permission authentication, such as confirming payment, confirming login, and the like.
According to the information interaction involved in this technical solution, the terminal device sends the first verification code and the device fingerprint to the authentication server for authority authentication, which comprises two layers of verification. The first layer is verification of the device fingerprint; if the comparison shows that the fingerprints are the same, the first layer succeeds and the second layer, verification of the first verification code, is carried out. The device fingerprint gains complexity from the remainder processing applied to the hardware information, and the bit operations applied to the obtained first hash value and second hash value further scramble the inherent character strings of the hardware information, which increases the complexity of the determined character string and prevents the device fingerprints determined by different electronic devices from repeating. The reliability and accuracy of determining the device fingerprint of the electronic device are thereby improved, and the uniqueness of the device fingerprint is ensured. Furthermore, the uniqueness of the device fingerprint inevitably increases the difficulty of verification: authority authentication is confirmed as passed only after both layers of verification succeed, and payment password verification, login password verification and the like can subsequently be carried out according to the specific service content.
Compared with the prior-art scheme of performing permission verification using only a short-message verification code, this method has more verification levels or contents, which makes cracking harder for attackers, improves the security and reliability of authority authentication, and thereby safeguards users when they use services. In addition, in this application the device fingerprint is not stored in the terminal device; it is cleared after the binding is finished and it has been sent to the authentication server, and during subsequent authentication the same device fingerprint is regenerated and sent to the authentication server together with the first verification code for permission verification. Malicious rewriting of the fingerprint in the terminal device is thus avoided, and the security of the device fingerprint is improved.
Optionally, before step 21, as shown in fig. 3, the authority authentication method further includes:
Step 31: sending a binding request carrying an account identifier to the authentication server;
Step 32: receiving a second verification code returned by the authentication server, wherein the second verification code corresponds to the account identifier;
Step 33: sending the second verification code and the account identifier to the authentication server for verification;
Step 34: receiving a binding notification sent by the authentication server after the verification succeeds;
Step 35: determining a first hash value and a second hash value respectively according to a plurality of pieces of hardware information of the electronic device; combining the results obtained by performing bit operations on the first hash value and the second hash value respectively, determining the result as the device fingerprint of the electronic device, and sending the device fingerprint to the authentication server.
It should be noted that, in the present application, the device fingerprint is generated in real time according to the requirement without being stored, and therefore, after being sent to the authentication server, the device fingerprint is not retained by the authority authentication server.
Optionally, in step 22 of the present application, the receiving of the first verification code returned by the authentication server may be specifically implemented by a manner of returning from the base station. For example, the authentication server sends the first verification code to the base station, and the base station sends a short message notification or a voice notification to the terminal device corresponding to the mobile phone number by searching for the corresponding mobile phone number (which may be used as an account identifier). In fact, the transmission mode of the first verification code in the present application is not limited to the mode of using the base station backhaul, and may include other transmission modes based on the communication link.
Fig. 4 is a schematic diagram of another authority authentication method provided in an embodiment of the present application, in which authority authentication is performed mainly on the basis of device fingerprints. The execution subject of the method is an authentication server, and the method mainly includes:
Step 41: receiving an authority authentication request carrying an account identifier.
It should be noted that the account identifier can be recognized by the authentication server, which uses it to match the content that the user wishes to authenticate. For example, in a bank transaction scenario, the account identifier may be a mobile phone number; the mobile phone number may be sent to the authentication server along with a payment request initiated by the user, and the authentication server uses the mobile phone number to match the bank card information that the user set up earlier for payment, so as to facilitate subsequent payment confirmation.
Step 42: generating a first verification code corresponding to the account identifier and sending the first verification code to the authority authentication device.
In fact, in this step, the authentication server may randomly generate the first verification code, whose format is the same as in the scheme corresponding to fig. 2.
Step 43: receiving a device fingerprint and a first verification code, both carrying the account identifier, performing a first verification on the device fingerprint, and performing a second verification on the first verification code after the first verification succeeds.
Optionally, when performing the first verification on the device fingerprint and performing the second verification on the first verification code after the first verification succeeds, step 43 may specifically be performed as: searching for a locally stored device fingerprint that has the same account identifier as the received device fingerprint, and verifying the received device fingerprint against the one found; and searching for a locally stored first verification code that has the same account identifier as the received first verification code, and verifying the received first verification code against the one found.
In this application, the device fingerprint and the first verification code received by the authentication server are not necessarily sent by the terminal device corresponding to the account identifier. Therefore, it is necessary to search, according to the account identifier, whether a device fingerprint corresponding to the account identifier has been pre-stored; if not, the authority authentication request is determined to be illegal, and the user sending the request is not allowed to enjoy further services. If one is found, the two important checks of this application begin:
First check: search, according to the account identifier, whether a device fingerprint corresponding to the account identifier has been pre-stored. If none is found, the authority authentication request is determined to be illegal. If one is found, the found device fingerprint is compared with the received device fingerprint; if they are the same, the check succeeds and the received first verification code is allowed to be verified; otherwise, the check fails.
Second check: search, according to the account identifier, whether a first verification code corresponding to the account identifier has been pre-stored. If none is found, the authority authentication request is determined to be illegal. If one is found, the found first verification code is compared with the received first verification code; if they are the same, the check succeeds, the authority authentication is determined to have passed, and subsequent bill payment or account login is allowed. Otherwise, the check fails.
In fact, after each verification failure, a notification of authority authentication failure can be returned to the terminal device.
Step 44: returning a permission confirmation notification to the authority authentication device after the second check succeeds.
It should be noted that, in the present application, authority authentication is confirmed as successful only after the second check succeeds, and the user is then allowed to perform the corresponding service. In general, the above authority authentication process may be performed before a user initiates a service request. However, if authority authentication is separated from the service request, then even after authority authentication has passed, a hacker can still attack at the service request stage. Therefore, the service request and the authority authentication can be combined: when the user initiates a service request, an authority authentication request is considered to be initiated at the same time, and the terminal device returns the verification code and submits the service information together, for example: bill details and payment password; account nickname and login password; and the like. The service information is then sent to the authentication server, and after the authentication server's authority authentication has passed, bill payment or account login can be carried out according to the service information.
Therefore, the permission confirmation notification returned in this step can be understood as a notification message sent only after passing the authority authentication, for example: "Authority authentication succeeds!" Alternatively, it can be understood as a notification message sent after the authority authentication has passed and the service has been processed, for example: "Payment success!", in which the success of the authority authentication is implicit.
Optionally, before step 41, as shown in fig. 5, the method further includes:
Step 51: receiving a binding request carrying an account identifier;
Step 52: generating a second verification code corresponding to the account identifier and sending the second verification code to the authority authentication device;
Step 53: receiving a second verification code and the corresponding account identifier, and verifying the second verification code;
Step 54: sending a binding notification to the authority authentication device after the verification succeeds;
Step 55: receiving the device fingerprint sent by the authority authentication device.
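The server side of both flows above (binding, steps 51 to 55, and authentication, steps 41 to 44) as an added Python sketch; it is not code from the patent. The class and method names, the 6-digit code format, the in-memory dictionaries, the single-use handling of verification codes and the constant-time comparison are assumptions that the page does not specify.

```python
import hmac
import secrets
from enum import Enum


class Result(Enum):
    ILLEGAL_REQUEST = "illegal request"        # nothing pre-stored for the account
    FIRST_CHECK_FAILED = "first check failed"  # device fingerprint mismatch
    SECOND_CHECK_FAILED = "second check failed"  # verification code mismatch
    CONFIRMED = "authority confirmed"


def _same(a: str, b: str) -> bool:
    # Constant-time comparison (assumption; the page only says "compare").
    return hmac.compare_digest(a.encode(), b.encode())


class AuthServer:
    def __init__(self):
        self._bind_codes = {}     # account -> pending second verification code
        self._bind_ok = set()     # accounts that passed binding verification
        self._fingerprints = {}   # account -> bound device fingerprint
        self._auth_codes = {}     # account -> pending first verification code

    @staticmethod
    def _new_code() -> str:
        return f"{secrets.randbelow(10**6):06d}"  # assumed 6-digit format

    # Steps 51-52: binding request in, second verification code out.
    def binding_request(self, account: str) -> str:
        code = self._bind_codes[account] = self._new_code()
        return code  # delivered out of band in the page's scenario (SMS or voice)

    # Steps 53-54: verify the second verification code, then notify binding.
    def verify_binding(self, account: str, code: str) -> bool:
        expected = self._bind_codes.pop(account, None)  # single use
        if expected is None or not _same(expected, code):
            return False
        self._bind_ok.add(account)
        return True

    # Step 55: accept the fingerprint only after binding was verified.
    def store_fingerprint(self, account: str, fingerprint: str) -> bool:
        if account not in self._bind_ok:
            return False
        self._bind_ok.discard(account)
        self._fingerprints[account] = fingerprint
        return True

    # Steps 41-42: authentication request in, first verification code out.
    def auth_request(self, account: str) -> str:
        code = self._auth_codes[account] = self._new_code()
        return code

    # Steps 43-44: first check (fingerprint), then second check (code).
    def authenticate(self, account: str, fingerprint: str, code: str) -> Result:
        # The pending code is consumed by every attempt, so a failed
        # attempt cannot be retried against the same code (assumption).
        expected_code = self._auth_codes.pop(account, None)
        stored_fp = self._fingerprints.get(account)
        if stored_fp is None:
            return Result.ILLEGAL_REQUEST
        if not _same(stored_fp, fingerprint):
            return Result.FIRST_CHECK_FAILED
        if expected_code is None:
            return Result.ILLEGAL_REQUEST
        if not _same(expected_code, code):
            return Result.SECOND_CHECK_FAILED
        return Result.CONFIRMED


if __name__ == "__main__":
    server = AuthServer()
    account = "13800000000"   # constructed account identifier
    fp = "ab" * 16            # constructed 32-character fingerprint
    server.verify_binding(account, server.binding_request(account))
    server.store_fingerprint(account, fp)
    print(server.authenticate(account, fp, server.auth_request(account)))
```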
The following takes a specific application scenario as an example to further explain the above-mentioned authorization authentication scheme.
Fig. 6 shows an interaction flowchart of authority authentication in a bank transaction scenario. The parties to the interaction mainly include: a terminal device (provided with a device binding device) A, a bank server B, a security server C and a base station D. The specific implementation process is as follows:
Step 601: the terminal device A initiates a payment request, wishing to pay a bill a;
Step 602: the bank server B generates a first verification code and sends the first verification code;
Step 603: the base station D sends the first verification code through a short message or voice;
Step 604: the terminal device A confirms the payment password and the bill a;
Step 605: the terminal device A sends the first verification code and the device fingerprint to the security server C, and simultaneously sends the payment password and the bill a to the bank server B (both transmissions carry the account identifier). The step of sending the first verification code and the step of sending the payment password and the bill a are shown in sequence, but in practice the order of the two steps is not limited.
Step 606: the security server C checks the device fingerprint;
Specifically, in this step, the security server C finds the device fingerprint corresponding to the account identifier and compares the found device fingerprint with the received device fingerprint to verify it.
Step 607: the security server C sends the first verification code after the device fingerprint is successfully verified;
Step 608: the bank server B finds the first verification code corresponding to the previously received account identifier, and compares the found first verification code with the received first verification code to verify it. In fact, the payment password can be verified at the same time in this step, which increases the reliability and security of the verification.
Step 609: after the first verification code and the payment password are successfully verified, the bill payment is completed and a payment confirmation notification is returned.
Fig. 7 shows an interaction flowchart of authority authentication in an account login scenario. The parties to the interaction mainly include: a terminal device (with a device binding device deployed) A, a service server B, a security server C and a base station D. The specific implementation process is as follows:
Step 701: the terminal device A initiates a login request;
Step 702: the service server B generates a first verification code and sends the first verification code;
Step 703: the base station D sends the first verification code through a short message or voice;
Step 704: the terminal device A confirms the login password;
Step 705: the terminal device A sends the first verification code, the device fingerprint and the login password to the security server C;
Step 706: the security server C checks the device fingerprint;
Specifically, in this step, the security server C finds the device fingerprint corresponding to the account identifier and compares the found device fingerprint with the decrypted device fingerprint to verify it.
Step 707: the security server C sends the first verification code and the login password after the device fingerprint is successfully verified;
Step 708: the bank server B finds the first verification code corresponding to the previously received account identifier, and compares the found first verification code with the received first verification code to verify it. The login password is verified at the same time, which increases the reliability and security of the verification.
Step 709: after the first verification code and the login password are successfully verified, the account is logged in and a login confirmation notification is returned.
Example two
The invention also provides a device for executing the method, which belongs to the same inventive concept as the authority authentication method.
Referring to fig. 8, an authority authentication apparatus includes:
a first sending unit 81, configured to send an authority authentication request carrying an account id to an authentication server;
a first receiving unit 82, configured to receive a first verification code returned by the authentication server, where the first verification code corresponds to the account id;
a determining unit 83, configured to determine a first hash value and a second hash value according to a plurality of pieces of hardware information of the electronic device, respectively; combining results obtained by respectively performing bit operations on the first hash value and the second hash value to determine the results as the device fingerprint of the electronic device;
the first sending unit 81 is further configured to send the device fingerprint and the first verification code to the authentication server, so that the authentication server performs a first verification on the device fingerprint, and performs a second verification on the received first verification code after the first verification is successful;
the first receiving unit 82 is further configured to receive a permission confirmation notification returned after the second check is successful.
Optionally, the first sending unit 81 is further configured to send a binding request carrying an account identifier to an authentication server before sending the permission authentication request; the first receiving unit 82 is further configured to receive a second verification code returned by the authentication server, where the second verification code corresponds to the account id; the first sending unit 81 is further configured to send the second verification code and the account id to the authentication server for verification; the first receiving unit 82 is configured to receive a binding notification sent by the authentication server after the verification is successful; the first sending unit 81 is configured to determine a first hash value and a second hash value according to a plurality of pieces of hardware information of the electronic device; and combining results obtained by performing bit operation on the first hash value and the second hash value respectively, determining the results as the device fingerprint of the electronic device, and sending the device fingerprint to the authentication server.
Optionally, when the determining unit 83 determines the first hash value and the second hash value according to the multiple pieces of hardware information of the determining unit, it is specifically configured to: respectively carrying out remainder processing on the plurality of pieces of hardware information, and determining a first character string according to obtained remainders; performing hash operation on the first character string to obtain a first hash value; and selecting any hardware information with the character string length meeting a threshold value from the plurality of hardware information; and carrying out hash operation on any selected hardware information to obtain the second hash value.
Optionally, each piece of hardware information corresponds to a preset remainder algorithm; the determining unit 83 is specifically configured to, when performing remainder processing on the plurality of pieces of hardware information and determining the first character string according to the obtained remainder: respectively searching a corresponding remainder algorithm for each piece of hardware information; performing remainder operation on corresponding hardware information according to the found remainder algorithm; and splicing the remainder after the remainder processing is carried out on the plurality of pieces of hardware information according to a preset splicing rule to obtain the first character string.
Optionally, when the determining unit combines the results obtained by performing the bit operation on the first hash value and the second hash value respectively, and determines that the result is the device fingerprint of the electronic device, the determining unit is specifically configured to: performing bit operation on the first hash value to obtain a character string with a first preset number of bits; performing bit operation on the second hash value to obtain a character string with a second preset number of bits; and splicing the character string with the first preset digit and the character string with the second preset digit end to form a new character string which is used as the equipment fingerprint of the electronic equipment.
As shown in fig. 9, a schematic block diagram of an authority authentication server provided in an embodiment of the present application is shown, where the authority authentication server includes:
a second receiving unit 91, configured to receive an authority authentication request carrying an account id;
a second sending unit 92, configured to generate a first verification code corresponding to the account id, and send the first verification code to the authority authentication device;
the second receiving unit 91 is further configured to receive a device fingerprint carrying an account id and a first verification code, perform a first verification on the device fingerprint, and perform a second verification on the first verification code after the first verification is successful;
the second sending unit 92 is further configured to return an authorization confirmation notification to the authorization authentication apparatus after the second verification is successful.
Optionally, when the second receiving unit 91 performs the first verification on the device fingerprint and performs the second verification on the first verification code after the first verification is successful, the second receiving unit is specifically configured to:
searching for a device fingerprint which is stored locally and has the same account identification with the device fingerprint, and verifying the device fingerprint according to the searched device fingerprint;
and searching a first verification code which is stored locally and has the same account identification with the first verification code, and verifying the searched first verification code and the first verification code.
Optionally, before receiving the authority authentication request, the second receiving unit 91 is further configured to receive a binding request carrying an account identifier; the second sending unit 92 is configured to generate a second verification code corresponding to the account id, and send the second verification code to the authority authentication device; the second receiving unit 91 is configured to verify the second verification code and the corresponding account id; and the second sending unit 92 is configured to send a binding notification to the authority authentication device after the verification is successful; and the second receiving unit 91, configured to receive the device fingerprint sent by the authority authentication apparatus.
Example three
An embodiment of the present application further provides an authority authentication system, shown in fig. 10, including: an authority authentication device 1001 and an authentication server 1002; wherein:
the authority authentication device 1001 is configured to send an authority authentication request carrying an account id to an authentication server; receiving a first verification code returned by the authentication server, wherein the first verification code corresponds to the account identification; respectively determining a first hash value and a second hash value according to a plurality of pieces of hardware information of the electronic equipment; combining results obtained by respectively performing bit operations on the first hash value and the second hash value to determine the results as the device fingerprint of the electronic device; sending the device fingerprint and the first verification code to the authentication server, so that the authentication server performs first verification on the device fingerprint, and performs second verification on the received first verification code after the first verification is successful; receiving a permission confirmation notice returned after the second check is successful;
the authority authentication server 1002 is configured to receive an authority authentication request carrying an account id; generating a first verification code corresponding to the account identification and sending the first verification code to the authority authentication device; receiving an equipment fingerprint carrying an account identification and a first verification code, performing first verification on the equipment fingerprint, and performing second verification on the first verification code after the first verification is successful; and returning a permission confirmation notice to the permission authentication device after the second check is successful.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
Memory may include volatile memory in a computer-readable medium, such as random access memory (RAM), and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include both permanent and non-permanent, removable and non-removable media, and may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, computer-readable media do not include transitory computer-readable media such as modulated data signals and carrier waves.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The above description is only an example of the present application and is not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (9)

1. An authority authentication method based on device fingerprints is characterized by comprising the following steps:
sending a binding request carrying an account identifier to an authentication server;
receiving a second verification code returned by the authentication server, wherein the second verification code corresponds to the account identification;
sending the second verification code and the account identification to the authentication server for verification;
receiving a binding notification sent by the authentication server after the authentication is successful;
respectively determining a first hash value and a second hash value according to a plurality of pieces of hardware information of the electronic equipment; combining results obtained by respectively performing bit operations on the first hash value and the second hash value, determining the results to be the device fingerprint of the electronic device, sending the device fingerprint to the authentication server, and removing the device fingerprint from the electronic device;
sending an authority authentication request carrying an account identifier to the authentication server;
receiving a first verification code returned by the authentication server, wherein the first verification code corresponds to the account identification;
respectively determining a first hash value and a second hash value according to a plurality of pieces of hardware information of the electronic equipment; combining results obtained by respectively performing bit operations on the first hash value and the second hash value to determine the results as the device fingerprint of the electronic device;
sending the device fingerprint carrying the account identifier and the first verification code to the authentication server, so that the authentication server performs first verification on the device fingerprint according to the account identifier, and performs second verification on the received first verification code according to the account identifier after the first verification is successful;
and receiving a permission confirmation notice returned after the second check is successful.
2. The method of claim 1, wherein determining the first hash value and the second hash value according to a plurality of hardware information of the mobile device respectively comprises:
respectively carrying out remainder processing on the plurality of pieces of hardware information, and determining a first character string according to obtained remainders; performing hash operation on the first character string to obtain a first hash value; and
selecting any hardware information with the character string length meeting a threshold value from the plurality of hardware information; and carrying out hash operation on any selected hardware information to obtain the second hash value.
3. The method of claim 2, wherein each piece of hardware information corresponds to a predetermined remainder algorithm;
respectively performing remainder processing on the plurality of pieces of hardware information and determining a first character string according to the obtained remainders specifically comprises:
respectively searching a corresponding remainder algorithm for each piece of hardware information;
performing remainder operation on corresponding hardware information according to the found remainder algorithm;
and splicing the remainder after the remainder processing is carried out on the plurality of pieces of hardware information according to a preset splicing rule to obtain the first character string.
4. The method of claim 1, wherein combining results obtained by performing a bit operation on the first hash value and the second hash value, respectively, to determine the result as the device fingerprint of the electronic device specifically comprises:
performing bit operation on the first hash value to obtain a character string with a first preset number of bits;
performing bit operation on the second hash value to obtain a character string with a second preset number of bits;
and splicing the character string with the first preset digit and the character string with the second preset digit end to form a new character string which is used as the equipment fingerprint of the electronic equipment.
5. An authority authentication method based on device fingerprints is characterized by comprising the following steps:
receiving a binding request carrying an account identifier;
generating a second verification code corresponding to the account identification and sending the second verification code to the authority authentication device;
receiving the second verification code and the corresponding account identification, and verifying the second verification code;
sending a binding notification to the authority authentication device after the verification is successful;
receiving the device fingerprint sent by the authority authentication device;
receiving an authority authentication request carrying an account identifier;
generating a first verification code corresponding to the account identification and sending the first verification code to the authority authentication device;
receiving a device fingerprint carrying an account identification and a first verification code, performing first verification on the device fingerprint according to the account identification, and performing second verification on the first verification code according to the account identification after the first verification is successful;
and returning a permission confirmation notice to the permission authentication device after the second check is successful.
6. The method of claim 5, wherein performing a first check on the device fingerprint and performing a second check on the first verification code according to the account id after the first check is successful comprises:
searching for a device fingerprint which is stored locally and has the same account identification with the device fingerprint, and verifying the device fingerprint according to the searched device fingerprint;
and searching a first verification code which is stored locally and has the same account identification with the first verification code, and verifying the searched first verification code and the first verification code.
7. An authority authentication apparatus, comprising:
the first sending unit is used for sending an authority authentication request carrying an account identifier to the authentication server;
a first receiving unit, configured to receive a first verification code returned by the authentication server, where the first verification code corresponds to the account id;
the determining unit is used for respectively determining a first hash value and a second hash value according to a plurality of pieces of hardware information of the electronic equipment; combining results obtained by respectively performing bit operations on the first hash value and the second hash value to determine the results as the device fingerprint of the electronic device;
the first sending unit is further configured to send the device fingerprint carrying the account id and the first verification code to the authentication server, so that the authentication server performs a first verification on the device fingerprint according to the account id, and performs a second verification on the received first verification code according to the account id after the first verification is successful;
the first receiving unit is further configured to receive a permission confirmation notification returned after the second check is successful;
the first sending unit is further configured to send a binding request carrying an account identifier to the authentication server before sending the permission authentication request; then,
the first receiving unit is further configured to receive a second verification code returned by the authentication server, where the second verification code corresponds to the account id;
the first sending unit is further configured to send the second verification code and the account id to the authentication server for verification;
the first receiving unit is further configured to receive a binding notification sent by the authentication server after the authentication is successful;
the first sending unit is further configured to determine a first hash value and a second hash value according to a plurality of pieces of hardware information of the electronic device; and combining results obtained by performing bit operation on the first hash value and the second hash value respectively, determining the results to be the device fingerprint of the electronic device, sending the device fingerprint to the authentication server, and removing the device fingerprint from the electronic device.
8. An authority authentication server, comprising:
the second receiving unit is used for receiving an authority authentication request carrying an account identifier;
the second sending unit is used for generating a first verification code corresponding to the account identification and sending the first verification code to the authority authentication device;
the second receiving unit is further configured to receive a device fingerprint carrying an account identifier and a first verification code, perform first verification on the device fingerprint according to the account identifier, and perform second verification on the first verification code according to the account identifier after the first verification is successful;
the second sending unit is further configured to return an authority confirmation notification to the authority authentication device after the second verification is successful;
the second receiving unit is further configured to receive a binding request carrying an account id before receiving the permission authentication request; then,
the second sending unit is further configured to generate a second verification code corresponding to the account id, and send the second verification code to the authority authentication device;
the second receiving unit is further configured to receive the second verification code and the corresponding account id, and verify the second verification code;
the second sending unit is further configured to send a binding notification to the authority authentication device after the verification is successful;
the second receiving unit is further configured to receive the device fingerprint sent by the authority authentication apparatus.
9. An authority authentication system, comprising: an authority authentication device and an authority authentication server; wherein,
the authority authentication device is used for sending a binding request carrying an account identifier to an authentication server; receiving a second verification code returned by the authentication server, wherein the second verification code corresponds to the account identification; sending the second verification code and the account identification to the authentication server for verification; receiving a binding notification sent by the authentication server after the authentication is successful; respectively determining a first hash value and a second hash value according to a plurality of pieces of hardware information of the electronic equipment; combining results obtained by respectively performing bit operations on the first hash value and the second hash value, determining the results to be the device fingerprint of the electronic device, sending the device fingerprint to the authentication server, and removing the device fingerprint from the electronic device; sending an authority authentication request carrying an account identifier to an authentication server, receiving a first verification code returned by the authentication server, wherein the first verification code corresponds to the account identifier, and respectively determining a first hash value and a second hash value according to a plurality of hardware information of electronic equipment; combining results obtained by performing bit operation on the first hash value and the second hash value respectively to determine the results to be device fingerprints of the electronic device, sending the device fingerprints carrying account identification and the first verification code to the authentication server, so that the authentication server performs first verification on the device fingerprints according to the account identification, performs second verification on the received first verification code according to the account identification after the first verification is successful, and 
receives a returned permission confirmation notice after the second verification is successful;
the authority authentication server is used for receiving a binding request carrying an account identifier; generating a second verification code corresponding to the account identification and sending the second verification code to the authority authentication device; receiving the second verification code and the corresponding account identification, and verifying the second verification code; sending a binding notification to the authority authentication device after the verification is successful; receiving the device fingerprint sent by the authority authentication device; receiving a permission authentication request carrying an account identification; generating a first verification code corresponding to the account identification and sending the first verification code to the authority authentication device; receiving a device fingerprint carrying the account identification and the first verification code, performing first verification on the device fingerprint according to the account identification, and performing second verification on the first verification code according to the account identification after the first verification is successful; and returning a permission confirmation notice to the permission authentication device after the second verification is successful.
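As an added illustration (not code from the patent), the sketch below implements the fingerprint derivation of claims 2 to 4 and the server-side binding and two-step check of claims 5 and 6. The hash (SHA-256), the moduli, the splice order, the length threshold, truncation as the "bit operation" and every name are assumptions, since the claims leave them unspecified; the constant-time comparison and consuming the verification code on every attempt are added hardening.

```python
import hashlib
import hmac
import secrets

# Everything below is assumed: the claims name no hash, moduli, order or widths.
REMAINDER_RULES = {"imei": 9973, "mac": 65521, "serial": 7919}  # claim 3 lookup
SPLICE_ORDER = ("imei", "mac", "serial")  # "preset splicing rule"
MIN_LEN = 12                              # length threshold of claim 2
FIRST_BITS = SECOND_BITS = 64             # "preset number of bits" of claim 4
# Constructed sample hardware information, not taken from a real device.
SAMPLE_HW = {"imei": "012345678901234", "mac": "02:00:5e:10:00:01",
             "serial": "R58M12ABCDE"}


def _top_bits_hex(digest: bytes, bits: int) -> str:
    """Assumed 'bit operation': keep the top `bits` bits, rendered as hex."""
    value = int.from_bytes(digest, "big") >> (len(digest) * 8 - bits)
    return format(value, f"0{bits // 4}x")


def device_fingerprint(hw: dict) -> str:
    # First hash: per-field remainders, spliced in fixed order, then hashed.
    remainders = [int.from_bytes(hw[k].encode(), "big") % REMAINDER_RULES[k]
                  for k in SPLICE_ORDER]
    first = hashlib.sha256("-".join(map(str, remainders)).encode()).digest()
    # Second hash: one field long enough; the first match keeps it repeatable.
    chosen = next((hw[k] for k in SPLICE_ORDER if len(hw[k]) >= MIN_LEN), None)
    if chosen is None:
        raise ValueError("no hardware field meets the length threshold")
    second = hashlib.sha256(chosen.encode()).digest()
    return _top_bits_hex(first, FIRST_BITS) + _top_bits_hex(second, SECOND_BITS)


def _same(a: str, b: str) -> bool:
    return hmac.compare_digest(a.encode(), b.encode())  # constant-time compare


class AuthServer:
    def __init__(self):
        self.codes = {}         # account id -> outstanding verification code
        self.bindable = set()   # accounts whose binding code was verified
        self.fingerprints = {}  # account id -> bound device fingerprint

    def issue_code(self, account: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        self.codes[account] = code
        return code

    def confirm_binding(self, account: str, code: str) -> bool:
        expected = self.codes.pop(account, None)
        if expected is None or not _same(expected, code):
            return False
        self.bindable.add(account)
        return True

    def store_fingerprint(self, account: str, fingerprint: str) -> bool:
        if account not in self.bindable:
            return False
        self.bindable.discard(account)
        self.fingerprints[account] = fingerprint
        return True

    def authenticate(self, account: str, fingerprint: str, code: str) -> bool:
        # Added hardening: the code is consumed on every attempt, pass or fail.
        expected = self.codes.pop(account, None)
        stored = self.fingerprints.get(account)
        # First check: fingerprint stored under the same account id (claim 6).
        if stored is None or not _same(stored, fingerprint):
            return False
        # Second check: verification code stored under the same account id.
        return expected is not None and _same(expected, code)
```

Under these assumptions the second half of the fingerprint depends on a single hardware field, so changing any other field alters only the first half.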
CN201710671447.5A 2017-08-08 2017-08-08 Authority authentication method, device and system based on equipment fingerprint Active CN107426235B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710671447.5A CN107426235B (en) 2017-08-08 2017-08-08 Authority authentication method, device and system based on equipment fingerprint

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710671447.5A CN107426235B (en) 2017-08-08 2017-08-08 Authority authentication method, device and system based on equipment fingerprint

Publications (2)

Publication Number Publication Date
CN107426235A CN107426235A (en) 2017-12-01
CN107426235B true CN107426235B (en) 2020-01-24

Family

ID=60437505

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710671447.5A Active CN107426235B (en) 2017-08-08 2017-08-08 Authority authentication method, device and system based on equipment fingerprint

Country Status (1)

Country Link
CN (1) CN107426235B (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108632295B (en) * 2018-05-09 2020-11-24 湖南东方华龙信息科技有限公司 Method for preventing terminal from repeatedly attacking server
CN109120642B (en) * 2018-09-28 2022-04-15 深圳市盈视讯电子科技有限公司 Detection and verification method, device and system for emulational equipment
CN111143904B (en) * 2018-11-02 2024-03-29 嘉楠明芯(北京)科技有限公司 Data decryption method, device and computer readable storage medium
CN109922049B (en) * 2019-02-02 2021-09-28 立旃(上海)科技有限公司 Verification device and method based on block chain
CN110717170B (en) * 2019-10-09 2023-08-11 江苏重华数字科技有限公司 Fingerprint login system, method and device of BIM system
CN110798307B (en) * 2019-10-30 2023-08-22 武汉极意网络科技有限公司 Decentralized anticreeper user equipment marking method, device, equipment and storage medium
CN113779651B (en) * 2021-09-23 2022-06-24 北京神州慧安科技有限公司 Hard disk anti-theft method and device
CN114726550A (en) * 2022-05-25 2022-07-08 北京奇虎科技有限公司 Identification code generation method, device, equipment and storage medium

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105450614A (en) * 2014-09-01 2016-03-30 阿里巴巴集团控股有限公司 Server account login method, apparatus and system

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8949954B2 (en) * 2011-12-08 2015-02-03 Uniloc Luxembourg, S.A. Customer notification program alerting customer-specified network address of unauthorized access attempts to customer account
CN104243155B (en) * 2013-06-18 2019-01-22 腾讯科技(深圳)有限公司 The method and device of safety verification
CN105763521B (en) * 2014-12-18 2019-09-20 阿里巴巴集团控股有限公司 A kind of device authentication method and device
CN105975272A (en) * 2016-05-05 2016-09-28 北京元心科技有限公司 Method and system for generating unique device number of device
CN106507343A (en) * 2016-09-07 2017-03-15 努比亚技术有限公司 A kind of information processing method, mobile terminal and server

Also Published As

Publication number Publication date
CN107426235A (en) 2017-12-01

Legal Events

Date Code Title Description
PB01 Publication
CB02 Change of applicant information

Address after: 100083 Beijing, Haidian District Xueyuan Road 30 days building A 20 floor

Applicant after: Beijing Bang Bang Safety Technology Co. Ltd.

Address before: 100083 Beijing city Haidian District No. 30 Xueyuan Road Tiangong building A block 20 layer (bang bang safety)

Applicant before: Yangpuweiye Technology Limited

SE01 Entry into force of request for substantive examination
GR01 Patent grant