CN108199852B - Authentication method, authentication system and computer readable storage medium - Google Patents


Info

Publication number
CN108199852B
Authority
CN
China
Prior art keywords
request
authorization
calling
signature
terminal
Legal status
Expired - Fee Related
Application number
CN201810282990.0A
Other languages
Chinese (zh)
Other versions
CN108199852A (en)
Inventor
张军
Current Assignee
Shanghai Qiyue Information Technology Co Ltd
Original Assignee
Shanghai Qiyue Information Technology Co Ltd
Application filed by Shanghai Qiyue Information Technology Co Ltd
Priority to CN201810282990.0A
Publication of CN108199852A
Application granted
Publication of CN108199852B
Current legal status: Expired - Fee Related
Anticipated expiration

Classifications

    • H Electricity; H04 Electric communication technique; H04L Transmission of digital information, e.g. telegraphic communication
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for identity, authority or message verification involving digital signatures
    • H04L9/3249 Cryptographic mechanisms or cryptographic arrangements for identity, authority or message verification involving digital signatures using RSA or related signature schemes, e.g. Rabin scheme
    • H04L9/3252 Cryptographic mechanisms or cryptographic arrangements for identity, authority or message verification involving digital signatures using DSA or related signature schemes, e.g. elliptic based signatures, ElGamal or Schnorr schemes
    • H04L9/3297 Cryptographic mechanisms or cryptographic arrangements for identity, authority or message verification involving time stamps, e.g. generation of time stamps

Abstract

The application discloses an authentication method, an authentication system and a computer readable storage medium. In the authentication method, a calling terminal sends request information and a first request signature to a server; the server obtains the address of the calling terminal from the request information and the first request signature, generates authorization information and a first authorization signature when it finds that it stores an authority record allowing the calling terminal to call a target terminal, and then sends the authorization information and the first authorization signature to the calling terminal; the calling terminal sends a calling request to the target terminal, and the target terminal generates a second authorization signature from the authorization information; if the first authorization signature is the same as the second authorization signature, the target terminal processes the request text. The method and the system generate signatures with key pairs to realize authentication and authorization between microservices, so that the security of the whole architecture is improved.

Description

Authentication method, authentication system and computer readable storage medium
Technical Field
The present application relates to the field of information security technologies, and in particular, to an authentication method, an authentication system, and a computer-readable storage medium.
Background
Under a microservice architecture, an application can be split into a plurality of microservices; each microservice in the system can be deployed independently, and the microservices are loosely coupled. Each microservice must authenticate access in order to establish the current accessing user and its access rights. At the same time, a microservice architecture has to consider a variety of authentication scenarios, such as access by an external application, authentication between a user and a microservice, and authentication between one microservice and another.
At present, authentication between the user (including browser and app) and the microservice is very mature, and in a distributed multi-system environment the security protocol represented by OAuth 2.0 has become the industry standard. However, for the microservice architecture adopted by large-scale distributed systems, the change in software structure means that once a malicious program has been introduced into the microservice architecture, it may complete illegal or unauthorized operations through the architecture's internal call interfaces, threatening the internal security of the microservice architecture.
Disclosure of Invention
In view of this, the present application provides an authentication method, an authentication system and a computer-readable storage medium that implement authentication and authorization between microservices, thereby improving the security of the microservice architecture and preventing intrusion by malicious programs.
In a first aspect of the present application, an authentication method is provided, including:
the calling terminal sends request information and a first request signature to the server, the first request signature being generated with the calling terminal private key;
the server receives the request information and the first request signature;
the server obtains the address of the calling terminal from the request information and the first request signature;
when the server detects that it stores an authority record of the calling terminal calling the target terminal, it generates authorization information and a first authorization signature, the first authorization signature being generated with the target terminal public key;
the server sends the authorization information and the first authorization signature to the calling terminal;
the calling terminal receives the authorization information and the first authorization signature sent by the server;
the calling terminal sends a calling request to the target terminal, the calling request comprising an authorization request header, the authorization information, the first authorization signature and a request text;
the target terminal receives the calling request and generates a second authorization signature from the authorization information;
and if the first authorization signature is the same as the second authorization signature, the target terminal processes the request text.
Preferably, the server obtaining the address of the calling terminal from the request information and the first request signature includes:
the server obtains a calling terminal public key from the request information and generates a second request signature with the calling terminal public key;
and if the first request signature is the same as the second request signature, obtains the address of the calling terminal according to the hypertext transfer protocol.
Preferably, generating the second authorization signature from the authorization information includes:
the target terminal obtains a target terminal private key from the authorization information and generates the second authorization signature with the target terminal private key.
Preferably, the request information includes an identifier of the calling terminal, an identifier of the target terminal and a timestamp;
and the timestamp is the time at which the calling terminal generated the request information.
Preferably, the server obtaining the calling terminal public key from the request information includes:
when the difference between the timestamp and the current time of the server is within a time threshold, obtaining, by the calling terminal identifier, the calling terminal public key that corresponds to the calling terminal private key.
Preferably, the authorization information includes an identifier of the calling terminal, the address of the calling terminal, an identifier of the target terminal and an expiration time.
Preferably, the target terminal obtaining its private key from the authorization information includes:
when the address of the calling terminal in the authorization information is the same as the remote address of the call, the identifier of the target terminal in the authorization information is the same as the identifier of the current target terminal, and the current time of the target terminal is earlier than the expiration time, obtaining the private key of the target terminal by the identifier of the target terminal.
Preferably, the method further comprises:
after the target terminal finishes processing the request text, sending the calling request to the calling terminal;
and the calling terminal receiving and caching the calling request sent by the target terminal.
In a second aspect, an authentication system is provided, comprising a calling terminal, a target terminal and a server:
the calling terminal is used to send request information and a first request signature to the server, to receive authorization information and a first authorization signature sent by the server, and to send a calling request to the target terminal, where the first request signature is generated with the calling terminal private key and the calling request comprises an authorization request header, the authorization information, the first authorization signature and a request text;
the server is used to receive the request information and the first request signature, obtain the address of the calling terminal from them, generate the authorization information and the first authorization signature when it finds that it stores an authority record of the calling terminal calling the target terminal, and send the authorization information and the first authorization signature to the calling terminal, where the first authorization signature is generated with the target terminal public key;
and the target terminal is used to receive the calling request, generate a second authorization signature from the calling request and, if the first authorization signature is the same as the second authorization signature, process the request text.
In a third aspect, there is provided a computer readable storage medium having stored thereon computer program instructions which, when executed by a processor, implement the method as described above.
Drawings
The above and other objects, features and advantages of the present application will become more apparent from the following description of embodiments thereof with reference to the accompanying drawings, in which:
fig. 1 is a schematic flow chart of an authentication method according to an embodiment of the present application;
fig. 2 is a schematic flowchart of a server acquiring a calling terminal address according to an embodiment of the present application;
fig. 3 is a schematic diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The present application is described below based on examples, but the present application is not limited to only these examples. In the following detailed description of the present application, certain specific details are set forth in detail. It will be apparent to one skilled in the art that the present application may be practiced without these specific details. Well-known methods, procedures, components and circuits have not been described in detail so as not to obscure the present application.
Further, those of ordinary skill in the art will appreciate that the drawings provided herein are for illustrative purposes and are not necessarily drawn to scale.
Unless the context clearly requires otherwise, throughout the description and the claims, the words "comprise", "comprising", and the like are to be construed in an inclusive sense as opposed to an exclusive or exhaustive sense; that is, what is meant is "including, but not limited to".
In the description of the present application, it is to be understood that the terms "first," "second," and the like are used for descriptive purposes only and are not to be construed as indicating or implying relative importance. In addition, in the description of the present application, "a plurality" means two or more unless otherwise specified.
The present application will be described in detail below with reference to the accompanying drawings.
The microservice architecture of this embodiment comprises a plurality of microservices and a server. Each of the microservices may be a functional service within a large, complex software application. Each microservice is concerned only with completing one task, and completing it well; in every case that task represents a small business capability. Each microservice can be developed independently by a different team without affecting the others, which speeds up time to market. For example, a flight reservation application may be split into seven microservices: scheduling flights, querying schedules, calculating fares, assigning seats, managing rewards, updating customers and adjusting inventory. For the microservice architecture adopted by large-scale distributed systems, once a malicious program has been introduced into the microservice architecture because of the change in software structure, it can complete illegal or unauthorized operations through the internal calling interfaces.
In this embodiment, the authentication system includes a calling terminal, a server and a target terminal. The server comprises a public key storage unit, a calling permission unit and an authorization unit. The public key storage unit stores the public keys of a plurality of terminals, in one-to-one correspondence with the private keys of those terminals. The calling permission unit stores the calling relationships between terminals. The authorization unit stores the request information and performs authorization processing on it.
In this embodiment, to improve the internal security of the microservice architecture, each individual microservice has a key pair based on an asymmetric cryptographic algorithm; the private key is stored in the microservice and the public key is stored in the server. The key pair may be used as an encryption key pair or as a signature verification key pair.
Fig. 1 is a flowchart illustrating an authentication method according to an embodiment of the present application. As shown in fig. 1, the authentication method includes:
Step S110, the calling terminal sends request information and a first request signature to the server, the first request signature being generated with the calling terminal private key.
Specifically, the calling terminal generates request information according to its calling requirement and encrypts the request information with the calling terminal private key stored in the calling terminal to generate a first request signature. The request information and the first request signature are then sent to the server.
The calling terminal private key is distributed to the calling terminal by the server. In this embodiment, an encryption algorithm is preset between the server and the calling terminal, and the calling terminal encrypts the request information with the calling terminal private key according to that preset algorithm to generate the first request signature. Alternatively, the encryption algorithm may be the RSA algorithm, the Digital Signature Algorithm (DSA) proposed by the US National Institute of Standards and Technology, or the like. The RSA algorithm is named after its three inventors, Rivest, Shamir and Adleman.
The request information comprises an identifier of the calling terminal, an identifier of the target terminal and a timestamp. The calling terminal identifier marks the calling terminal. The target terminal identifier marks the called terminal, and the server authorizes the call according to it. A timestamp is a complete, verifiable piece of data, usually a sequence of characters, that can show that some data existed before a certain time; its main purpose is to give the user electronic proof of when the user's data was generated. In this embodiment, the timestamp indicates the generation time of the request information.
Step S120, the server receives the request information and the first request signature.
The server receives the request information and the first request signature, and stores and processes them.
Step S130, the server obtains the address of the calling terminal according to the request information and the first request signature.
Specifically, as shown in fig. 2, the server obtaining the address of the calling terminal from the received request information and first request signature includes:
Step S131, the server obtains a calling terminal public key from the request information and generates a second request signature with the calling terminal public key.
After receiving the request information, the server judges whether the difference between the timestamp in the request information and the server's current time is within a time threshold. This prevents a malicious program from inserting itself into the request information while the server is receiving it and creating a security risk for the microservice architecture; it also avoids the extra server load of repeated authorization operations caused by duplicate data arriving because of device or network delay. The time threshold can be set according to the response time demanded of the server, or set manually.
When the difference between the timestamp and the server's current time is within the time threshold, the server looks up, by the calling terminal identifier in the request information, the calling terminal public key that corresponds to the calling terminal private key. The calling terminal public key stored by the server corresponds to the calling terminal and matches the calling terminal private key stored there. Optionally, the server may store the calling terminal public key together with the identifier of the calling terminal, so that after receiving the request information it searches for the public key that corresponds to the calling terminal identifier.
Optionally, when the difference between the timestamp and the server's current time exceeds the time threshold, the server determines that the request information is illegal and stops the authorization and other operations on it. The server may send the calling terminal a message that the request information was rejected, for example because its time has expired, and the calling terminal can resend the request information to the server for authorization according to this feedback.
Further, the server encrypts the received request information with the stored calling terminal public key to generate a second request signature. The second request signature is compared with the received first request signature to determine whether the calling terminal is legitimate.
Step S132, if the first request signature is the same as the second request signature, the address of the calling terminal is obtained according to the hypertext transfer protocol.
Specifically, the server compares the received first request signature with the generated second request signature, and if they match, the server obtains the address of the calling terminal according to the HyperText Transfer Protocol (HTTP). HTTP is the most widely used network protocol on the Internet, and all WWW files must comply with this standard.
Optionally, if the first request signature and the second request signature do not match, the calling terminal is illegal and the server stops subsequent authorization and other processing of the request information. The server may send the calling terminal an invalid-signature message identifying that the first request signature is invalid, and the calling terminal can resend the request information and the first request signature to the server for authorization according to this feedback.
Step S140, when the server checks that it stores an authority record of the calling terminal calling the target terminal, the server generates authorization information and a first authorization signature, the first authorization signature being generated with the target terminal public key.
After obtaining the address of the calling terminal, the server checks whether its calling permission unit stores an authority record of the calling terminal calling the target terminal. When it does, the server generates authorization information from the request information. The authorization information comprises the identifier of the calling terminal, the address of the calling terminal, the identifier of the target terminal and an expiration time.
Take a transaction scenario as an example: after the order microservice has completed an order, it needs to call the account microservice to debit the account. First, the server's authorization center must confirm that the order microservice has the authority to call the account microservice's interface; at the same time, a mechanism is needed to ensure that the order microservice acting as the calling terminal is genuine and not forged.
The expiration time is the basis on which the target terminal judges a calling request that contains the authorization information, so that duplicate data that was maliciously intercepted or delayed while the calling terminal sent information to the target terminal is not processed. The expiration time may be a preset time difference: the target terminal compares the difference between the current time at which the calling request is received and the time at which the server generated the authorization information against the preset difference to determine whether the calling request is legitimate. Optionally, the expiration time may be the time at which the server generated the authorization information plus a time threshold; when the target terminal receives the authorization information, it compares the current time with the expiration time and judges whether the current time has passed it.
Further, the server looks up the target terminal public key by the identifier of the target terminal in the request information and encrypts the authorization information with the target terminal public key to generate a first authorization signature. The target terminal public key stored by the server corresponds to the target terminal and matches the target terminal private key stored there. Optionally, the server may store the public key of the target terminal together with the identifier of the target terminal. In this embodiment, an encryption algorithm is also preset between the server and the target terminal, and it is the same as the algorithm between the server and the calling terminal.
Optionally, if the server's calling permission unit has no authority record of the calling terminal calling the target terminal, the server may send unauthorized-access information to the calling terminal, and the calling terminal abandons the calling request.
Step S150, the server sends the authorization information and the first authorization signature to the calling terminal.
Specifically, the server sends the authorization information and the first authorization signature generated from the request information to the calling terminal, so that the calling terminal can perform the subsequent calling processing.
Step S160, the calling terminal receives the authorization information and the first authorization signature sent by the server.
Step S170, the calling terminal sends a calling request to the target terminal, wherein the calling request comprises an authorization request header, the authorization information, the first authorization signature and a request text.
After receiving the authorization information and the first authorization signature, the calling terminal adds an authorization request header to the calling request and sends the calling request to the target terminal, so that the target terminal receives and processes it. Specifically, the calling request comprises the authorization request header, the authorization information, the first authorization signature and the request text.
Step S180, the target terminal receives the calling request and generates a second authorization signature according to the authorization information.
Specifically, the target terminal receives the calling request and parses it to obtain the authorization request header, the authorization information and the first authorization signature, and acquires the identifier of the calling terminal, the address of the calling terminal, the identifier of the target terminal and the expiration time from the authorization information.
The target terminal checks whether the identifier of the target terminal in the authorization information is consistent with the identifier of the target terminal currently receiving the authorization information, so as to determine whether the received calling request is correct.
The target terminal judges, according to the expiration time, whether its current time is within the expiration time. This filters repeated calling request data that the target terminal receives because of device or network delay while receiving the calling request, so that the same calling request is not processed repeatedly, which would otherwise increase the running pressure and memory usage of the target terminal.
The target terminal judges, according to the address of the calling terminal in the authorization information, whether the calling terminal address is the same as the remote address of the call, so as to determine whether the received calling request is correct.
When the received identifier of the target terminal is consistent with the identifier of the current target terminal, the address of the calling terminal in the authorization information is the same as the remote address of the call, and the current time of the target terminal is within the expiration time, the target terminal encrypts the authorization information with the target terminal private key stored in the target terminal to generate a second authorization signature. The target terminal private key stored by the target terminal corresponds to the target terminal and to the target terminal public key stored by the server. The second authorization signature is compared with the received first authorization signature to determine whether the calling terminal is legal.
Take as an example the order microservice calling an interface of the account microservice. The order microservice first requests identity authentication from the authorization center of the server, and the authorization center includes the address of the order microservice, i.e. the address of the calling terminal, in the returned authorization token, namely the authorization information. Then, when the order microservice requests the account microservice interface, it sends its address at the time of the request together with the authorization information to the account microservice; the address of the order microservice at the time of the request is the remote address of the call. The account microservice thus judges whether the address of the calling terminal in the authorization information is the same as the remote address of the call, that is, whether the address at the time of the order microservice's request matches the address of the order microservice in the authorization information, which guards against theft of the authorization information.
Optionally, when the received identifier of the target terminal is not consistent with the identifier of the current target terminal, invalid information may be sent to the calling terminal, specifically stating that the target terminal receiving the calling request is incorrect or that the identifier of the target terminal in the authorization information is incorrect; the calling terminal may then regenerate and resend the calling request, or terminate the call.
Optionally, when the current time of the target terminal exceeds the expiration time, the target terminal determines that the calling request is invalid and stops processing it. The target terminal may send expiration request information to the calling terminal, and the calling terminal may resend the calling request to the target terminal according to this feedback.
Optionally, when the address of the calling terminal in the authorization information differs from the remote address of the call, the target terminal may return to the calling terminal information that the address of the calling terminal is invalid.
In this embodiment, the order of the three determinations (whether the identifier of the target terminal is consistent with the identifier of the target terminal currently receiving the authorization information, whether the address of the calling terminal is the same as the remote address of the call, and whether the current time of the target terminal is within the expiration time) may be set arbitrarily; as long as all three conditions are met, the target terminal encrypts the authorization information with the private key of the target terminal to generate the second authorization signature.
Step S190, if the first authorization signature is the same as the second authorization signature, the target terminal executes processing of the request text.
Specifically, the target terminal matches the received first authorization signature with the generated second authorization signature, and if the first authorization signature is consistent with the second authorization signature, the target terminal executes processing of the request text.
Optionally, if the first authorization signature does not match the second authorization signature, the calling terminal is illegal, and the target terminal may send invalid signature information to the calling terminal indicating that the first authorization signature is invalid. According to this feedback, the calling terminal can resend the request information and the first request signature to the server for authorization processing.
Optionally, the method further comprises:
Step S200, after the target terminal completes processing the request text, it sends the calling request to the calling terminal.
Step S210, the calling terminal receives and caches the calling request sent by the target terminal.
The calling terminal caches the received calling request so that, when it calls the target terminal again, the calling request can be sent directly to the target terminal, omitting the server authorization process and improving calling efficiency without introducing security holes.
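The target terminal's checks from steps S180 to S190, together with the expiration handling and the server's authority-record check described above, as an added example that is not part of the patent. It uses HMAC-SHA256 with a secret shared between the server and the target terminal in place of the public/private key pair the patent describes, so that the "generate a second signature and compare" step runs on Python's standard library alone; all identifiers, addresses, keys and the 30-second threshold are constructed.

```python
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass
from typing import Optional, Tuple

# Constructed keys. The patent describes a target terminal key pair; here a
# secret shared by the authorization server and the target terminal stands in
# for it so that "generate a second signature and compare" runs on stdlib only.
TARGET_KEYS = {"account-service": b"constructed-account-service-key"}

# Constructed authority records: (calling terminal, target terminal) pairs
# the server's calling permission unit allows.
AUTHORITY_RECORDS = {("order-service", "account-service")}

# Assumed time threshold the server adds to the generation time (seconds).
EXPIRY_SECONDS = 30


@dataclass(frozen=True)
class AuthorizationInfo:
    """The authorization information carried in the calling request."""
    caller_id: str
    caller_address: str
    target_id: str
    expiration_time: float

    def canonical(self) -> bytes:
        # Deterministic encoding so server and target sign identical bytes.
        return json.dumps(asdict(self), sort_keys=True,
                          separators=(",", ":")).encode()


def authorization_signature(info: AuthorizationInfo, key: bytes) -> str:
    """HMAC-SHA256 over the canonical authorization information."""
    return hmac.new(key, info.canonical(), hashlib.sha256).hexdigest()


def server_authorize(caller_id: str, caller_address: str, target_id: str,
                     now: float) -> Optional[Tuple[AuthorizationInfo, str]]:
    """Server side: check the authority record, then build the authorization
    information and the first authorization signature (steps S140 to S150).
    Returns None when no authority record exists (unauthorized access)."""
    if (caller_id, target_id) not in AUTHORITY_RECORDS:
        return None
    info = AuthorizationInfo(caller_id, caller_address, target_id,
                             now + EXPIRY_SECONDS)
    return info, authorization_signature(info, TARGET_KEYS[target_id])


def target_verify(my_id: str, remote_address: str, info: AuthorizationInfo,
                  first_signature: str, now: float,
                  private_key: bytes) -> Tuple[bool, str]:
    """Target side (steps S180 to S190): the three checks, in any order, then
    the second authorization signature is generated and compared."""
    if info.target_id != my_id:
        return False, "invalid: target terminal identifier mismatch"
    if info.caller_address != remote_address:
        return False, "invalid: calling terminal address mismatch"
    if now > info.expiration_time:
        return False, "expired"
    second_signature = authorization_signature(info, private_key)
    # Constant-time comparison so the match does not leak timing information.
    if not hmac.compare_digest(first_signature, second_signature):
        return False, "invalid signature"
    return True, "ok"


def run_scenarios() -> dict:
    """Exercise the flow with constructed inputs and return each outcome."""
    t0 = 1_700_000_000.0  # constructed reference clock
    key = TARGET_KEYS["account-service"]
    issued = server_authorize("order-service", "10.0.0.5", "account-service", t0)
    assert issued is not None
    info, first_sig = issued
    # Authorization information altered in transit: the signature no longer covers it.
    tampered = AuthorizationInfo(info.caller_id, info.caller_address,
                                 info.target_id, info.expiration_time + 3600)
    return {
        "legitimate": target_verify("account-service", "10.0.0.5", info,
                                    first_sig, t0 + 5, key),
        "stolen_token_other_address": target_verify("account-service", "10.0.0.9",
                                                    info, first_sig, t0 + 5, key),
        "delayed_past_expiry": target_verify("account-service", "10.0.0.5", info,
                                             first_sig, t0 + EXPIRY_SECONDS + 1, key),
        "wrong_target": target_verify("payment-service", "10.0.0.5", info,
                                      first_sig, t0 + 5, key),
        "tampered_info": target_verify("account-service", "10.0.0.5", tampered,
                                       first_sig, t0 + 5, key),
        "no_authority_record": server_authorize("order-service", "10.0.0.5",
                                                "payment-service", t0),
    }
```

A calling request cached under steps S200 to S210 and resent after the expiration time fails the same expiry check as the delayed case above.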
The application discloses an authentication method in which the calling terminal sends request information and a first request signature to the server; the server obtains the address of the calling terminal from the request information and the first request signature, generates authorization information and a first authorization signature when it checks that it stores an authority record of the calling terminal calling the target terminal, and sends the authorization information and the first authorization signature to the calling terminal; the calling terminal sends a calling request to the target terminal, and the target terminal generates a second authorization signature according to the authorization information; if the first authorization signature is the same as the second authorization signature, the target terminal processes the request text. Signatures are generated with key pairs to realize authentication and authorization between microservices, which improves the security of the whole architecture and prevents intrusion by malicious programs.
Fig. 3 is a schematic diagram of an electronic device of an embodiment of the invention. The electronic device shown in fig. 3 is a general-purpose data processing apparatus comprising a general-purpose computer hardware structure including at least a processor 31 and a memory 32. The processor 31 and the memory 32 are connected by a bus 33. The memory 32 is adapted to store instructions or programs executable by the processor 31. The processor 31 may be a stand-alone microprocessor or may be a collection of one or more microprocessors. Thus, the processor 31 implements the processing of data and the control of other devices by executing instructions stored by the memory 32 to perform the method flows of embodiments of the present invention as described above. The bus 33 connects the above components together, and also connects the above components to a display controller 34 and a display device and an input/output (I/O) device 35. Input/output (I/O) devices 35 may be a mouse, keyboard, modem, network interface, touch input device, motion sensing input device, printer, and other devices known in the art. Typically, the input/output device 35 is connected to the system through an input/output (I/O) controller 36. Preferably, the electronic device of the present embodiment is a server.
Also, as will be appreciated by one skilled in the art, various aspects of the embodiments of the present application may be embodied as a system, method or computer program product. Accordingly, various aspects of embodiments of the present application may take the form of: an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, micro-code, etc.) or an embodiment combining software and hardware aspects that may all generally be referred to herein as a "circuit," "module" or "system." Further, aspects of the present application may take the form of: a computer program product embodied in one or more computer readable media having computer readable program code embodied thereon.
Any combination of one or more computer-readable media may be utilized. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of embodiments of the present application, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated signal may take any of a variety of forms, including, but not limited to: electromagnetic, optical, or any suitable combination thereof. The computer readable signal medium may be any of the following computer readable media: is not a computer readable storage medium and may communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present application may be written in any combination of one or more programming languages, including: object oriented programming languages such as Java, Smalltalk, C++, and the like; and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package; partly on a user computer and partly on a remote computer; or entirely on a remote computer or service authentication center. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
The above-described flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application describe various aspects of the application. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer readable medium that can direct a computer, other programmable data processing apparatus, or other devices to function in a particular manner, such that the instructions stored in the computer readable medium produce an article of manufacture including instructions which implement the function/act specified in the flowchart and/or block diagram block or blocks.
The computer program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus or other devices to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide processes for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
The above description is only a preferred embodiment of the present application and is not intended to limit the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (9)

1. An authentication method, comprising:
the calling terminal sends request information and a first request signature to the server, the first request signature being generated with the calling terminal private key;
the server receives the request information and the first request signature;
the server acquires a calling terminal public key according to the request information and generates a second request signature according to the calling terminal public key;
if the first request signature is the same as the second request signature, the server acquires the address of the calling terminal according to the hypertext transfer protocol;
when the server detects that an authority record of the calling terminal calling the target terminal is stored in the server, the server generates authorization information and a first authorization signature, wherein the first authorization signature is generated with the target terminal public key;
the server sends the authorization information and the first authorization signature to the calling terminal;
the calling terminal receives the authorization information and the first authorization signature sent by the server;
the calling terminal sends a calling request to the target terminal, wherein the calling request comprises an authorization request header, the authorization information, the first authorization signature and a request text;
the target terminal receives the calling request and generates a second authorization signature according to the authorization information;
if the first authorization signature is the same as the second authorization signature, the target terminal executes processing of the request text.
2. The method of claim 1, wherein generating a second authorization signature according to the authorization information comprises:
the target terminal acquires a target terminal private key according to the authorization information and generates the second authorization signature according to the target terminal private key.
3. The method of claim 1, wherein the request information comprises an identifier of the calling terminal, an identifier of the target terminal, and a timestamp;
the timestamp being the time at which the calling terminal generates the request information.
4. The method of claim 3, wherein the server acquiring the calling terminal public key according to the request information comprises:
when the difference between the timestamp and the current time of the server is within a time threshold, acquiring the calling terminal public key corresponding to the calling terminal private key according to the identifier of the calling terminal.
5. The method of claim 1, wherein the authorization information comprises an identifier of the calling terminal, an address of the calling terminal, an identifier of the target terminal, and an expiration time.
6. The method of claim 2, wherein the target terminal acquiring a target terminal private key according to the authorization information comprises:
when the address of the calling terminal in the authorization information is the same as the remote address of the call, the identifier of the target terminal in the authorization information is the same as the identifier of the current target terminal, and the current time of the target terminal is less than the expiration time, acquiring the private key of the target terminal according to the identifier of the target terminal.
7. The method of claim 1, further comprising:
after the target terminal completes processing the request text, sending the calling request to the calling terminal;
the calling terminal receiving and caching the calling request sent by the target terminal.
8. An authentication system, comprising a calling terminal, a target terminal and a server, wherein:
the calling terminal is configured to send request information and a first request signature to the server, receive authorization information and a first authorization signature sent by the server, and send a calling request to the target terminal, the first request signature being generated with the calling terminal private key and the calling request comprising an authorization request header, the authorization information, the first authorization signature and a request text;
the server is configured to receive the request information and the first request signature, acquire a calling terminal public key according to the request information, generate a second request signature according to the calling terminal public key, acquire the address of the calling terminal according to the hypertext transfer protocol if the first request signature is the same as the second request signature, generate the authorization information and the first authorization signature when it checks that it stores an authority record of the calling terminal calling the target terminal, and send the authorization information and the first authorization signature to the calling terminal, wherein the first authorization signature is generated with the target terminal public key;
the target terminal is configured to receive the calling request, generate a second authorization signature according to the calling request, and execute processing of the request text if the first authorization signature is the same as the second authorization signature.
9. A computer-readable storage medium on which computer program instructions are stored, which computer program instructions, when executed by a processor, implement the method of any one of claims 1-7.
CN201810282990.0A 2018-04-02 2018-04-02 Authentication method, authentication system and computer readable storage medium Expired - Fee Related CN108199852B (en)

Publications (2)

Publication Number Publication Date
CN108199852A CN108199852A (en) 2018-06-22
CN108199852B true CN108199852B (en) 2021-02-26


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20210226