CN110035035B - Secondary authentication method and system for single sign-on - Google Patents


Info

Publication number
CN110035035B
Authority
CN
China
Prior art keywords
client
counter value
server
authentication
service request
Legal status
Active
Application number
CN201810029296.8A
Other languages
Chinese (zh)
Other versions
CN110035035A (en)
Inventor
陈旭武
Current Assignee
Beijing Feinno Communication Technology Co Ltd
Original Assignee
Beijing Feinno Communication Technology Co Ltd

Classifications

    • H04L 63/0442 (H Electricity; H04 Electric communication technique; H04L Transmission of digital information): Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload, and the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L 63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0815: Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H04L 9/3213: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication (e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials) involving a third party or a trusted authority, using tickets or tokens, e.g. Kerberos

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)
  • Storage Device Security (AREA)

Abstract

Embodiments of the application provide a secondary authentication method and system for single sign-on. After single sign-on authentication is completed, the client encrypts a counter value and a first current time to generate a session credential; the client sends a service request carrying the session credential to a server; the server decrypts the session credential to recover the counter value and the first current time and performs secondary authentication of the client; if the secondary authentication passes, the service request is forwarded to the service end. Under this scheme, even if the single sign-on authentication process is compromised by an attacker, the attacker cannot impersonate the client to make service requests; moreover, because the counter value changes dynamically, a session credential recovered by an attacker cannot be reused to pass secondary authentication. Compared with the prior art, the scheme therefore improves the security of single sign-on and better protects user data and interests.

Description

Secondary authentication method and system for single sign-on
Technical Field
The application relates to the technical field of internet information security, in particular to a secondary authentication method and system for single sign-on.
Background
Single sign-on (SSO) means that, across multiple application systems, a user logs in once and can then access every application system that trusts the same login; it includes a mechanism that maps one login onto other applications so the same user can use them without logging in again. In an environment where multiple systems coexist, single sign-on lets a user who has logged in at one place obtain the trust of all other systems in that environment without logging in to each of them. For example, delivering a given service may require several subsystems to cooperate; without single sign-on the user would have to authenticate to each subsystem at login, which makes the user's operations cumbersome and seriously degrades the user experience. Repeated authentication by each subsystem also makes the authentication and authorization logic in the service very complicated and reduces the operating efficiency of the system.
There are two main single sign-on schemes in the prior art. One is based on an HTTP authentication cache, as shown in fig. 1: the first login authentication is completed by calling an HTTP authentication interface and the authentication result is cached; when another system needs to authenticate, it reads and verifies the cached result, and if the cache has expired the HTTP interface is called again. The problem with this scheme is poor security: the parameters of the authentication cache are easily obtained by an attacker through packet capture and used to forge the user's identity and log in. The other is an encrypted authentication scheme based on an asymmetric cryptographic algorithm: user information is encrypted on the client with a set of asymmetric keys, and the server decrypts and verifies it to complete login authentication. The problem with this scheme is that the client's key is easily compromised by an attacker, who can then forge the user's identity and log in.
The prior-art single sign-on schemes therefore have poor security: an attacker can break them, forge a user's identity to log in, cause loss of user data and interests, and disrupt normal operation of system services. How to provide a single sign-on scheme with higher security is thus a technical problem that those skilled in the art urgently need to solve.
Disclosure of Invention
The embodiment of the application provides a secondary authentication method and a secondary authentication system for single sign-on, which aim to solve the problems in the prior art.
In a first aspect, an embodiment of the present application provides a secondary authentication method for single sign-on, the method comprising:
after the single sign-on authentication is completed, the client encrypts a counter value and a first current time to generate a session credential;
the client sends a service request carrying the session credential to a server;
the server decrypts the session credential to obtain the counter value and the first current time, and performs secondary authentication of the client;
if the secondary authentication passes, the service request is forwarded to a service end;
the server maintains an upper limit value for the counter value; the client generates the counter value, whose initial value is smaller than the upper limit value and which increases with the number of service requests; and the server generates a counter value queue from the counter value of each service request.
In a second aspect, an embodiment of the present application provides a single sign-on secondary authentication system, where the system includes:
the system comprises a client and a server, wherein the client is in communication connection with the server;
wherein:
the client is configured to:
after the single sign-on authentication is completed, encrypting the counter value and the first current time to generate a session certificate;
sending a service request carrying the session certificate to the server;
generating the counter value, wherein the initial value of the counter value is smaller than the upper limit value and is increased according to the increase of the service request times;
the server is configured to:
decrypting the session certificate to obtain the counter value and the first current time, and performing secondary authentication on the client;
if the secondary authentication is passed, the service request is forwarded to a service end;
maintaining the counter value upper limit value;
and generating a counter value queue according to the counter value of each service request.
According to the above technical scheme, after single sign-on authentication is completed the client encrypts the counter value and the first current time to generate a session credential; the client sends a service request carrying the session credential to the server; the server decrypts the session credential to obtain the counter value and the first current time and performs secondary authentication of the client; and if the secondary authentication passes, the service request is forwarded to the service end. Even if the single sign-on authentication process is compromised by an attacker, the attacker cannot impersonate the client to make service requests, and could complete secondary authentication only after obtaining the exact counter value. Moreover, because the counter value changes as the number of service requests grows, an attacker who recovers one session credential cannot use it to pass secondary authentication as another client, and the session credential itself changes with the counter value. Compared with the prior art, the scheme therefore improves the security of single sign-on, better protects user data and interests, and improves the overall security and stability of the service system.
Drawings
To explain the technical solution of the present application more clearly, the drawings needed in the embodiments are briefly described below; those skilled in the art can derive other drawings from them without creative effort.
FIG. 1 is a schematic diagram of a single sign-on scheme of the prior art;
fig. 2 is a flowchart of a secondary authentication method for single sign-on according to an embodiment of the present disclosure;
fig. 3 is a flowchart illustrating a method for generating an asymmetric key by a secondary authentication method of single sign-on according to an embodiment of the present disclosure;
fig. 4 is a flowchart illustrating a client login of a single sign-on secondary authentication method according to an embodiment of the present disclosure;
fig. 5 is a flowchart of a secondary authentication method step S110 of single sign-on according to an embodiment of the present application;
fig. 6 is a flowchart of a secondary authentication method step S130 of single sign-on according to an embodiment of the present application;
fig. 7 is a flowchart of a secondary authentication method step S135 of single sign-on according to an embodiment of the present application;
fig. 8 is a flowchart illustrating a method for generating random numbers by a secondary authentication method of single sign-on according to an embodiment of the present disclosure;
fig. 9 is a flowchart of step S060 of a single sign-on secondary authentication method according to an embodiment of the present application;
fig. 10 is a flowchart of a method for secondary authentication of single sign-on to regenerate an asymmetric key according to an embodiment of the present application;
fig. 11 is a working schematic diagram of a single sign-on secondary authentication system according to an embodiment of the present application.
Detailed Description
In order to make those skilled in the art better understand the technical solutions in the present application, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Single sign-on (SSO) means that, across multiple application systems, a user logs in once and can then access every application system that trusts the same login; it includes a mechanism that maps one login onto other applications so the same user can use them. Single sign-on is used very frequently in large business systems. For example, an enterprise office management platform may integrate subsystems such as teleconferencing, bulk SMS, an enterprise address book, attendance check-in, an enterprise network drive and public opinion analysis; when an enterprise user works on the platform, these subsystems usually cooperate, and if each subsystem required the user to log in and authenticate, the user experience would be extremely poor and every subsystem would be made logically complex by repeated authentication and authorization. In such an application system built from cooperating subsystems, single sign-on is therefore generally used so that, in an environment where multiple systems coexist, a user who has logged in at one place obtains the trust of all other systems and need not log in again to each of them.
The prior art mainly provides two technical schemes of single sign-on:
one solution is a solution based on HTTP authentication caching, see fig. 1, which is a schematic diagram of a single sign-on solution of the prior art shown in this application, first sign-on authentication is completed by calling an HTTP authentication interface, in a large application system, the authentication interface is often provided by an independent third party authentication platform, and after the user completes first sign-on, an authentication result is cached, for example: after the user finishes the first login, generating encrypted tokens (tokens) or Cookies and the like according to an authentication result; when the client needs to log in other subsystems, the single sign-on authentication is realized by checking the cached authentication results such as Cookies and the like. However, the technical solution of single sign-on has the following problems: the security is poor, and data generated in the authentication process is easily acquired by packet capturing, so that an attacker can cache and forge a client to pass the authentication through the captured authentication result; the timeliness is poor, because the authentication result cache has a time limit, when the set time limit is too short, the client needs to frequently call the authentication interface of the third party authentication platform, the burden of the third party authentication platform is increased, the efficiency is reduced, and when the set time limit is too long, the application system environment may change in the period, so that the authentication result cannot be accurate.
The other scheme is an encryption authentication scheme based on an asymmetric cryptographic algorithm, after the authentication step of a third-party authentication platform, user information is encrypted at a client through a group of asymmetric keys, and the user information is decrypted and verified at a server to realize login authentication; the problems with this solution are: the security is poor, and the client-side secret key is easy to be seized and cracked by an attacker, so that the identity of the client-side is forged to log in.
Therefore, the single sign-on technical scheme provided by the prior art has the problems of poor safety and the like, and is easily broken by an attacker, so that the identity of the user is forged to log in, the loss of user data and benefits is caused, and the normal operation of system services is influenced.
In order to solve the problems existing in the single sign-on technical scheme in the prior art, the application provides a secondary authentication method for single sign-on.
In the single sign-on secondary authentication method provided by the application, the client and the server jointly maintain a counter scheme. The counter value is generated by the client; the server maintains an upper limit for it; the initial counter value generated by the client is smaller than that upper limit; and the counter value increases with the number of service requests the client makes, so that every service request carries a different counter value. The server builds a counter value queue from the counter value of each service request, so that the queue contains every counter value that has already been used. The counter value is used in the present application to generate the session credential used in secondary authentication. Because the counter value changes with the number of service requests, even if an attacker obtains the client's counter value for one service request, that value is already stale and invalid, so the attacker cannot use it to forge the client's identity and pass secondary authentication. Using the counter value in secondary authentication therefore improves the security of single sign-on.
Fig. 2 is a flowchart of a secondary authentication method for single sign-on according to an embodiment of the present application, and as shown in fig. 2, the method includes the following steps:
step S110, after the single sign-on authentication is completed, the client encrypts the counter value and the first current time to generate a session credential.
In the present application, after single sign-on authentication is completed (that is, for the secondary authentication of this application, after the prior-art single sign-on authentication scheme has completed and before a service request is initiated), the client encrypts the current counter value and the first current time with the encryption key to generate the session credential. Because the counter value is generated by the client and increases with the number of service requests, the session credential generated by the client is different every time. Each session credential can be used in secondary authentication only once and becomes invalid immediately afterwards; the next secondary authentication must use a new session credential, which prevents an attacker who has recovered a session credential by packet capture or splicing from impersonating the client. In addition, because the session credential is obtained by encrypting the counter value, an attacker who wants to recover the counter value from it must know the encryption and decryption rules of the session credential and hold the decryption key; otherwise the attacker cannot pass secondary authentication with the session credential. The first current time records when the session credential was generated, which allows a validity period to be set for the encryption key: whether the encryption key has expired is judged from the first current time, which limits the damage if the encryption key is stolen by an attacker. The session credential thus improves the security of single sign-on.
Step S120, the client sends a service request carrying the session certificate to a server.
In the application, when a client needs to request a service from the server, it sends a service request carrying the session credential to the server, and the server uses the session credential to perform secondary authentication. Once the primary authentication is complete, in every subsequent service request the client only needs to send the session credential to the server, and the server verifies it to complete secondary authentication; no connection to an external authentication service such as a third-party authentication platform is needed. The primary authentication is thus performed by the external platform, while subsequent secondary authentication is performed within the independent system formed by the client and the server. This reduces the dependence of single sign-on authentication on third-party services, reduces the exposure of authentication information to man-in-the-middle attacks during communication with the third-party service, and improves both the security and the efficiency of authentication.
Step S130, the server decrypts the session credential to obtain the counter value and the first current time, and performs secondary authentication on the client.
In the application, the server decrypts the counter value and the first current time from the session credential with the decryption key, and then performs the secondary login authentication using the decrypted counter value and first current time together with the counter value upper limit and the counter value queue it maintains. For example: whether the session credential has expired is judged from the first current time, and whether the session credential has already been used is judged from the counter value (a counter value that has already been used is present in the counter value queue). Because the counter value changes dynamically and each session credential is valid only once, the session credential and the decrypted counter value the server receives are different every time, which removes the possibility that an attacker spoofs authentication by forging a session credential and counter value, and so improves the security of single sign-on.
Step S140, if the secondary authentication is passed, the service request is forwarded to the service end.
In the application, if the secondary authentication between the server and the client passes, the server forwards the service request sent by the client to the service end, which responds to the request and provides the service to the client. Using the client's session credential for secondary authentication at the server during service requests made after single sign-on authentication improves the security of single sign-on while reducing its dependence on the third-party authentication platform, so that authentication is performed independently within the system formed by the client and the server. Moreover, once secondary authentication is in place, every service request forwarded to the service end is a valid request from a client that has passed it, and spoofed requests sent by an attacker never reach the service end; this protects the service end and improves authentication efficiency.
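Steps S110 to S140 as one worked Go program. This is an added example, not code from the patent or from Beijing Feinno Communication Technology. The patent names no cipher, credential layout, validity window or upper limit, so AES-GCM, a 16-byte (counter, first current time) plaintext, a 30-second window and the limits used in `main` are assumptions, and the counter value queue is kept as a set. The credential is keyed with the per-login random seed that step S094 records on the server rather than with the server's public key mentioned at step S050: anyone holding a public key can encrypt under it, so a credential encrypted only with a public key would let the server recover a counter but not tell who produced it, whereas a secret shared only with the server binds the credential to that client and the GCM tag rejects any tampering.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Assumed: the patent fixes neither the cipher nor how long a first current
// time stays acceptable, so AES-GCM and a 30 s window are example choices.
const credentialTTL = 30 * time.Second

var (
	ErrMalformed = errors.New("session credential malformed or tampered")
	ErrExpired   = errors.New("session credential expired")
	ErrReplay    = errors.New("counter value already used")
	ErrLimit     = errors.New("counter value above upper limit; re-login required")
)

// NewAEAD keys the credential with the per-login random seed recorded at S094
// (16, 24 or 32 bytes); both client and server derive it from the same seed.
func NewAEAD(seed []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(seed)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Client owns the counter value (S110): below the upper limit to start, +1 per request.
type Client struct {
	aead    cipher.AEAD
	counter uint64
}

// NextCredential encrypts (counter || first current time) into a fresh
// session credential laid out as nonce || ciphertext || GCM tag.
func (c *Client) NextCredential(now time.Time) ([]byte, error) {
	c.counter++
	plain := make([]byte, 16)
	binary.BigEndian.PutUint64(plain[:8], c.counter)
	binary.BigEndian.PutUint64(plain[8:], uint64(now.Unix()))
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, c.aead.Seal(nil, nonce, plain, nil)...), nil
}

// Server keeps the upper limit and the counter value queue (S130/S140).
type Server struct {
	aead       cipher.AEAD
	upperLimit uint64
	used       map[uint64]struct{} // every counter value already accepted
}

func NewServer(aead cipher.AEAD, upperLimit uint64) *Server {
	return &Server{aead: aead, upperLimit: upperLimit, used: map[uint64]struct{}{}}
}

// Authenticate is the secondary authentication: the credential must decrypt
// under the shared seed, carry a first current time inside the window, stay
// at or below the upper limit, and use a counter value never seen before.
func (s *Server) Authenticate(cred []byte, now time.Time) (uint64, error) {
	ns := s.aead.NonceSize()
	if len(cred) < ns {
		return 0, ErrMalformed
	}
	plain, err := s.aead.Open(nil, cred[:ns], cred[ns:], nil)
	if err != nil || len(plain) != 16 {
		return 0, ErrMalformed
	}
	counter := binary.BigEndian.Uint64(plain[:8])
	issued := time.Unix(int64(binary.BigEndian.Uint64(plain[8:])), 0)
	if issued.After(now.Add(credentialTTL)) || now.Sub(issued) > credentialTTL {
		return counter, ErrExpired
	}
	if counter > s.upperLimit {
		return counter, ErrLimit
	}
	if _, seen := s.used[counter]; seen {
		return counter, ErrReplay
	}
	s.used[counter] = struct{}{}
	return counter, nil
}

func main() {
	seed := make([]byte, 32) // stands in for the seed exchanged at login
	rand.Read(seed)
	aead, _ := NewAEAD(seed)
	c, s := &Client{aead: aead, counter: 0}, NewServer(aead, 1000)
	cred, _ := c.NextCredential(time.Now())
	_, first := s.Authenticate(cred, time.Now())
	_, replay := s.Authenticate(cred, time.Now())
	fmt.Println("first use:", first, "| replay:", replay)
}
```

The order of checks matters: decrypt and verify the tag first, so that a forged credential never touches the queue; check the time window before the queue, so that stale credentials do not pollute it; and treat a counter above the upper limit as a signal to repeat the login of fig. 4 rather than as an error to retry. A real deployment would also bound the queue (for example by dropping values below the lowest counter still inside the time window).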
In an alternative embodiment, the present application uses asymmetric keys in encrypting the counter value to generate the session credential and decrypting the session credential, wherein a set of asymmetric keys comprises a public key and a private key, the asymmetric keys have a validity period, and the server is responsible for maintaining the validity period of the asymmetric keys, and the asymmetric keys will expire after the validity period is exceeded.
Fig. 3 is a flowchart of generating an asymmetric key by a single sign-on secondary authentication method according to an embodiment of the present application, and as shown in fig. 3, the step of generating the asymmetric key includes:
step S050, the client sends a first service request for obtaining the public key to the server in the single sign-on authentication process.
In secondary authentication, the client's counter value is encrypted with the public key and the session credential is decrypted with the private key; so that the client has a usable public key at the time of secondary authentication, it sends a first service request for obtaining the public key to the server during the single sign-on authentication process.
Step S060, the server checks the validity of the client according to the first service request.
Before the server generates the asymmetric key, it checks the validity of the client according to the first service request, so that an attacker cannot send a spoofed request to the server and trick it into issuing a public key; this improves the security of secondary authentication.
Step S070, when the client is valid, the server generates an asymmetric key, where the asymmetric key includes a public key and a private key.
The asymmetric key generated by the server comprises a public key and a private key that differ from each other. They may be generated with the RSA algorithm, an asymmetric cryptographic algorithm that produces a public key used for encryption and a private key used for decryption; the public key may be published, while the private key must be kept secret. This improves the security of single sign-on.
And step S080, the server caches the private key and sends the public key to the client.
In the application, the server caches the generated private key secretly and sends the public key to the client so that the client can use it to encrypt data. The client obtains only the public key; the private key is cached on the server and never published; and by setting a validity period for the asymmetric key the server expires the old key in time and generates a new asymmetric key, which prevents an attacker who obtains a public key from impersonating the client in a spoofed login. The security of single sign-on is thus improved.
Fig. 4 is a flowchart of a client login of a single sign-on secondary authentication method according to an embodiment of the present application, and as shown in fig. 4, in an alternative implementation, after step S080, the process of the client login may include the following steps:
step S091, the client generates a random seed, and encrypts the random seed and the second current time of the client according to the public key to generate the authentication credential.
In the present application, the client generates a random seed: a truly random value (the seed) serves as the initial state from which a pseudo-random number generator derives further random numbers by repeated iteration. To improve the security of single sign-on, a 16-bit random seed may be used. The client encrypts the random seed and the second current time with the public key obtained from the server to generate the authentication credential used for the client's login authentication; the second current time is the time at which the authentication credential was generated. The random seed can also serve as the encryption key used to generate the session credential in secondary authentication, so that the encryption key keeps changing from login to login, which improves the security of single sign-on. In addition, by comparing the second current time with the first current time against the preset validity period of the asymmetric key, the client's public key can be expired in time and the client told to request a new public key, which prevents an attacker who has illegally obtained the client's public key from forging the client's identity in a spoofed authentication. The security of single sign-on is improved.
Step S092, the client sends a login request carrying the authentication credential to the server.
In the application, when the client requests to log in, it sends a login request carrying the verification certificate to the server so that the server can verify the login request. Because the verification certificate is encrypted with the public key, the server must decrypt it with the private key in order to authenticate the login request, and the private key is secret, so an attacker is prevented from impersonating the server to deceive the client into logging in, and the security of single sign-on is improved.
And step S093, the server side decrypts and verifies the verification certificate according to the cached private key.
In the application, the server decrypts the verification certificate with the private key. If the random seed, the second current time and the other information cannot be decrypted, the verification certificate is invalid and the login request of the client is rejected; if they can be decrypted, whether the public key has expired is judged from the second current time and the preset validity period of the public key, and if the public key has not expired, the verification passes and the client login succeeds. Because the private key used to decrypt and verify the certificate is secret, an attacker is prevented from impersonating the server to deceive the client into logging in, and the security of single sign-on is improved.
And step S094, if the decryption verification is passed, the server side records the random seed and the second current time, and returns login authentication completion information to the client side.
In the application, if the decryption verification is passed, the server records the random seed and the second current time so as to be used for decrypting the session certificate by using the random seed in the secondary authentication and judging whether the public key is expired by using the second current time.
In the client login process, the client generates a random seed, encrypts the random seed and the second current time of the client according to the public key to generate a verification certificate, then sends a login request carrying the verification certificate to the server, the server decrypts the verification certificate through the private key to verify the login request, and if the decryption verification is passed, the server records the random seed and the second current time and returns login authentication completion information to the client. Because the private key used for decrypting the verification certificate is secret, an attacker can be prevented from forging the server to cheat the login of the client, and the security of single sign-on is improved.
Fig. 5 is a flowchart of step S110 of a single sign-on secondary authentication method provided in an embodiment of the present application, and as shown in fig. 5, in an alternative implementation, step S110 includes the following steps:
step S111, obtaining the counter value and the first current time.
In the application, the counter value changes dynamically, and the current counter value and the first current time can be obtained when a service request needs to be sent. The counter value generated by the client is a dynamically changing one-time value: it can be used only once in the secondary authentication, the server can store all used counter values, and a counter value becomes invalid once it has been used. An attacker therefore cannot forge the identity of the client to perform secondary authentication with a counter value captured at some moment by packet capture, so using the counter value of the application in the secondary authentication improves the security of single sign-on.
And step S112, encrypting the counter value and the first current time once according to the random seed.
In the application, the counter value and the first current time can be encrypted with the Advanced Encryption Standard (AES) algorithm. AES is a block cipher that encrypts and decrypts data in blocks of 128 bits, and the same AES key is used for both encryption and decryption.
And step S113, carrying out secondary encryption on the primary encryption result according to the public key acquired from the server side to generate the session certificate.
According to the method and the device, after the random seed is used to encrypt the counter value for the first time, the public key obtained from the server is used to encrypt the result of the first encryption a second time. Once the counter value has been encrypted twice, even if an attacker hijacks the transmitted data or captures packets to obtain the public key during transmission, the attacker can decrypt the transmitted data only once and still cannot obtain the counter value, so the client cannot be forged to deceive the server, and the security of single sign-on is improved.
Fig. 6 is a flowchart of step S130 of a single sign-on secondary authentication method provided in an embodiment of the present application, and as shown in fig. 6, in an alternative implementation, step S130 includes the following steps:
step S131, obtaining the session credential from the service request.
According to the method and the device, when the client initiates a service request for secondary authentication, the secondary authentication is completed by verifying the session certificate, so no external authentication service such as a third-party verification platform needs to be contacted: the primary authentication is performed on the external platform, while the subsequent secondary authentication is performed inside the independent system formed by the client and the server. This reduces the dependence of single sign-on authentication on the third-party service, reduces the chance that authentication information is attacked by a man-in-the-middle while communicating with the third-party service, and improves both the security and the efficiency of authentication.
Step S132, the session voucher is decrypted once according to the private key cached by the server.
In the application, the server obtains the cached private key, which forms a pair of asymmetric keys with the public key of the client, and uses the private key to decrypt the session certificate once. The private key is generated by the server, cached at the server, never disclosed and never transmitted outward, so it remains confidential; an attacker therefore cannot obtain the private key and cannot decrypt the session certificate, and the security of single sign-on is improved.
And step S133, performing secondary decryption on the primary decryption result according to the random seed to obtain the counter value and the first current time.
According to the method and the device, after the session certificate is decrypted for the first time with the private key, the result of the first decryption is decrypted a second time with the random seed to obtain the counter value and the first current time. Because the random seed is an iteratively changing random number generated during the generation of the asymmetric key, the random seed is updated whenever the public key is updated due to expiry, so an attacker is prevented from forging the client to perform deceptive authentication after illegally cracking the public key or the random seed, and the security of the secondary authentication is improved.
And step S134, analyzing whether the public key is expired according to the second current time and the first current time.
In this application, a validity period may be set for the public key, for example the public key expires 30 minutes after the second current time. When analysing whether the public key has expired, the verification certificate cached by the server is decrypted with the private key to obtain the second current time it contains, and the time difference between the first current time and the second current time is then computed: for example, the public key has expired if the first current time is more than 30 minutes later than the second current time. According to the method and the device, a validity period is set for the public key, and once the old public key expires a new public key is generated, so an attacker is prevented from forging the client to perform deceptive authentication after cracking the public key, and the security of single sign-on is improved.
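The session certificate round trip of steps S111 to S113 and S132 to S134, as an added example in Go that is not part of the patent or of any implementation of it. It assumes a 16-byte random seed used directly as an AES-128-GCM key, RSA-2048 with OAEP for the public-key layer, and the 30-minute validity period named above; the login credential of steps S091 to S094 uses the same public-key layer and is not repeated here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Assumptions not fixed by the patent text: the random seed is 16 bytes and is
// used directly as an AES-128-GCM key; the public-key layer is RSA-2048 with
// OAEP/SHA-256; the public key is valid for 30 minutes (the text's example).
const (
	seedLen           = 16
	publicKeyValidity = 30 * time.Minute
)

// newKeyPair generates the server's asymmetric key pair (RSA assumed).
func newKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// newGCM turns the random seed into an authenticated AES cipher.
func newGCM(seed []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(seed)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// MakeSessionCredential performs steps S111 to S113 on the client: AES under
// the random seed first, then RSA under the public key obtained from the server.
func MakeSessionCredential(pub *rsa.PublicKey, seed []byte, counter uint64, firstTime time.Time) ([]byte, error) {
	gcm, err := newGCM(seed)
	if err != nil {
		return nil, err
	}
	// Plaintext: counter value (8 bytes) || first current time, Unix seconds (8 bytes).
	plain := make([]byte, 16)
	binary.BigEndian.PutUint64(plain[:8], counter)
	binary.BigEndian.PutUint64(plain[8:], uint64(firstTime.Unix()))
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	inner := gcm.Seal(nonce, nonce, plain, nil) // nonce || ciphertext || tag
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, inner, nil)
}

// OpenSessionCredential performs steps S132 to S134 on the server: private-key
// decryption, seed decryption, then the public-key expiry check (step S134).
func OpenSessionCredential(priv *rsa.PrivateKey, seed []byte, secondTime time.Time, cred []byte) (uint64, time.Time, error) {
	inner, err := rsa.DecryptOAEP(sha256.New(), nil, priv, cred, nil)
	if err != nil {
		return 0, time.Time{}, fmt.Errorf("primary decryption failed: %w", err)
	}
	gcm, err := newGCM(seed)
	if err != nil {
		return 0, time.Time{}, err
	}
	ns := gcm.NonceSize()
	if len(inner) < ns {
		return 0, time.Time{}, errors.New("primary decryption result too short")
	}
	// A wrong or rotated seed fails here: the GCM tag does not verify.
	plain, err := gcm.Open(nil, inner[:ns], inner[ns:], nil)
	if err != nil {
		return 0, time.Time{}, fmt.Errorf("secondary decryption failed: %w", err)
	}
	if len(plain) != 16 {
		return 0, time.Time{}, errors.New("session certificate payload has wrong length")
	}
	counter := binary.BigEndian.Uint64(plain[:8])
	firstTime := time.Unix(int64(binary.BigEndian.Uint64(plain[8:])), 0).UTC()
	// Expired if the first current time is more than the validity period after the second current time.
	if firstTime.Sub(secondTime) > publicKeyValidity {
		return 0, time.Time{}, errors.New("public key expired")
	}
	return counter, firstTime, nil
}

func main() {
	priv, err := newKeyPair()
	if err != nil {
		panic(err)
	}
	seed := make([]byte, seedLen) // recorded by both sides at login (step S094)
	rand.Read(seed)
	secondTime := time.Date(2018, 1, 11, 10, 0, 0, 0, time.UTC) // constructed login time
	cred, err := MakeSessionCredential(&priv.PublicKey, seed, 7, secondTime.Add(5*time.Minute))
	if err != nil {
		panic(err)
	}
	counter, _, err := OpenSessionCredential(priv, seed, secondTime, cred)
	fmt.Println("counter:", counter, "err:", err)
}
```

A truncated credential fails at the primary decryption and a different seed fails at the secondary decryption, so a bogus counter value never reaches the check of step S135.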
And step S135, if the public key is not expired, performing authentication verification according to the counter value.
In the application, the server maintains the upper limit value of the counter value, and the counter value queue of the server contains all counter values that have already been used, so the authentication check consists of checking whether the counter value exceeds the upper limit value and whether the same value already exists in the counter value queue. Since the counter value changes with the number of service requests, even if an attacker obtains the counter value of the client at the moment the client requests a service, the counter value captured by the attacker is an expired, invalid value, so the attacker cannot forge the identity of the client to perform secondary authentication with the captured counter value; using the counter value of the application in the secondary authentication therefore improves the security of single sign-on.
Fig. 7 is a flowchart of step S135 of a single sign-on secondary authentication method provided in an embodiment of the present application, and as shown in fig. 7, in an alternative implementation, step S135 includes the following steps:
step S1351, analyzing whether the counter value is greater than any value in the counter value queue and is less than or equal to the upper limit value.
In the application, the server sets the upper limit value of the counter value, which is equivalent to the allowable range of the counter value: a counter value greater than the upper limit value is necessarily an illegal counter value, probably one forged by an attacker. Further, if the counter value is greater than every value in the counter value queue, the counter value is an unused counter value.
And step S1352, if yes, the secondary authentication is passed, and the counter value is added into the counter value queue.
In the present application, if the analysis result is yes, that is, the counter value does not exceed the upper limit value and is greater than every value in the counter value queue, the counter value is legal and has not been verified before, so the secondary authentication passes. The server adds the counter value to the counter value queue so that, if the same counter value appears in a subsequent secondary authentication, the server can determine that it has already been verified.
Step S1353, if not, and the counter value is greater than the upper limit value, the secondary authentication fails.
If the counter value is greater than the upper limit value, it is an illegal value, and therefore the secondary authentication fails.
Step S1354, if not, and the counter value is less than or equal to the maximum value in the counter value queue, then analyzing whether the same value exists in the counter value queue.
In this application, if the counter value is less than or equal to the maximum value in the counter value queue, the counter value may already have been verified, or it may simply have been generated earlier, so it is further analysed whether the same value exists in the counter value queue.
Step S1355, if there is no identical value, the secondary authentication is passed, and the counter value is added to the counter value queue.
If the same value does not exist, the counter value has not been verified before, and the secondary authentication passes. The server adds the counter value to the counter value queue so that, if the same counter value appears in a subsequent secondary authentication, the server can determine that it has already been verified.
In step S1356, if the same value exists, the secondary authentication fails.
If the same value exists, the counter value has already been verified, and therefore the secondary authentication fails.
According to the method and the device, the verification is performed according to the counter value in the session certificate, the upper limit value of the counter value maintained by the server and the counter value queue, which completes the secondary authentication of the client. Because the counter value increases with the number of service requests, the same counter value can be used for only one verification, so an attacker is prevented from forging a session certificate for secondary authentication after illegally obtaining the counter value, and the security of single sign-on is improved.
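The counter value check of steps S1351 to S1356 written out as an added example in Go (not code from the patent); the per-client upper limit and used-value queue are assumed to be the server-side state the text describes, and the type and field names are this example's own.

```go
package main

import "fmt"

// CounterState is the per-client state the server keeps for secondary
// authentication: the upper limit of the counter value and the queue of
// counter values already used (type and field names are this example's own).
type CounterState struct {
	UpperLimit uint64
	Queue      []uint64
}

func (s *CounterState) maxUsed() uint64 {
	var m uint64
	for _, v := range s.Queue {
		if v > m {
			m = v
		}
	}
	return m
}

func (s *CounterState) seen(c uint64) bool {
	for _, v := range s.Queue {
		if v == c {
			return true
		}
	}
	return false
}

// Check implements steps S1351 to S1356 for one session certificate. It
// returns true when the secondary authentication passes and, only in that
// case, records the counter value in the queue so it can never pass again.
func (s *CounterState) Check(c uint64) bool {
	// S1351/S1352: a fresh value above every used value and within the limit.
	if c > s.maxUsed() && c <= s.UpperLimit {
		s.Queue = append(s.Queue, c)
		return true
	}
	// S1353: beyond the upper limit, necessarily illegal.
	if c > s.UpperLimit {
		return false
	}
	// S1354 to S1356: at or below the largest used value, so either a replay
	// or a request that arrived out of order; accept only if never seen.
	if s.seen(c) {
		return false
	}
	s.Queue = append(s.Queue, c)
	return true
}

func main() {
	s := &CounterState{UpperLimit: 1000} // constructed server-side limit
	for _, c := range []uint64{1, 2, 2, 3, 1001, 5, 4, 4} {
		fmt.Printf("counter %4d -> pass=%v queue=%v\n", c, s.Check(c), s.Queue)
	}
}
```

Because unused values below the current maximum are still accepted, the whole queue, not only its maximum, has to be retained for as long as the counter values remain valid.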
In an alternative embodiment, before step S050, generating random numbers of the client and the server is further included. Fig. 8 is a flowchart of generating random numbers by a secondary authentication method of single sign-on according to an embodiment of the present application, and as shown in fig. 8, the step of generating random numbers of a client and a server includes:
step S010, the client generates a first random number and stores the first random number into a cache of the server.
In the application, the first random number generated by the client can be a nonce, a random number that is used only once in encrypted communication, so each generated nonce serves for a single verification; this prevents an attacker who illegally obtains the first random number from using it to forge the identity of the client for deceptive verification, and improves the security of single sign-on authentication. The client sends the first random number to a third-party authentication platform, the third-party authentication platform checks the token of the client, and after the token passes the check, the third-party authentication platform sends a verification-passed receipt to the client and stores the first random number in the server cache.
Step S020, the client sends a second service request for obtaining a second random number to the server.
In the application, after receiving the verification passing receipt, the client sends a second service request for obtaining a second random number to the server so as to verify the client.
Step S030, the server generates and caches the second random number according to the second service request, and sends the second random number to the client.
In the application, the second random number generated by the server can be a nonce, which prevents an attacker who illegally obtains the second random number from using it to forge the identity of the server for deceptive verification, and improves the security of single sign-on authentication. After generating the second random number, the server records it in the server cache and sends it to the client.
In the application, after the client and the server generate the first random number and the second random number, the client not only stores the first random number generated by the client, but also acquires the second random number from the server; and the server side not only generates and caches the second random number, but also acquires and caches the first random number from the client side. The first random number and the second random number can be used for authentication between the client and the server so as to improve the security of single sign-on.
Fig. 9 is a flowchart of step S060 of a single sign-on secondary authentication method provided in an embodiment of the present application, in an alternative implementation, a first service request includes a first random number and a second random number stored by a client, as shown in fig. 9, step S060 may include the following steps:
step S061, the first random number and the second random number cached by the server are obtained.
Step S062, an MD5 check is performed on the first random number and the second random number in the first service request against the first random number and the second random number cached by the server, and if the MD5 check passes, the client is valid.
If the MD5 values of the first random number and the second random number in the first service request are the same as the MD5 values of the first random number and the second random number cached by the server, the MD5 check passes and the client is valid.
The method and the device verify the validity of the client by performing an MD5 check on the first random number and the second random number in the first service request against the first random number and the second random number cached by the server. Because the second random number in the first service request was obtained by the client from the server, and the first random number cached by the server was obtained from the client, if the client is valid, the MD5 values of the first random number and the second random number in the first service request and the MD5 values of the first random number and the second random number cached by the server should be the same; if not, the client is an invalid client forged by an attacker. According to the method and the system, the client is verified before the server generates the asymmetric key, so an attacker is prevented from sending a deceptive request to the server and obtaining a public key by deception, and the security of single sign-on is improved.
In steps S010 to S070, the client and the server obtain the random numbers from each other, and the server performs MD5 verification and matching on the first random number and the second random number obtained from the first service request and the first random number and the second random number cached by the server, thereby actually completing the authentication of both the client and the server.
Fig. 10 is a flowchart of a method for re-generating an asymmetric key by using a single sign-on secondary authentication according to an embodiment of the present application, as shown in fig. 10, in an alternative embodiment, the re-generating an asymmetric key occurs after the asymmetric key expires, and includes the following steps:
step S201, the client sends the first service request for obtaining the public key to the server again.
When the asymmetric key is expired, the client abandons the expired public key, and sends the first service request for obtaining the public key to the server again to wait for receiving a new public key.
Step S202, the server side checks the validity of the client side according to the first service request.
According to the method and the system, before the server generates the asymmetric key again, the validity of the client is checked according to the first service request, so an attacker is prevented from sending a deceptive request to the server and obtaining a public key by deception, and the security of single sign-on is improved.
Step S203, when the client is valid, the asymmetric key is updated.
When the client is valid, the server updates a new set of asymmetric keys.
Step S204, the server caches the updated private key and sends the updated public key to the client.
And the server replaces the expired private key of the original cache with the newly generated private key and simultaneously sends the updated new public key to the client for the client to encrypt data.
In the application, the client sends the first service request to the server again, so that the server updates the asymmetric key, updates the cached private key and sends the updated public key to the client. Dynamic updating and maintenance of the client public key and the server private key are thereby realised: even if an attacker cracks an asymmetric key, the cracked key is already an expired key and cannot be used for an attack, and the security of single sign-on is improved.
According to the technical scheme, the client and the server maintain a set of dynamic counter values together; after the single sign-on authentication is completed, the client encrypts the counter value maintained by the client to generate a session certificate; the client sends a service request carrying a session certificate to a server; the server decrypts the counter value from the session certificate, performs matching verification with the counter value maintained by the server, and forwards the service request to the service terminal if the matching verification is passed. According to the technical scheme provided by the application, even if the process of single sign-on authentication is cracked by an attacker, the attacker cannot forge the client to carry out service request, and can log in only after accurate counter values are acquired to complete secondary authentication; moreover, because the counter value in the application is dynamically changed, even if an attacker cracks the session credential, the attacker cannot perform secondary authentication on other clients through the cracked session credential, because the session credential is also changed along with the change of the counter value; therefore, compared with the prior art, the technical scheme provided by the embodiment of the application can improve the security of single sign-on, better protect user data and benefits, and improve the overall security and stability of the service system.
An embodiment of the present application further provides a secondary authentication system for single sign-on, where fig. 11 is a working schematic diagram of the secondary authentication system for single sign-on provided in the embodiment of the present application, and as shown in fig. 11, the system includes:
a client 300 and a server 400, the client 300 and the server 400 being in communication connection;
wherein,
the client 300 is configured to:
after the single sign-on authentication is completed, encrypting the counter value and the first current time to generate a session certificate;
sending a service request carrying the session credential to the server 400;
generating the counter value, wherein the initial value of the counter value is smaller than the upper limit value and is increased according to the increase of the service request times;
the server 400 is configured to:
decrypting the session certificate to obtain the counter value and the first current time, and performing secondary authentication on the client 300;
if the second authentication is passed, the service request is forwarded to the service end 500;
maintaining the counter value upper limit value;
and generating a counter value queue according to the counter value of each service request.
According to the technical scheme, after the single sign-on authentication is completed, the client encrypts the counter value and the first current time to generate a session certificate; the client sends a service request carrying the session certificate to a server; the server side decrypts the session certificate to obtain the counter value and the first current time, and performs secondary authentication on the client side; and if the secondary authentication is passed, forwarding the service request to a service end. According to the technical scheme provided by the application, even if the process of single sign-on authentication is cracked by an attacker, the attacker cannot forge the client to carry out service request, and can log in only after accurate counter values are acquired to complete secondary authentication; moreover, the counter value in the application changes along with the increase of the number of service requests, even if an attacker cracks the session certificate, the attacker cannot perform secondary authentication on other clients through the cracked session certificate, and the session certificate also changes along with the change of the counter value; therefore, compared with the prior art, the technical scheme provided by the embodiment of the application can improve the security of single sign-on, better protect user data and benefits, and improve the overall security and stability of the service system.
In an alternative embodiment,
the client 300 is further configured to:
in the single sign-on authentication process, a first service request for obtaining a public key is sent to the server 400;
the server 400 is further configured to:
verifying the validity of the client 300 according to the first service request;
when the client 300 is valid, generating an asymmetric key, wherein the asymmetric key comprises a public key and a private key;
caching the private key and sending the public key to the client 300;
wherein, the server 400 maintains the validity period of the asymmetric key; the asymmetric key expires after a validity period.
The asymmetric key generated by the server of the application comprises a public key and a private key, the public key being different from the private key. The public key and the private key in the application can be generated with the RSA encryption algorithm, an asymmetric cryptographic algorithm that produces a public key used for encryption and a private key used for decryption; the public key may be made public, while the private key must be kept secret. In the present application, the client obtains the public key for encrypting data, and the server caches and keeps secret the private key for decrypting the encrypted data, so the security of single sign-on is improved.
In an alternative embodiment,
the client 300 is further configured to:
generating a random seed, encrypting the random seed and the second current time of the client 300 according to the public key, and generating a verification certificate;
sending a login request carrying the authentication credential to the server 400;
the server 400 is further configured to:
decrypting and verifying the verification certificate according to the cached private key;
and if the decryption passes the verification, recording the random seed and the second current time, and returning login authentication completion information to the client 300.
In the client login process, the client generates a random seed, encrypts the random seed and the second current time of the client according to the public key to generate a verification certificate, then sends a login request carrying the verification certificate to the server, the server decrypts the verification certificate through the private key to verify the login request, and if the decryption verification is passed, the server records the random seed and the second current time and returns login authentication completion information to the client. Because the private key used for decrypting the verification certificate is secret, an attacker can be prevented from forging the server to cheat the login of the client, and the security of single sign-on is improved.
In an alternative embodiment, the client 300 is further configured to:
acquiring the counter value and the first current time;
encrypting the counter value and the first current time once according to the random seed;
and performing secondary encryption on the primary encryption result according to the public key acquired from the server 400 to generate the session certificate.
In the method, the random seed is used as the key; it is an iteratively changing random number generated during the generation of the asymmetric key, so the random seed is updated whenever the public key expires and is updated, and an attacker is therefore prevented from forging the client to perform deceptive authentication after illegally cracking the public key or the random seed, which improves the security of the secondary authentication. According to the method and the device, after the random seed is used to encrypt the counter value for the first time, the public key obtained from the server is used to encrypt the result of the first encryption a second time. Once the counter value has been encrypted twice, even if an attacker hijacks the transmitted data or captures packets to obtain the public key during transmission, the attacker can decrypt the transmitted data only once and still cannot obtain the counter value, so the client cannot be forged to deceive the server, and the security of single sign-on is improved.
In an alternative embodiment, the server 400 is further configured to:
obtaining the session certificate from the service request;
decrypting the session certificate once according to the private key cached by the server 400;
carrying out secondary decryption on the primary decryption result according to the random seed to obtain the counter value and the first current time;
analyzing whether a public key is expired according to the second current time and the first current time;
and if the public key is not expired, performing authentication verification according to the counter value.
According to the method and the device, a validity period is set for the public key, and once the old public key expires a new public key is generated, so an attacker is prevented from forging the client to perform deceptive authentication after cracking the public key, and the security of single sign-on is improved. In addition, the verification is performed according to the counter value: because the counter value changes with the number of service requests, even if an attacker obtains the counter value of the client at the moment the client requests a service, the captured counter value is an expired, invalid value, so the attacker cannot forge the identity of the client to perform secondary authentication with it, and using the counter value in the secondary authentication improves the security of single sign-on.
In an alternative embodiment, the server 400 is further configured to:
analyzing whether the counter value is larger than any value in the counter value queue and is smaller than or equal to the upper limit value;
if so, passing the secondary authentication, and adding the counter value into the counter value queue;
if not, and the counter value is larger than the upper limit value, the secondary authentication fails;
if not, and the counter value is less than or equal to the maximum value in the counter value queue, analyzing whether the counter value has the same value in the counter value queue;
if the same value does not exist, the secondary authentication is passed, and the counter value is added into the counter value queue;
if the same value exists, the secondary authentication fails.
According to the method and the device, the verification authentication is carried out according to the counter value in the session certificate, the upper limit value of the counter value maintained by the server and the counter value queue, the process of secondary authentication of the client is completed, and because the counter value is increased along with the increase of the service request times, the same counter value can only be used for the process of primary verification, so that an attacker can be prevented from forging the session certificate to carry out secondary authentication after illegally obtaining the counter value, and the security of single sign-on is improved.
In an alternative embodiment of the method according to the invention,
the client 300 is further configured to:
generating a first random number, and storing the first random number in the cache of the server 400;
sending a second service request for acquiring a second random number to the server 400;
the server 400 is further configured to:
generating and caching the second random number according to the second service request, and sending the second random number to the client 300.
In the application, after the client and the server generate the first random number and the second random number, the client not only stores the first random number generated by the client, but also acquires the second random number from the server; and the server side not only generates and caches the second random number, but also acquires and caches the first random number from the client side. The first random number and the second random number can be used for authentication between the client and the server so as to improve the security of single sign-on.
In an alternative embodiment, the server 400 is further configured to:
acquiring the first random number and the second random number cached by the server 400;
comparing the MD5 value of the first random number and the second random number carried in the first service request with the MD5 value of the first random number and the second random number cached by the server 400; if the MD5 check passes, the client 300 is valid.
The method and system verify the validity of the client by performing an MD5 check on the first random number and the second random number in the first service request against the first random number and the second random number cached by the server. Because the second random number in the first service request was obtained by the client from the server, and the first random number cached by the server was obtained from the client, a valid client will produce an MD5 value for the first and second random numbers in the first service request equal to the MD5 value of the first and second random numbers cached by the server; if the two differ, the client is an invalid client forged by an attacker. In the present application the client is verified before the server generates the asymmetric key, so an attacker is prevented from sending a deceptive request to the server and obtaining a public key by deception, and the security of single sign-on is improved.
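The random number exchange and the MD5 validity check of the first service request, as an added Python example that is not the patent's code. Client identifiers, the concatenation order of the two random numbers and the sample values are assumptions; the check is shown failing for a wrong first random number, for swapped values and for a client that never completed the exchange.

```python
import hashlib
import hmac
import secrets
from typing import Dict


def nonce_digest(first_rand: str, second_rand: str) -> str:
    """MD5 over the two random numbers; concatenating first||second is an assumption."""
    return hashlib.md5((first_rand + second_rand).encode()).hexdigest()


class NonceExchangeServer:
    """Server-side cache of the first (client-generated) and second (server-generated) random numbers."""

    def __init__(self) -> None:
        self._first: Dict[str, str] = {}   # client id -> first random number stored by the client
        self._second: Dict[str, str] = {}  # client id -> second random number issued by the server

    def store_first_random(self, client_id: str, first_rand: str) -> None:
        """The client generates the first random number and stores it in the server cache."""
        self._first[client_id] = first_rand

    def handle_second_service_request(self, client_id: str) -> str:
        """Second service request: generate, cache and return the second random number."""
        second_rand = secrets.token_hex(16)
        self._second[client_id] = second_rand
        return second_rand

    def verify_first_service_request(self, client_id: str, first_rand: str, second_rand: str) -> bool:
        """Validity check that precedes asymmetric key generation: the digest of the pair
        carried in the first service request must equal the digest of the cached pair."""
        if client_id not in self._first or client_id not in self._second:
            return False  # no completed exchange for this client
        expected = nonce_digest(self._first[client_id], self._second[client_id])
        presented = nonce_digest(first_rand, second_rand)
        # Constant-time comparison; the check is only as strong as the random numbers
        # are unguessable, MD5 here is just the fingerprint the page specifies.
        return hmac.compare_digest(expected, presented)


def demo_nonce_check() -> Dict[str, bool]:
    """Constructed run: one legitimate client and three requests that must fail."""
    server = NonceExchangeServer()
    first_rand = "c0ffee"  # constructed client-side value
    server.store_first_random("client-A", first_rand)
    second_rand = server.handle_second_service_request("client-A")
    return {
        "legitimate": server.verify_first_service_request("client-A", first_rand, second_rand),
        "wrong_first_random": server.verify_first_service_request("client-A", "deadbeef", second_rand),
        "swapped_order": server.verify_first_service_request("client-A", second_rand, first_rand),
        "no_exchange": server.verify_first_service_request("client-B", first_rand, second_rand),
    }


if __name__ == "__main__":
    print(demo_nonce_check())
```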
In an alternative embodiment of the method according to the invention,
the client 300 is further configured to:
when the asymmetric key expires, resending the first service request for obtaining the public key to the server 400;
the server 400 is further configured to:
verifying the validity of the client 300 according to the first service request;
updating the asymmetric key when the client 300 is valid;
the updated private key is cached and the updated public key is sent to the client 300.
In the present application, the client sends the first service request to the server again, so that the server updates the asymmetric key, updates the cached private key, and sends the updated public key to the client. Thus the client's public key and the server's private key are dynamically updated and maintained; even if an attacker cracks the asymmetric key, the cracked key is by then an expired key and cannot be used for an attack, and the security of single sign-on is improved.
In the technical scheme of the present application, after single sign-on authentication is completed, the client encrypts the counter value and the first current time to generate a session certificate; the client sends a service request carrying the session certificate to the server; the server decrypts the session certificate to obtain the counter value and the first current time and performs secondary authentication on the client; and if the secondary authentication is passed, the service request is forwarded to a service end. With this scheme, even if the single sign-on authentication process is cracked by an attacker, the attacker cannot impersonate the client to make service requests, because logging in also requires obtaining an accurate counter value and completing secondary authentication. Moreover, because the counter value changes as the number of service requests increases, and the session certificate changes with the counter value, an attacker who cracks one session certificate cannot use it to pass secondary authentication for other clients. Compared with the prior art, the technical scheme provided by the embodiments of the present application therefore improves the security of single sign-on, better protects user data and interests, and improves the overall security and stability of the service system.
The application is operational with numerous general purpose or special purpose computing system environments or configurations. For example: personal computers, server computers, hand-held or portable devices, tablet devices, multiprocessor systems, microprocessor-based systems, set top boxes, programmable consumer electronics, network PCs, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, and the like.
The application may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The application may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
It is noted that, in this document, relational terms such as "first" and "second," and the like, may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
Other embodiments of the present application will be apparent to those skilled in the art from consideration of the specification and practice of the application disclosed herein. This application is intended to cover any variations, uses, or adaptations of the invention following, in general, the principles of the application and including such departures from the present disclosure as come within known or customary practice within the art to which the invention pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the application being indicated by the following claims.
It will be understood that the present application is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the application is limited only by the appended claims.

Claims (10)

1. A secondary authentication method for single sign-on, the method comprising:
after the single sign-on authentication is completed, the client encrypts the counter value and the first current time to generate a session certificate;
the client sends a service request carrying the session certificate to a server;
the server side decrypts the session certificate to obtain the counter value and the first current time, and performs secondary authentication on the client side;
if the secondary authentication is passed, the service request is forwarded to a service end;
the server side maintains the upper limit value of the counter value; the client generates the counter value, the initial value of the counter value is smaller than the upper limit value, and the counter value is increased according to the increase of the service request times; and the server side generates a counter value queue according to the counter value of each service request.
2. The method of claim 1, further comprising:
the client sends a first service request for obtaining a public key to the server in the single sign-on authentication process;
the server side checks the validity of the client side according to the first service request;
when the client is valid, the server generates an asymmetric key, wherein the asymmetric key comprises a public key and a private key;
the server caches the private key and sends the public key to the client;
the server side maintains the validity period of the asymmetric key; the asymmetric key expires after a validity period.
3. The method of claim 2, wherein after the step of the server caching the private key and sending the public key to the client, the method further comprises:
the client generates a random seed, encrypts the random seed and the second current time of the client according to a public key, and generates a verification certificate;
the client sends a login request carrying the verification certificate to the server;
the server side decrypts and verifies the verification certificate according to the cached private key;
and if the decryption verification is passed, the server records the random seed and the second current time, and returns login authentication completion information to the client.
4. The method of claim 3, wherein, after the single sign-on authentication is completed, the client encrypting the counter value and the first current time to generate the session certificate comprises:
acquiring the counter value and the first current time;
encrypting the counter value and the first current time once according to the random seed;
and carrying out secondary encryption on the primary encryption result according to the public key acquired from the server side to generate the session certificate.
5. The method of claim 3, wherein the server decrypting the session certificate to obtain the counter value and the first current time and performing secondary authentication on the client comprises:
obtaining the session certificate from the service request;
decrypting the session certificate once according to the private key cached by the server;
carrying out secondary decryption on the primary decryption result according to the random seed to obtain the counter value and the first current time;
analyzing whether a public key is expired according to the second current time and the first current time;
and if the public key is not expired, performing authentication verification according to the counter value.
6. The method of claim 5, wherein performing an authentication check based on the counter value if the public key is not expired comprises:
analyzing whether the counter value is larger than every value in the counter value queue and is less than or equal to the upper limit value;
if so, the secondary authentication is passed, and the counter value is added into the counter value queue;
if not, and the counter value is larger than the upper limit value, the secondary authentication fails;
if not, and the counter value is less than or equal to the maximum value in the counter value queue, analyzing whether the counter value already exists in the counter value queue; if it does not, the secondary authentication is passed, and the counter value is added into the counter value queue; if it does, the secondary authentication fails.
7. The method according to claim 2, wherein before the client sends a first service request for obtaining a public key to the server during the single sign-on authentication, the method further comprises:
the client generates a first random number and stores the first random number into a server cache;
the client sends a second service request for acquiring a second random number to the server;
and the server side generates and caches the second random number according to the second service request, and sends the second random number to the client side.
8. The method according to claim 7, wherein the first service request includes the first random number and the second random number recorded by the client, and the server verifying the validity of the client according to the first service request includes:
acquiring the first random number and the second random number cached by the server;
performing MD5 verification on the first random number and the second random number in the first service request against the first random number and the second random number cached by the server, wherein if the MD5 verification is passed, the client is valid.
9. The method of claim 2, wherein the asymmetric key expires after a validity period, the method further comprising:
the client sends the first service request for obtaining the public key to the server again;
the server side checks the validity of the client side according to the first service request;
updating an asymmetric key when the client is valid;
and the server caches the updated private key and sends the updated public key to the client.
10. A single sign-on, secondary authentication system, the system comprising:
the system comprises a client and a server, wherein the client is in communication connection with the server;
wherein:
the client is configured to:
after the single sign-on authentication is completed, encrypting the counter value and the first current time to generate a session certificate;
sending a service request carrying the session certificate to the server;
generating the counter value, wherein the initial value of the counter value is smaller than the upper limit value of the counter value and is increased according to the increase of the service request times;
the server is configured to:
decrypting the session certificate to obtain the counter value and the first current time, and performing secondary authentication on the client;
if the secondary authentication is passed, the service request is forwarded to a service end;
maintaining the upper limit value;
and generating a counter value queue according to the counter value of each service request.
CN201810029296.8A 2018-01-12 2018-01-12 Secondary authentication method and system for single sign-on Active CN110035035B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810029296.8A CN110035035B (en) 2018-01-12 2018-01-12 Secondary authentication method and system for single sign-on

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810029296.8A CN110035035B (en) 2018-01-12 2018-01-12 Secondary authentication method and system for single sign-on

Publications (2)

Publication Number Publication Date
CN110035035A CN110035035A (en) 2019-07-19
CN110035035B true CN110035035B (en) 2021-09-17

Family

ID=67234385

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810029296.8A Active CN110035035B (en) 2018-01-12 2018-01-12 Secondary authentication method and system for single sign-on

Country Status (1)

Country Link
CN (1) CN110035035B (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: Room 810, 8 / F, 34 Haidian Street, Haidian District, Beijing 100089

Applicant after: BEIJING D-MEDIA COMMUNICATION TECHNOLOGY Co.,Ltd.

Address before: 100089 Beijing city Haidian District wanquanzhuang Road No. 28 Wanliu new building block A room 602

Applicant before: BEIJING D-MEDIA COMMUNICATION TECHNOLOGY Co.,Ltd.

GR01 Patent grant