CN110430043B - Authentication method, system and device and storage medium - Google Patents

Authentication method, system and device and storage medium

Info

Publication number
CN110430043B
Authority
CN
China
Prior art keywords
information
terminal
node server
key
authentication
Prior art date
Legal status
Active
Application number
CN201910606236.2A
Other languages
Chinese (zh)
Other versions
CN110430043A (en)
Inventor
董岩
杜小波
袁占涛
王艳辉
Current Assignee
Visionvera Information Technology Co Ltd
Original Assignee
Visionvera Information Technology Co Ltd
Priority date
Filing date
Publication date
Events
    • Application filed by Visionvera Information Technology Co Ltd
    • Priority to CN201910606236.2A
    • Publication of CN110430043A
    • Application granted
    • Publication of CN110430043B
    • Legal status: Active (current)
    • Anticipated expiration

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/0823: Network architectures or network communication protocols for network security, for authentication of entities using certificates
    • H04L 63/083: Network architectures or network communication protocols for network security, for authentication of entities using passwords
    • H04L 63/0853: Network architectures or network communication protocols for network security, for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • H04L 63/0876: Network architectures or network communication protocols for network security, for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L 9/0825: Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value and securely transfers it to the other(s), using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • H04L 9/0869: Generation of secret information including derivation or calculation of cryptographic keys or passwords, involving random numbers or seeds
    • H04L 9/3226: Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, using a predetermined code, e.g. password, passphrase or PIN
    • H04L 9/3234: Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Storage Device Security (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the invention provides an authentication method, an authentication system, a device and a computer-readable storage medium. The method comprises the following steps: the node server receives first authentication request information from a terminal, wherein the first authentication request information comprises a user name and identification information of a first U-Key; the node server looks up the identification information of a second U-Key corresponding to the user name; when the identification information of the first U-Key is the same as that of the second U-Key, the node server generates and sends first authentication response information to the terminal; the terminal generates and sends second authentication request information to the node server according to the first authentication response information, wherein the second authentication request information comprises encrypted password information; and the node server authenticates the second authentication request information and returns an authentication result to the terminal. The embodiment of the invention improves the security of the password information and reduces the probability that the user name and the password information are intercepted together.

Description

Authentication method, system and device and storage medium
Technical Field
The present invention relates to the field of video networking technologies, and in particular, to an authentication method, an authentication system, an authentication device, and a computer-readable storage medium.
Background
The video network is a dedicated network, built on Ethernet hardware with its own protocol, for transmitting high-definition video at high speed; it is a higher-level form of Ethernet and a real-time network. In a video conference based on the video network, when a video conference client logs in to the video conference server, the user name and password entered on the client are sent to the server, which verifies them. If the verification passes, the video conference server allows the client to log in.
At present, in a video conference based on the video network, the video conference client sends the user name and password to the video conference server in plaintext; both are easy to intercept, so the security of the video conference is low.
Disclosure of Invention
In view of the above, embodiments of the present invention are proposed in order to provide an authentication method, system, and an apparatus and a computer-readable storage medium that overcome or at least partially solve the above-mentioned problems.
In order to solve the above problem, an embodiment of the present invention discloses an authentication method, which is applied to a video network, where the video network includes a terminal and a node server, the terminal is provided with a first U-Key, and the terminal is in communication connection with the node server; the method comprises the following steps: the node server receives first authentication request information from the terminal, wherein the first authentication request information comprises a user name and identification information of the first U-Key; the node server looks up the identification information of a second U-Key corresponding to the user name according to the user name and a preset binding relationship between user names and U-Keys; the node server generates and sends first authentication response information to the terminal when the identification information of the first U-Key is the same as the identification information of the second U-Key; the terminal generates second authentication request information according to the first authentication response information and sends it to the node server, wherein the second authentication request information comprises encrypted password information; and the node server authenticates the second authentication request information and returns an authentication result to the terminal.
Optionally, the first authentication request information further includes: first random data, encrypted certificate data and identification information of the terminal; the step of the node server generating the first authentication response information includes: the node server generates second random data and a symmetric key; the node server extracts a public key from the encrypted certificate data and encrypts the symmetric key by using the public key; the node server signs the first random data, the second random data, the encrypted symmetric key, the identification information of the node server and the identification information of the terminal by using a preset first signature certificate to obtain first signature information; the node server determines the first random data, the second random data, the encrypted symmetric key, the identification information of the terminal, the identification information of the node server, the first signature information, and the first signature certificate as the first authentication response information.
Optionally, the terminal is configured to verify the first random data in the first authentication response information and the identification information of the terminal according to the first signature certificate, decrypt an encrypted symmetric key by using a preset private key when the verification passes to obtain the symmetric key, encrypt the password information by using the symmetric key, sign the first random data, the second random data, and the identification information of the node server by using a preset second signature certificate to obtain second signature information, and determine the first random data, the second random data, the encrypted password information, the identification information of the terminal, the identification information of the node server, the second signature information, and the second signature certificate as the second authentication request information.
Optionally, after the step of the node server receiving the first authentication request information from the terminal, the method further includes: the node server looks up the password information corresponding to the user name according to the user name and a preset binding relationship between user names and passwords.
Optionally, the step of authenticating, by the node server, the second authentication request information includes: the node server verifies the signature over the identification information of the node server and the second random data in the second authentication request information by using the second signature certificate; and, when the signature verification passes, the node server decrypts the encrypted password information by using the symmetric key to obtain the password information and compares it with the password information looked up for the user name.
The embodiment of the invention also discloses an authentication system, which is applied to a video network, wherein the video network comprises a terminal and a node server, the terminal is provided with a first U-Key, and the terminal is in communication connection with the node server; the node server includes: a receiving module, configured to receive first authentication request information from the terminal, where the first authentication request information includes a user name and identification information of the first U-Key; the query module is used for querying and obtaining identification information of a second U-Key corresponding to the user name according to the user name and a binding relationship between a preset user name and the U-Key; the response module is used for generating and sending first authentication response information to the terminal when the identification information of the first U-Key is the same as the identification information of the second U-Key; the terminal is used for generating second authentication request information according to the first authentication response information and sending the second authentication request information to the node server, wherein the second authentication request information comprises encrypted password information; and the authentication module is used for authenticating the second authentication request information and returning an authentication result to the terminal.
Optionally, the first authentication request information further includes first random data, encrypted certificate data, and identification information of the terminal; the response module comprises: the generating module is used for generating second random data and a symmetric key; the encryption module is used for extracting a public key from the encrypted certificate data and encrypting the symmetric key by using the public key; the signature module is used for signing the first random data, the second random data, the encrypted symmetric key, the identification information of the node server and the identification information of the terminal by using a preset first signature certificate to obtain first signature information; a determining module, configured to determine the first random data, the second random data, the encrypted symmetric key, the identification information of the terminal, the identification information of the node server, the first signature information, and the first signature certificate as the first authentication response information.
Optionally, the terminal is configured to verify the first random data in the first authentication response information and the identification information of the terminal according to the first signature certificate, decrypt the encrypted symmetric key by using a preset private key when the verification passes to obtain the symmetric key, encrypt the password information by using the symmetric key, sign the first random data, the second random data and the identification information of the node server by using a preset second signature certificate to obtain second signature information, and determine the first random data, the second random data, the encrypted password information, the identification information of the terminal, the identification information of the node server, the second signature information and the second signature certificate as the second authentication request information; the query module is further configured to, after the receiving module receives the first authentication request information from the terminal, look up the password information corresponding to the user name according to a preset binding relationship between user names and passwords; the authentication module includes: a signature verification module, configured to verify the identification information of the node server and the second random data in the second authentication request information by using the second signature certificate; and a comparison module, configured to decrypt the encrypted password information by using the symmetric key when the signature verification passes to obtain the password information, and to compare it with the password information looked up for the user name.
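The two-round exchange described above (first request carrying the user name and U-Key identification, a signed response carrying the public-key-wrapped symmetric key, then a second request carrying the encrypted password), written out as an added example in Go; this is not code from the patent or from Visionvera. Assumed stand-ins: an Ed25519 key for each side's signature certificate, the terminal's RSA key (RSA-OAEP) for the certificate whose public key wraps the symmetric key, AES-GCM for the password encryption, and a constructed user-name/U-Key/password table; certificate chain validation and the U-Key hardware itself are outside the example.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)
// Constructed node-server bindings: user name -> bound U-Key id, and user name -> password.
var ukeyBinding = map[string]string{"alice": "UKEY-0001"}
var passwordDB = map[string][]byte{"alice": []byte("correct horse battery")}
// Party is a terminal or node server. Assumed stand-ins: its Ed25519 key is the side's "signature
// certificate"; the terminal's RSA key is the certificate whose public key wraps the symmetric key.
type Party struct{ ID string; SigKey ed25519.PrivateKey; EncKey *rsa.PrivateKey }
func NewParty(id string) (*Party, error) {
	_, sk, err := ed25519.GenerateKey(rand.Reader)
	rk, err2 := rsa.GenerateKey(rand.Reader, 2048)
	if err == nil { err = err2 }
	return &Party{ID: id, SigKey: sk, EncKey: rk}, err
}
// The three messages, carrying the fields the patent lists, and the node server's per-login state.
type AuthRequest1 struct{ User, UKeyID, TermID string; R1 []byte; TermCert *rsa.PublicKey }
type AuthResponse1 struct{ TermID, ServerID string; R1, R2, EncKey, Sig []byte; ServerCert ed25519.PublicKey }
type AuthRequest2 struct{ TermID, ServerID string; R1, R2, EncPwd, Sig []byte; TermCert ed25519.PublicKey }
type ServerSession struct{ User string; R2, SymKey []byte }
// frame length-prefixes every signed field so that field boundaries cannot be shifted.
func frame(parts ...[]byte) (b []byte) {
	for _, p := range parts { b = append(binary.BigEndian.AppendUint32(b, uint32(len(p))), p...) }
	return b
}
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil { panic(err) }
	return b
}
// aesGCM wraps a 32-byte key (callers check the length, so neither call fails); ciphertext = nonce || sealed data.
func aesGCM(key []byte) cipher.AEAD { block, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(block); return g }
// Round 1, terminal: only the user name and U-Key id go out; the password is held back.
func TerminalPhase1(t *Party, user, ukeyID string) AuthRequest1 {
	return AuthRequest1{User: user, UKeyID: ukeyID, TermID: t.ID, R1: randBytes(16), TermCert: &t.EncKey.PublicKey}
}
// Round 1, node server: no key material is issued unless the U-Key id matches the one bound to the user name.
func ServerPhase1(s *Party, req AuthRequest1) (AuthResponse1, *ServerSession, error) {
	if bound, ok := ukeyBinding[req.User]; !ok || bound != req.UKeyID {
		return AuthResponse1{}, nil, errors.New("U-Key id does not match the one bound to the user name")
	}
	sess := &ServerSession{User: req.User, R2: randBytes(16), SymKey: randBytes(32)}
	encKey, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, req.TermCert, sess.SymKey, nil)
	if err != nil { return AuthResponse1{}, nil, err }
	sig := ed25519.Sign(s.SigKey, frame(req.R1, sess.R2, encKey, []byte(s.ID), []byte(req.TermID)))
	return AuthResponse1{TermID: req.TermID, ServerID: s.ID, R1: req.R1, R2: sess.R2, EncKey: encKey,
		Sig: sig, ServerCert: s.SigKey.Public().(ed25519.PublicKey)}, sess, nil
}
// Round 2, terminal: check signature, R1 and own id, unwrap the key, then send the password encrypted under it.
func TerminalPhase2(t *Party, r1 []byte, resp AuthResponse1, password []byte) (AuthRequest2, error) {
	signed := frame(resp.R1, resp.R2, resp.EncKey, []byte(resp.ServerID), []byte(resp.TermID))
	if len(resp.ServerCert) != ed25519.PublicKeySize || !ed25519.Verify(resp.ServerCert, signed, resp.Sig) ||
		subtle.ConstantTimeCompare(resp.R1, r1) != 1 || resp.TermID != t.ID {
		return AuthRequest2{}, errors.New("response failed signature, nonce or terminal-id check")
	}
	symKey, err := rsa.DecryptOAEP(sha256.New(), nil, t.EncKey, resp.EncKey, nil)
	if err != nil || len(symKey) != 32 { return AuthRequest2{}, errors.New("cannot unwrap symmetric key") }
	nonce := randBytes(12)
	encPwd := append(nonce, aesGCM(symKey).Seal(nil, nonce, password, nil)...)
	sig := ed25519.Sign(t.SigKey, frame(r1, resp.R2, []byte(resp.ServerID)))
	return AuthRequest2{TermID: t.ID, ServerID: resp.ServerID, R1: r1, R2: resp.R2, EncPwd: encPwd,
		Sig: sig, TermCert: t.SigKey.Public().(ed25519.PublicKey)}, nil
}
// Round 2, node server: check signature, R2 and own id, then decrypt the password and compare it.
func ServerPhase2(s *Party, sess *ServerSession, req AuthRequest2) (bool, error) {
	signed := frame(req.R1, req.R2, []byte(req.ServerID))
	if len(req.TermCert) != ed25519.PublicKeySize || !ed25519.Verify(req.TermCert, signed, req.Sig) ||
		req.ServerID != s.ID || subtle.ConstantTimeCompare(req.R2, sess.R2) != 1 || len(req.EncPwd) < 12 {
		return false, errors.New("second request failed signature, nonce or server-id check")
	}
	pwd, err := aesGCM(sess.SymKey).Open(nil, req.EncPwd[:12], req.EncPwd[12:], nil)
	if err != nil { return false, err }
	return subtle.ConstantTimeCompare(pwd, passwordDB[sess.User]) == 1, nil
}
// RunLogin drives the whole exchange between an already-keyed terminal and node server.
func RunLogin(term, srv *Party, user, ukeyID string, password []byte) (bool, error) {
	req1 := TerminalPhase1(term, user, ukeyID)
	resp1, sess, err := ServerPhase1(srv, req1)
	if err != nil { return false, err }
	req2, err := TerminalPhase2(term, req1.R1, resp1, password)
	if err != nil { return false, err }
	return ServerPhase2(srv, sess, req2)
}
func main() {
	term, _ := NewParty("terminal-01")
	srv, _ := NewParty("node-server-01")
	ok, err := RunLogin(term, srv, "alice", "UKEY-0001", []byte("correct horse battery"))
	fmt.Println("login accepted:", ok, "error:", err)
}
```

A mismatched U-Key id makes round 1 fail before any password leaves the terminal, which is the ordering the patent relies on; a wrong password fails only in round 2, after the signed, nonce-bound exchange has completed.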
The embodiment of the invention also discloses a device, which comprises:
one or more processors; and
one or more machine-readable media having instructions stored thereon, which when executed by the one or more processors, cause the apparatus to perform one or more authentication methods as described in embodiments of the invention.
The embodiment of the invention also discloses a computer readable storage medium, which stores a computer program for enabling a processor to execute the authentication method according to the embodiment of the invention.
The embodiment of the invention has the following advantages:
The authentication scheme provided by the embodiment of the invention is applied to the video network, and the video network can comprise a terminal and a node server. The terminal can serve as a video conference client and is provided with a first U-Key; the node server can serve as a video conference server; and the terminal and the node server are communicatively connected.
In the embodiment of the invention, the terminal sends first authentication request information to the node server, wherein the first authentication request information may include a user name and identification information of the first U-Key. The node server looks up, in the preset binding relationship between user names and U-Keys, the identification information of a second U-Key corresponding to the user name in the first authentication request information, compares the identification information of the first U-Key with that of the second U-Key, and, if they are the same, generates and sends first authentication response information to the terminal. The terminal generates second authentication request information comprising the password information according to the first authentication response information and sends it to the node server. The node server authenticates the second authentication request information and returns an authentication result to the terminal.
In the embodiment of the invention, on the one hand, when the terminal sends authentication request information to the node server, the password information is sent in encrypted form, so the security of the password information is improved. On the other hand, the terminal transmits the user name in the first authentication request information and the password information in the second authentication request information; because the user name and the password information are sent separately, the probability that both are intercepted together is reduced. Further, after the terminal sends the first authentication request information, the node server judges whether the identification information of the U-Key in that request is the same as the identification information of the U-Key bound to the user name, and returns first authentication response information to the terminal if it is the same. That is, it is under the condition that the identification information of the U-Key in the first authentication request information matches the U-Key bound to the user name that the terminal sends the second authentication request information containing the password information, according to the first authentication response information. Because the node server verifies the identification information of the U-Key before the password is sent, the security of the password information is further improved.
Drawings
FIG. 1 is a schematic networking diagram of a video network of the present invention;
FIG. 2 is a schematic diagram of a hardware architecture of a node server according to the present invention;
FIG. 3 is a schematic diagram of a hardware structure of an access switch of the present invention;
FIG. 4 is a schematic diagram of a hardware structure of an Ethernet protocol conversion gateway according to the present invention;
FIG. 5 is a flow chart of the steps of an authentication method of an embodiment of the present invention;
FIG. 6 is an interaction diagram of a user login authentication method for a video conference based on a video network according to an embodiment of the present invention;
FIG. 7 is a schematic structural diagram of a node server in an authentication system according to an embodiment of the present invention.
Detailed Description
In order to make the aforementioned objects, features and advantages of the present invention more comprehensible, the present invention is described in detail with reference to the accompanying drawings and the detailed description thereof.
The video network is an important milestone in network development: it is a real-time network that transmits high-definition video in real time and pushes many Internet applications toward high-definition, face-to-face video.
The video network adopts real-time high-definition video switching technology and can integrate dozens of required services, such as high-definition video conferencing, video monitoring, intelligent monitoring analysis, emergency command, digital broadcast television, delayed television, network teaching, live broadcast, video on demand (VOD), television mail, personal video recorder (PVR), intranet (self-office) channels, intelligent video broadcast control and information distribution, into one system platform, delivering high-definition video through a television or a computer.
To better understand the embodiments of the present invention, the video network is described below.
Some of the techniques applied by the video network are as follows:
Network Technology
Network innovation in the video network improves traditional Ethernet to handle the potentially large volume of video traffic on the network. Unlike pure network packet switching or network circuit switching, the video network uses packet switching to meet streaming requirements. The video network technology has the flexibility, simplicity and low cost of packet switching together with the quality and security guarantees of circuit switching, thereby realizing seamless connection of switched virtual circuits and data formats across the whole network.
Switching Technology
The video network retains the two advantages of Ethernet, asynchrony and packet switching, eliminates Ethernet's defects on the premise of full compatibility, and offers end-to-end seamless connection across the whole network, direct connection to user terminals and direct carriage of IP data packets. User data requires no format conversion anywhere in the network. The video network is a higher-level form of Ethernet and a real-time switching platform; it can realize large-scale, network-wide real-time transmission of high-definition video that the current Internet cannot, and pushes many network video applications toward high definition and unification.
Server Technology
The server technology of the video network and the unified video platform differs from traditional servers: its streaming media transmission is connection-oriented, its data processing capacity is independent of traffic and communication time, and a single network layer can carry both signaling and data transmission. For voice and video services, streaming media processing on the video network and unified video platform is much simpler than data processing, and its efficiency is more than a hundred times that of a traditional server.
Storage Technology
The ultra-high-speed storage technology of the unified video platform adopts an advanced real-time operating system in order to handle media content of very large capacity and very high traffic. Program information in the server instruction is mapped to specific hard disk space, and media content no longer passes through the server but is sent directly and immediately to the user terminal, so the typical user waiting time is less than 0.2 second. Optimized sector distribution greatly reduces the mechanical seek movement of the hard disk head; resource consumption is only 20% of that of an IP Internet of the same grade, yet the concurrent throughput is three times that of a traditional hard disk array, and overall efficiency is improved more than tenfold.
Network Security Technology
The structural design of the video network eliminates at the architectural level the network security problems that trouble the Internet, through independent admission control for each service and complete isolation of equipment and user data; it generally needs no antivirus programs or firewalls, blocks attacks by hackers and viruses, and provides users with a structurally worry-free secure network.
Service Innovation Technology
The unified video platform integrates services and transmission: whether a single user, a private-network user or an aggregate of networks, each connects automatically just once. User terminals, set-top boxes or PCs connect directly to the unified video platform to obtain multimedia video services in various forms. The unified video platform uses menu-style configuration tables instead of traditional complex application programming, so complex applications can be realized with very little code, enabling unlimited new service innovation.
Networking of the video network is as follows:
The video network is a centrally controlled network structure; it may be a tree, star, ring or other topology, but on this basis a centralized control node is required in the network to control the entire network.
As shown in fig. 1, the video network is divided into an access network and a metropolitan network.
The devices of the access network part can be mainly classified into 3 types: node server, access switch, terminal (including various set-top boxes, coding boards, memories, etc.). The node server is connected to an access switch, which may be connected to a plurality of terminals and may be connected to an ethernet network.
The node server is a node which plays a centralized control function in the access network and can control the access switch and the terminal. The node server can be directly connected with the access switch or directly connected with the terminal.
Similarly, devices of the metropolitan network portion may also be classified into 3 types: metropolitan area server, node switch, node server. The metro server is connected to a node switch, which may be connected to a plurality of node servers.
The node server here is the same node server as in the access network part; that is, the node server belongs both to the access network part and to the metropolitan area network part.
The metropolitan area server is a node which plays a centralized control function in the metropolitan area network and can control a node switch and a node server. The metropolitan area server can be directly connected with the node switch or directly connected with the node server.
Therefore, the whole video network is a network structure controlled by a hierarchical centralized way, and the network controlled by the node server and the metropolitan area server can be in various structures such as a tree, a star, a ring and the like.
The access network part can form a unified video platform (the part in the dotted circle), and a plurality of unified video platforms can form a video network; each unified video platform may interconnect and interwork via metropolitan and wide area video networks.
1. Video networking device classification
1.1 Devices in the video network of the embodiment of the present invention can be mainly classified into 3 types: server, switch (including the Ethernet protocol conversion gateway), terminal (including various set-top boxes, coding boards, memories, etc.). The video network as a whole can be divided into a metropolitan area network (or national network, global network, etc.) and an access network.
1.2 The devices of the access network part can be mainly classified into 3 types: node server, access switch (including the Ethernet protocol conversion gateway), terminal (including various set-top boxes, coding boards, memories, etc.).
The specific hardware structure of each access network device is as follows:
a node server:
As shown in fig. 2, the node server mainly includes a network interface module 201, a switching engine module 202, a CPU module 203, and a disk array module 204;
the packets coming from the network interface module 201, the CPU module 203, and the disk array module 204 all enter the switching engine module 202; the switching engine module 202 performs an operation of looking up the address table 205 on the incoming packet, thereby obtaining the direction information of the packet; and stores the packet in a queue of the corresponding packet buffer 206 according to the packet's steering information; if the queue of the packet buffer 206 is nearly full, it is discarded; the switching engine module 202 polls all packet buffer queues and forwards if the following conditions are met: 1) The port send buffer is not full; 2) The queue packet counter is greater than zero. The disk array module 204 mainly implements control over the hard disk, including initialization, read-write, and other operations on the hard disk; the CPU module 203 is mainly responsible for protocol processing with an access switch and a terminal (not shown in the figure), configuring an address table 205 (including a downlink protocol packet address table, an uplink protocol packet address table, and a data packet address table), and configuring the disk array module 204.
The access switch:
As shown in fig. 3, the access switch mainly includes a network interface module (a downlink network interface module 301 and an uplink network interface module 302), a switching engine module 303 and a CPU module 304;
The packet (uplink data) coming from the downlink network interface module 301 enters the packet detection module 305; the packet detection module 305 detects whether the Destination Address (DA), the Source Address (SA), the packet type and the packet length of the packet meet the requirements, and if so, allocates a corresponding stream identifier (stream-id) and passes the packet to the switching engine module 303, otherwise discards the packet; the packet (downstream data) coming from the upstream network interface module 302 enters the switching engine module 303; the data packet coming from the CPU module 304 enters the switching engine module 303; the switching engine module 303 looks up the address table 306 for the incoming packet, thereby obtaining the direction information of the packet; if the packet entering the switching engine module 303 goes from the downstream network interface to the upstream network interface, the packet is stored in the queue of the corresponding packet buffer 307 in association with the stream-id; if that queue of the packet buffer 307 is close to full, the packet is discarded; if the packet entering the switching engine module 303 does not go from the downlink network interface to the uplink network interface, the packet is stored in the queue of the corresponding packet buffer 307 according to the packet's direction information; if that queue of the packet buffer 307 is close to full, the packet is discarded.
The switching engine module 303 polls all packet buffer queues, which may include two cases:
if the queue is from the downlink network interface to the uplink network interface, the following conditions are met for forwarding: 1) The port send buffer is not full; 2) The queued packet counter is greater than zero; 3) Obtaining a token generated by a code rate control module;
if the queue is not from the downlink network interface to the uplink network interface, the following conditions are met for forwarding: 1) The port send buffer is not full; 2) The queued packet counter is greater than zero.
The rate control module 308 is configured by the CPU module 304, and generates tokens for the packet buffer queues from all the downstream network interfaces to the upstream network interfaces at programmable intervals to control the rate of upstream forwarding.
The CPU module 304 is mainly responsible for protocol processing with the node server, configuration of the address table 306, and configuration of the code rate control module 308.
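The forwarding rules of the access switch just described, as an added example that is not part of the patent: a small deterministic Ruby model in which polling cycles stand in for time, so the effect of the token condition on uplink queues can be observed directly. Queue capacities, the token interval and the token cap are constructed values.

```ruby
# Constructed model of the access switch forwarding loop. Each PacketQueue holds
# packets bound for one output port; the engine polls every queue and forwards one
# packet when the port's send buffer is not full and the queue is non-empty. Queues
# carrying downlink-to-uplink traffic must also obtain a token from the rate control
# module, which is what bounds the upstream forwarding rate.
class RateControl
  # One token every `interval` polling cycles (the text's programmable interval);
  # capping unused tokens at `max_tokens` is this example's assumption.
  def initialize(interval, max_tokens)
    @interval, @max_tokens, @tokens, @cycles = interval, max_tokens, 0, 0
  end

  def cycle
    @cycles += 1
    @tokens = [@tokens + 1, @max_tokens].min if (@cycles % @interval).zero?
  end

  def take_token
    return false if @tokens.zero?
    @tokens -= 1
    true
  end
end

class PacketQueue
  attr_reader :packets, :dropped, :uplink

  def initialize(capacity, uplink)
    @capacity, @uplink, @packets, @dropped = capacity, uplink, [], 0
  end

  # "If the queue is close to full, it is discarded": here the high-water mark is the capacity.
  def enqueue(pkt)
    return @dropped += 1 if @packets.size >= @capacity
    @packets << pkt
  end
end

class SwitchingEngine
  attr_reader :forwarded

  def initialize(queues, rate_control, send_buffer_size)
    @queues, @rate, @size, @send_buffer, @forwarded = queues, rate_control, send_buffer_size, [], []
  end

  # One polling round over all queues; the port then transmits its send buffer.
  def poll
    @rate.cycle
    @queues.each do |q|
      next if @send_buffer.size >= @size || q.packets.empty? # conditions 1) and 2)
      next if q.uplink && !@rate.take_token                  # condition 3), uplink queues only
      @send_buffer << q.packets.shift
    end
    @forwarded.concat(@send_buffer)
    @send_buffer.clear
  end
end
```

With one token every two cycles, an uplink queue drains at half the rate of a downlink queue on the same port, which is the rate shaping the CPU module configures through the rate control module.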
Ethernet protocol conversion gateway
As shown in fig. 4, the apparatus mainly includes a network interface module (a downlink network interface module 401 and an uplink network interface module 402), a switching engine module 403, a CPU module 404, a packet detection module 405, a rate control module 408, an address table 406, a packet buffer 407, a MAC adding module 409, and a MAC deleting module 410.
The data packet coming from the downlink network interface module 401 enters the packet detection module 405; the packet detection module 405 detects whether the Ethernet MAC DA, the Ethernet MAC SA, the Ethernet length or frame type, the video network destination address DA, the video network source address SA, the video network packet type and the packet length of the packet meet the requirements, and if so, allocates a corresponding stream identifier (stream-id); the MAC deletion module 410 then strips the MAC DA, the MAC SA and the length or frame type (2 bytes), and the packet enters the corresponding receive buffer; otherwise, the packet is discarded;
the downlink network interface module 401 detects the sending buffer of the port, and if there is a packet, obtains the ethernet MAC DA of the corresponding terminal according to the destination address DA of the packet, adds the ethernet MAC DA of the terminal, the MAC SA of the ethernet protocol gateway, and the ethernet length or frame type, and sends the packet.
The other modules in the ethernet protocol gateway function similarly to the access switch.
A terminal:
the system mainly comprises a network interface module, a service processing module and a CPU module; for example, the set-top box mainly comprises a network interface module, a video and audio coding and decoding engine module and a CPU module; the coding board mainly comprises a network interface module, a video and audio coding engine module and a CPU module; the memory mainly comprises a network interface module, a CPU module and a disk array module.
1.3 Devices of the metropolitan area network part can be mainly classified into 2 types: node server, node switch, metropolitan area server. The node switch mainly comprises a network interface module, a switching engine module and a CPU module; the metropolitan area server mainly comprises a network interface module, a switching engine module and a CPU module.
2. Video networking packet definition
2.1 Access network packet definition
The data packet of the access network mainly comprises the following parts: destination Address (DA), source Address (SA), reserved byte, payload (PDU), CRC.
As shown in the following table, the data packet of the access network mainly includes the following parts:
| DA      | SA      | Reserved | Payload  | CRC     |
| 8 bytes | 8 bytes | 2 bytes  | variable | 4 bytes |
wherein:
the Destination Address (DA) is composed of 8 bytes (byte), the first byte represents the type of the data packet (such as various protocol packets, multicast data packets, unicast data packets, etc.), there are 256 possibilities at most, the second byte to the sixth byte are metropolitan area network addresses, and the seventh byte and the eighth byte are access network addresses;
the Source Address (SA) is also composed of 8 bytes (byte), defined as the same as the Destination Address (DA);
the reserved byte consists of 2 bytes;
the payload part has different lengths according to the types of different datagrams, 64 bytes if various protocol packets, 32+1024=1056 bytes if single-multicast data packets, and certainly not limited to the above 2 types;
the CRC consists of 4 bytes and is calculated in accordance with the standard ethernet CRC algorithm.
2.2 packet definition for metropolitan area networks
The topology of a metropolitan area network is a graph and there may be 2, or even more than 2, connections between two devices, i.e., there may be more than 2 connections between a node switch and a node server, a node switch and a node switch, and a node switch and a node server. However, the metro network address of the metro network device is unique, and in order to accurately describe the connection relationship between the metro network devices, parameters are introduced in the embodiment of the present invention: a label to uniquely describe a metropolitan area network device.
In this specification, the definition of the Label is similar to that of the Label of MPLS (Multi-Protocol Label Switch), and assuming that there are two connections between the device a and the device B, there are 2 labels for the packet from the device a to the device B, and 2 labels for the packet from the device B to the device a. The label is divided into an in label and an out label, and assuming that the label (in label) of the data packet entering the device a is 0x0000, the label (out label) of the data packet leaving the device a may become 0x0001. The network access process of the metro network is a network access process under centralized control, that is, address allocation and label allocation of the metro network are both dominated by the metro server, and the node switch and the node server are both passively executed, which is different from label allocation of MPLS, and label allocation of MPLS is a result of mutual negotiation between the switch and the server.
As shown in the following table, the data packet of the metro network mainly includes the following parts:
| DA      | SA      | Reserved | Label   | Payload  | CRC     |
| 8 bytes | 8 bytes | 2 bytes  | 4 bytes | variable | 4 bytes |
That is, Destination Address (DA), Source Address (SA), reserved bytes (Reserved), label, payload (PDU) and CRC. The format of the label may be defined as follows: the label is 32 bits, of which the upper 16 bits are reserved and only the lower 16 bits are used, and it is positioned between the reserved bytes and the payload of the packet.
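The access-network packet of section 2.1 and the metro-network packet of section 2.2 share every field except the label, so a single parser can handle both layouts. The following Ruby is an added example and not part of the patent: it builds and parses frames in both layouts and verifies the trailing CRC with the standard Ethernet CRC-32 the text names. Network byte order for the CRC and label fields, and the rejection of set reserved label bits, are this example's assumptions; the sample addresses are constructed.

```ruby
require 'zlib'

ADDR_LEN, RESERVED_LEN, LABEL_LEN, CRC_LEN = 8, 2, 4, 4

# An 8-byte DA or SA: packet type, 5-byte metro address, 2-byte access address.
def parse_address(bytes)
  type, metro, access = bytes.unpack('Ca5a2')
  { type: type, metro: metro, access: access }
end

# Parses one frame. With metro: true the metro-network layout is used, which
# carries a 32-bit label between the reserved bytes and the payload (upper 16
# bits reserved, lower 16 used). The trailing CRC is checked before any other
# field is trusted; Zlib.crc32 is the standard Ethernet CRC-32 the text names.
# Network byte order for the CRC and the label is this example's assumption.
def parse_packet(frame, metro: false)
  frame = frame.b
  header_len = 2 * ADDR_LEN + RESERVED_LEN + (metro ? LABEL_LEN : 0)
  return { error: :too_short } if frame.bytesize < header_len + CRC_LEN
  body = frame[0...-CRC_LEN]
  carried = frame[-CRC_LEN..-1].unpack1('N')
  computed = Zlib.crc32(body)
  return { error: :bad_crc, carried: carried, computed: computed } unless carried == computed
  pkt = { da: parse_address(body[0, ADDR_LEN]), sa: parse_address(body[ADDR_LEN, ADDR_LEN]) }
  offset = 2 * ADDR_LEN
  pkt[:reserved] = body[offset, RESERVED_LEN]
  offset += RESERVED_LEN
  if metro
    label = body[offset, LABEL_LEN].unpack1('N')
    # The text only says the upper 16 bits are reserved; rejecting set bits is a strict choice.
    return { error: :reserved_label_bits, label: label } unless (label >> 16).zero?
    pkt[:label] = label
    offset += LABEL_LEN
  end
  pkt[:payload] = body[offset..-1]
  pkt
end

# Inverse of parse_packet, used to construct sample frames (pass label: for metro frames).
def build_packet(da:, sa:, payload:, reserved: "\x00\x00", label: nil)
  body = [da[:type], da[:metro], da[:access], sa[:type], sa[:metro], sa[:access]].pack('Ca5a2Ca5a2')
  body << reserved.b
  body << [label].pack('N') unless label.nil?
  body << payload.b
  body << [Zlib.crc32(body)].pack('N')
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a metro frame carrying the out label 0x0001 from the text.
  da = { type: 0x01, metro: "\x01\x02\x03\x04\x05", access: "\x00\x07" }
  sa = { type: 0x01, metro: "\x01\x02\x03\x04\x05", access: "\x00\x09" }
  p parse_packet(build_packet(da: da, sa: sa, payload: "\x00".b * 64, label: 0x0001), metro: true)
end
```

A frame parsed with the wrong layout still passes the CRC check, since the CRC covers the whole body; the receiver must know from its position in the network (access or metro side) which layout applies.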
Referring to fig. 5, a flowchart illustrating steps of an authentication method according to an embodiment of the present invention is shown, where the method may be applied to a video network, and the video network may include a terminal and a node server, where the terminal is provided with a first U-Key, and the terminal may be in communication connection with the node server. The authentication method may specifically include the steps of:
in step 501, a node server receives first authentication request information from a terminal.
In the embodiment of the invention, the terminal can be pre-installed with the video conference client application program, namely the terminal can be used as a video conference client. The terminal may generate first authentication request information and transmit the first authentication request information to the node server through the video network. The node server can be pre-installed with a video conference server side application program, namely the node server can be used as a video conference server side.
In order to improve the security of the video conference, a first U-Key can be arranged on the terminal. It can be understood that only a terminal provided with the first U-Key can log in to the node server. The identification information of the first U-Key may be the identity information used to uniquely determine the first U-Key. A U-Key, or USB Key, is a hardware storage device with a USB interface. The USB Key has a certain storage space and can store a user's private key and digital certificate, and the identity of the user can be authenticated by means of the public key algorithm built into the USB Key.
In the embodiment of the present invention, the first authentication request information may include a user name input by the user on the terminal and identification information of the first U-Key. In addition, the first authentication request information may further include: the terminal randomly generates first random data, identification information of the terminal and encrypted certificate data. The encrypted certificate data may include a public key.
In step 502, the node server queries, according to the user name and a preset binding relationship between user names and U-Keys, to obtain the identification information of a second U-Key corresponding to the user name.
In the embodiment of the invention, the node server can be preset with the binding relationship between the user name and the U-Key, and the binding relationship can be embodied by the one-to-one correspondence relationship between the user name and the identification information of the U-Key. After receiving the first authentication request message, the node server may search, in the binding relationship between the user name and the U-Key, for identification information of a second U-Key that has a one-to-one correspondence relationship with the user name in the first authentication request message. Furthermore, the node server can compare the identification information of the second U-Key found with the identification information of the first U-Key in the first authentication request information, and if the identification information of the second U-Key is the same as the identification information of the first U-Key, it indicates that the second U-Key and the first U-Key are the same U-Key. It can be understood that the first U-Key set on the terminal is a U-Key having a one-to-one correspondence relationship with the user name on the terminal.
In a preferred embodiment of the present invention, after receiving the first authentication request information, the node server may query, in addition to the identification information of the second U-Key corresponding to the user name, the password information corresponding to the user name according to a preset binding relationship between user names and passwords. Besides the binding relationship between user names and U-Keys, the node server can also be provided with a binding relationship between user names and passwords. After receiving the first authentication request information, the node server may search, in the binding relationship between user names and passwords, for the password information having a one-to-one correspondence with the user name in the first authentication request information.
In step 503, the node server generates and sends first authentication response information to the terminal when the identification information of the first U-Key is the same as the identification information of the second U-Key.
In the embodiment of the invention, when the first U-Key set on the terminal is the U-Key corresponding to the user name one by one, the node server can generate the first authentication response information and send the first authentication response information to the terminal.
In practical application, when the node server generates the first authentication response information, the node server may generate second random data and a symmetric key, extract a public key from encrypted certificate data in the first authentication request information, encrypt the generated symmetric key by using the public key, sign the first random data, the second random data, the encrypted symmetric key, the identification information of the node server and the identification information of the terminal by using a private key in a preset first signature certificate to obtain first signature information, and determine the first random data, the second random data, the encrypted symmetric key, the identification information of the terminal, the identification information of the node server, the first signature information and the first signature certificate as the first authentication response information.
In the embodiment of the present invention, after receiving the first authentication response information, the terminal may perform a series of processing on the first authentication response information to generate second authentication request information, and further send the second authentication request information to the node server. When the terminal performs a series of processing on the first authentication response information, the public key of the first signature certificate in the first authentication response information may be used to verify that the first random data and the identification information of the terminal are not tampered, so as to prove that the first authentication response information originates from the node server. And under the condition that the signature verification passes, the terminal decrypts the encrypted symmetric key by using a preset private key to obtain the symmetric key. The preset private key may be a private key paired with the public key in the encrypted certificate data, and it is understood that only the preset private key may decrypt the encrypted symmetric key. After the terminal decrypts the symmetric key, the terminal may encrypt the password information of the user name by using the symmetric key to obtain the encrypted password information. The terminal signs the first random data, the second random data and the identification information of the node server by using a private key in a preset second signature certificate to obtain second signature information, and then the first random data, the second random data, the encrypted password information, the identification information of the terminal, the identification information of the node server, the second signature information and the second signature certificate are used as second authentication request information.
In step 504, the node server authenticates the second authentication request message and returns an authentication result to the terminal.
In this embodiment of the present invention, after receiving the second authentication request information, the node server may verify the signature over the identification information of the node server and the second random data in the second authentication request information by using the public key in the second signature certificate, so as to verify that the identification information of the node server and the second random data have not been tampered with and prove that the second authentication request information originates from the terminal. If the signature verification passes, the node server decrypts the encrypted password information by using the symmetric key to obtain the password information of the user name. The node server then compares the password information obtained by decryption with the password information obtained by the query: if the two match, the second authentication request information is authenticated, that is, the terminal is allowed to log in to the node server with the input user name and password information, and an authentication result indicating that authentication passed can be sent to the terminal; if they do not match, the node server fails to authenticate the second authentication request information, that is, the terminal is prohibited from logging in to the node server with the input user name and password information, and an authentication result indicating that authentication failed may be sent to the terminal.
Based on the above description of the authentication method, a user login authentication method for a video conference based on the video network is introduced below. As shown in fig. 6, an application program Pamir for controlling the video conference is installed on the video conference client. After the application program Pamir generates the random number RB, the ID of the U-Key on the client, the user name, the random number RB, the IDB of the client and the encrypted certificate data are sent to the server. After the server receives the ID of the U-Key, the user name, the random number RB, the IDB of the client and the encrypted certificate data, it looks up, by the user name, the ID of the U-Key bound to the user name and the password information. If the ID of the U-Key bound to the user name matches the ID of the U-Key on the client, the server generates a random number RA and a symmetric key S1. The server extracts the public key PKB from the encrypted certificate data and encrypts the symmetric key S1 with the public key PKB to obtain E(PKB + S1). The server signs the random number RA, the random number RB, the ciphertext E(PKB + S1), the IDB of the client and the IDA of the server with its signature certificate to obtain sign(RA + RB + E(PKB + S1) + IDA + IDB), and then sends the random number RA, the random number RB, the ciphertext E(PKB + S1), the IDB of the client, the IDA of the server, sign(RA + RB + E(PKB + S1) + IDA + IDB) and the server's signature certificate to the client.
The client verifies the signature over the random number RB and its own IDB using the server's signature certificate, decrypts E(PKB + S1) with its local private key to obtain the symmetric key S1, encrypts the login password with S1 to obtain E(S1 + login password), signs the random number RB, the random number RA and the IDA of the server with the client's signature certificate to obtain sign(RB + RA + IDA), and sends the random number RB, the random number RA, E(S1 + login password), the IDA of the server, sign(RB + RA + IDA) and the client's signature certificate to the server. After the signature over the random number RA and the IDA of the server is verified, the server checks whether the decrypted password information is consistent with the stored password information, and returns a verification result of passed or failed to the client.
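The two-round exchange of steps 501 to 504 and the Pamir flow just described, written out as an added example that is not the patent's code. The algorithms (RSA-PSS for the signatures, RSA-OAEP for E(PKB + S1), AES-256-GCM for E(S1 + login password)), the field encoding, the identifiers IDA-node-server, IDB-terminal and UKEY-0001, and the use of bare public keys in place of the certificates are this example's assumptions; the login function runs both rounds and returns the server's verdict.

```ruby
require 'openssl'
require 'securerandom'
# The patent names no algorithms: RSA-PSS/SHA-256 signatures, RSA-OAEP for E(PKB+S1),
# AES-256-GCM for E(S1+password) and the length-prefixed field encoding are this example's.
module Codec
  # Length-prefixing each field keeps sign(RA+RB+..) and sign(RB+RA+..) distinct.
  def self.pack(*fields)
    fields.map { |f| [f.bytesize].pack('N') + f.b }.join
  end
  def self.sign(key, *fields)
    key.sign_pss('SHA256', pack(*fields), salt_length: :max, mgf1_hash: 'SHA256')
  end
  def self.verify?(pub, sig, *fields)
    pub.verify_pss('SHA256', sig, pack(*fields), salt_length: :auto, mgf1_hash: 'SHA256')
  end
  def self.seal(s1, plaintext)
    c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    c.key = s1
    iv = c.random_iv
    ct = c.update(plaintext) + c.final
    iv + c.auth_tag + ct # 12-byte IV || 16-byte tag || ciphertext
  end
  def self.unseal(s1, blob)
    c = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    c.key = s1
    c.iv = blob[0, 12]
    c.auth_tag = blob[12, 16]
    c.update(blob[28..-1]) + c.final
  rescue OpenSSL::Cipher::CipherError, ArgumentError, TypeError
    nil # tag mismatch or malformed input: nothing about the password is disclosed
  end
end

class NodeServer
  attr_reader :sig_key

  def initialize(id, accounts)
    @id = id
    @sig_key = OpenSSL::PKey::RSA.new(2048) # key behind the first signature certificate
    @accounts = accounts                    # user name => { ukey_id:, password: }
    @sessions = {}                          # IDB => state kept between the two rounds
  end

  # Steps 502-503: only when the U-Key bound to the user name matches the one on the
  # terminal are RA, S1 and the signed response produced; otherwise nothing is returned.
  def handle_req1(req)
    acc = @accounts[req[:user]]
    return nil unless acc && acc[:ukey_id] == req[:ukey_id]
    ra, s1 = SecureRandom.random_bytes(16), SecureRandom.random_bytes(32)
    enc_s1 = req[:pkb].public_encrypt(s1, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
    @sessions[req[:idb]] = { ra: ra, s1: s1, password: acc[:password] }
    sig = Codec.sign(@sig_key, ra, req[:rb], enc_s1, @id, req[:idb])
    { ra: ra, rb: req[:rb], enc_s1: enc_s1, idb: req[:idb], ida: @id, sig: sig, sig_key: @sig_key.public_key }
  end

  # Step 504. RA must match the challenge issued to this IDB and the session is consumed, so a
  # replayed second request fails; req[:sig_key] comes in the message and must chain to a trusted CA.
  def handle_req2(req)
    sess = @sessions.delete(req[:idb])
    return false unless sess && sess[:ra] == req[:ra] && req[:ida] == @id
    return false unless Codec.verify?(req[:sig_key], req[:sig], req[:rb], req[:ra], req[:ida])
    pwd = Codec.unseal(sess[:s1], req[:enc_pwd])
    !pwd.nil? && OpenSSL.secure_compare(pwd, sess[:password])
  end
end

class Terminal
  def initialize(id, user, ukey_id, password)
    @id, @user, @ukey_id, @password = id, user, ukey_id, password
    @enc_key = OpenSSL::PKey::RSA.new(2048) # key pair behind the encrypted certificate data
    @sig_key = OpenSSL::PKey::RSA.new(2048) # key pair behind the second signature certificate
  end

  # Step 501: U-Key ID, user name, fresh RB, IDB and the encryption public key.
  def make_req1
    @rb = SecureRandom.random_bytes(16)
    { ukey_id: @ukey_id, user: @user, rb: @rb, idb: @id, pkb: @enc_key.public_key }
  end
  # Verify RB and IDB under the server's signature, recover S1 with the local private key, encrypt
  # the password under S1 and sign RB, RA, IDA. server_key is pinned, not read from resp[:sig_key].
  def make_req2(resp, server_key)
    return nil unless resp[:rb] == @rb && resp[:idb] == @id
    return nil unless Codec.verify?(server_key, resp[:sig], resp[:ra], resp[:rb], resp[:enc_s1], resp[:ida], resp[:idb])
    s1 = @enc_key.private_decrypt(resp[:enc_s1], OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
    { rb: resp[:rb], ra: resp[:ra], enc_pwd: Codec.seal(s1, @password), idb: @id, ida: resp[:ida],
      sig: Codec.sign(@sig_key, resp[:rb], resp[:ra], resp[:ida]), sig_key: @sig_key.public_key }
  end
end

# Runs both rounds end to end; returns true, false, :ukey_mismatch or :bad_response.
def login(server, terminal)
  resp = server.handle_req1(terminal.make_req1)
  return :ukey_mismatch unless resp
  req2 = terminal.make_req2(resp, server.sig_key.public_key)
  return :bad_response unless req2
  server.handle_req2(req2)
end
```

Two points differ from a literal reading of the text: the terminal pins the server's signing key instead of trusting the certificate carried in the response, and the server binds RA to the session and consumes it, so a recorded second request is rejected on replay.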
The authentication scheme provided by the embodiment of the invention is applied to the video network, which may include a terminal and a node server. The terminal can serve as a video conference client and is provided with a first U-Key; the node server can serve as a video conference server; and the terminal and the node server can be connected in communication.
In the embodiment of the invention, the terminal sends first authentication request information to the node server, where the first authentication request information may include a user name and identification information of the first U-Key. The node server searches, in a preset binding relationship between user names and U-Keys, for the identification information of a second U-Key corresponding to the user name in the first authentication request information, compares the identification information of the first U-Key with the identification information of the second U-Key, and, if the two are the same, generates and sends first authentication response information to the terminal. The terminal generates second authentication request information including the password information according to the first authentication response information and sends it to the node server. The node server authenticates the second authentication request information and returns an authentication result to the terminal.
In the embodiment of the invention, on one hand, when the terminal sends authentication request information to the node server, the password information is sent in encrypted form, so the security of the password information is improved. On the other hand, the terminal transmits the user name to the node server in the first authentication request information and the password information in the second authentication request information; because the user name and the password information are sent separately, the probability that both are intercepted at the same time is reduced. Further, after the terminal sends the first authentication request information, the node server judges whether the identification information of the U-Key in the first authentication request information is the same as the identification information of the U-Key bound to the user name, and only if they are the same does it return first authentication response information to the terminal. That is, only when the identification information of the U-Key in the first authentication request information matches the U-Key bound to the user name does the terminal send second authentication request information containing the password information to the node server according to the first authentication response information. The node server's verification of the U-Key identification information thus further improves the security of the password information.
It should be noted that, for simplicity of description, the method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present invention is not limited by the illustrated order of acts, as some steps may occur in other orders or concurrently in accordance with the embodiments of the present invention. Further, those of skill in the art will appreciate that the embodiments described in the specification are presently preferred and that no particular act is required to implement the embodiments of the invention.
Referring to fig. 7, an authentication system according to an embodiment of the present invention is shown, where the system is applied to a video network, where the video network includes a terminal and a node server, the terminal is provided with a first U-Key, and the terminal is in communication connection with the node server; the node server may include the following modules:
a receiving module 701, configured to receive first authentication request information from the terminal, where the first authentication request information includes a user name and identification information of the first U-Key; the query module 702 is configured to query, according to the user name and a preset binding relationship between the user name and a U-Key, to obtain identification information of a second U-Key corresponding to the user name; a response module 703, configured to generate and send first authentication response information to the terminal when the identification information of the first U-Key is the same as the identification information of the second U-Key; the terminal is used for generating second authentication request information according to the first authentication response information and sending the second authentication request information to the node server, wherein the second authentication request information comprises encrypted password information; and the authentication module 704 is configured to authenticate the second authentication request information and return an authentication result to the terminal.
Optionally, the first authentication request information further includes first random data, encrypted certificate data, and identification information of the terminal; the response module 703 includes: a generating module 7031, configured to generate the second random data and the symmetric key; an encryption module 7032, configured to extract a public key from the encrypted certificate data, and encrypt the symmetric key by using the public key; the signature module 7033 is configured to sign the first random data, the second random data, the encrypted symmetric key, the identification information of the node server, and the identification information of the terminal by using a preset first signature certificate, to obtain first signature information; a determining module 7034, configured to determine the first random data, the second random data, the encrypted symmetric key, the identification information of the terminal, the identification information of the node server, the first signature information, and the first signature certificate as the first authentication response information.
Optionally, the terminal is configured to verify the first random data in the first authentication response information and the identification information of the terminal according to the first signature certificate, decrypt an encrypted symmetric key by using a preset private key when the verification passes to obtain the symmetric key, encrypt the password information by using the symmetric key, sign the first random data, the second random data, and the identification information of the node server by using a preset second signature certificate to obtain second signature information, and determine the first random data, the second random data, the encrypted password information, the identification information of the terminal, the identification information of the node server, the second signature information, and the second signature certificate as the second authentication request information.
The query module 702 is further configured to, after the receiving module receives the first authentication request information from the terminal, query, according to the user name and a preset binding relationship between user names and passwords, to obtain the password information corresponding to the user name;
the authentication module 704 includes: an authentication module 7041, configured to verify, by using the second signature certificate, the signature over the identification information of the node server and the second random data in the second authentication request information; and a comparing module 7042, configured to decrypt the encrypted password information by using the symmetric key when the signature verification passes, to obtain the password information, and to compare the decrypted password information with the password information obtained by the query.
For the embodiment of the authentication system, since it is basically similar to the embodiment of the authentication method, the description is relatively simple, and for the relevant points, reference may be made to partial description of the embodiment of the authentication method.
An embodiment of the present invention further provides an apparatus, including:
one or more processors; and
one or more machine-readable media having instructions stored thereon, which when executed by the one or more processors, cause the apparatus to perform one or more authentication methods as described in embodiments of the invention.
Embodiments of the present invention further provide a computer-readable storage medium, which stores a computer program for enabling a processor to execute the authentication method according to the embodiments of the present invention.
The embodiments in the present specification are all described in a progressive manner, and each embodiment focuses on differences from other embodiments, and portions that are the same and similar between the embodiments may be referred to each other.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, apparatus, or computer program product. Accordingly, embodiments of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
Embodiments of the present invention are described with reference to flowchart illustrations and/or block diagrams of methods, terminal devices (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing terminal to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing terminal, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing terminal to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing terminal to cause a series of operational steps to be performed on the computer or other programmable terminal to produce a computer implemented process such that the instructions which execute on the computer or other programmable terminal provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications of these embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all such alterations and modifications as fall within the scope of the embodiments of the invention.
Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or terminal that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or terminal. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional like elements in a process, method, article, or terminal device that comprises the element.
The authentication method, system, device and computer readable storage medium provided by the present invention are described in detail above, and the principle and the implementation of the present invention are explained by applying specific embodiments herein, and the description of the above embodiments is only used to help understand the method and the core idea of the present invention; meanwhile, for a person skilled in the art, according to the idea of the present invention, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present invention.

Claims (8)

1. An authentication method, applied to a video network, wherein the video network comprises a terminal and a node server, the terminal is provided with a first U-Key, and the terminal is in communication connection with the node server; the method comprises the following steps:
the node server receives first authentication request information from the terminal, wherein the first authentication request information comprises a user name and identification information of the first U-Key;
the node server queries, according to the user name and a preset binding relationship between user names and U-Keys, to obtain identification information of a second U-Key corresponding to the user name;
the node server generates and sends first authentication response information to the terminal when the identification information of the first U-Key is the same as the identification information of the second U-Key; the terminal is used for generating second authentication request information according to the first authentication response information and sending the second authentication request information to the node server, wherein the second authentication request information comprises encrypted password information;
the node server authenticates the second authentication request information and returns an authentication result to the terminal;
the first authentication request information further includes: first random data, encrypted certificate data and identification information of the terminal;
the step of the node server generating the first authentication response information includes:
the node server generates second random data and a symmetric key;
the node server extracts a public key from the encrypted certificate data and encrypts the symmetric key by using the public key;
the node server signs the first random data, the second random data, the encrypted symmetric key, the identification information of the node server and the identification information of the terminal by using a preset first signature certificate to obtain first signature information;
the node server determines the first random data, the second random data, the encrypted symmetric key, the identification information of the terminal, the identification information of the node server, the first signature information, and the first signature certificate as the first authentication response information.
2. The authentication method according to claim 1, wherein the terminal is configured to verify, according to the first signature certificate, the signature over the first random data and the identification information of the terminal in the first authentication response information, decrypt the encrypted symmetric key with a preset private key to obtain the symmetric key if the signature verification passes, encrypt the password information with the symmetric key, sign the first random data, the second random data, and the identification information of the node server with a preset second signature certificate to obtain second signature information, and determine the first random data, the second random data, the encrypted password information, the identification information of the terminal, the identification information of the node server, the second signature information, and the second signature certificate as the second authentication request information.
3. The authentication method according to claim 2, wherein after the step of the node server receiving the first authentication request information from the terminal, the method further comprises:
the node server queries, according to the user name and a preset binding relationship between user names and passwords, to obtain password information corresponding to the user name.
4. The authentication method according to claim 3, wherein the step of authenticating the second authentication request information by the node server includes:
the node server verifies, by using the second signature certificate, the signature over the identification information of the node server and the second random data in the second authentication request information;
and the node server decrypts the encrypted password information by using the symmetric key when the signature verification passes, to obtain the password information, and compares the decrypted password information with the password information obtained by the query.
5. An authentication system, applied to a video network, wherein the video network comprises a terminal and a node server, the terminal is provided with a first U-Key, and the terminal is in communication connection with the node server; the node server includes:
a receiving module, configured to receive first authentication request information from the terminal, where the first authentication request information includes a user name and identification information of the first U-Key;
a query module, configured to query, according to the user name and a preset binding relationship between user names and U-Keys, to obtain identification information of a second U-Key corresponding to the user name;
the response module is used for generating and sending first authentication response information to the terminal when the identification information of the first U-Key is the same as the identification information of the second U-Key; the terminal is used for generating second authentication request information according to the first authentication response information and sending the second authentication request information to the node server, wherein the second authentication request information comprises encrypted password information;
the authentication module is used for authenticating the second authentication request information and returning an authentication result to the terminal;
the first authentication request information further includes first random data, encrypted certificate data, and identification information of the terminal;
the response module includes:
the generating module is used for generating second random data and a symmetric key;
the encryption module is used for extracting a public key from the encrypted certificate data and encrypting the symmetric key by using the public key;
the signature module is used for signing the first random data, the second random data, the encrypted symmetric key, the identification information of the node server and the identification information of the terminal by using a preset first signature certificate to obtain first signature information;
a determining module, configured to determine the first random data, the second random data, the encrypted symmetric key, the identification information of the terminal, the identification information of the node server, the first signature information, and the first signature certificate as the first authentication response information.
6. The authentication system according to claim 5, wherein the terminal is configured to verify, according to the first signature certificate, the signature over the first random data and the identification information of the terminal in the first authentication response information, decrypt the encrypted symmetric key with a preset private key to obtain the symmetric key if the verification passes, encrypt the password information with the symmetric key, sign the first random data, the second random data, and the identification information of the node server with a preset second signature certificate to obtain second signature information, and determine the first random data, the second random data, the encrypted password information, the identification information of the terminal, the identification information of the node server, the second signature information, and the second signature certificate as the second authentication request information;
the query module is further configured to, after the receiving module receives the first authentication request information from the terminal, query according to the user name and a preset binding relationship between user names and passwords, to obtain the password information corresponding to the user name;
the authentication module includes:
a signature verification module, configured to verify, by using the second signature certificate, the signature over the identification information of the node server and the second random data in the second authentication request information;
and a comparison module, configured to decrypt the encrypted password information by using the symmetric key when the signature verification passes, to obtain the password information, and to compare the decrypted password information with the password information obtained by the query.
7. An apparatus, comprising:
one or more processors; and
one or more machine-readable media having instructions stored thereon that, when executed by the one or more processors, cause the apparatus to perform an authentication method of one or more of claims 1-4.
8. A computer-readable storage medium, characterized in that it stores a computer program causing a processor to execute the authentication method according to any one of claims 1 to 4.
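The two-round exchange of claims 1 to 4, worked through as an added example. This is not code from the patent or from Visionvera's product; it is written here to show both sides of the protocol in runnable form. The claims name no algorithms, so the example assumes Ed25519 for the two signature certificates, RSA-OAEP for encrypting the symmetric key with the public key taken from the terminal's certificate data, and AES-256-GCM for the encrypted password information. Two further assumptions go beyond the claims: each side holds a pinned copy of the other side's signing key (the claims verify with the certificate carried in the same message, which proves nothing unless that certificate is chained to a trust anchor or pinned), and the node server discards a challenge once a second request has been checked against it. The user name, U-Key identification, terminal and node server identifiers and password are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// Messages of claims 1 and 2 (field names are this example's own): R1/R2 first and second random data, TermPub the
// public key from the terminal's certificate data, EncSymKey the symmetric key encrypted with it, *SigPub the public
// parts of the first and second signature certificates; session is what the node server keeps between the requests.
type AuthReq1 struct{ UserName, UKeyID, TerminalID string; R1 []byte; TermPub *rsa.PublicKey }
type AuthResp1 struct{ R1, R2, EncSymKey, Sig []byte; TerminalID, ServerID string; ServerSigPub ed25519.PublicKey }
type AuthReq2 struct{ R1, R2, EncPassword, Sig []byte; TerminalID, ServerID string; TermSigPub ed25519.PublicKey }
type session struct{ userName string; r1, r2, symKey []byte }

func eq(a, b []byte) bool         { return subtle.ConstantTimeCompare(a, b) == 1 }
func rnd(n int) []byte            { b := make([]byte, n); rand.Read(b); return b }
func aead(key []byte) cipher.AEAD { b, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(b); return g }

// tbs length-prefixes every field so the signed byte string cannot be re-split into different fields.
func tbs(parts ...[]byte) (out []byte) {
	for _, p := range parts {
		out = append(append(out, byte(len(p)>>8), byte(len(p))), p...)
	}
	return out
}

// NodeServer: the preset user name/U-Key and user name/password bindings of claims 1 and 3, plus one pinned signing
// key per terminal (TermSigPubOf), which is this example's assumption rather than anything the claims state.
type NodeServer struct{ ID string; SigKey ed25519.PrivateKey; UKeyOf, PasswordOf map[string]string; TermSigPubOf map[string]ed25519.PublicKey; sessions map[string]*session }

// HandleReq1 is the node server's side of claim 1: check the U-Key binding, then build and sign the response.
func (s *NodeServer) HandleReq1(req AuthReq1) (*AuthResp1, error) {
	if bound, ok := s.UKeyOf[req.UserName]; !ok || !eq([]byte(bound), []byte(req.UKeyID)) {
		return nil, errors.New("U-Key is not bound to this user name")
	}
	r2, symKey := rnd(16), rnd(32)
	encKey, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, req.TermPub, symKey, nil)
	if err != nil {
		return nil, err
	}
	sig := ed25519.Sign(s.SigKey, tbs(req.R1, r2, encKey, []byte(s.ID), []byte(req.TerminalID)))
	s.sessions[req.TerminalID] = &session{req.UserName, req.R1, r2, symKey}
	return &AuthResp1{req.R1, r2, encKey, sig, req.TerminalID, s.ID, s.SigKey.Public().(ed25519.PublicKey)}, nil
}

// HandleReq2 is claim 4: verify the terminal's signature, decrypt the password and compare it with the stored one.
func (s *NodeServer) HandleReq2(req AuthReq2) error {
	ss, ok := s.sessions[req.TerminalID]
	delete(s.sessions, req.TerminalID) // each challenge answers exactly one attempt, so a replay finds nothing
	if !ok || req.ServerID != s.ID || !eq(ss.r1, req.R1) || !eq(ss.r2, req.R2) || len(req.EncPassword) < 12 ||
		len(req.TermSigPub) != ed25519.PublicKeySize || !s.TermSigPubOf[req.TerminalID].Equal(req.TermSigPub) ||
		!ed25519.Verify(req.TermSigPub, tbs(req.R1, req.R2, []byte(req.ServerID)), req.Sig) {
		return errors.New("challenge or terminal signature check failed")
	}
	pw, err := aead(ss.symKey).Open(nil, req.EncPassword[:12], req.EncPassword[12:], nil)
	if err != nil || !eq(pw, []byte(s.PasswordOf[ss.userName])) {
		return errors.New("password mismatch")
	}
	return nil
}

// Terminal: the first U-Key's identity, the preset private key behind its certificate data, its own signing key
// and a pinned copy of the node server's first signature certificate (the same assumption as TermSigPubOf).
type Terminal struct{ ID, UserName, UKeyID, Password string; EncKey *rsa.PrivateKey; SigKey ed25519.PrivateKey; ServerSigPub ed25519.PublicKey; r1 []byte }

func (t *Terminal) BuildReq1() AuthReq1 { t.r1 = rnd(16); return AuthReq1{t.UserName, t.UKeyID, t.ID, t.r1, &t.EncKey.PublicKey} }

// HandleResp1 is claim 2: check the server's signature and the echoed R1, unwrap the symmetric key, then encrypt
// the password under it and sign the second request.
func (t *Terminal) HandleResp1(r *AuthResp1) (*AuthReq2, error) {
	signed := tbs(r.R1, r.R2, r.EncSymKey, []byte(r.ServerID), []byte(r.TerminalID))
	if !r.ServerSigPub.Equal(t.ServerSigPub) || !ed25519.Verify(t.ServerSigPub, signed, r.Sig) || !eq(r.R1, t.r1) || r.TerminalID != t.ID {
		return nil, errors.New("server signature, first random data or terminal id check failed")
	}
	symKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, t.EncKey, r.EncSymKey, nil)
	if err != nil {
		return nil, err
	}
	n := rnd(12) // AES-GCM nonce, sent in front of the encrypted password information
	encPw := append(n, aead(symKey).Seal(nil, n, []byte(t.Password), nil)...)
	sig := ed25519.Sign(t.SigKey, tbs(r.R1, r.R2, []byte(r.ServerID)))
	return &AuthReq2{r.R1, r.R2, encPw, sig, t.ID, r.ServerID, t.SigKey.Public().(ed25519.PublicKey)}, nil
}

// NewPair wires a terminal and a node server together with fresh keys and constructed sample bindings.
func NewPair() (*Terminal, *NodeServer) {
	encKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	sPub, sPriv, _ := ed25519.GenerateKey(rand.Reader)
	tPub, tPriv, _ := ed25519.GenerateKey(rand.Reader)
	return &Terminal{ID: "term-01", UserName: "alice", UKeyID: "UKEY-0001", Password: "correct horse", EncKey: encKey, SigKey: tPriv, ServerSigPub: sPub},
		&NodeServer{ID: "node-01", SigKey: sPriv, UKeyOf: map[string]string{"alice": "UKEY-0001"}, PasswordOf: map[string]string{"alice": "correct horse"},
			TermSigPubOf: map[string]ed25519.PublicKey{"term-01": tPub}, sessions: map[string]*session{}}
}

// Authenticate runs the whole exchange; a nil error is the "passed" result the node server returns to the terminal.
func Authenticate(t *Terminal, s *NodeServer) error {
	resp, err := s.HandleReq1(t.BuildReq1())
	if err != nil {
		return err
	}
	req2, err := t.HandleResp1(resp)
	if err != nil {
		return err
	}
	return s.HandleReq2(*req2)
}

func main() { t, s := NewPair(); println("authentication passed:", Authenticate(t, s) == nil) }
```

Two points of the design are worth noting when reading the claims against this code. The first random data is generated by the terminal and echoed back under the node server's signature, and the second random data is generated by the node server and echoed back under the terminal's signature, so each side can tell a fresh answer from a recorded one; the example also deletes the pending challenge after one second request, which is what makes a captured second request useless. Claim 3 has the node server look up the stored password information and compare it with the decrypted value; since the server sees the plaintext password at that point anyway, a deployment can store a salted hash and compare the hash of the decrypted value instead, which this example does not do so that it mirrors the claim.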
CN201910606236.2A 2019-07-05 2019-07-05 Authentication method, system and device and storage medium Active CN110430043B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910606236.2A CN110430043B (en) 2019-07-05 2019-07-05 Authentication method, system and device and storage medium

Publications (2)

Publication Number Publication Date
CN110430043A CN110430043A (en) 2019-11-08
CN110430043B true CN110430043B (en) 2022-11-08

Family

ID=68410315

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910606236.2A Active CN110430043B (en) 2019-07-05 2019-07-05 Authentication method, system and device and storage medium

Country Status (1)

Country Link
CN (1) CN110430043B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant