CN111181931B - Authorization system and method based on user terminal authentication

Authorization system and method based on user terminal authentication

Info

Publication number: CN111181931B
Authority: CN (China)
Prior art keywords: authentication, information, user terminal, resource, request
Legal status: Active (the status listed by Google Patents is an assumption, not a legal conclusion)
Application number: CN201911310892.4A
Other languages: Chinese (zh)
Other versions: CN111181931A (en)
Inventors: 孙溢, 张引, 林昭文, 郑旭, 蔡晓红
Current assignee: Beijing University of Posts and Telecommunications (as listed by Google Patents; may be inaccurate)
Original assignee: Beijing University of Posts and Telecommunications
Events:
    • Application filed by Beijing University of Posts and Telecommunications
    • Priority to CN201911310892.4A
    • Publication of CN111181931A
    • Application granted
    • Publication of CN111181931B
    • Legal status: Active (current)
    • Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/088 Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Abstract

An embodiment of the invention provides an authorization system and method based on user terminal authentication. A resource manager determines an authentication credential for a user terminal, and a resource controller digitally signs that credential to obtain the authentication information of the user terminal. When the user terminal later sends an authorization request to the resource manager, the resource manager forwards the request to the resource controller only if the user terminal information inside the carried credential is the same as the user terminal information carried in the request and the terminal's environmental parameters satisfy the environmental conditions recorded in the credential for operating the resource. The resource controller then recomputes the signature over the carried credential (the pending digital signature) and generates a response to the authorization request only when it is the same as the signature carried in the request. The system thus achieves dynamic authorization.

Description

Authorization system and method based on user terminal authentication
Technical Field
The invention relates to the field of access control, and in particular to an authorization system and an authorization method based on user terminal authentication.
Background
With the development of the Internet of Things and the rise of the sharing model, resources kept in one place are shared among many users through the Internet of Things. In this sharing model an enterprise or a user can offer diversified, personalised services to other users, for example shared cars, shared bicycles and shared power banks.
In the sharing model a user who wants to use a shared resource must first be authorized. The prior art proposes an authorization system built on the Role-Based Access Control (RBAC) model; it consists of a resource manager and a resource controller, and authorizes a resource as follows:
The user terminal sends an authentication request to the resource manager. The request carries an account and the password for that account, which the resource manager uses to authenticate the user terminal; concretely, it configures permissions for the terminal's account and stores the authentication result, for example during user registration. The permissions may allow modifying the account's password and obtaining resources from the resource controller. The resource manager can obtain the state of each resource, available or unavailable, from the resource controller in real time. When the user terminal sends a resource request to the resource manager, the request carries the account and password; the resource manager checks whether they are the same as the stored authentication result and, at the same time, whether the resource is available. If both hold, it requests the resource from the resource controller, the controller returns it to the resource manager, and the resource manager issues it to the user terminal, for example when unlocking a shared bicycle.
When the account's environmental conditions change, for example its login location, the IP address it logs in from, its distance from the resource or the time at which it accesses the resource, a developer has to verify the change, and only when the account is found not to be stolen does the developer manually modify the account's permissions in the back end so that the user terminal using that account can obtain the resource. Authorization therefore cannot adapt dynamically to changes in the environment.
Disclosure of Invention
Embodiments of the invention aim to provide an authorization system and an authorization method based on user terminal authentication, so that a user terminal can be authorized dynamically. The technical scheme is as follows:
In a first aspect, an embodiment of the present invention provides an authorization system based on user terminal authentication. The system includes a resource manager and a resource controller.
The resource manager receives an authentication request sent by a user terminal; the request carries the requested use period of the resource to be requested. The resource manager obtains from the resource controller the state information of the resources stored there, determines from that state information the operable time period of each stored resource, determines an authentication credential for the user terminal when the operable time period of a stored resource contains the requested use period, and sends that credential to the resource controller. The authentication request includes the information of the user terminal. The authentication credential includes an authentication list, the information of the user terminal, the time at which the credential was determined and the time at which it expires; the authentication list records the requested use period of the resource to be requested, the operations the user terminal is permitted to perform on the stored resource, and the environmental conditions that must hold for the stored resource to be operated.
The resource controller receives the authentication credential for the user terminal, digitally signs it to obtain the authentication information of the user terminal, and forwards that authentication information to the resource manager. The authentication information consists of the digital signature corresponding to the user terminal and the signed content; the signed content comprises the authentication credential and the algorithm used for the digital signature.
The resource manager further receives the forwarded authentication information and sends it to the corresponding user terminal. When it later receives an authorization request from the user terminal, carrying the information of the user terminal and the authentication information, it judges whether the first information is the same as the second information, where the first information is the user terminal information inside the authentication credential carried in the authorization request and the second information is the user terminal information carried directly in the authorization request. It forwards the authorization request to the resource controller only when the two are the same, the environmental parameters of the user terminal satisfy the environmental conditions recorded in the authentication credential for operating the resource, and the requested use period has not expired.
The resource controller further receives the authorization request, signs the authentication credential contained in the carried authentication information again, using the algorithm named in the signed content, to obtain a pending digital signature, responds to the authorization request only when the pending digital signature is the same as the digital signature carried in the authorization request, and sends the response to the resource manager.
The resource manager further receives the resource controller's response to the authorization request and forwards it to the user terminal.
Optionally, the authorization system of the first aspect further includes a Message Queuing Telemetry Transport (MQTT) server that forwards the interaction information between the resource manager and the resource controller, namely the authentication credential for the user terminal, the authentication information of the user terminal, and the resource controller's response to the authorization request.
Optionally, the resource manager is specifically configured to:
receive an authentication request sent by a user terminal, and obtain from the resource controller the state information of the stored resources for a preset period after the current time;
for the current authentication request, which carries the current requested use period of the resource to be requested, determine from that state information the operable time period of each stored resource within the preset period and, when the operable time period of a stored resource contains the current requested use period, add the requested use period, the operations the user terminal is permitted to perform on the stored resource and the environmental conditions for operating it to a preset list, thereby obtaining the authentication list;
take the authentication list together with the user terminal information carried in the current authentication request as the authentication credential for the user terminal;
and send the authentication credential for the user terminal to the resource controller.
Optionally, the resource controller is specifically configured to:
receive the authentication credential for the user terminal sent by the resource manager;
digitally sign the authentication credential to obtain the authentication information of the user terminal, such that a first field of the authentication information holds the algorithm used to sign the credential and the type of the authentication information, a second field holds the content of the authentication credential, and a third field holds the digital signature corresponding to the user terminal;
and forward the authentication information of the user terminal to the resource manager.
Optionally, the resource manager is specifically configured to:
compare the hash value of the first information with the hash value of the second information, and judge from the result whether the first information is the same as the second information.
In a second aspect, an embodiment of the present invention provides an authorization method based on user terminal authentication, applied to the authorization system of the first aspect. The method includes:
the resource manager receives an authentication request sent by a user terminal, obtains from the resource controller the state information of the resources stored there, determines the operable time period of each stored resource from that state information, determines an authentication credential for the user terminal when the operable time period of a stored resource contains the requested use period, and sends the credential to the resource controller; the authentication request carries the requested use period of the resource to be requested and includes the information of the user terminal and the request information; the authentication credential includes an authentication list, which records the operations the user terminal is permitted to perform on the stored resource and the environmental conditions that must hold for the stored resource to be operated;
the resource controller receives the authentication credential for the user terminal, digitally signs it to obtain the authentication information of the user terminal, and forwards that authentication information to the resource manager; the authentication information comprises the digital signature corresponding to the user terminal and the signed content, and the signed content comprises the authentication credential and the algorithm used for the digital signature;
the resource manager receives the forwarded authentication information and sends it to the corresponding user terminal; when it receives an authorization request from the user terminal, carrying the information of the user terminal and the authentication information, it judges whether the first information is the same as the second information, and forwards the authorization request to the resource controller when they are the same, the environmental parameters of the user terminal satisfy the environmental conditions recorded in the authentication credential for operating the resource, and the requested use period has not expired; the first information is the user terminal information inside the authentication credential of the authentication information carried in the authorization request, and the second information is the user terminal information carried in the authorization request;
the resource controller receives the authorization request, signs the authentication credential in the carried authentication information again, using the algorithm named in the signed content, to obtain a pending digital signature, responds to the authorization request when the pending digital signature is the same as the digital signature in the carried authentication information, and sends the response to the resource manager;
and the resource manager receives the resource controller's response to the authorization request and forwards it to the user terminal.
Optionally, the authorization system to which the method of the second aspect is applied further includes an MQTT server,
and correspondingly the authorization method of the second aspect further includes:
the MQTT server forwarding the interaction information between the resource manager and the resource controller, namely the authentication credential for the user terminal, the authentication information of the user terminal, and the resource controller's response to the authorization request.
Optionally, the authorization method of the second aspect further includes:
the resource manager receives an authentication request sent by a user terminal and obtains from the resource controller the state information of the stored resources for a preset period after the current time;
for the current authentication request, it determines from that state information the operable time period of each stored resource within the preset period and, when the operable time period of a stored resource contains the current requested use period, adds the requested use period of the resource to be requested, the preset operations the user terminal is permitted to perform on the stored resource and the environmental conditions for operating it to a preset list, obtaining the authentication list;
it takes the authentication list together with the user terminal information carried in the current authentication request as the authentication credential for the user terminal;
and sends the authentication credential for the user terminal to the resource controller.
Optionally, the authorization method of the second aspect further includes:
the resource controller receives the authentication credential for the user terminal sent by the resource manager; digitally signs it to obtain the authentication information of the user terminal, such that a first field of the authentication information holds the algorithm used to sign the credential and the type of the authentication information, a second field holds the content of the authentication credential, and a third field holds the digital signature corresponding to the user terminal; and forwards the authentication information of the user terminal to the resource manager.
Optionally, the authorization method of the second aspect further includes:
the resource manager compares the hash value of the first information with the hash value of the second information and judges from the result whether the first information is the same as the second information.
In the system above, the resource manager receives an authentication request from a user terminal, obtains from the resource controller the state information of the resources stored there, determines the operable time period of each stored resource from that state information, determines an authentication credential for the user terminal when the operable time period of a stored resource contains the requested use period, and sends the credential to the resource controller; the resource controller receives the credential, digitally signs it to obtain the authentication information of the user terminal, and forwards that authentication information to the resource manager. When the user terminal needs authorization it sends an authorization request to the resource manager. The resource manager forwards the request to the resource controller when the user terminal information inside the carried credential is the same as the user terminal information in the request, the terminal's environmental parameters satisfy the environmental conditions recorded in the credential for operating the resource, and the requested use period has not expired; the resource controller responds to the request once it has verified that the carried digital signature is the same as the pending digital signature it recomputes, and the response is finally sent to the user terminal by the resource manager. When the environment of the user terminal changes, the resource manager can therefore re-evaluate the credential's environmental conditions against the changed environment, and the resource controller re-verifies that the recomputed pending signature is the same as the signature in the carried authentication information, without manual verification by a developer, so that whether to authorize is decided according to the change in environmental conditions.
Of course, not every advantage above need be achieved by any single product or method practising the invention.
Drawings
To illustrate the embodiments of the present invention or the prior art more clearly, the drawings used in describing them are briefly introduced below. The drawings described here show only some embodiments of the invention; a person skilled in the art can derive other drawings from them without creative effort.
Fig. 1 is a schematic structural diagram of an authorization system based on user terminal authentication according to an embodiment of the present invention;
fig. 2 is a schematic structural diagram of an authorization system based on user terminal authentication and including an MQTT server according to an embodiment of the present invention;
fig. 3 is an interaction diagram of signaling of an authorization system based on user terminal authentication according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings. The described embodiments are only some of the embodiments of the invention, not all of them; all other embodiments that a person skilled in the art can derive from them without creative effort fall within the scope of protection of the invention.
Example 1
As shown in fig. 1, an authorization system based on user terminal authentication according to an embodiment of the present invention may include a resource manager 11 and a resource controller 12.
The resource manager 11 is configured to receive an authentication request sent by a user terminal, the request carrying the requested use period of the resource to be requested; to obtain from the resource controller the state information of the resources stored there; to determine the operable time period of each stored resource from that state information; to determine an authentication credential for the user terminal when the operable time period of a stored resource contains the requested use period; and to send the authentication credential for the user terminal to the resource controller.
The authentication request includes the information of the user terminal. The authentication credential includes an authentication list, which records the operations the user terminal is permitted to perform on the stored resource and the environmental conditions that must hold for the stored resource to be operated.
The resource manager may receive an authentication request from a single user terminal or from several user terminals.
In the shared-bicycle scenario the resource to be requested is a shared bicycle, and the resources stored by the resource controller are the shared bicycles it controls. In a parking-lot scenario the resource to be requested is a parking space and the stored resources are the parking spaces controlled by the resource controller; in a shared power-bank scenario the resource to be requested is a power bank and the stored resources are the power banks held in a power-bank cabinet in a shopping mall.
The information of the user terminal may be the user's registration ID, the device ID of the user terminal, or its IP (Internet Protocol) address. The credential determination time is the resource manager's system time when it determines the credential, and the credential expiration time is the resource manager's system time at which the credential becomes invalid. The operations the user terminal is permitted to perform on the stored resource include accessing and acquiring it. The environmental conditions for operating the stored resource include an upper limit on the physical distance between the user terminal and the stored resource and a lower limit on the battery level of the resource controller.
The resource controller has several network ports; it stores each resource together with the resource's state information, and the resource manager reads the state information of one stored resource through one port. The state information indicates whether the resource is idle or busy within a preset period after the current time, and during which sub-periods it is idle. When a user terminal needs a resource, it sends the resource manager an authentication request carrying the requested use period of that resource; the user produces this period by entering or selecting a start time and an end time on the terminal according to their own needs. The resource manager determines the authentication credential for the user terminal when the operable (idle) time period of a stored resource contains the requested use period; the credential indicates that the user terminal has been approved by the resource manager and may send it an authorization request.
For example, in the parking-lot scenario the authentication request may ask for two hours of parking, from 5:00 to 7:00, booked in advance; the resource to be requested is a parking space and its requested use period is 5:00-7:00. Suppose the parking lot has three spaces, a, b and c: space a is reserved from 4:00 to 6:00 and space b is idle from 5:00 to 7:00. The resource manager reads the state information of a, b and c through the three network ports of the parking lot's resource controller; since space b is idle, i.e. operable, throughout the requested use period carried by the authentication request, the resource manager determines the authentication credential.
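The operable-period check in the parking example, written out as an added example (not code from the patent): given each resource's reservations inside the resource manager's look-ahead window, it derives the idle periods, tests whether the requested use period lies entirely inside one of them, and builds the authentication-list entries for the resources that qualify. The resource names, the reservation of space c, the permission names and the environmental bounds are constructed sample values; the patent specifies none of these data formats.

```python
# Added example, not code from the patent: how a resource manager could turn
# the state information of each stored resource (its reservations inside a
# look-ahead window) into operable time periods, and build the authentication
# list only for resources whose operable period contains the requested use
# period. Times, resource names and reservations are constructed sample data.
from datetime import datetime


def at(hour, minute=0):
    """Constructed clock helper: a time on the sample day."""
    return datetime(2020, 1, 1, hour, minute)


def idle_periods(window_start, window_end, reservations):
    """Operable (idle) intervals of one resource inside [window_start, window_end),
    given its reservations as (start, end) pairs; intervals are half-open."""
    busy = sorted(
        (max(s, window_start), min(e, window_end))
        for s, e in reservations
        if s < window_end and e > window_start
    )
    idle, cursor = [], window_start
    for s, e in busy:
        if s > cursor:
            idle.append((cursor, s))
        cursor = max(cursor, e)
    if cursor < window_end:
        idle.append((cursor, window_end))
    return idle


def contains(period, requested):
    """True when the requested use period lies entirely inside an operable period."""
    (ps, pe), (rs, re_) = period, requested
    return ps <= rs and re_ <= pe


def build_authentication_list(resources, requested, window, permissions, conditions):
    """One authentication-list entry per stored resource that can serve the request."""
    entries = []
    for name, reservations in resources.items():
        periods = idle_periods(*window, reservations)
        if any(contains(p, requested) for p in periods):
            entries.append({
                "resource": name,
                "requested_period": requested,
                "permissions": permissions,   # e.g. access, acquire
                "environment": conditions,    # e.g. distance and battery bounds
            })
    return entries


def demo():
    """Parking-lot scenario from the description, with constructed reservations."""
    resources = {
        "a": [(at(4), at(6))],         # reserved 4:00-6:00, as in the description
        "b": [],                        # idle throughout the window
        "c": [(at(6, 30), at(7))],      # constructed: busy 6:30-7:00
    }
    requested = (at(5), at(7))          # the 5:00-7:00 request
    window = (at(4), at(8))             # preset look-ahead window after "now"
    return build_authentication_list(
        resources, requested, window,
        permissions=["access", "acquire"],
        conditions={"max_distance_m": 50, "min_battery_percent": 20},
    )
```

Only space b produces an entry: a's idle period inside the window is 6:00-8:00 and c's are 4:00-6:30 and 7:00-8:00, neither of which contains 5:00-7:00. Using half-open intervals avoids treating a reservation that ends exactly at the requested start as a conflict.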
It can be understood that the resource manager can ensure that the authentication request of the user can be satisfied when the authentication credential is determined by determining the request use time period carrying the resource to be requested from the authentication request, acquiring the state information of the resource stored in the resource controller from the resource controller, and determining the operable time period of the stored resource based on the state information of the stored resource. Compared with a mode of sending the authentication certificate to the user terminal when the resource cannot be provided, the method and the system further lay the foundation for realizing dynamic authorization according to the state information of the resource.
The resource controller 12 is configured to receive the authentication credential corresponding to the user terminal, digitally sign the authentication credential to obtain the authentication information of the user terminal, and forward the authentication information of the user terminal to the resource manager.
The authentication information includes the digital signature corresponding to the user terminal and the signature content, where the signature content comprises the authentication credential and the algorithm used for the digital signature.
It can be appreciated that digitally signing the authentication credential requires determining a digital signature format. The header information of this format is the algorithm used to digitally sign the authentication credential and the type of the authentication credential; the middle information is the authentication credential itself; and the tail information is the digital signature. In the signing process the header information and the middle information are encoded, and the authentication credential is then digitally signed using a secret key together with the encoded header information, yielding the digital signature corresponding to the user terminal and the signature content. Because the authentication credential is digitally signed it cannot be tampered with, which further improves the security of authorizing the user terminal.
The resource manager 11 is further configured to receive the forwarded authentication information of the user terminal, send the authentication information to the corresponding user terminal, determine whether the first information is the same as the second information when receiving an authorization request sent by the user terminal, and forward the authorization request to the resource controller when the first information is the same as the second information, the environmental parameter of the user terminal meets the environmental condition required for operating the resource in the authentication credential, and the request use time period is not expired.
The authorization request carries the information of the user terminal and the authentication information; the first information is the information of the user terminal contained in the authentication credential within the authentication information carried in the authorization request, and the second information is the information of the user terminal carried directly in the authorization request. The environmental parameters of the user terminal include the physical distance between the user terminal and the resource to be requested. The request use time period comprises a start time and an end time; non-expiration of the request use time period means that the end time of the request use time period is before the current time, where the current time is the current system time of the resource manager.
It can be understood that, after the resource manager sends the authentication information to the corresponding user terminal, a user terminal that wants to request the resource sends an authorization request to the resource manager, and the authorization request carries the information of the user terminal. If the user switches to a new user terminal, then even if the new user terminal obtains the authentication information, the information of the new user terminal differs from that of the original user terminal, while the information of the user terminal in the authentication credential within the authentication information is that of the original user terminal. Determining whether the first information (the information of the original user terminal) is the same as the second information (the information of the new user terminal) therefore reveals whether the user terminal has been changed. If the user terminal has not been changed, the resource manager must further determine whether the physical distance between the user terminal and the resource to be requested is smaller than the upper limit on that distance set by the environmental condition for operating the stored resource, and whether the request use time period of the resource to be requested is not expired; only then is the authorization request forwarded to the resource controller, which ensures the validity of the authorization.
In an exemplary parking lot scenario, when the user terminal is far from the parking space, so that the physical distance between the user terminal and the stored resource is not smaller than its upper limit, the user cannot park. If the request use time period of the resource to be requested is 5:00-8:00 and the current time is 9:00, the request use time period has expired and the user cannot park the vehicle.
The resource controller 12 is further configured to receive the authorization request, digitally sign the authentication credential in the authentication information carried in the authorization request using the algorithm recorded in the signature content of that authentication information to obtain a pending digital signature, respond to the authorization request when the pending digital signature is the same as the digital signature in the authentication information carried in the authorization request, and send the information responding to the authorization request to the resource manager.
The information responding to the authorization request includes: a notification message issued after the action corresponding to the resource to be requested has been executed, and a notification message issued after the resource to be requested has been operated.
It can be understood that, after the resource controller receives the authorization request, it must verify whether the signature content in the authentication information has been tampered with, so as to ensure that the resource is not illegally obtained or operated. If the signature content is tampered with, the signature content changes but the digital signature over the authentication credential does not. The resource controller therefore digitally signs the authentication credential again, using the algorithm recorded in the signature content of the authentication information, to obtain a pending digital signature, and compares it with the digital signature in the authentication information carried in the authorization request; a match shows that the signature content has not been tampered with, in which case the resource controller responds to the authorization request and sends the responding information to the resource manager.
Illustratively, the authorization request may be sent when the user terminal parks the vehicle in the parking lot during the period 5:00-7:00. The resource controller responds to the authorization request by opening the gate of the parking lot after the user terminal arrives at the parking lot, and after opening the gate it sends a notification message that the gate is open and the user may park the vehicle, or a notification message asking the user to park in a certain free parking space.
It can be understood that when the remaining power of the resource controller is below its lower power limit, the resource controller cannot continue digitally signing authentication credentials or responding to authorization requests; at this moment the resource controller sends alarm information reminding the operator to replace the power supply device.
The resource manager 11 is further configured to receive information that the resource controller responds to the authorization request, and forward the information to the user terminal.
It can be understood that, after receiving the information that the resource controller responds to the authorization request, the resource manager learns that the authorization request is allowed, and at this time, forwards the information that the resource controller responds to the authorization request to the user terminal to notify the user terminal that the user terminal is authorized.
Compared with the prior art, the resource manager in the authorization system based on user terminal authentication provided by the embodiment of the invention determines, according to the changed environment, whether the environmental parameters of the user terminal meet the environmental condition required for operating the resource in the authentication credential, determines that the request use time period is not expired, and only then decides to forward the authorization request to the resource controller. The resource manager thus forwards the authorization request according to changes in the environment, and the resource controller verifies again whether the pending digital signature is the same as the digital signature corresponding to the user terminal in the authentication information carried in the authorization request, with no manual verification by a developer. Therefore, the authorization system based on user terminal authentication provided by the embodiment of the invention can decide whether to authorize according to changes in the environmental conditions.
Example 2
As an optional implementation manner provided in the embodiment of the present invention, as shown in fig. 2, the authorization system based on user terminal authentication provided in the embodiment of the present invention further includes an MQTT (Message Queuing Telemetry Transport) server 13.
the MQTT server 13 is configured to forward interaction information between the resource manager and the resource controller, where the interaction information includes: authentication credentials corresponding to the user terminal, authentication information of the user terminal, and information for responding to the authorization request by the resource controller.
It can be understood that, in this embodiment, adding the MQTT server to forward the interaction information between the resource manager and the resource controller reduces the probability of losing the interaction information and improves the security of transmitting it.
Example 3
In an optional implementation manner provided by the embodiment of the present invention, the resource manager is further configured to receive an authentication request sent by the user terminal, acquire the state information of the resource stored in the resource controller from the resource controller, determine the operable time period of the stored resource based on that state information, and return a message that the stored resource is unavailable to the user terminal when no stored resource has an operable time period containing the request use time period.
The authentication request carries a request use time period of resources to be requested.
It can be understood that, when the state information of the resource stored by the resource controller is unavailable, the resource manager needs to return a message that the stored resource is unavailable to the user terminal, so that the user terminal knows that the resource to be requested in the sent authentication request cannot be operated, and the resource manager cannot determine the authentication credential.
Example 4
As an optional implementation manner provided in the embodiment of the present invention, the resource manager 11 in fig. 2 is specifically configured to:
receiving an authentication request sent by the user terminal, and acquiring from the resource controller the state information of the resources stored in the resource controller for a preset time period after the current time.
The current time refers to the current system time when the resource manager receives the authentication request, and the preset time period is a preset length of time set according to the granularity of the time unit.
It can be understood that when the granularity requirement of the time unit does not exceed the time threshold, the granularity requirement is considered fine and 15 or 30 minutes is set as the preset time period; when the granularity requirement exceeds the time threshold, it is considered coarse and 1 day, 1 week or 1 month is set as the preset time period. The time threshold is a manually set value.
For example, when the granularity requirement of the time unit does not exceed the time threshold, the preset time period may be set to 15 minutes, and a byte array with a length of 96 bits and all values 0 is generated for the preset time period.
When the granularity requirement of the time unit exceeds the time threshold, the preset time period may be set to 1 day; the day is divided into 15-minute slots, and a time array of zeros is generated in the same way the byte array is generated for 15 minutes. The length of the time array is determined by the number of 15-minute slots contained in 1 day, and each item of the time array represents one 15-minute period.
It can be understood that the state information of the stored resource which the resource manager acquires from the network port of the resource controller is a binary bit array, that is, the target array. When a vehicle owner reserves a parking space, the resource manager determines from the reservation time the array segment of the time array corresponding to the reserved period, and then checks whether the result of a logical AND between the target array and that array segment is 0. If the result is 0, the parking space is free in the time period corresponding to the array segment and the vehicle owner can reserve it.
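The slot bit array of Example 4 applied to the parking-lot illustration, as an added example that is not part of the patent text: each resource's state information is a 96-bit array (one bit per 15-minute slot of a one-day preset time period), a reservation becomes an array segment, and the resource manager treats the resource as operable when the logical AND of the two is 0. Parking spaces a, b, c and their reservations are constructed sample data; holding the array in a Python int is an implementation choice of this example.

```python
# Added example (not from the patent): the 15-minute slot bit array of Example 4
# applied to the parking-lot illustration (spaces a, b, c are constructed sample
# data).  A resource's state information is a 96-bit array, one bit per slot of a
# one-day preset time period; a set bit means the slot is busy.  The array is held
# in a Python int, with bit i standing for slot i (0 = 00:00-00:15).
from typing import Dict, List

SLOT_MINUTES = 15
SLOTS_PER_DAY = 24 * 60 // SLOT_MINUTES  # 96 entries in the time array


def slot_index(hhmm: str) -> int:
    """Map a clock time like '5:00' to its slot number; must fall on a slot boundary."""
    hours, minutes = (int(part) for part in hhmm.split(":"))
    total = hours * 60 + minutes
    if not 0 <= total <= 24 * 60 or total % SLOT_MINUTES:
        raise ValueError(f"{hhmm!r} is not on a {SLOT_MINUTES}-minute boundary")
    return total // SLOT_MINUTES


def period_mask(start: str, end: str) -> int:
    """Array segment for the period [start, end): one set bit per covered slot."""
    first, last = slot_index(start), slot_index(end)
    if not first < last:
        raise ValueError("end time must be after start time")
    return ((1 << (last - first)) - 1) << first


def bit_string(array: int) -> str:
    """Render the array as 96 characters, slot 0 on the left (for display only)."""
    return format(array, f"0{SLOTS_PER_DAY}b")[::-1]


class ResourceController:
    """Holds each stored resource and its state information (the target array)."""

    def __init__(self, resource_ids: List[str]) -> None:
        self.state: Dict[str, int] = {rid: 0 for rid in resource_ids}

    def reserve(self, rid: str, start: str, end: str) -> bool:
        """Mark the slots busy; refuse if any requested slot is already busy."""
        segment = period_mask(start, end)
        if self.state[rid] & segment:
            return False
        self.state[rid] |= segment
        return True

    def state_information(self, rid: str) -> int:
        """What the resource manager reads from this resource's network port."""
        return self.state[rid]


def operable_resources(controller: ResourceController, start: str, end: str) -> List[str]:
    """Resource manager side: resources whose operable time period contains the
    request use time period, i.e. target array AND array segment == 0."""
    segment = period_mask(start, end)
    return [
        rid
        for rid in controller.state
        if controller.state_information(rid) & segment == 0
    ]


if __name__ == "__main__":
    lot = ResourceController(["a", "b", "c"])
    lot.reserve("a", "4:00", "6:00")  # space a is reserved 4:00-6:00
    print(operable_resources(lot, "5:00", "7:00"))  # ['b', 'c']
    print(bit_string(lot.state_information("a")))
```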
For the current authentication request, determining the operable time period of the stored resource within the preset time period after the current time, based on the state information of the stored resource within that preset time period; and, when there exists a stored resource whose operable time period contains the current request use time period, adding the request use time period of the resource to be requested, the preset operable authority of the user terminal over the stored resource, and the environmental condition required for operating the stored resource, to obtain an authentication list.
The current authentication request carries a current request use time period of a current resource to be requested.
It can be understood that the obtained authentication list records the current request use time period, the operable authority of the user terminal over the stored resource, and the environmental condition the user terminal must meet to operate the resource stored by the resource controller; when the user terminal sends the authorization request, the authentication list serves as the precondition for the resource manager to forward the authorization request.
Determining the authentication list and the information of the user terminal carried in the current authentication request as the authentication credential corresponding to the user terminal.
Sending the authentication credential corresponding to the user terminal to the resource controller.
It can be understood that, in this embodiment, the authentication list is obtained, and the authentication list together with the information of the user terminal carried in the current authentication request is determined as the authentication credential.
Example 5
As an optional implementation manner provided by the embodiment of the present invention, the resource manager 11 in fig. 2 is further configured to:
when an authorization request sent by the user terminal is received, judging whether the authentication credential carried in the authorization request is expired; when the authentication credential is not expired, judging whether the first information and the second information are the same; and when the first information and the second information are the same, the environmental parameters of the user terminal meet the environmental condition required for operating the resource in the authentication credential, and the request use time period is not expired, forwarding the authorization request to the resource controller.
The authentication credential is considered expired when its expiration time is before the current time at which the resource manager receives the authorization request sent by the user terminal.
This embodiment judges whether the authentication credential is expired and, only when it is not expired, goes on to judge whether the first information is the same as the second information, which improves the security of the resource manager's forwarding of the authorization request.
Example 6
As an optional implementation manner provided by the embodiment of the present invention, the resource manager 11 in fig. 2 is further configured to:
when an authorization request sent by the user terminal is received, judging whether the authentication credential carried in the authorization request is expired, and when the authentication credential is expired, returning information that the resource cannot be authorized to the user terminal.
Example 7
As an optional implementation manner provided by the embodiment of the present invention, the resource controller 12 in fig. 2 is specifically configured to:
receiving the authentication credential corresponding to the user terminal sent by the resource manager.
Digitally signing the authentication credential to obtain the authentication information of the user terminal, such that the first field of the authentication information comprises the algorithm used to digitally sign the authentication credential and the type of the authentication information, the second field comprises the information contained in the authentication credential, and the third field comprises the digital signature corresponding to the user terminal.
It is understood that in the present embodiment the digital signature over the authentication credential may adopt JWT (JSON Web Token) technology, where the JWT is composed of three fields, header information, payload information and digital signature, separated by dots. The header information, typically including the type of the authentication credential and the signature algorithm used for it, is encoded to form the first field of the JWT; the payload information stores the information contained in the authentication credential and is encoded to form the second field; the digital signature is produced by signing the encoded header information and payload information with the key, is used to verify the identity of the user terminal, and must be produced with the algorithm named in the first field.
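The JWT-style signing of Example 7 together with the resource controller's recomputation of the pending digital signature (steps S3042 and S3043 of the method below), as an added example that is not part of the patent: the controller encodes header and credential, signs them with its key, and later recomputes the signature over the carried signature content to detect tampering. HS256 (HMAC-SHA256), the key and the credential values are constructed assumptions of this example.

```python
# Added example (not from the patent): the resource controller's JWT-style signing of
# the authentication credential (Example 7) and its later check of the pending digital
# signature against the carried one (S3042/S3043).  HS256 (HMAC-SHA256) and the
# constructed key and credential below are assumptions for illustration.
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url(data: bytes) -> str:
    """Base64url without padding, the JWT encoding of each field."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_field(obj: dict) -> str:
    """Canonical JSON so that re-encoding the same content yields the same bytes."""
    return b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


class ResourceController:
    SIGNATURE_ALGORITHM = "HS256"  # the only algorithm this controller signs with

    def __init__(self, key: bytes) -> None:
        self._key = key  # secret key held by the resource controller only

    def _signature(self, signing_input: str) -> bytes:
        return hmac.new(self._key, signing_input.encode("ascii"), hashlib.sha256).digest()

    def sign_credential(self, credential: dict) -> str:
        """Produce the authentication information: header.payload.signature."""
        header = {"alg": self.SIGNATURE_ALGORITHM, "typ": "JWT"}      # first field
        signing_input = encode_field(header) + "." + encode_field(credential)  # + second
        return signing_input + "." + b64url(self._signature(signing_input))   # third field

    def verify_authentication_information(self, token: str) -> Optional[dict]:
        """Recompute the pending digital signature over the signature content and
        compare it with the carried digital signature.  Returns the credential on a
        match, None otherwise.  The algorithm named in the header is accepted only
        if it is the one the controller itself uses, so a rewritten header cannot
        select a weaker or absent algorithm."""
        try:
            header_b64, payload_b64, sig_b64 = token.split(".")
            header = json.loads(b64url_decode(header_b64))
            carried = b64url_decode(sig_b64)
        except (ValueError, UnicodeDecodeError):
            return None
        if not isinstance(header, dict) or header.get("alg") != self.SIGNATURE_ALGORITHM:
            return None
        pending = self._signature(header_b64 + "." + payload_b64)
        if not hmac.compare_digest(pending, carried):
            return None
        return json.loads(b64url_decode(payload_b64))


def replace_payload(token: str, credential: dict) -> str:
    """Build a token carrying a different credential but the original signature, to
    show that altered signature content no longer matches the digital signature."""
    header_b64, _, sig_b64 = token.split(".")
    return header_b64 + "." + encode_field(credential) + "." + sig_b64


# Constructed sample credential: authentication list plus terminal information.
SAMPLE_CREDENTIAL = {
    "terminal": "terminal-0001",
    "auth_list": {"period": "05:00-07:00", "permission": "park", "max_distance_m": 50},
    "determined_at": 1700000000,
    "expires_at": 1700007200,
}


if __name__ == "__main__":
    controller = ResourceController(b"constructed-demo-key")
    token = controller.sign_credential(SAMPLE_CREDENTIAL)
    print(token)
    print(controller.verify_authentication_information(token) == SAMPLE_CREDENTIAL)
    altered = replace_payload(token, {**SAMPLE_CREDENTIAL, "terminal": "terminal-0002"})
    print(controller.verify_authentication_information(altered))  # None
```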
And forwarding the authentication information of the user terminal to the resource manager.
In the embodiment, the authentication information is obtained by performing the digital signature on the authentication certificate, and the digital signature corresponding to the user terminal in the authentication information is not easy to be tampered, so that the subsequent security of authorizing the user terminal can be improved.
Example 8
As an optional implementation manner provided in the embodiment of the present invention, the resource manager in fig. 2 is specifically configured to: compare the hash value of the first information with the hash value of the second information, and thereby judge whether the first information is the same as the second information.
It can be understood that the hash value is unique to its input, so this embodiment improves the accuracy of determining whether the first information and the second information are the same by comparing their hash values.
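The resource manager's forwarding decision described in Examples 1, 5 and 8 above (credential expiry, hashed comparison of first and second information, physical-distance condition, request use period expiry), as an added example that is not part of the patent. Expiry of the request use time period follows the parking-lot illustration (end time earlier than the current time); the dataclass fields, minutes-since-midnight times and the sample values are constructed assumptions.

```python
# Added example (not from the patent): the resource manager's decision whether to
# forward an authorization request, in the order given by Examples 1, 5 and 8:
# credential expiry, hashed comparison of first and second information, the
# physical-distance environmental condition, and request use period expiry (expired
# when its end time is earlier than the current time, as in the 5:00-8:00 / 9:00
# illustration).  Times are minutes since midnight and all values are constructed.
import hashlib
import hmac
from dataclasses import dataclass
from typing import Tuple


def minutes(hhmm: str) -> int:
    hours, mins = (int(p) for p in hhmm.split(":"))
    return hours * 60 + mins


@dataclass(frozen=True)
class AuthenticationCredential:
    terminal_info: str      # information of the user terminal (the first information)
    determined_at: int      # authentication credential determination time
    expires_at: int         # authentication credential expiration time
    request_start: int      # request use time period start
    request_end: int        # request use time period end
    max_distance_m: float   # environmental condition: upper limit of physical distance


@dataclass(frozen=True)
class AuthorizationRequest:
    terminal_info: str                     # carried directly (the second information)
    credential: AuthenticationCredential   # inside the carried authentication information
    distance_m: float                      # environmental parameter of the user terminal


def info_hash(info: str) -> bytes:
    """Example 8: compare hash values of the terminal information, not the raw data."""
    return hashlib.sha256(info.encode("utf-8")).digest()


def forwarding_decision(req: AuthorizationRequest, now: int) -> Tuple[bool, str]:
    """Return (forward?, reason).  Only a fully passing request reaches the controller."""
    cred = req.credential
    if cred.expires_at < now:                                   # Examples 5 and 6
        return False, "authentication credential expired: resource cannot be authorized"
    if not hmac.compare_digest(info_hash(cred.terminal_info), info_hash(req.terminal_info)):
        return False, "user terminal changed: first and second information differ"
    if not req.distance_m < cred.max_distance_m:                # environmental condition
        return False, "environmental condition not met: terminal too far from resource"
    if cred.request_end < now:                                  # request use period
        return False, "request use time period expired"
    return True, "forward authorization request to resource controller"


# Constructed credential for the parking-lot illustration (request period 5:00-8:00).
CREDENTIAL = AuthenticationCredential(
    terminal_info="terminal-0001",
    determined_at=minutes("4:30"),
    expires_at=minutes("10:00"),
    request_start=minutes("5:00"),
    request_end=minutes("8:00"),
    max_distance_m=50.0,
)


if __name__ == "__main__":
    request = AuthorizationRequest("terminal-0001", CREDENTIAL, distance_m=20.0)
    print(forwarding_decision(request, minutes("6:00")))  # (True, 'forward ...')
    print(forwarding_decision(request, minutes("9:00")))  # (False, 'request use time period expired')
```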
In order to verify the effectiveness of the authorization system based on the user terminal authentication provided by the embodiment of the invention for realizing dynamic authorization, the inventor simulates a parking lot comprising 400 parking space devices, wherein 200 parking spaces are applied to the authorization system based on the user terminal authentication provided by the embodiment of the invention, the remaining 200 parking spaces are applied to the authorization system in the prior art, a parking lot administrator issues free parking spaces according to the current state of the parking lots, the issuing duration can be set, and an owner reserves the free parking spaces issued by the administrator according to the own needs.
Because a vehicle owner may reserve 1 idle parking space for 1 hour but actually park for only half an hour, the remaining half hour of the reservation is wasted in such a situation.
Existing statistical data show that the traffic flow of a parking lot at different moments over a period of time approximately follows a Poisson distribution, so whether a specific time period is a peak period or a normal period can be judged from the Poisson parameter lambda: a time period in which lambda exceeds a threshold value is a peak period, otherwise it is a normal period.
A traffic flow model over a period (6 hours) was constructed according to the Poisson distribution with the threshold set to 100, a lambda of 50 representing a normal period and a lambda of 200 representing a peak period. Using the parking information of vehicle owners over 30 days as a sample, it was verified that the parking space utilization rate of the authorization system based on user terminal authentication provided by the embodiment of the invention is higher than that of the prior-art authorization system.
Table 1: utilization rate of parking spaces, λ = 200 (table image not reproduced)
Table 2: utilization rate of parking spaces, λ = 50 (table image not reproduced)
As can be seen from tables 1 and 2, in the peak time period and the normal time period, the authorization system based on the user terminal authentication provided by the embodiment of the present invention can effectively reduce the idle time of the parking space, and improve the utilization rate of the parking space.
An authorization method based on user terminal authentication provided in an embodiment of the present invention is, as shown in fig. 3, applied to an authorization system based on user terminal authentication in embodiments 1 to 8 above, where the system includes: a resource manager and a resource controller;
the method can comprise the following steps:
S3011, the resource manager receives an authentication request sent by the user terminal; S3012, obtaining the state information of the resource stored in the resource controller from the resource controller; S3013, the resource manager determines the operable time period of the stored resource based on the state information of the stored resource; S3014, when the operable time period of the stored resource contains the request use time period, determining the authentication credential corresponding to the user terminal; and S3015, sending the authentication credential corresponding to the user terminal to the resource controller.
The authentication request carries a request use time period of resources to be requested, and the authentication request comprises: the information of the user terminal, the authentication voucher includes: the authentication list, the information of the user terminal, the authentication certificate determination time and the authentication certificate expiration time, and the authority of the user terminal for operating the resource and the environmental conditions met by the resource operation are recorded in the authentication list.
S3021, the resource controller receives the authentication credential corresponding to the user terminal; S3022, digitally signing the authentication credential corresponding to the user terminal to obtain the authentication information of the user terminal; S3023, forwarding the authentication information of the user terminal to the resource manager.
Wherein the authentication information includes: the digital signature and the signature content corresponding to the user terminal, wherein the signature content comprises: authentication credentials and algorithms used for digital signatures.
S3031, the resource manager receives the forwarded authentication information of the user terminal; s3032, sending the authentication information to the corresponding user terminal; s3033, when receiving an authorization request sent by the user terminal, judging whether the first information is the same as the second information; s3034, when the first information is the same as the second information, the environmental parameter of the user terminal meets the environmental condition which is met by operating the resource in the authentication certificate, and the request use time period is not expired, the authorization request is forwarded to the resource controller.
The authorization request carries information of the user terminal and authentication information, the first information is information of the user terminal in the authentication certificate in the authentication information carried in the authorization request, and the second information is information of the user terminal carried in the authorization request.
S3041, the resource controller receives the authorization request; S3042, digitally signing the authentication credential in the authentication information carried in the authorization request according to the algorithm recorded in the signature content of the authentication information, to obtain a pending digital signature; S3043, when the pending digital signature is the same as the digital signature in the authentication information carried in the authorization request, responding to the authorization request; and S3044, sending the information responding to the authorization request to the resource manager.
S305, the resource manager receives the information of the resource controller responding to the authorization request and forwards the information to the user terminal.
Optionally, the system to which the authorization method based on user terminal authentication provided in the embodiment of the present invention is applied further includes an MQTT server, and the method further comprises the following step:
the MQTT server forwards interaction information between the resource manager and the resource controller, wherein the interaction information comprises: authentication credentials corresponding to the user terminal, authentication information of the user terminal, and information for responding to the authorization request by the resource controller.
Optionally, the authorization method based on user terminal authentication provided in the embodiment of the present invention further includes:
the resource manager:
receiving an authentication request sent by the user terminal, and acquiring from the resource controller the state information of the resources stored in the resource controller for a preset time period after the current time;
for the current authentication request, determining the operable time period of the stored resource within the preset time period after the current time, based on the state information of the stored resource within that preset time period, and, when the operable time period of the stored resource contains the current request use time period, adding the request use time period of the resource to be requested, the preset operable authority of the user terminal over the stored resource, and the environmental condition required for operating the stored resource into a preset list to obtain an authentication list.
The current authentication request carries a current request use time period of a current resource to be requested.
And determining the authentication list and the information of the user terminal carried in the current authentication request as an authentication certificate corresponding to the user terminal.
And sending the authentication certificate corresponding to the user terminal to the resource controller.
Optionally, the authorization method based on user terminal authentication provided in the embodiment of the present invention further includes:
the resource controller:
receiving the authentication credential corresponding to the user terminal sent by the resource manager.
The authentication certificate corresponding to the user terminal is digitally signed to obtain authentication information of the user terminal, so that a first field of the authentication information comprises an algorithm used for digitally signing the authentication certificate and the type of the authentication information, a second field of the authentication information comprises information contained in the authentication certificate, and a third field of the authentication information comprises: and the digital signature corresponding to the user terminal.
And forwarding the authentication information of the user terminal to the resource manager.
Optionally, the authorization method based on user terminal authentication provided in the embodiment of the present invention further includes:
the resource manager:
comparing the hash value of the first information with the hash value of the second information, and thereby judging whether the first information is the same as the second information.
The invention provides an authorization method based on user terminal authentication. The resource manager determines an authentication credential and the resource controller digitally signs it. When the user terminal needs to be authorized, it sends an authorization request to the resource manager; when the user terminal information in the authentication credential carried by the user terminal is the same as the user terminal information in the authorization request, the environmental parameters of the user terminal meet the environmental condition required for operating the resource in the authentication credential, and the request use time period is not expired, the resource manager forwards the authorization request to the resource controller. The resource controller responds to the authorization request only if the digital signature over the authentication credential is the same as the pending digital signature it generates, produces information responding to the authorization request, and that information is finally sent to the user terminal by the resource manager. In this process, when the environment of the user terminal changes, the resource manager, unlike the prior art, determines according to the changed environment whether the environmental condition required for operating the resource in the authentication credential is met and decides whether to forward the authorization request to the resource controller, so the authorization request is forwarded according to changes in the actual situation; the resource controller then verifies again whether the pending digital signature is the same as the digital signature corresponding to the user terminal in the authentication information carried in the authorization request, with no manual verification by a developer.
Whether to authorize can therefore be decided according to changes in the environmental conditions.
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software, it may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, they cause the processes or functions described in accordance with the embodiments of the invention to occur, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, from one website site, computer, server, or data center to another website site, computer, server, or data center via wired (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.) means. The computer-readable storage medium can be any available medium that can be accessed by a computer or a data storage device, such as a server, a data center, etc., that incorporates one or more of the available media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and the embodiments are mainly described as different from other embodiments. In particular, as for the method embodiment, since it is substantially similar to the system embodiment, the description is simple, and the relevant points can be referred to the partial description of the method embodiment.
The above description is only for the preferred embodiment of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention shall fall within the protection scope of the present invention.

Claims (10)

1. An authorization system based on user terminal authentication, the system comprising: a resource manager and a resource controller,
the resource manager is configured to receive an authentication request sent by a user terminal, where the authentication request carries a request use time period of a resource to be requested, acquire state information of the resource stored in the resource controller from the resource controller, determine an operable time period of the stored resource based on the state information of the stored resource, determine an authentication credential corresponding to the user terminal when the operable time period of the stored resource contains the request use time period, and send the authentication credential corresponding to the user terminal to the resource controller; the authentication request includes: information of the user terminal; the authentication credential comprises: an authentication list, the information of the user terminal, an authentication credential determination time and an authentication credential expiration time, where the authentication list records the request use time period of the resource to be requested, the operational authority of the user terminal over the stored resource, and the environmental condition to be met for operating the stored resource;
the resource controller is configured to receive an authentication credential corresponding to the user terminal, perform digital signature on the authentication credential corresponding to the user terminal, obtain authentication information of the user terminal, and forward the authentication information of the user terminal to the resource manager, where the authentication information includes: the digital signature and the signature content corresponding to the user terminal, wherein the signature content comprises: the authentication credentials and the algorithm used by the digital signature;
the resource manager is further configured to receive forwarded authentication information of the user terminal, send the authentication information to a corresponding user terminal, determine whether first information is the same as second information when an authorization request sent by the user terminal is received, forward the authorization request to the resource controller when the first information is the same as the second information and an environmental parameter of the user terminal meets an environmental condition that is met by operation on a resource in the authentication credential and a request use time period is not expired, where the authorization request carries information of the user terminal and the authentication information, the first information is information of the user terminal in the authentication credential in the authentication information carried in the authorization request, and the second information is information of the user terminal carried in the authorization request;
the resource controller is further configured to receive the authorization request, perform digital signature on an authentication credential in authentication information carried in the authorization request according to an algorithm used by a digital signature in signature content of the authentication information, obtain a pending digital signature, respond to the authorization request when the pending digital signature is the same as the digital signature in the authentication information carried in the authorization request, and send information that is responsive to the authorization request to the resource manager;
and the resource manager is also used for receiving the information of the resource controller responding to the authorization request and forwarding the information to the user terminal.
2. The system of claim 1, further comprising: a Message Queuing Telemetry Transport (MQTT) server, configured to forward interaction information between the resource manager and the resource controller, where the interaction information comprises: the authentication credential corresponding to the user terminal, the authentication information of the user terminal, and the information of the resource controller responding to the authorization request.
3. The system of claim 1, wherein the resource manager is specifically configured to:
receiving an authentication request sent by a user terminal, and acquiring state information of resources stored in the resource controller within a preset time period after the current time from the resource controller;
aiming at a current authentication request, determining an operable time period of the stored resource within a preset time period after the current time based on state information of the stored resource within the preset time period after the current time, and adding the requested use time period of the resource to be requested, the operable authority of the user terminal on the stored resource and an environmental condition which meets the operation of the stored resource into a preset list to obtain an authentication list when the operable time period of the stored resource contains the current requested use time period, wherein the current authentication request carries the current requested use time period of the resource to be requested;
determining the authentication list and the information of the user terminal carried in the current authentication request as an authentication certificate corresponding to the user terminal;
and sending the authentication certificate corresponding to the user terminal to the resource controller.
4. The system of claim 1, wherein the resource controller is specifically configured to:
receiving an authentication certificate corresponding to the user terminal sent by the resource manager;
digitally signing the authentication credential to obtain authentication information of the user terminal, so that a first field of the authentication information includes an algorithm used for digitally signing the authentication credential and a type of the authentication information, a second field of the authentication information includes information included in the authentication credential, and a third field of the authentication information includes: a digital signature corresponding to the user terminal;
and forwarding the authentication information of the user terminal to the resource manager.
5. The system of claim 1, wherein the resource manager is specifically configured to:
and comparing the hash value of the first information with the hash value of the second information, and judging whether the first information is the same as the second information.
6. An authorization method based on user terminal authentication is characterized in that the authorization method is applied to an authorization system based on user terminal authentication, and the authorization system comprises: a resource manager and a resource controller, the method comprising:
the resource manager receives an authentication request sent by a user terminal, wherein the authentication request carries a request use time period of resources to be requested, acquires state information of the resources stored in the resource controller from the resource controller, determines an operable time period of the stored resources based on the state information of the stored resources, determines an authentication credential corresponding to the user terminal when the operable time period of the stored resources contains the request use time period, and sends the authentication credential corresponding to the user terminal to the resource controller; the authentication request comprises: the information of the user terminal and the request information; the authentication credential includes an authentication list, and the authentication list records the operable authority of the user terminal over the stored resource and the environmental condition to be met for operating the stored resource;
the resource controller receives an authentication certificate corresponding to the user terminal, digitally signs the authentication certificate corresponding to the user terminal, obtains authentication information of the user terminal, and forwards the authentication information of the user terminal to the resource manager, wherein the authentication information comprises: the digital signature and the signature content corresponding to the user terminal, wherein the signature content comprises: the authentication credentials and the algorithm used by the digital signature;
the resource manager receives forwarded authentication information of a user terminal, sends the authentication information to a corresponding user terminal, judges whether first information and second information are the same or not when receiving an authorization request sent by the user terminal, forwards the authorization request to the resource controller when the first information and the second information are the same, environmental parameters of the user terminal meet environmental conditions met by resource operation in the authentication voucher and the request use time period is not expired, wherein the authorization request carries information of the user terminal and the authentication information, the first information is information of the user terminal in the authentication voucher in the authorization request, and the second information is information of the user terminal in the authorization request;
the resource controller receives the authorization request, carries out digital signature on an authentication certificate in authentication information carried in the authorization request according to an algorithm used by a digital signature in signature content of the authentication information to obtain a pending digital signature, responds to the authorization request when the pending digital signature is the same as the digital signature in the authentication information carried in the authorization request, and sends information responding to the authorization request to the resource manager;
and the resource manager receives the information of the response of the resource controller to the authorization request and forwards the information to the user terminal.
7. The method of claim 6, wherein the system further comprises an MQTT server, and the method further comprises the following step:
the MQTT server forwards interaction information between the resource manager and the resource controller, wherein the interaction information comprises: the authentication certificate corresponding to the user terminal, the authentication information of the user terminal, and the information of the resource controller responding to the authorization request.
8. The method of claim 6, further comprising:
the resource manager receives an authentication request sent by a user terminal, and acquires state information of resources stored in the resource controller within a preset time period after the current time from the resource controller;
determining an operable time period within a preset time period after the current time of a stored resource according to a current authentication request based on state information of the stored resource within the preset time period after the current time, and adding a request use time period of the resource to be requested, a preset operating authority of a user terminal to the stored resource and an environmental condition which meets the operation of the stored resource when the operable time period of the stored resource contains the current request use time period into a preset list to obtain an authentication list, wherein the current authentication request carries the current request use time period of the resource to be requested;
determining the authentication list and the information of the user terminal carried in the current authentication request as an authentication certificate corresponding to the user terminal;
and sending the authentication certificate corresponding to the user terminal to the resource controller.
9. The method of claim 6, further comprising:
the resource controller receives an authentication certificate corresponding to the user terminal sent by the resource manager; digitally signing the authentication credential to obtain authentication information of the user terminal, so that a first field of the authentication information includes an algorithm used for digitally signing the authentication credential and a type of the authentication information, a second field of the authentication information includes information included in the authentication credential, and a third field of the authentication information includes: a digital signature corresponding to the user terminal; and forwarding the authentication information of the user terminal to the resource manager.
10. The method of claim 6, further comprising:
and the resource manager compares the hash value of the first information with the hash value of the second information, and judges whether the first information is the same as the second information.
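The three-party flow of claims 1, 4 and 5 (credential issuance, controller signing, the manager's three checks, and the controller's re-signing check), as an added example that is not part of the patent or any implementation by its assignee. It assumes an HMAC-SHA256 keyed MAC as a stand-in for the controller's "digital signature" (the patent only states that the controller re-signs and compares, which requires a deterministic scheme), JSON field names of my own choosing, and a constructed booking schedule and clock.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

NOW = datetime(2019, 12, 18, 9, 0, tzinfo=timezone.utc)   # constructed clock
TERMINAL = {"id": "ut-0001", "owner": "alice"}             # constructed terminal info
def canonical(obj) -> bytes:
    """Deterministic encoding so manager and controller sign the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

class ResourceController:
    """Owns the resource and the signing key; re-derives every signature itself."""
    def __init__(self, key: bytes):
        self._key = key
        # constructed state: the resource is already booked 10:00-11:00 UTC
        self.busy = [(NOW + timedelta(hours=1), NOW + timedelta(hours=2))]

    def sign(self, credential: dict) -> dict:
        # Claim 4 layout: field 1 = algorithm + type, field 2 = credential, field 3 = signature
        sig = hmac.new(self._key, canonical(credential), hashlib.sha256).hexdigest()
        return {"header": {"alg": "HS256", "typ": "auth-info"},
                "credential": credential, "signature": sig}

    def authorize(self, request: dict) -> bool:
        info = request["auth_info"]
        if info["header"]["alg"] != "HS256":
            return False                      # only re-sign with an algorithm we accept
        pending = hmac.new(self._key, canonical(info["credential"]), hashlib.sha256).hexdigest()
        return hmac.compare_digest(pending, info["signature"])

class ResourceManager:
    def __init__(self, controller: ResourceController):
        self.ctrl = controller

    def authenticate(self, terminal: dict, start: datetime, end: datetime, env_condition: dict):
        """Issue a credential only if the requested window lies in an operable period."""
        if any(s < end and start < e for s, e in self.ctrl.busy):
            return None
        credential = {
            "auth_list": {"use_period": [start.isoformat(), end.isoformat()],
                          "authority": "operate", "env_condition": env_condition},
            "terminal": terminal,
            "determined_at": NOW.isoformat(),
            "expires_at": end.isoformat(),
        }
        return self.ctrl.sign(credential)

    def authorize(self, request: dict, env: dict, now: datetime) -> bool:
        """Three checks from claim 1, then forward to the controller."""
        cred = request["auth_info"]["credential"]
        first = hashlib.sha256(canonical(cred["terminal"])).digest()     # claim 5: compare hashes
        second = hashlib.sha256(canonical(request["terminal"])).digest()
        if not hmac.compare_digest(first, second):
            return False
        if any(env.get(k) != v for k, v in cred["auth_list"]["env_condition"].items()):
            return False                                                  # environment drifted
        if now > datetime.fromisoformat(cred["auth_list"]["use_period"][1]):
            return False                                                  # use period expired
        return self.ctrl.authorize(request)

def run(terminal=TERMINAL, env=None, now=NOW, tamper=False) -> bool:
    """End-to-end flow for a 09:00-10:00 request; the knobs simulate failure modes."""
    ctrl = ResourceController(key=b"constructed-controller-key")
    mgr = ResourceManager(ctrl)
    info = mgr.authenticate(TERMINAL, NOW, NOW + timedelta(hours=1), {"network": "lab-wifi"})
    if tamper:  # the client edits its own credential; the re-derived signature will not match
        info["credential"]["auth_list"]["authority"] = "admin"
    return mgr.authorize({"terminal": terminal, "auth_info": info}, env or {"network": "lab-wifi"}, now)
```

`run()` succeeds, while a different terminal, a changed environment, an expired window or an edited credential each fail at the check the claims assign to that condition.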
Application CN201911310892.4A, priority date 2019-12-18, filing date 2019-12-18: Authorization system and method based on user terminal authentication (granted as CN111181931B, status Active; family ID 70657395).

Publications (2)

Publication Number Publication Date
CN111181931A (en) 2020-05-19
CN111181931B (en) 2021-01-01

Country Status (1)

Country Link
CN (1) CN111181931B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB03 Change of inventor or designer information
Inventor before: Sun Yi, Lin Zhaowen, Zheng Xu, Cai Xiaohong, Zhang Yin
Inventor after: Sun Yi, Zhang Yin, Lin Zhaowen, Zheng Xu, Cai Xiaohong
GR01 Patent grant