CN111212095A - Authentication method, server, client and system for identity information - Google Patents

Authentication method, server, client and system for identity information

Publication number
CN111212095A
Authority
CN
China
Prior art keywords
client
short
server
time token
signature
Legal status
Granted
Application number
CN202010309505.1A
Other languages
Chinese (zh)
Other versions
CN111212095B (en)
Inventor
王栋
赵丽花
杨珂
廖会敏
玄佳兴
秦日臻
吕梓童
Current Assignee
Guowang Xiongan Finance Technology Group Co ltd
State Grid Blockchain Technology Beijing Co ltd
State Grid Digital Technology Holdings Co ltd
Original Assignee
Guowang Xiongan Finance Technology Group Co ltd
State Grid Blockchain Technology Beijing Co ltd
State Grid E Commerce Co Ltd
Application filed by Guowang Xiongan Finance Technology Group Co ltd, State Grid Blockchain Technology Beijing Co ltd, State Grid E Commerce Co Ltd
Priority to CN202010309505.1A
Publication of CN111212095A
Application granted
Publication of CN111212095B
Legal status: Active

Classifications

    All classifications fall under H (Electricity) › H04 (Electric communication technique) › H04L (Transmission of digital information, e.g. telegraphic communication):
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 ... for authentication of entities
    • H04L63/0876 ... based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/0815 ... providing single-sign-on or federations
    • H04L63/083 ... using passwords
    • H04L63/0846 ... using time-dependent passwords, e.g. periodically changing passwords
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0866 ... involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
    • H04L9/0869 ... involving random numbers or seeds
    • H04L9/32 ... including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226 ... using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3228 One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key
    • H04L9/3247 ... involving digital signatures
    • H04L9/3297 ... involving time stamps, e.g. generation of time stamps

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention provides an authentication method, a server, a client and a system for identity information. The method comprises the following steps: after receiving a login request from the client, the server determines whether the login request passes authentication according to the client's second public key, user name, first client timestamp and first short-time token. If the login request passes authentication, the server feeds a newly generated second short-time token back to the client; both the first and the second short-time token are generated from the user identity information, the device fingerprint information and a corresponding random number. The client carries the second short-time token when it sends a service request. If the server determines that the service request passes authentication, it determines the client's operation authority according to the client's predetermined security trust degree and processes the service request according to that authority. In this scheme the server generates the short-time token from the device fingerprint information, refreshes it after login authentication passes, and determines the client's operation authority from the security trust degree, which improves communication security.

Description

Authentication method, server, client and system for identity information
Technical Field
The invention relates to the technical field of computers, in particular to an authentication method, a server, a client and a system of identity information.
Background
With the development of internet technology, various application software is emerging in the market at present. In the process of using the application software, the authentication of the identity information needs to be completed between the client and the server.
The current authentication method between the client and the server is as follows: when a user first requests to log in to a server from a client with an account and a password, the server generates a token and returns it to the client; thereafter the client completes each data request to the server by carrying only the token, without the account information. On the one hand, the token serves as the sole identifier for authentication, so an attacker who intercepts it can forge data requests with it and steal data from the server. On the other hand, when a user leaks the account and password for whatever reason, an attacker can log in with the leaked account and password and steal data from the server.
Therefore, the security of the authentication method between the client and the server is poor at present.
Disclosure of Invention
In view of this, embodiments of the present invention provide an authentication method, a server, a client and a system for identity information, so as to solve the problem of poor security in the current authentication method.
In order to achieve the above purpose, the embodiments of the present invention provide the following technical solutions:
the first aspect of the embodiment of the invention discloses an authentication method of identity information, which is applied to a server and comprises the following steps:
after receiving a login request sent by a client, generating a first public key and a first private key, and sending the first public key to the client to enable the client to generate a second public key and a second private key;
determining whether the login request passes authentication according to the second public key, the user name, a first client timestamp and a first short-time token fed back by the client, wherein the first short-time token is generated by a server according to user identity information, equipment fingerprint information and a first random number and is sent to the client, a first validity period of the first short-time token is preset according to the security trust level of the client, and the security trust level is determined according to the user identity information or the equipment fingerprint information;
if the login request passes the authentication, updating the first random number and the first validity period corresponding to the first short-time token, generating a second short-time token, and feeding the second short-time token back to the client, so that the client replaces the first short-time token with the second short-time token;
receiving a service request sent by a client, and acquiring the second short-time token and a second client timestamp carried in the service request;
if the second client timestamp meets a time condition and the second short-time token is not expired, determining that the service request passes authentication;
and determining the operation authority of the client according to an operation authority comparison table and the security trust degree of the client, and processing the service request according to the operation authority, wherein the operation authority comparison table comprises the corresponding relation between the security trust degree and the operation authority.
Preferably, the determining whether the login request is authenticated according to the second public key, the user name, the first client timestamp, and the first short-time token fed back by the client includes:
receiving a first signature fed back by the client, wherein the first signature is obtained by encrypting the second public key, the user name, the first client timestamp and a second signature by the client by using the first public key, and the second signature is obtained by encrypting the first short-time token and the first client timestamp by the client by using a preset encryption algorithm;
decrypting the first signature by using the first private key to obtain the second public key, the user name, the first client timestamp and the second signature;
if the difference between the first server timestamp and the first client timestamp is greater than or equal to a first time threshold, determining that the login request fails authentication;
if the difference between the first server timestamp and the first client timestamp is smaller than the first time threshold, determining the corresponding password and device ID according to the user name;
encrypting the second public key, the device ID, the first client timestamp and the second signature by using the first public key to obtain a third signature;
and if the third signature is verified to be consistent with the first signature, determining that the login request passes the authentication.
Preferably, the feeding back the second short-time token to the client includes:
encrypting the second short-time token by using the second public key to obtain a fourth signature;
and feeding back the fourth signature to the client, so that the client decrypts the fourth signature by using the second private key to obtain the second short-time token.
Preferably, the receiving a service request sent by a client, and acquiring the second short-time token and the second client timestamp carried in the service request includes:
receiving a service request which is sent by the client and carries a fifth signature, wherein the fifth signature is obtained by encrypting a sixth signature and the second client timestamp by the client according to the first public key, and the sixth signature is obtained by encrypting the second short-time token and the second client timestamp by the client according to a preset encryption algorithm;
decrypting the fifth signature by using the first private key to obtain a sixth signature and a second client timestamp;
and decrypting the sixth signature by using the preset encryption algorithm to obtain the second short-time token.
Preferably, if the second client timestamp meets the time condition and the second short-time token is not expired, determining that the service request is authenticated includes:
and if the difference value between the second server timestamp and the second client timestamp is smaller than a second time threshold value and the second short-time token is determined to be not expired according to a second validity period, determining that the service request passes the authentication.
Preferably, the method further comprises the following steps:
if the second client timestamp meets a time condition and the second short-time token is expired, updating a second random number and a second validity period corresponding to the second short-time token to generate a third short-time token;
and feeding back the third short-time token to the client, so that the client sends a service request carrying the third short-time token and a third client timestamp, and returning to the step of receiving the service request.
The second aspect of the embodiment of the invention discloses an authentication method of identity information, which is applied to a client, and the method comprises the following steps:
sending a login request to a server, and receiving a first public key fed back by the server, wherein the first public key and a first private key are generated by the server;
generating a second public key and a second private key;
sending the second public key, the user name, a first client timestamp and a first short-time token to the server to enable the server to determine whether the login request passes authentication, wherein the first short-time token is generated by the server according to user identity information, equipment fingerprint information and a first random number and is sent to the client, a first validity period of the first short-time token is preset according to the security trust degree of the client, and the security trust degree is determined according to the user identity information or the equipment fingerprint information;
receiving a second short-time token fed back by the server, replacing the first short-time token with the second short-time token, and determining that the login request passes authentication, wherein the second short-time token is generated by updating the first random number and the first validity period corresponding to the first short-time token by the server;
and sending a service request carrying at least the second short-time token and a second client timestamp to the server, so that the server determines whether the service request passes authentication according to the second short-time token and the second client timestamp, and processes the service request according to the security trust degree of the client.
Preferably, the sending the second public key, the user name, the first client timestamp, and the first short-time token to the server includes:
encrypting the first short-time token and the first client timestamp by using a preset encryption algorithm to obtain a second signature;
encrypting the second public key, the user name, the first client timestamp and the second signature by using the first public key to obtain a first signature;
and sending the first signature to the server, so that the server decrypts the first signature by using the first private key to obtain the second public key, the user name, the first client timestamp and the second signature.
Preferably, the receiving the second short-time token fed back by the server includes:
receiving a fourth signature fed back by the server, wherein the fourth signature is obtained by encrypting a second short-time token by the server according to the second public key;
and decrypting the fourth signature by using the second private key to obtain the second short-time token.
Preferably, the sending the service request carrying at least the second short-time token and the second client timestamp to the server includes:
encrypting the second short-time token and the second client timestamp by using a preset encryption algorithm to obtain a sixth signature;
encrypting the sixth signature and the second client timestamp by using the first public key to obtain a fifth signature;
and sending the service request carrying the fifth signature to the server, so that the server decrypts the fifth signature based on the first private key and the preset encryption algorithm to obtain the second short-time token and the second client timestamp.
Preferably, after sending the service request carrying at least the second short-time token and the second client timestamp to the server, the method further includes:
receiving a third short-time token fed back by the server, wherein the third short-time token is generated by updating a second random number and a second validity period corresponding to the second short-time token by the server;
and sending a service request carrying at least the third short-time token and a third client timestamp to the server.
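The server-side flow of the first aspect and its client-side mirror in the second aspect can be followed end to end in code. The following is an added example written for this page, not code from the patent or its assignees. It models the short-time token as an HMAC over the user name, the device fingerprint and a fresh random number (a constructed choice; the patent does not name the token construction), chooses the validity period from the security trust degree, refreshes the token on a successful login and again when a service request arrives with a valid timestamp but an expired token, and resolves the operation from a trust-to-authority table. The server secret, the thresholds, the validity periods and the authority table are all assumptions. The public-key layer (first/second key pairs, first through sixth "signatures") is left out: public-key encryption with randomized padding does not produce a repeatable ciphertext, so the patent's "re-encrypt and compare with the first signature" step is modelled here as the server looking up the device ID by user name, regenerating the expected token from the stored random number, and comparing in constant time.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed parameters for this example; the thresholds, validity periods and
# permission table are assumptions, not values taken from the patent.
SERVER_SECRET = b"constructed-server-token-key"   # assumed server-only key for token derivation
FIRST_TIME_THRESHOLD = 60.0    # login: |server timestamp - client timestamp| must be below this
SECOND_TIME_THRESHOLD = 30.0   # service request: same check with a tighter window
VALIDITY_BY_TRUST = {"low": 300.0, "medium": 900.0, "high": 3600.0}   # validity period per trust degree
AUTHORITY_TABLE = {            # operation authority comparison table: trust degree -> permitted operations
    "low": {"read"},
    "medium": {"read", "write"},
    "high": {"read", "write", "admin"},
}


class ManualClock:
    """Deterministic clock so skew and expiry checks can be exercised without sleeping."""

    def __init__(self, start: float = 1_700_000_000.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now


@dataclass
class ShortTimeToken:
    nonce: bytes        # the random number; replaced on every refresh
    expires_at: float   # end of the validity period (server clock)
    value: str          # the string the client actually carries


@dataclass
class UserRecord:
    device_id: str      # device fingerprint registered for this user (constructed)
    trust: str          # security trust degree, fixed at registration in this example
    token: Optional[ShortTimeToken] = None


def derive_token(username: str, device_id: str, nonce: bytes) -> str:
    """Short-time token: keyed hash over user identity, device fingerprint and random number."""
    msg = b"|".join([username.encode(), device_id.encode(), nonce.hex().encode()])
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


class Server:
    def __init__(self, clock=time.time) -> None:
        self.clock = clock
        self.users: dict = {}   # username -> UserRecord

    def _issue(self, username: str, user: UserRecord) -> str:
        """New random number plus a validity period chosen by trust degree."""
        nonce = secrets.token_bytes(16)
        expires_at = self.clock() + VALIDITY_BY_TRUST[user.trust]
        user.token = ShortTimeToken(nonce, expires_at, derive_token(username, user.device_id, nonce))
        return user.token.value

    def register(self, username: str, device_id: str, trust: str) -> str:
        """Registration returns the first short-time token."""
        self.users[username] = UserRecord(device_id, trust)
        return self._issue(username, self.users[username])

    def _token_matches(self, username: str, user: UserRecord, presented: str) -> bool:
        # Look up the device ID by username, regenerate the expected token from the stored
        # random number and compare in constant time: a token minted for another device fails.
        expected = derive_token(username, user.device_id, user.token.nonce)
        return hmac.compare_digest(expected, presented)

    def login(self, username: str, client_ts: float, presented: str) -> Optional[str]:
        """Returns the second short-time token on success, None when authentication fails."""
        if abs(self.clock() - client_ts) >= FIRST_TIME_THRESHOLD:
            return None   # stale or replayed login request
        user = self.users.get(username)
        if user is None or not self._token_matches(username, user, presented):
            return None
        return self._issue(username, user)   # refresh: the first token is now replaced

    def service(self, username: str, client_ts: float, presented: str,
                operation: str) -> Tuple[str, Optional[str]]:
        """Returns (verdict, refreshed_token); verdict is rejected, refresh, allowed or denied."""
        if abs(self.clock() - client_ts) >= SECOND_TIME_THRESHOLD:
            return ("rejected", None)
        user = self.users.get(username)
        if user is None or not self._token_matches(username, user, presented):
            return ("rejected", None)
        if self.clock() >= user.token.expires_at:
            # Timestamp acceptable but token expired: hand out a third short-time token
            # and let the client resend its request carrying it.
            return ("refresh", self._issue(username, user))
        verdict = "allowed" if operation in AUTHORITY_TABLE[user.trust] else "denied"
        return (verdict, None)


if __name__ == "__main__":
    clock = ManualClock()
    srv = Server(clock)
    first = srv.register("alice", "fp-constructed-device", "medium")
    second = srv.login("alice", clock.now, first)
    print("login:", "ok" if second else "failed")
    print("write:", srv.service("alice", clock.now, second, "write")[0])
    clock.now += VALIDITY_BY_TRUST["medium"]
    print("after expiry:", srv.service("alice", clock.now, second, "read")[0])
```

Two points the walk-through makes visible: once a refresh has happened, the superseded token is rejected because the stored random number changed, which is what limits the window an intercepted token is useful for; and a timestamp outside the threshold is rejected before any token work is done, so a captured request cannot simply be replayed later.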
A third aspect of the embodiments of the present invention discloses a server, including:
the first processing unit is used for generating a first public key and a first private key after receiving a login request sent by a client, and sending the first public key to the client so that the client generates a second public key and a second private key;
a determining unit, configured to determine whether the login request passes authentication according to the second public key, the user name, a first client timestamp, and a first short-time token fed back by the client, where the first short-time token is generated by the server according to user identity information, device fingerprint information, and a first random number and is sent to the client, a first validity period of the first short-time token is preset according to security trust of the client, and the security trust is determined according to the user identity information or the device fingerprint information;
the updating feedback unit is used for updating the first random number and the first validity period corresponding to the first short-time token if the login request passes the authentication, generating a second short-time token, and feeding the second short-time token back to the client, so that the client replaces the first short-time token with the second short-time token;
the second processing unit is used for receiving a service request sent by a client, acquiring a second short-time token and a second client timestamp carried in the service request, and determining that the service request passes authentication if the second client timestamp meets a time condition and the second short-time token is not expired;
and the third processing unit is used for determining the operation authority of the client according to an operation authority comparison table and the security trust degree of the client, and processing the service request according to the operation authority, wherein the operation authority comparison table comprises the corresponding relation between the security trust degree and the operation authority.
A fourth aspect of the present invention discloses a client, where the client includes:
the communication unit is used for sending a login request to a server and receiving a first public key fed back by the server, wherein the first public key and a first private key are generated by the server;
a generating unit configured to generate a second public key and a second private key;
a first sending unit, configured to send the second public key, the user name, a first client timestamp, and a first short-time token to the server, so that the server determines whether the login request passes authentication, where the first short-time token is generated by the server according to user identity information, device fingerprint information, and a first random number and is sent to the client, a first validity period of the first short-time token is preset according to security trust of the client, and the security trust is determined according to the user identity information or the device fingerprint information;
the processing unit is used for receiving a second short-time token fed back by the server, replacing the first short-time token with the second short-time token, and determining that the login request passes authentication, wherein the second short-time token is generated by updating the first random number and the first validity period corresponding to the first short-time token by the server;
a second sending unit, configured to send a service request carrying at least the second short-time token and a second client timestamp to the server, so that the server determines, according to the second short-time token and the second client timestamp, whether the service request passes authentication, and makes the server process the service request according to the security trust level of the client.
A fifth aspect of the present invention discloses an authentication system for identity information, the system including: a server disclosed in the third aspect of the embodiments of the present invention and a client disclosed in the fourth aspect of the embodiments of the present invention.
The authentication method, server, client and system for identity information provided by the embodiment of the invention work as follows. After receiving the client's login request, the server generates a first public key and sends it to the client. The server determines whether the login request passes authentication according to the client's second public key, user name, first client timestamp and first short-time token. If the login request passes authentication, the server feeds a newly generated second short-time token back to the client; both the first and the second short-time token are generated from the user identity information, the device fingerprint information and a corresponding random number. The client carries the second short-time token when it sends a service request to the server. If the server determines that the service request passes authentication, it determines the client's operation authority according to the client's predetermined security trust degree and processes the service request according to that authority. In this scheme the server generates the short-time token from the device fingerprint information and refreshes it after login authentication passes, which improves the security of the short-time token. When the server and the client communicate, the client encrypts what it transmits with the first public key and the server encrypts what it transmits with the second public key, so that an attacker who intercepts the traffic cannot read it, which improves communication security.
After the service request of the client passes the authentication, the server determines the operation authority of the client through the safety trust degree, and determines whether to respond to the service request according to the operation authority, so that the requirement of dynamic credit granting is realized.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a schematic structural diagram of an authentication system for identity information according to an embodiment of the present invention;
fig. 2 is a flowchart of an authentication method for identity information according to an embodiment of the present invention;
fig. 3 is a flowchart of determining whether a login request is authenticated according to an embodiment of the present invention;
fig. 4 is a flowchart of the server feeding back the second short-time token to the client according to the embodiment of the present invention;
fig. 5 is a flowchart of transmission of a second short-time token and a second client timestamp according to an embodiment of the present invention;
fig. 6 is a block diagram of a server according to an embodiment of the present invention;
fig. 7 is a block diagram of a client according to an embodiment of the present invention;
fig. 8 is a block diagram of an authentication system for identity information according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In this application, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
As can be seen from the background art, the existing authentication method between the client and the server uses a token as the sole identifier for authentication. An attacker who intercepts the token can forge data requests with it to steal data from the server, and when a user leaks the account and password for whatever reason, an attacker can log in with the leaked account and password and steal data from the server. In other words, the existing authentication method between the client and the server has poor security.
Therefore, the embodiment of the invention provides an authentication method, a server, a client and a system for identity information. When the server and the client communicate with each other, the client encrypts the transmission information by using the first public key, and the server encrypts the transmission information by using the second public key, so that an attacker is prevented from intercepting the transmitted information, and the communication safety is improved.
In order to better understand what is shown in the following embodiments of the present invention, some terms referred to in the embodiments of the present invention are explained.
Zero trust security framework: a security model whose core idea is that no person or device is trusted implicitly.
Device fingerprint information: a globally unique device ID generated for each operating device with device fingerprinting techniques, representing the unique characteristics of that device. Device fingerprint information can be generated by an active method, a passive method, or a hybrid method that combines parts of the active and passive methods.
Security trust degree: a quantitative representation of trust, used to measure how much trust is placed in a user or device.
Token: in the identity authentication process between the client and the server, a character string generated by the server according to a certain rule; the client carries this token when making service requests.
To better explain the interaction between the client and the server, the illustration is made by the contents shown in fig. 1, and it should be noted that the contents shown in fig. 1 are only for illustration.
Referring to fig. 1, a schematic structural diagram of an authentication system for identity information provided in an embodiment of the present invention is shown, where the authentication system includes a client and a server.
The server side comprises a user registration device, an identity authentication device, a trust degree evaluation device and a dynamic trust device. The client side is at least one of a PC, a mobile terminal and a device. The functions of each device on the server side are explained as follows.
The user registration device: when the client side registers, the client side sends the user identity information and the equipment fingerprint information to the user registration device, the user registration device processes the user identity information and the equipment fingerprint information by using a Hash encryption algorithm to obtain a short-time token, and the short-time token is fed back to the client side.
The identity authentication device: when a client sends a login request to a server, the server needs to perform identity authentication on the client, that is, whether the login request passes the authentication is determined. The client sends the user identity information, the short-time token of the client and the client timestamp to an identity authentication device in an encryption transmission mode, and the identity authentication device performs identity authentication on the client by using the received information. After the client passes the identity authentication, the identity authentication device updates the short-time token and sends the updated short-time token to the client in an encryption transmission mode.
Meanwhile, when the identity authentication device updates the short-time token, the validity period of the short-time token is set according to the security trust degree of the client.
A trust level evaluation device: and establishing the security trust level of the user and the equipment of the client through the user identity information and the equipment fingerprint information, wherein different security trust levels correspond to different security trust degrees.
The dynamic credit granting device: and setting minimum operation authority for the user of the client registered in the server according to the zero trust security framework. And dynamically adjusting the operation authority according to the change of the security trust degree in the process that the user continuously uses the client.
That is to say, after the client sends a service request to the server and the service request passes authentication, the dynamic trust device determines the operation authority according to the security trust degree and responds to (executes) the service request only if the operation authority satisfies the service request; if the operation authority does not satisfy the service request, the service request is not executed.
It should be noted that the content in fig. 1 is only used for illustration, and specific contents of an authentication method, a server, a client, and a system for identity information provided by the embodiment of the present invention are described in detail below.
Referring to fig. 2, a flowchart of an authentication method for identity information according to an embodiment of the present invention is shown, where the authentication method includes the following steps:
step S201: the client sends a login request to the server.
It should be noted that the client completes registration in the server in advance, when the client registers, the client sends the user identity information and the device fingerprint information to the server, the server performs corresponding audit, and after the audit is passed, the server generates a short-time token by using the user identity information, the device fingerprint information and the random number, and sends the short-time token to the client.
The server generates the short-time token in the following way:
The server acquires the user identity information (the formula image at this position is not reproduced in the text).
The server extracts the device serial number ID or Mobile Equipment Identifier (MEID), the International Mobile Equipment Identity (IMEI) and the International Mobile Subscriber Identity (IMSI) from the device fingerprint information, and combines the obtained ID or MEID, IMEI and IMSI into a character string T = generation(ID/MEID, IMEI, IMSI).
The server collects a random number Random and calculates the hash value of Random using a hash encryption algorithm, as in formula (1) (formula image not reproduced).
Using the hash encryption algorithm, the server calculates the hash value of the user identity information, T and the hash value of Random taken together, as in formula (2) (formula image not reproduced); the result is R.
The server calculates the hash value of R using the hash encryption algorithm; this hash value is the short-time token, as in formula (3) (formula image not reproduced).
According to the formulas, the short-time token is generated entirely by the server without the assistance of other equipment, which keeps the token private. The server includes the random number, which makes the token unpredictable. At the same time, because the token is derived from the user identity information, the device fingerprint information and the random number together, the token is bound to both the user and the device, so each token is unique to one user on one device.
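The three-step derivation above, written out as an added example; this is not code from the patent or its applicants. The description names no concrete hash algorithm, no framing for the hashed fields and no definition of generation(), so SHA-256, a length-prefixed join of the fields and a length-prefixed join for T are assumptions made here, and all identifiers are constructed.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strings"
)

// DeviceFingerprint carries the identifiers the description extracts from the
// device fingerprint information. All values used here are constructed.
type DeviceFingerprint struct {
	SerialOrMEID string // device serial number ID or MEID
	IMEI         string
	IMSI         string
}

// deviceString builds T = generation(ID/MEID, IMEI, IMSI). The description does
// not define generation(); a length-prefixed join is assumed so that different
// splits of the same characters cannot produce the same T.
func deviceString(fp DeviceFingerprint) string {
	var b strings.Builder
	for _, p := range []string{fp.SerialOrMEID, fp.IMEI, fp.IMSI} {
		fmt.Fprintf(&b, "%d:%s;", len(p), p)
	}
	return b.String()
}

// hashFields is the "hash encryption algorithm" of the description, assumed
// here to be SHA-256 over length-prefixed fields so that hashing (a, b) and
// hashing the single string a||b give different results.
func hashFields(fields ...[]byte) []byte {
	h := sha256.New()
	var n [4]byte
	for _, f := range fields {
		binary.BigEndian.PutUint32(n[:], uint32(len(f)))
		h.Write(n[:])
		h.Write(f)
	}
	return h.Sum(nil)
}

// NewRandom draws the random number Random from the OS CSPRNG.
func NewRandom() ([]byte, error) {
	r := make([]byte, 32)
	if _, err := rand.Read(r); err != nil {
		return nil, err
	}
	return r, nil
}

// ShortTimeToken follows the derivation: formula (1) hashes the random number,
// formula (2) hashes user identity, T and that hash into R, and formula (3)
// hashes R to give the token (hex-encoded here for transport).
func ShortTimeToken(userInfo string, fp DeviceFingerprint, random []byte) string {
	hRandom := hashFields(random)                                        // (1)
	r := hashFields([]byte(userInfo), []byte(deviceString(fp)), hRandom) // (2)
	return hex.EncodeToString(hashFields(r))                              // (3)
}

func main() {
	// constructed identifiers, not real device values
	fp := DeviceFingerprint{SerialOrMEID: "SN-0001", IMEI: "350000000000001", IMSI: "460000000000001"}
	random, err := NewRandom()
	if err != nil {
		panic(err)
	}
	fmt.Println("short-time token:", ShortTimeToken("user-alice", fp, random))
	// A new random number yields a different token for the same user and device,
	// which is what the refresh in step S206 relies on.
	random2, _ := NewRandom()
	fmt.Println("refreshed token: ", ShortTimeToken("user-alice", fp, random2))
}
```

The token is deterministic for a fixed (user, device, random) triple, so the server can regenerate it for comparison as long as it stores the random number, and any change to the user, to a single fingerprint field or to the random number produces an unrelated token.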
In the process of implementing step S201 specifically, it should be noted that when the client sends a login request to the server, the user needs to input a user name and a password.
Step S202: the server generates a first public key and a first private key, and the server sends the first public key to the client.
In the process of implementing step S202 specifically, after the server receives the login request sent by the client, the server generates the first public key and the first private key using the RSA algorithm, stores the first private key in its local memory, and sends the first public key to the client.
It should be noted that the server may also use other algorithms to generate the first public key and the first private key, which is not limited in this respect.
Step S203: the client generates a second public key and a second private key.
In the process of implementing step S203, after receiving the first public key sent by the server, the client generates a second public key and a second private key by using an RSA algorithm, and the client stores the second private key in the local memory.
Step S204: and the client sends the second public key, the user name, the first client timestamp and the first short-time token to the server.
It should be noted that the server generates the first short-time token in advance according to the user identity information, the device fingerprint information, and the first random number, the server sets a first validity period of the first short-time token according to the security trust level of the client, and the server sends the first short-time token to the client.
It should be noted that, the manner of generating the first short-time token by the server may refer to the content in step S201, and is not described herein again.
It should be further noted that the server determines the security trust level of the client according to the user identity information or the device fingerprint information, and as can be seen from the foregoing, when the validity period of the short-time token is set, different security trust levels correspond to different validity periods.
For example: when the short-time token corresponding to the client is generated for the 1 st time, the valid period of the short-time token is set as a default value (7 days). With the increase of the security trust degree of the user using the client, the validity period is set to 10 days when the validity period of the short-time token is set next time.
It can be understood that the security trust level of the user and the device of the client is established, and the corresponding security trust level is determined according to the security trust level of the user or the device. The specific way to establish the security trust level of the user and the device is as follows:
establishing a security trust level mode of a user: and establishing a safety trust level of the user according to the use requirement of the service scene. The newly registered user or the user with the service utilization rate lower than the first utilization rate threshold is defined as a new user, the user with the service utilization rate between the first utilization rate threshold and the second utilization rate threshold is defined as a common user, the user with the service utilization rate between the second utilization rate threshold and the third utilization rate threshold is defined as a seed user, and the user with the service utilization rate higher than the third utilization rate threshold and with functional requirements on the service is defined as a core user.
Wherein the third usage threshold is greater than the second usage threshold, which is greater than the first usage threshold.
That is, different security trust degrees are set for users with different security trust levels, wherein the security trust degree of the new user is the lowest, and the security trust degree of the core user is the highest. And as the service utilization rate of the user is increased, the security trust level of the user also changes, for example, as the service utilization rate of the new user is increased to a range from the first utilization rate threshold to the second utilization rate threshold, the security trust level of the new user is increased to a common user.
Establishing the security trust level of the device: the security level of the device is determined according to the type of the device and the impact a compromise of the device would have on the service system, and the devices are divided into four classes by security level, namely general devices, main devices, key devices and core devices. A device that has no security requirement and is used for non-security services is defined as a general device; a device used by a service system with ordinary security requirements is defined as a main device; a device with high security requirements that is connected to an important service system of the company is defined as a key device; and a device that carries the core services of the company and sits at a critical node of those services is defined as a core device.
That is to say, devices with different security trust levels correspond to different security trust degrees, where the security trust degree of a general device is the lowest and that of a core device is the highest.
It can be understood that the security trust level of the user and the device is established by collecting behavior information such as user identity information, frequency of the user using the client and the like, and collecting user track information such as device IP, location characteristics and the like of the user, and when the security trust level of the user or the device changes, the security trust level also changes correspondingly.
In the process of implementing step S204 specifically, the client encrypts the second public key, the user name, the first client timestamp, and the first short-time token by using the first public key and the RSA algorithm, and feeds back the encrypted second public key, the user name, the first client timestamp, and the first short-time token to the server.
Step S205: and the server determines whether the login request passes the authentication or not according to the second public key, the user name, the first client timestamp and the first short-time token. If the login request is authenticated, step S206 is executed, and if the login request is not authenticated, login error information indicating that the login request is not authenticated is fed back to the client.
In the process of specifically implementing step S205, the server decrypts the encrypted second public key, the user name, the first client timestamp, and the first short-time token by using the first private key, so as to obtain the second public key, the user name, the first client timestamp, and the first short-time token.
And the server determines whether the login request passes the authentication or not by utilizing the second public key, the user name, the first client timestamp and the first short-time token.
Step S206: and the server updates the first random number and the first validity period corresponding to the first short-time token, generates a second short-time token and feeds the second short-time token back to the client.
In the process of implementing step S206, it is understood that the server generates the short-time token according to the user identity information, the device fingerprint information and the random number. And the server updates the first random number and the first validity period corresponding to the first short-time token and generates a second short-time token (refreshToken). That is, the server generates a second short-time token according to the user identity information, the device fingerprint information, and the second random number, and sets a second validity period of the second short-time token.
For details of the process of generating the second short-time token, reference may be made to the content in step S201, and details are not described herein again.
And after the server generates the second short-time token, feeding the second short-time token back to the client.
Step S207: the client replaces the first ephemeral token with the second ephemeral token.
In the process of implementing step S207 specifically, when the client receives the second short-time token, it determines that the login request passes authentication. The client saves the second short-time token in the local memory, and replaces the originally saved first short-time token.
Step S208: and the client sends a service request carrying at least a second short-time token and a second client time stamp to the server.
In the process of implementing step S208 specifically, the client encrypts the second short-time token and the second client timestamp using the first public key and the RSA algorithm, and sends the service request carrying the encrypted second short-time token and the encrypted second client timestamp to the server.
Step S209: and the server acquires a second short-time token and a second client timestamp carried in the service request.
In the process of implementing step S209 specifically, the server decrypts the encrypted second short-time token and the second client timestamp by using the first private key, so as to obtain the second short-time token and the second client timestamp.
Step S210: the server determines whether the service request passes the authentication, if the service request passes the authentication, step S211 is executed, and if the service request does not pass the authentication, re-login information indicating that re-login is required is fed back to the client.
In the process of implementing step S210 specifically, the server determines whether the timestamp of the second client satisfies the time condition, and if the timestamp of the second client does not satisfy the time condition, the server feeds back re-login information indicating that re-login is required to the client.
The time condition is as follows: the difference between the second server timestamp and the second client timestamp is less than a second time threshold.
And if the difference value between the second server timestamp and the second client timestamp is smaller than a second time threshold value and the second short-time token is determined to be not expired according to the second validity period, the server determines that the service request passes the authentication.
Preferably, if the timestamp of the second client meets the time condition and the second short-time token is expired, the server updates the second random number and the second validity period corresponding to the second short-time token to generate a third short-time token.
The server feeds the third short-time token back to the client, and the client sends a service request carrying the third short-time token and a third client timestamp to the server. That is, execution returns to step S209, with the second short-time token and the second client timestamp of step S209 replaced by the third short-time token and the third client timestamp.
If the difference between the third server timestamp and the third client timestamp is smaller than the second time threshold but it is determined according to the third validity period that the third short-time token has expired, the server feeds back re-login information indicating that re-login is required to the client.
If the difference between the third server timestamp and the third client timestamp is smaller than the second time threshold, and it is determined that the third short-time token is not expired according to the third validity period of the third short-time token, step S211 is executed.
Step S211: and the server determines the operation authority of the client according to the operation authority table and the safety trust degree of the client.
In the process of implementing step S211 specifically, it can be understood that the corresponding relationship between the security trust and the operation authority is preset to obtain the operation authority comparison table, that is, the security trust in the operation authority table has the corresponding operation authority.
And the server determines the operation authority of the client according to the operation authority table and the safety trust degree of the client.
Step S212: the server judges whether the operation authority meets the service request. And if the operation authority meets the service request, responding to the service request, and if the operation authority does not meet the service request, feeding back operation failure information indicating operation failure to the client.
It should be noted that, different operation permissions can satisfy different service requests, and in the process of implementing step S212 specifically, the server determines whether the operation permission satisfies the service request. And if the operation authority meets the service request, responding to the service request, and if the operation authority does not meet the service request, feeding back operation failure information indicating operation failure to the client.
In the embodiment of the invention, the server generates the short-time token by using the equipment fingerprint information, and refreshes the short-time token after the login authentication is passed, thereby improving the safety of the short-time token. When the server communicates with the client, the client encrypts the transmission information by using the first public key, and the server encrypts the transmission information by using the second public key, so that an attacker is prevented from intercepting the transmitted information, and the communication safety is improved. After the service request of the client passes the authentication, the server determines the operation authority of the client through the safety trust degree, and determines whether to respond to the service request according to the operation authority, so that the requirement of dynamic credit granting is realized.
Referring to fig. 3, which shows a flowchart of the process in step S205 of fig. 2 for determining whether the login request passes authentication according to the embodiment of the invention, the process includes the following steps:
step S301: the server receives a first signature (sign) fed back by the client.
It should be noted that, when the client receives the first public key, the client splices the first short-time token and the first client timestamp and then applies a preset encryption algorithm, for example SHA-1 (Secure Hash Algorithm 1), to the spliced first short-time token and first client timestamp to obtain the second signature.
The client splices the second public key, the user name, the first client timestamp and the second signature, encrypts the spliced result by using the first public key and an RSA algorithm to obtain a first signature, and feeds the first signature back to the server.
Step S302: the server decrypts the first signature by using the first private key to obtain a second public key, a user name, a first client timestamp and a second signature.
In the process of specifically implementing step S302, as can be known from the content in step S301, the client encrypts the second public key, the user name, the first client timestamp, and the second signature by using the first public key to obtain the first signature. Therefore, the server decrypts the first signature by using the first private key and the RSA algorithm to obtain a second public key, a user name, a first client timestamp and a second signature.
Step S303: if the difference value between the first server time stamp and the first client time stamp is larger than or equal to the first time threshold value, the server determines that the login request is not authenticated.
In the process of implementing step S303, the server obtains a local time (a first server timestamp), compares the first server timestamp with the first client timestamp, and if a difference between the first server timestamp and the first client timestamp is greater than or equal to a first time threshold, the server determines that the login request is not authenticated.
Step S304: and if the difference value between the first server timestamp and the first client timestamp is smaller than a first time threshold, the server determines a corresponding password and a corresponding device ID according to the user name.
In the process of implementing step S304 specifically, if the difference between the first server timestamp and the first client timestamp is smaller than the first time threshold, the server queries the password and the device ID corresponding to the user name according to the user name.
Step S305: and the server encrypts the second public key, the equipment ID, the first client timestamp and the second signature by using the first public key to obtain a third signature.
In the process of implementing step S305, the server repeats the encryption process of the client in step S301, that is, encrypts the second public key, the device ID, the first client timestamp, and the second signature by using the first public key, to obtain a third signature.
It can be understood that the encryption process and encryption method of the server and the client are the same. The server compares the third signature with the first signature, and if the third signature is verified to be consistent with the first signature, the content of the first signature is consistent with the content of the third signature. That is, the content of the first signature is determined to be authentic, i.e., the server determines that the login request passes authentication.
Step S306: and if the third signature is verified to be consistent with the first signature, the server determines that the login request passes the authentication.
In the embodiment of the invention, when the client transmits information to the server, the client encrypts the transmitted information by using the first public key, and the server decrypts the transmitted information by using the first private key after acquiring the transmitted information, so that an attacker is prevented from intercepting the transmitted information, and the communication safety is improved.
Referring to fig. 4, which shows a flowchart of the process in step S206 of fig. 2 in which the server feeds the second short-time token back to the client according to the embodiment of the invention, the process includes the following steps:
step S401: and the server encrypts the second short-time token by using the second public key to obtain a fourth signature.
As can be seen from the foregoing, the second public key and the second private key are generated by the client, and the client sends the second public key to the server.
In the process of implementing step S401 specifically, the server encrypts the second short-time token by using the second public key and the RSA algorithm to obtain a fourth signature.
Step S402: and the server feeds the fourth signature back to the client.
Step S403: and the client decrypts the fourth signature by using the second private key to obtain a second short-time token.
In the specific implementation process of step S403, the client decrypts the fourth signature by using the second private key and the RSA algorithm to obtain the second short-time token, and stores the second short-time token in the local memory to replace the first short-time token.
In the embodiment of the invention, the server refreshes the first short-time token after the login authentication is passed, and feeds back the obtained second short-time token to the client in an encryption transmission mode, so that the safety of the short-time token is improved, and the safety of information transmission is also ensured.
Referring to fig. 5, which shows a flowchart of the transmission of the second short-time token and the second client timestamp in steps S208 and S209 of fig. 2, in which the client sends a service request carrying at least the second short-time token and the second client timestamp to the server, the process includes the following steps:
step S501: and the client encrypts the second short-time token and the second client timestamp by using a preset encryption algorithm to obtain a sixth signature.
In the process of implementing the step S501 specifically, when the client sends the service request to the server after the login request passes the authentication, the client concatenates the second short-time token and the second client timestamp and encrypts the second short-time token and the second client timestamp by using a preset encryption algorithm (for example, SHA-1 algorithm), so as to obtain a sixth signature.
Step S502: and the client encrypts the sixth signature and the second client timestamp by using the first public key to obtain a fifth signature.
In the process of implementing step S502 specifically, the client encrypts the sixth signature and the second client timestamp using the first public key and the RSA algorithm to obtain the fifth signature.
Step S503: and the client sends the service request carrying the fifth signature to the server.
Step S504: and the server decrypts the fifth signature by using the first private key to obtain a sixth signature and a second client timestamp.
In the process of implementing step S504 specifically, the server decrypts the fifth signature by using the first private key and the RSA algorithm to obtain the sixth signature and the second client timestamp.
Step S505: and the server decrypts the sixth signature by using a preset encryption algorithm to obtain a second short-time token.
In the process of implementing step S505 specifically, the server decrypts the sixth signature by using a preset encryption algorithm (for example, SHA-1 algorithm), so as to obtain the second short-time token.
In the embodiment of the invention, when the client transmits information to the server, the client encrypts the transmitted information by using the first public key, and the server decrypts the transmitted information by using the first private key after acquiring the transmitted information, so that an attacker is prevented from intercepting the transmitted information, and the communication safety is improved.
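The server-side checks of step S210 together with the request and reply flows of fig. 3, fig. 4 and fig. 5, as an added example; this is not code from the patent or its applicants. It assumes RSA-OAEP with SHA-256 for the first and second key pairs, SHA-1 over the spliced token and timestamp for the unkeyed second/sixth signature as the description suggests, Unix-second timestamps, and a server-side session record holding the current token and its validity period. Two points a practitioner should note are built in: a SHA-1 digest cannot be decrypted back to the token, so the server verifies it by recomputing the digest from the token it already stores, and OAEP encryption is randomised, so the "encrypt again and compare with the first signature" step of fig. 3 is replaced by comparing the recomputed digest in constant time. The login payload of fig. 3 additionally carries the second public key and the user name; the check has the same shape, and the example keeps the encrypted body to the two fields that fit a single OAEP block.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// Verdict is the server's decision for a request carrying a token digest and a
// client timestamp (step S210).
type Verdict int

const (
	Authenticated Verdict = iota // timestamp fresh, digest matches, token valid
	RefreshToken                 // timestamp fresh, digest matches, token expired
	Relogin                      // stale timestamp, undecryptable body or digest mismatch
)

// Session is what the server keeps per registered client: the current
// short-time token and the end of its validity period (assumed Unix seconds).
type Session struct {
	Token      []byte
	ExpiryUnix int64
}

// GenerateKeyPair produces one RSA key pair (the first or second pair of the text).
func GenerateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func tsBytes(ts int64) []byte {
	var b [8]byte
	binary.BigEndian.PutUint64(b[:], uint64(ts))
	return b[:]
}

// tokenSignature is the "second"/"sixth signature": SHA-1 over token||timestamp.
// It is an unkeyed digest, so the receiver can only verify it by recomputing it
// from a token it already holds.
func tokenSignature(token []byte, ts int64) []byte {
	h := sha1.New()
	h.Write(token)
	h.Write(tsBytes(ts))
	return h.Sum(nil)
}

// ClientRequest is steps S501-S503: digest||timestamp (28 bytes) encrypted with
// RSA-OAEP under the server's first public key.
func ClientRequest(serverPub *rsa.PublicKey, token []byte, ts int64) ([]byte, error) {
	plain := append(tokenSignature(token, ts), tsBytes(ts)...)
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, plain, nil)
}

// ServerVerify is steps S504-S505 plus S210: decrypt with the first private key,
// apply |server ts - client ts| < threshold, compare the digest against the
// stored token, then check the validity period.
func ServerVerify(serverPriv *rsa.PrivateKey, body []byte, s Session, nowUnix, thresholdSec int64) Verdict {
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, serverPriv, body, nil)
	if err != nil || len(plain) != sha1.Size+8 {
		return Relogin
	}
	sig := plain[:sha1.Size]
	clientTs := int64(binary.BigEndian.Uint64(plain[sha1.Size:]))
	skew := nowUnix - clientTs
	if skew < 0 {
		skew = -skew
	}
	if skew >= thresholdSec {
		return Relogin // time condition failed; also rejects old replayed bodies
	}
	// Recompute rather than re-encrypt: OAEP is randomised, so encrypting the
	// same fields twice never gives equal ciphertexts to compare.
	if subtle.ConstantTimeCompare(sig, tokenSignature(s.Token, clientTs)) != 1 {
		return Relogin
	}
	if nowUnix >= s.ExpiryUnix {
		return RefreshToken // the "preferably" branch of step S210
	}
	return Authenticated
}

// IssueToken is step S401 (new token under the client's second public key);
// ReceiveToken is step S403 on the client side.
func IssueToken(clientPub *rsa.PublicKey, token []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, clientPub, token, nil)
}

func ReceiveToken(clientPriv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, clientPriv, ct, nil)
}

func main() {
	server, _ := GenerateKeyPair()
	client, _ := GenerateKeyPair()
	token := []byte("constructed-second-short-time-token")
	sess := Session{Token: token, ExpiryUnix: 1700000000 + 7*24*3600}
	body, _ := ClientRequest(&server.PublicKey, token, 1700000000)
	fmt.Println("fresh request:", ServerVerify(server, body, sess, 1700000005, 60))
	fmt.Println("same body 10 min later:", ServerVerify(server, body, sess, 1700000600, 60))
	ct, _ := IssueToken(&client.PublicKey, []byte("constructed-third-short-time-token"))
	got, _ := ReceiveToken(client, ct)
	fmt.Println("client received:", string(got))
}
```

The time window is the only replay protection the text describes: a captured body stays accepted until the second time threshold elapses, so the threshold should be small and a server that wants stronger guarantees would additionally remember recently seen (token, timestamp) pairs within the window.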
Corresponding to the authentication method for identity information provided in the foregoing embodiment of the present invention, referring to fig. 6, an embodiment of the present invention further provides a structural block diagram of a server, where the server includes: a first processing unit 601, a determination unit 602, an update feedback unit 603, a second processing unit 604, and a third processing unit 605;
the first processing unit 601 is configured to generate a first public key and a first private key after receiving a login request sent by a client, and send the first public key to the client, so that the client generates a second public key and a second private key.
A determining unit 602, configured to determine whether the login request passes authentication according to a second public key, a user name, a first client timestamp, and a first short-time token fed back by the client, where the first short-time token is generated by the server according to the user identity information, the device fingerprint information, and a first random number and is sent to the client, a first validity period of the first short-time token is preset according to security trust of the client, and the security trust is determined according to the user identity information or the device fingerprint information.
The update feedback unit 603 is configured to update the first random number and the first validity period corresponding to the first short-time token if the login request passes the authentication, generate a second short-time token, and feed the second short-time token back to the client, so that the client replaces the first short-time token with the second short-time token.
In a specific implementation, the update feedback unit 603 is specifically configured to encrypt the second short-time token by using the second public key to obtain a fourth signature, and feed the fourth signature back to the client, so that the client decrypts the fourth signature by using the second private key to obtain the second short-time token.
The second processing unit 604 is configured to receive a service request sent by a client, obtain a second short-time token and a second client timestamp carried in the service request, and determine that the service request passes authentication if the second client timestamp meets a time condition and the second short-time token is not expired.
In a specific implementation, the second processing unit 604, when determining that the service request passes the authentication, is specifically configured to: if the difference between the second server timestamp and the second client timestamp is smaller than a second time threshold and the second short-time token is determined not to be expired according to a second validity period, determine that the service request passes the authentication.
Preferably, the second processing unit 604 is further configured to: if the second client timestamp meets the time condition and the second short-time token is expired, update a second random number and a second validity period corresponding to the second short-time token to generate a third short-time token, feed the third short-time token back to the client so that the client sends a service request carrying the third short-time token and a third client timestamp, and return to the step of receiving the service request.
The third processing unit 605 is configured to determine the operation authority of the client according to an operation authority comparison table and the security trust level of the client, and process the service request according to the operation authority, where the operation authority comparison table includes the corresponding relationship between the security trust level and the operation authority.
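As an added illustration that is not code from the patent, the following Python model covers the service-request path of the second and third processing units: the timestamp window, token expiry with refresh to a new random number and validity period, and the operation authority comparison table keyed by security trust level. The HMAC-based token derivation, the threshold value, the policy tables and the names `TokenServer`, `ShortTimeToken` and `check_service_request` are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample policy, not taken from the patent: the validity period preset
# per security trust level, and the operation authority comparison table that maps
# a trust level to the operations the client may perform.
VALIDITY_BY_TRUST = {"low": 60, "medium": 300, "high": 900}  # seconds
OPERATION_AUTHORITY_TABLE = {
    "low": {"query"},
    "medium": {"query", "update"},
    "high": {"query", "update", "delete"},
}
SECOND_TIME_THRESHOLD = 30  # seconds; the patent's "second time threshold" (value assumed)


@dataclass
class ShortTimeToken:
    value: str            # derived from identity, device fingerprint and random number
    random_number: str    # replaced on every refresh
    issued_at: int        # server timestamp at issue, in seconds
    validity_period: int  # seconds, preset from the client's security trust level

    def is_expired(self, server_ts: int) -> bool:
        return server_ts >= self.issued_at + self.validity_period


class TokenServer:
    """Hypothetical server-side model of the second and third processing units."""

    def __init__(self, server_key: bytes, users: dict):
        # users: user_name -> {"identity": ..., "fingerprint": ..., "trust": ...}
        self._key = server_key
        self._users = users
        self._tokens = {}  # user_name -> currently valid ShortTimeToken

    def _derive(self, user_name: str, random_number: str) -> str:
        # Assumption: the token is an HMAC over identity, fingerprint and random
        # number; the patent only states that these three inputs produce the token.
        u = self._users[user_name]
        msg = f"{u['identity']}|{u['fingerprint']}|{random_number}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue_token(self, user_name: str, server_ts: int) -> ShortTimeToken:
        # A refresh replaces the random number and the validity period, so the
        # same routine produces the first, second and third short-time tokens;
        # the previous token stops being accepted as soon as the new one exists.
        random_number = secrets.token_hex(16)
        token = ShortTimeToken(
            value=self._derive(user_name, random_number),
            random_number=random_number,
            issued_at=server_ts,
            validity_period=VALIDITY_BY_TRUST[self._users[user_name]["trust"]],
        )
        self._tokens[user_name] = token
        return token

    def check_service_request(self, user_name, token_value, client_ts, server_ts, operation):
        """Return (status, token); status is one of 'bad_timestamp', 'bad_token',
        'refresh', 'forbidden' or 'ok'."""
        # Time condition: the patent compares server minus client timestamp with the
        # threshold; skew in either direction is rejected here so that a client
        # timestamp from the future cannot pass the check.
        if abs(server_ts - client_ts) >= SECOND_TIME_THRESHOLD:
            return "bad_timestamp", None
        current = self._tokens.get(user_name)
        if current is None or not hmac.compare_digest(current.value, token_value):
            return "bad_token", None
        if current.is_expired(server_ts):
            # Timestamp acceptable but token expired: generate the third short-time
            # token and hand it back so the client resends the service request.
            return "refresh", self.issue_token(user_name, server_ts)
        # Authenticated: the operation authority follows from the trust level.
        trust = self._users[user_name]["trust"]
        if operation not in OPERATION_AUTHORITY_TABLE[trust]:
            return "forbidden", current
        return "ok", current
```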
Preferably, in conjunction with fig. 6, the determining unit 602 includes a receiving module, a decryption module, a first processing module and a second processing module, each of which operates as follows:
The receiving module is configured to receive a first signature fed back by the client, where the first signature is obtained by the client encrypting the second public key, the user name, the first client timestamp and a second signature by using the first public key, and the second signature is obtained by the client encrypting the first short-time token and the first client timestamp by using a preset encryption algorithm.
The decryption module is configured to decrypt the first signature by using the first private key to obtain the second public key, the user name, the first client timestamp and the second signature.
The first processing module is configured to determine that the login request fails authentication if the difference between the first server timestamp and the first client timestamp is greater than or equal to a first time threshold; and, if the difference between the first server timestamp and the first client timestamp is smaller than the first time threshold, to determine the corresponding password and device ID according to the user name and invoke the second processing module.
The second processing module is configured to encrypt the second public key, the device ID, the first client timestamp and the second signature by using the first public key to obtain a third signature, and, if the third signature is verified to be consistent with the first signature, to determine that the login request passes the authentication.
Preferably, in conjunction with fig. 6, the second processing unit 604 includes a receiving module and a decryption module, each of which operates as follows:
The receiving module is configured to receive a service request that is sent by the client and carries a fifth signature, where the fifth signature is obtained by the client encrypting a sixth signature and the second client timestamp according to the first public key, and the sixth signature is obtained by the client encrypting the second short-time token and the second client timestamp according to a preset encryption algorithm.
The decryption module is configured to decrypt the fifth signature by using the first private key to obtain the sixth signature and the second client timestamp, and to decrypt the sixth signature by using the preset encryption algorithm to obtain the second short-time token.
In the embodiment of the invention, the server generates the short-time token by using the device fingerprint information, and refreshes the short-time token after the login authentication is passed, thereby improving the security of the short-time token. When the server communicates with the client, the client encrypts the transmitted information by using the first public key, and the server encrypts the transmitted information by using the second public key, so that an attacker is prevented from intercepting the transmitted information, and the communication security is improved. After the service request of the client passes the authentication, the server determines the operation authority of the client through the security trust level, and determines whether to respond to the service request according to the operation authority, thereby meeting the requirement of dynamic authorization.
Corresponding to the authentication method for identity information provided in the foregoing embodiment of the present invention, referring to fig. 7, an embodiment of the present invention further provides a structural block diagram of a client, where the client includes: a communication unit 701, a generation unit 702, a first transmission unit 703, a processing unit 704, and a second transmission unit 705;
a communication unit 701, configured to send a login request to a server, and receive a first public key fed back by the server, where the first public key and a first private key are generated by the server.
A generating unit 702 is configured to generate a second public key and a second private key.
The first sending unit 703 is configured to send the second public key, the user name, the first client timestamp, and the first short-time token to the server, so that the server determines whether the login request passes authentication, where the first short-time token is generated by the server according to the user identity information, the device fingerprint information, and the first random number and is sent to the client, a first validity period of the first short-time token is preset according to the security trust level of the client, and the security trust level is determined according to the user identity information or the device fingerprint information.
The processing unit 704 is configured to receive the second short-time token fed back by the server, replace the first short-time token with the second short-time token, and determine that the login request passes the authentication, where the second short-time token is generated by the server by updating the first random number and the first validity period corresponding to the first short-time token.
In a specific implementation, the processing unit 704, when receiving the second short-time token fed back by the server, is specifically configured to receive a fourth signature fed back by the server, where the fourth signature is obtained by the server encrypting the second short-time token according to the second public key, and to decrypt the fourth signature by using the second private key to obtain the second short-time token.
A second sending unit 705, configured to send a service request carrying at least a second short-time token and a second client timestamp to the server, so that the server determines, according to the second short-time token and the second client timestamp, whether the service request passes authentication, and so that the server processes the service request according to the security trust level of the client.
Preferably, the processing unit 704 is further configured to receive a third short-time token fed back by the server, where the third short-time token is generated by updating, by the server, a second random number and a second validity period corresponding to the second short-time token.
Correspondingly, the second sending unit 705 is further configured to send a service request carrying at least the third short-time token and a third client timestamp to the server.
Preferably, with reference to fig. 7, the first sending unit 703 includes an encryption module and a sending module, each of which operates as follows:
The encryption module is configured to encrypt the first short-time token and the first client timestamp by using a preset encryption algorithm to obtain a second signature, and to encrypt the second public key, the user name, the first client timestamp and the second signature by using the first public key to obtain a first signature.
The sending module is configured to send the first signature to the server, so that the server decrypts the first signature by using the first private key to obtain the second public key, the user name, the first client timestamp and the second signature.
Preferably, with reference to fig. 7, the second sending unit 705 includes an encryption module and a sending module, each of which operates as follows:
The encryption module is configured to encrypt the second short-time token and the second client timestamp by using a preset encryption algorithm to obtain a sixth signature, and to encrypt the sixth signature and the second client timestamp by using the first public key to obtain a fifth signature.
The sending module is configured to send the service request carrying the fifth signature to the server, so that the server decrypts the fifth signature based on the first private key and the preset encryption algorithm to obtain the second short-time token and the second client timestamp.
In the embodiment of the invention, the server generates the short-time token by using the device fingerprint information, and refreshes the short-time token after the login authentication is passed, thereby improving the security of the short-time token. When the server communicates with the client, the client encrypts the transmitted information by using the first public key, and the server encrypts the transmitted information by using the second public key, so that an attacker is prevented from intercepting the transmitted information, and the communication security is improved. After the service request of the client passes the authentication, the server determines the operation authority of the client through the security trust level, and determines whether to respond to the service request according to the operation authority, thereby meeting the requirement of dynamic authorization.
Corresponding to the authentication method of identity information provided in the embodiment of the present invention, referring to fig. 8, an embodiment of the present invention further provides a structural block diagram of an authentication system of identity information, where the authentication system includes: a server 801 and a client 802.
The implementation principle of the server 801 can be referred to in the above embodiment of the present invention as shown in fig. 6, and the implementation principle of the client 802 can be referred to in the above embodiment of the present invention as shown in fig. 7.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, the system or system embodiments are substantially similar to the method embodiments and therefore are described in a relatively simple manner, and reference may be made to some of the descriptions of the method embodiments for related points. The above-described system and system embodiments are only illustrative, wherein the units described as separate parts may or may not be physically separate, and the parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (14)

1. An authentication method for identity information, which is applied to a server, the method comprising:
after receiving a login request sent by a client, generating a first public key and a first private key, and sending the first public key to the client to enable the client to generate a second public key and a second private key;
determining whether the login request passes authentication according to the second public key, the user name, a first client timestamp and a first short-time token fed back by the client, wherein the first short-time token is generated by the server according to user identity information, device fingerprint information and a first random number and is sent to the client, a first validity period of the first short-time token is preset according to the security trust level of the client, and the security trust level is determined according to the user identity information or the device fingerprint information;
if the login request passes the authentication, updating the first random number and the first validity period corresponding to the first short-time token, generating a second short-time token, and feeding the second short-time token back to the client, so that the client replaces the first short-time token with the second short-time token;
receiving a service request sent by a client, and acquiring the second short-time token and a second client timestamp carried in the service request;
if the second client timestamp meets a time condition and the second short-time token is not expired, determining that the service request passes authentication;
and determining the operation authority of the client according to an operation authority comparison table and the security trust level of the client, and processing the service request according to the operation authority, wherein the operation authority comparison table comprises the corresponding relationship between the security trust level and the operation authority.
2. The method of claim 1, wherein the determining whether the login request is authenticated according to the second public key, the user name, the first client timestamp, and the first short-time token fed back by the client comprises:
receiving a first signature fed back by the client, wherein the first signature is obtained by encrypting the second public key, the user name, the first client timestamp and a second signature by the client by using the first public key, and the second signature is obtained by encrypting the first short-time token and the first client timestamp by the client by using a preset encryption algorithm;
decrypting the first signature by using the first private key to obtain the second public key, the user name, the first client timestamp and the second signature;
if the difference value between the first server timestamp and the first client timestamp is larger than or equal to a first time threshold value, determining that the login request is not authenticated;
if the difference value between the first server timestamp and the first client timestamp is smaller than the first time threshold, determining a corresponding password and a corresponding device ID according to the user name;
encrypting the second public key, the device ID, the first client timestamp and the second signature by using the first public key to obtain a third signature;
and if the third signature is verified to be consistent with the first signature, determining that the login request passes the authentication.
3. The method of claim 1, wherein the feeding back the second short-time token to the client comprises:
encrypting the second short-time token by using the second public key to obtain a fourth signature;
and feeding back the fourth signature to the client, so that the client decrypts the fourth signature by using the second private key to obtain the second short-time token.
4. The method according to claim 1, wherein the receiving a service request sent by a client and obtaining the second short-time token and the second client timestamp carried in the service request comprises:
receiving a service request which is sent by the client and carries a fifth signature, wherein the fifth signature is obtained by encrypting a sixth signature and the second client timestamp by the client according to the first public key, and the sixth signature is obtained by encrypting the second short-time token and the second client timestamp by the client according to a preset encryption algorithm;
decrypting the fifth signature by using the first private key to obtain the sixth signature and the second client timestamp;
and decrypting the sixth signature by using the preset encryption algorithm to obtain the second short-time token.
5. The method of claim 1, wherein determining that the service request is authenticated if the second client timestamp satisfies a time condition and the second short-time token is not expired comprises:
and if the difference value between the second server timestamp and the second client timestamp is smaller than a second time threshold value and the second short-time token is determined to be not expired according to a second validity period, determining that the service request passes the authentication.
6. The method of claim 1, further comprising:
if the second client timestamp meets a time condition and the second short-time token is expired, updating a second random number and a second validity period corresponding to the second short-time token to generate a third short-time token;
and feeding back the third short-time token to the client, so that the client sends a service request carrying the third short-time token and a third client timestamp, and returning to execute the step of receiving the service request.
7. An authentication method for identity information, which is applied to a client, the method comprising:
sending a login request to a server, and receiving a first public key fed back by the server, wherein the first public key and a first private key are generated by the server;
generating a second public key and a second private key;
sending the second public key, the user name, a first client timestamp and a first short-time token to the server to enable the server to determine whether the login request passes authentication, wherein the first short-time token is generated by the server according to user identity information, device fingerprint information and a first random number and is sent to the client, a first validity period of the first short-time token is preset according to the security trust level of the client, and the security trust level is determined according to the user identity information or the device fingerprint information;
receiving a second short-time token fed back by the server, replacing the first short-time token with the second short-time token, and determining that the login request passes authentication, wherein the second short-time token is generated by updating the first random number and the first validity period corresponding to the first short-time token by the server;
and sending a service request carrying at least the second short-time token and a second client timestamp to the server, enabling the server to determine whether the service request passes authentication according to the second short-time token and the second client timestamp, and enabling the server to process the service request according to the security trust level of the client.
8. The method of claim 7, wherein sending the second public key, the user name, the first client timestamp, and the first short-time token to the server comprises:
encrypting the first short-time token and the first client timestamp by using a preset encryption algorithm to obtain a second signature;
encrypting the second public key, the user name, the first client timestamp and the second signature by using the first public key to obtain a first signature;
and sending the first signature to the server, so that the server decrypts the first signature by using the first private key to obtain the second public key, the user name, the first client timestamp and the second signature.
9. The method of claim 7, wherein receiving the second short-time token fed back by the server comprises:
receiving a fourth signature fed back by the server, wherein the fourth signature is obtained by encrypting the second short-time token by the server according to the second public key;
and decrypting the fourth signature by using the second private key to obtain the second short-time token.
10. The method of claim 7, wherein sending the service request carrying at least the second short-time token and a second client timestamp to the server comprises:
encrypting the second short-time token and the second client timestamp by using a preset encryption algorithm to obtain a sixth signature;
encrypting the sixth signature and the second client timestamp by using the first public key to obtain a fifth signature;
and sending the service request carrying the fifth signature to the server, so that the server decrypts the fifth signature based on the first private key and the preset encryption algorithm to obtain the second short-time token and the second client timestamp.
11. The method of claim 7, wherein after sending the service request carrying at least the second short-time token and a second client timestamp to the server, further comprising:
receiving a third short-time token fed back by the server, wherein the third short-time token is generated by updating a second random number and a second validity period corresponding to the second short-time token by the server;
and sending a service request carrying at least the third short-time token and a third client timestamp to the server.
12. A server, characterized in that the server comprises:
the first processing unit is used for generating a first public key and a first private key after receiving a login request sent by a client, and sending the first public key to the client so that the client generates a second public key and a second private key;
a determining unit, configured to determine whether the login request passes authentication according to the second public key, the user name, a first client timestamp, and a first short-time token fed back by the client, where the first short-time token is generated by the server according to user identity information, device fingerprint information, and a first random number and is sent to the client, a first validity period of the first short-time token is preset according to the security trust level of the client, and the security trust level is determined according to the user identity information or the device fingerprint information;
the updating feedback unit is used for updating the first random number and the first validity period corresponding to the first short-time token if the login request passes the authentication, generating a second short-time token, and feeding the second short-time token back to the client, so that the client replaces the first short-time token with the second short-time token;
the second processing unit is used for receiving a service request sent by a client, acquiring the second short-time token and a second client timestamp carried in the service request, and determining that the service request passes authentication if the second client timestamp meets a time condition and the second short-time token is not expired;
and the third processing unit is used for determining the operation authority of the client according to an operation authority comparison table and the security trust level of the client, and processing the service request according to the operation authority, wherein the operation authority comparison table comprises the corresponding relationship between the security trust level and the operation authority.
13. A client, the client comprising:
the communication unit is used for sending a login request to a server and receiving a first public key fed back by the server, wherein the first public key and a first private key are generated by the server;
a generating unit configured to generate a second public key and a second private key;
a first sending unit, configured to send the second public key, the user name, a first client timestamp, and a first short-time token to the server, so that the server determines whether the login request passes authentication, where the first short-time token is generated by the server according to user identity information, device fingerprint information, and a first random number and is sent to the client, a first validity period of the first short-time token is preset according to the security trust level of the client, and the security trust level is determined according to the user identity information or the device fingerprint information;
the processing unit is used for receiving a second short-time token fed back by the server, replacing the first short-time token with the second short-time token, and determining that the login request passes authentication, wherein the second short-time token is generated by updating the first random number and the first validity period corresponding to the first short-time token by the server;
a second sending unit, configured to send a service request carrying at least the second short-time token and a second client timestamp to the server, so that the server determines, according to the second short-time token and the second client timestamp, whether the service request passes authentication, and makes the server process the service request according to the security trust level of the client.
14. A system for authenticating identity information, the system comprising: the server of claim 12 and the client of claim 13.
CN202010309505.1A 2020-04-20 2020-04-20 Authentication method, server, client and system for identity information Active CN111212095B (en)

Publications (2)

Publication Number Publication Date
CN111212095A true CN111212095A (en) 2020-05-29
CN111212095B CN111212095B (en) 2020-07-21

Family

ID=70789930

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010309505.1A Active CN111212095B (en) 2020-04-20 2020-04-20 Authentication method, server, client and system for identity information

Country Status (1)

Country Link
CN (1) CN111212095B (en)

Cited By (23)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111836085A (en) * 2020-07-15 2020-10-27 北京奇艺世纪科技有限公司 Television screen projection method and device, cloud server and terminal equipment
CN111898110A (en) * 2020-08-05 2020-11-06 苏州朗动网络科技有限公司 Method, device, server and storage medium for acquiring user identity information
CN112016073A (en) * 2020-08-31 2020-12-01 北京中软华泰信息技术有限责任公司 Method for constructing server zero trust connection architecture
CN112039857A (en) * 2020-08-14 2020-12-04 苏州浪潮智能科技有限公司 Calling method and device of public basic module
CN112231366A (en) * 2020-12-11 2021-01-15 国网区块链科技(北京)有限公司 Enterprise credit report query method, device and system based on block chain
CN112261008A (en) * 2020-09-27 2021-01-22 苏州浪潮智能科技有限公司 Authentication method based on temporary token, client and server
CN112600831A (en) * 2020-12-11 2021-04-02 析云网络科技(苏州)有限公司 Network client identity authentication system and method
CN112686767A (en) * 2020-12-31 2021-04-20 上海掌门科技有限公司 User management method, device and storage medium
CN112788033A (en) * 2021-01-13 2021-05-11 京东方科技集团股份有限公司 Authentication method and authentication system
CN112788019A (en) * 2020-12-30 2021-05-11 杭州天谷信息科技有限公司 Application fusion scheme under zero trust concept
CN113079175A (en) * 2021-04-14 2021-07-06 上海浦东发展银行股份有限公司 Authorization system and method based on oauth2 protocol enhancement
CN113434889A (en) * 2021-07-07 2021-09-24 数字广东网络建设有限公司 Service data access method, device, equipment and storage medium
CN113438246A (en) * 2021-06-29 2021-09-24 四川巧夺天工信息安全智能设备有限公司 Data security and authority control method for intelligent terminal
CN113542235A (en) * 2021-06-28 2021-10-22 上海浦东发展银行股份有限公司 Security mutual access system and method based on token mutual trust mechanism
CN113536250A (en) * 2021-06-02 2021-10-22 上海硬通网络科技有限公司 Token generation method, login verification method and related equipment
CN113806810A (en) * 2021-07-12 2021-12-17 统信软件技术有限公司 Authentication method, authentication system, computing device, and storage medium
CN113992408A (en) * 2021-10-27 2022-01-28 上海妃鱼网络科技有限公司 Multi-system unified login information processing method and system
CN113993127A (en) * 2021-12-28 2022-01-28 支付宝(杭州)信息技术有限公司 Method and device for realizing one-key login service
CN114158047A (en) * 2021-12-30 2022-03-08 支付宝(杭州)信息技术有限公司 Method and device for realizing one-key login service
CN114422266A (en) * 2022-02-28 2022-04-29 深圳市中悦科技有限公司 IDaaS system based on dual verification mechanism
CN114448715A (en) * 2022-02-25 2022-05-06 中国农业银行股份有限公司 Token-based authentication method, device, equipment and storage medium
CN114629721A (en) * 2022-04-18 2022-06-14 欧普照明股份有限公司 Method for acquiring network service authority and method for sending authorization code
WO2023236925A1 (en) * 2022-06-08 2023-12-14 华为技术有限公司 Authentication method and communication device

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102984127A (en) * 2012-11-05 2013-03-20 武汉大学 User-centered mobile internet identity managing and identifying method
CN107347073A (en) * 2017-07-18 2017-11-14 广州知迅行信息技术有限公司 Resource information processing method
CN107852404A (en) * 2015-06-30 2018-03-27 维萨国际服务协会 Mutual authentication of confidential communication
CN109547400A (en) * 2017-09-22 2019-03-29 三星电子株式会社 Communication method, server registration method, integrity verification method and client
US20190123901A1 (en) * 2017-10-19 2019-04-25 Autnhive Corporation System and method for generating and depositing keys for multi-point authentication
CN109698746A (en) * 2019-01-21 2019-04-30 北京邮电大学 Method and system for negotiating generation of a device-bound subkey based on a master key

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102984127A (en) * 2012-11-05 2013-03-20 武汉大学 User-centered mobile internet identity managing and identifying method
CN107852404A (en) * 2015-06-30 2018-03-27 维萨国际服务协会 Mutual authentication of confidential communication
CN107347073A (en) * 2017-07-18 2017-11-14 广州知迅行信息技术有限公司 Resource information processing method
CN109547400A (en) * 2017-09-22 2019-03-29 三星电子株式会社 Communication method, server registration method, integrity verification method and client
US20190123901A1 (en) * 2017-10-19 2019-04-25 Autnhive Corporation System and method for generating and depositing keys for multi-point authentication
CN109698746A (en) * 2019-01-21 2019-04-30 北京邮电大学 Method and system for negotiating generation of a device-bound subkey based on a master key

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
杨宇: "Research and Implementation of a PKI-Based Identity Authentication System", CNKI Full-Text Database (《CNKI全文数据库》) *

Cited By (32)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111836085A (en) * 2020-07-15 2020-10-27 北京奇艺世纪科技有限公司 Television screen projection method and device, cloud server and terminal equipment
CN111898110A (en) * 2020-08-05 2020-11-06 苏州朗动网络科技有限公司 Method, device, server and storage medium for acquiring user identity information
CN112039857B (en) * 2020-08-14 2022-05-13 苏州浪潮智能科技有限公司 Calling method and device of public basic module
CN112039857A (en) * 2020-08-14 2020-12-04 苏州浪潮智能科技有限公司 Calling method and device of public basic module
CN112016073A (en) * 2020-08-31 2020-12-01 北京中软华泰信息技术有限责任公司 Method for constructing server zero trust connection architecture
CN112016073B (en) * 2020-08-31 2023-12-19 北京中软华泰信息技术有限责任公司 Construction method of server zero trust connection architecture
CN112261008A (en) * 2020-09-27 2021-01-22 苏州浪潮智能科技有限公司 Authentication method based on temporary token, client and server
CN112231366A (en) * 2020-12-11 2021-01-15 国网区块链科技(北京)有限公司 Enterprise credit report query method, device and system based on block chain
CN112600831A (en) * 2020-12-11 2021-04-02 析云网络科技(苏州)有限公司 Network client identity authentication system and method
CN112788019A (en) * 2020-12-30 2021-05-11 杭州天谷信息科技有限公司 Application fusion scheme under zero trust concept
CN112686767A (en) * 2020-12-31 2021-04-20 上海掌门科技有限公司 User management method, device and storage medium
CN112788033B (en) * 2021-01-13 2022-09-20 京东方科技集团股份有限公司 Authentication method and authentication system
CN112788033A (en) * 2021-01-13 2021-05-11 京东方科技集团股份有限公司 Authentication method and authentication system
CN113079175A (en) * 2021-04-14 2021-07-06 上海浦东发展银行股份有限公司 Authorization system and method based on oauth2 protocol enhancement
CN113536250A (en) * 2021-06-02 2021-10-22 上海硬通网络科技有限公司 Token generation method, login verification method and related equipment
CN113536250B (en) * 2021-06-02 2023-07-04 上海硬通网络科技有限公司 Token generation method, login verification method and related equipment
CN113542235A (en) * 2021-06-28 2021-10-22 上海浦东发展银行股份有限公司 Security mutual access system and method based on token mutual trust mechanism
CN113542235B (en) * 2021-06-28 2023-04-07 上海浦东发展银行股份有限公司 Safe mutual access method based on token mutual trust mechanism
CN113438246A (en) * 2021-06-29 2021-09-24 四川巧夺天工信息安全智能设备有限公司 Data security and authority control method for intelligent terminal
CN113434889A (en) * 2021-07-07 2021-09-24 数字广东网络建设有限公司 Service data access method, device, equipment and storage medium
CN113806810A (en) * 2021-07-12 2021-12-17 统信软件技术有限公司 Authentication method, authentication system, computing device, and storage medium
CN113806810B (en) * 2021-07-12 2024-05-14 统信软件技术有限公司 Authentication method, authentication system, computing device, and storage medium
CN113992408A (en) * 2021-10-27 2022-01-28 上海妃鱼网络科技有限公司 Multi-system unified login information processing method and system
CN113992408B (en) * 2021-10-27 2024-05-10 上海妃鱼网络科技有限公司 Multi-system unified login information processing method and system
CN113993127A (en) * 2021-12-28 2022-01-28 支付宝(杭州)信息技术有限公司 Method and device for realizing one-key login service
CN113993127B (en) * 2021-12-28 2022-05-06 支付宝(杭州)信息技术有限公司 Method and device for realizing one-key login service
CN114158047A (en) * 2021-12-30 2022-03-08 支付宝(杭州)信息技术有限公司 Method and device for realizing one-key login service
CN114448715A (en) * 2022-02-25 2022-05-06 中国农业银行股份有限公司 Token-based authentication method, device, equipment and storage medium
CN114448715B (en) * 2022-02-25 2024-05-14 中国农业银行股份有限公司 Authentication method, device, equipment and storage medium based on token
CN114422266A (en) * 2022-02-28 2022-04-29 深圳市中悦科技有限公司 IDaaS system based on dual verification mechanism
CN114629721A (en) * 2022-04-18 2022-06-14 欧普照明股份有限公司 Method for acquiring network service authority and method for sending authorization code
WO2023236925A1 (en) * 2022-06-08 2023-12-14 华为技术有限公司 Authentication method and communication device

Also Published As

Publication number Publication date
CN111212095B (en) 2020-07-21

Similar Documents

Publication Publication Date Title
CN111212095B (en) Authentication method, server, client and system for identity information
US9838205B2 (en) Network authentication method for secure electronic transactions
US9231925B1 (en) Network authentication method for secure electronic transactions
US8532620B2 (en) Trusted mobile device based security
US9830447B2 (en) Method and system for verifying an access request
KR101265873B1 (en) Distributed single sign-on service
US11336641B2 (en) Security enhanced technique of authentication protocol based on trusted execution environment
WO2016177052A1 (en) User authentication method and apparatus
CN110800248B (en) Method for mutual symmetric authentication between a first application and a second application
WO2018021708A1 (en) Public key-based service authentication method and system
KR20210095093A (en) Method for providing authentification service by using decentralized identity and server using the same
CN112804269B (en) Method for realizing website interface anti-crawler
CN113051540B (en) Application program interface safety grading treatment method
CN111800426A (en) Method, device, equipment and medium for accessing native code interface in application program
CN113261252B (en) Node and method for secure server communication
Li et al. Pistis: Issuing trusted and authorized certificates with distributed ledger and TEE
KR20210095061A (en) Method for providing authentification service by using decentralized identity and server using the same
Tiwari et al. Design and Implementation of Enhanced Security Algorithm for Hybrid Cloud using Kerberos
CN114338091B (en) Data transmission method, device, electronic equipment and storage medium
KR20200030345A (en) Method for providing private blockchain based privacy information management service
CN115380506A (en) Privacy-preserving activity aggregation mechanism
CN113079506A (en) Network security authentication method, device and equipment
CN115037549B (en) Application protection method, device and storage medium
Ashouri-Talouki et al. BlindLocation: Supporting user location privacy using blind signature
CN110225515B (en) Authentication management system, method and device

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
CP03 Change of name, title or address

Address after: 100032 room 8018, 8 / F, building 7, Guangyi street, Xicheng District, Beijing

Patentee after: State Grid Digital Technology Holdings Co.,Ltd.

Patentee after: State Grid blockchain Technology (Beijing) Co.,Ltd.

Patentee after: Guowang Xiongan Finance Technology Group Co.,Ltd.

Address before: 100053 8th floor, Xianglong business building, 311 guanganmennei street, Xicheng District, Beijing

Patentee before: STATE GRID ELECTRONIC COMMERCE Co.,Ltd.

Patentee before: State Grid blockchain Technology (Beijing) Co.,Ltd.

Patentee before: Guowang Xiongan Finance Technology Group Co.,Ltd.

CP03 Change of name, title or address