Disclosure of Invention
In view of this, embodiments of the present invention provide an authentication method, a server, a client and a system for identity information, so as to solve the problem of poor security in the current authentication method.
In order to achieve the above purpose, the embodiments of the present invention provide the following technical solutions:
the first aspect of the embodiment of the invention discloses an authentication method of identity information, which is applied to a server and comprises the following steps:
after receiving a login request sent by a client, generating a first public key and a first private key, and sending the first public key to the client to enable the client to generate a second public key and a second private key;
determining whether the login request passes authentication according to the second public key, the user name, a first client timestamp and a first short-time token fed back by the client, wherein the first short-time token is generated by a server according to user identity information, equipment fingerprint information and a first random number and is sent to the client, a first validity period of the first short-time token is preset according to the security trust level of the client, and the security trust level is determined according to the user identity information or the equipment fingerprint information;
if the login request passes the authentication, updating the first random number and the first validity period corresponding to the first short-time token, generating a second short-time token, and feeding the second short-time token back to the client, so that the client replaces the first short-time token with the second short-time token;
receiving a service request sent by a client, and acquiring the second short-time token and a second client timestamp carried in the service request;
if the second client timestamp meets a time condition and the second short-time token is not expired, determining that the service request passes authentication;
and determining the operation authority of the client according to an operation authority table and the safety trust of the client, and processing the service request according to the operation authority, wherein the operation authority comparison table comprises the corresponding relation between the safety trust and the operation authority.
Preferably, the determining whether the login request is authenticated according to the second public key, the user name, the first client timestamp, and the first short-time token fed back by the client includes:
receiving a first signature fed back by the client, wherein the first signature is obtained by encrypting the second public key, the user name, the first client timestamp and a second signature by the client by using the first public key, and the second signature is obtained by encrypting the first short-time token and the first client timestamp by the client by using a preset encryption algorithm;
decrypting the first signature by using the first private key to obtain the second public key, the user name, the first client timestamp and the second signature;
if the difference value between the first server timestamp and the first client timestamp is larger than or equal to a first time threshold value, determining that the login request is not authenticated;
if the difference value between the first server timestamp and the first client timestamp is smaller than the first time threshold, determining a corresponding password and a corresponding device ID according to the user name;
encrypting the second public key, the device ID, the first client timestamp and the second signature by using the first public key to obtain a third signature;
and if the third signature is verified to be consistent with the first signature, determining that the login request passes the authentication.
Preferably, the feeding back the second short-time token to the client includes:
encrypting the second short-time token by using the second public key to obtain a fourth signature;
and feeding back the fourth signature to the client, so that the client decrypts the fourth signature by using the second private key to obtain the second short-time token.
Preferably, the receiving a service request sent by a client, and acquiring the second short-time token and the second client timestamp carried in the service request includes:
receiving a service request which is sent by the client and carries a fifth signature, wherein the fifth signature is obtained by encrypting a sixth signature and the second client timestamp by the client according to the first public key, and the sixth signature is obtained by encrypting the second short-time token and the second client timestamp by the client according to a preset encryption algorithm;
decrypting the fifth signature by using the first private key to obtain a sixth signature and a second client timestamp;
and decrypting the sixth signature by using the preset encryption algorithm to obtain the second short-time token.
Preferably, if the second client timestamp meets the time condition and the second short-time token is not expired, determining that the service request is authenticated includes:
and if the difference value between the second server timestamp and the second client timestamp is smaller than a second time threshold value and the second short-time token is determined to be not expired according to a second validity period, determining that the service request passes the authentication.
Preferably, the method further comprises the following steps:
if the second client timestamp meets a time condition and the second short-time token is expired, updating a second random number and a second validity period corresponding to the second short-time token to generate a third short-time token;
and feeding back the third short-time token to the client, so that the client sends a service request carrying the third short-time token and a timestamp of the third client, and returning to execute the step of receiving the service request.
The second aspect of the embodiment of the invention discloses an authentication method of identity information, which is applied to a client, and the method comprises the following steps:
sending a login request to a server, and receiving a first public key fed back by the server, wherein the first public key and a first private key are generated by the server;
generating a second public key and a second private key;
sending the second public key, the user name, a first client timestamp and a first short-time token to the server to enable the server to determine whether the login request passes authentication, wherein the first short-time token is generated by the server according to user identity information, equipment fingerprint information and a first random number and is sent to the client, a first validity period of the first short-time token is preset according to the security trust degree of the client, and the security trust degree is determined according to the user identity information or the equipment fingerprint information;
receiving a second short-time token fed back by the server, replacing the first short-time token with the second short-time token, and determining that the login request passes authentication, wherein the second short-time token is generated by updating the first random number and the first validity period corresponding to the first short-time token by the server;
and sending a service request at least carrying the second short-time token and a second client time stamp to the server, enabling the server to determine whether the service request passes authentication according to the second short-time token and the second client time stamp, and enabling the server to process the service request according to the security trust degree of the client.
Preferably, the sending the second public key, the user name, the first client timestamp, and the first short-time token to the server includes:
encrypting the first short-time token and the first client timestamp by using a preset encryption algorithm to obtain a second signature;
encrypting the second public key, the user name, the first client timestamp and the second signature by using the first public key to obtain a first signature;
and sending the first signature to the server, so that the server decrypts the first signature by using the first private key to obtain the second public key, the user name, the first client timestamp and the second signature.
Preferably, the receiving the second short-time token fed back by the server includes:
receiving a fourth signature fed back by the server, wherein the fourth signature is obtained by encrypting a second short-time token by the server according to the second public key;
and decrypting the fourth signature by using the second private key to obtain the second short-time token.
Preferably, the sending the service request carrying at least the second short-time token and the second client timestamp to the server includes:
encrypting the second short-time token and the timestamp of the second client by using a preset encryption algorithm to obtain a sixth signature;
encrypting the sixth signature and the second client timestamp by using the first public key to obtain a fifth signature;
and sending the service request carrying the fifth signature to the server, so that the server decrypts the fifth signature based on the first private key and the preset encryption algorithm to obtain the second short-time token and the second client timestamp.
Preferably, after sending the service request carrying at least the second short-time token and the second client timestamp to the server, the method further includes:
receiving a third short-time token fed back by the server, wherein the third short-time token is generated by updating a second random number and a second validity period corresponding to the second short-time token by the server;
and sending a service request carrying at least the third short-time token and a third client timestamp to the server.
A third aspect of the embodiments of the present invention discloses a server, including:
the first processing unit is used for generating a first public key and a first private key after receiving a login request sent by a client, and sending the first public key to the client so that the client generates a second public key and a second private key;
a determining unit, configured to determine whether the login request passes authentication according to the second public key, the user name, a first client timestamp, and a first short-time token fed back by the client, where the first short-time token is generated by the server according to user identity information, device fingerprint information, and a first random number and is sent to the client, a first validity period of the first short-time token is preset according to security trust of the client, and the security trust is determined according to the user identity information or the device fingerprint information;
the updating feedback unit is used for updating the first random number and the first validity period corresponding to the first short-time token if the login request passes the authentication, generating a second short-time token, and feeding the second short-time token back to the client, so that the client replaces the first short-time token with the second short-time token;
the second processing unit is used for receiving a service request sent by a client, acquiring a second short-time token and a second client time stamp carried in the service request, and determining that the service request passes authentication if the second client time stamp meets a time condition and the second short-time token is not expired;
and the third processing unit is used for determining the operation authority of the client according to an operation authority table and the safety trust degree of the client, and processing the service request according to the operation authority, wherein the operation authority comparison table comprises the corresponding relation between the safety trust degree and the operation authority.
A fourth aspect of the present invention discloses a client, where the client includes:
the communication unit is used for sending a login request to a server and receiving a first public key fed back by the server, wherein the first public key and a first private key are generated by the server;
a generating unit configured to generate a second public key and a second private key;
a first sending unit, configured to send the second public key, the user name, a first client timestamp, and a first short-time token to the server, so that the server determines whether the login request passes authentication, where the first short-time token is generated by the server according to user identity information, device fingerprint information, and a first random number and is sent to the client, a first validity period of the first short-time token is preset according to security trust of the client, and the security trust is determined according to the user identity information or the device fingerprint information;
the processing unit is used for receiving a second short-time token fed back by the server, replacing the first short-time token with the second short-time token, and determining that the login request passes authentication, wherein the second short-time token is generated by updating the first random number and the first validity period corresponding to the first short-time token by the server;
a second sending unit, configured to send a service request carrying at least the second short-time token and a second client timestamp to the server, so that the server determines, according to the second short-time token and the second client timestamp, whether the service request passes authentication, and makes the server process the service request according to the security trust level of the client.
A fifth aspect of the present invention discloses an authentication system for identity information, the system including: a server disclosed in the third aspect of the embodiments of the present invention and a client disclosed in the fourth aspect of the embodiments of the present invention.
Based on the authentication method, the server, the client and the system for the identity information provided by the embodiment of the invention, the method comprises the following steps: and after receiving the login request of the client, the server generates a first public key and sends the first public key to the client. And the server determines whether the login request passes the authentication or not according to the second public key of the client, the user name, the first client timestamp and the first short-time token. And if the login request passes the authentication, feeding back a newly generated second short-time token to the client, wherein the first short-time token and the second short-time token are generated according to the user identity information, the equipment fingerprint information and the corresponding random number. And the client carries the second short-time token when sending the service request to the server. If the server determines that the service request passes the authentication, the server determines the operation authority of the client according to the predetermined security trust degree of the client and processes the service request according to the operation authority. In the scheme, the server generates the short-time token by using the equipment fingerprint information, and refreshes the short-time token after the login authentication is passed, so that the safety of the short-time token is improved. When the server communicates with the client, the client encrypts the transmission information by using the first public key, and the server encrypts the transmission information by using the second public key, so that an attacker is prevented from intercepting the transmitted information, and the communication safety is improved. After the service request of the client passes the authentication, the server determines the operation authority of the client through the safety trust degree, and determines whether to respond to the service request according to the operation authority, so that the requirement of dynamic credit granting is realized.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In this application, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
As can be seen from the background art, in the existing authentication method between the client and the server, a Token (Token) is used as a unique identifier for authentication, when an attacker intercepts the Token, the attacker forges a data request through the Token to steal data of the server, and when a user leaks an account and a password for various reasons, the attacker can log in and steal data of the server by using the obtained account and password, that is, the existing authentication method between the client and the server has poor security.
Therefore, the embodiment of the invention provides an authentication method, a server, a client and a system for identity information. When the server and the client communicate with each other, the client encrypts the transmission information by using the first public key, and the server encrypts the transmission information by using the second public key, so that an attacker is prevented from intercepting the transmitted information, and the communication safety is improved.
In order to better understand what is shown in the following embodiments of the present invention, some terms referred to in the embodiments of the present invention are explained.
Zero trust security framework: the zero trust security framework is a security model, and the core idea of the zero trust security framework is that no person or thing is trusted.
Device fingerprint information: a globally unique device ID is generated for each operating device using device fingerprinting techniques to represent a unique device characteristic of an operating device. The method for generating the device fingerprint information includes three methods, namely an active generation method, a passive generation method and a hybrid generation method, wherein the hybrid generation method is formed by mixing partial contents of the active generation method and partial contents of the passive generation method.
Safety trust degree: is a quantitative representation of the degree of trust, which is used to measure the magnitude of trust.
Token: in the identity authentication process of the client and the server, the server uses a character string generated by a certain rule, namely the character string is a token for the client to carry out service request.
To better explain the interaction between the client and the server, the illustration is made by the contents shown in fig. 1, and it should be noted that the contents shown in fig. 1 are only for illustration.
Referring to fig. 1, a schematic structural diagram of an authentication system for identity information provided in an embodiment of the present invention is shown, where the authentication system includes a client and a server.
The server side comprises a user registration device, an identity authentication device, a trust degree evaluation device and a dynamic trust device, and the category of the client side is at least as follows: the functions of each device in the PC side, the mobile terminal, and the device side and the server side are explained as follows.
The user registration device: when the client side registers, the client side sends the user identity information and the equipment fingerprint information to the user registration device, the user registration device processes the user identity information and the equipment fingerprint information by using a Hash encryption algorithm to obtain a short-time token, and the short-time token is fed back to the client side.
The identity authentication device: when a client sends a login request to a server, the server needs to perform identity authentication on the client, that is, whether the login request passes the authentication is determined. The client sends the user identity information, the short-time token of the client and the client timestamp to an identity authentication device in an encryption transmission mode, and the identity authentication device performs identity authentication on the client by using the received information. After the client passes the identity authentication, the identity authentication device updates the short-time token and sends the updated short-time token to the client in an encryption transmission mode.
Meanwhile, when the identity authentication device updates the short-time token, the validity period of the short-time token is set according to the security trust degree of the client.
A trust level evaluation device: and establishing the security trust level of the user and the equipment of the client through the user identity information and the equipment fingerprint information, wherein different security trust levels correspond to different security trust degrees.
The dynamic credit granting device: and setting minimum operation authority for the user of the client registered in the server according to the zero trust security framework. And dynamically adjusting the operation authority according to the change of the security trust degree in the process that the user continuously uses the client.
That is to say, after the client sends the service request to the server and the service request passes the authentication, the dynamic trust authority needs to determine the operation authority according to the security trust degree, and responds (executes) the service request on the premise that the operation authority satisfies the service request, and if the operation authority does not satisfy the service request, the service request is not executed.
It should be noted that the content in fig. 1 is only used for illustration, and specific contents of an authentication method, a server, a client, and a system for identity information provided by the embodiment of the present invention are described in detail below.
Referring to fig. 2, a flowchart of an authentication method for identity information according to an embodiment of the present invention is shown, where the authentication method includes the following steps:
step S201: the client sends a login request to the server.
It should be noted that the client completes registration in the server in advance, when the client registers, the client sends the user identity information and the device fingerprint information to the server, the server performs corresponding audit, and after the audit is passed, the server generates a short-time token by using the user identity information, the device fingerprint information and the random number, and sends the short-time token to the client.
The server generates the short-time token in the following way:
server acquires user identity information
The server extracts an Equipment serial number ID or a Mobile Equipment serial number (MEID) from the Equipment fingerprint information, extracts an Equipment International Identity (IMEI) and an International subscriber Identity (IMSI), and uses the obtained Equipment serial number ID, MEID, IMEI, and IMSI as a character string T = generation (ID/MEID, IMEI, IMSI).
The server collects a Random number Random and calculates a hash value of the Random number using a hash encryption algorithm, as in formula (1).
Using a hash encryption algorithm, computing
T and
the hash value of (2).
And calculating the hash value of R by using a hash encryption algorithm, wherein the hash value of R is the short-time token, and the formula (3) is shown.
According to the content in the formulas, the process of generating the short-time token is completed by the server without the assistance of other equipment, so that the privacy of the short-time token is ensured. The server generates the short-time token by using the random number, so that the randomness of the short-time token is ensured. Meanwhile, the server generates the short-time token by utilizing the user identity information, the equipment fingerprint information and the random number, so that the short-time token, the user identity information and the equipment are completely bound, and the uniqueness of the user and the short-time token is ensured.
In the process of implementing step S201 specifically, it should be noted that when the client sends a login request to the server, the user needs to input a user name and a password.
Step S202: the server generates a first public key and a first private key, and the server sends the first public key to the client.
In the process of implementing step S202 specifically, after the server receives the login request sent by the client, the server generates the first public key and the first private key by using rsa (rsa algorithm), and the server stores the first private key in the local memory of the server and sends the first public key to the client.
It should be noted that the server may also use other algorithms to generate the first public key and the first private key, which is not limited in this respect.
Step S203: the client generates a second public key and a second private key.
In the process of implementing step S203, after receiving the first public key sent by the server, the client generates a second public key and a second private key by using an RSA algorithm, and the client stores the second private key in the local memory.
Step S204: and the client sends the second public key, the user name, the first client timestamp and the first short-time token to the server.
It should be noted that the server generates the first short-time token in advance according to the user identity information, the device fingerprint information, and the first random number, the server sets a first validity period of the first short-time token according to the security trust level of the client, and the server sends the first short-time token to the client.
It should be noted that, the manner of generating the first short-time token by the server may refer to the content in step S201, and is not described herein again.
It should be further noted that the server determines the security trust level of the client according to the user identity information or the device fingerprint information, and as can be seen from the foregoing, when the validity period of the short-time token is set, different security trust levels correspond to different validity periods.
For example: when the short-time token corresponding to the client is generated for the 1 st time, the valid period of the short-time token is set as a default value (7 days). With the increase of the security trust degree of the user using the client, the validity period is set to 10 days when the validity period of the short-time token is set next time.
It can be understood that the security trust level of the user and the device of the client is established, and the corresponding security trust level is determined according to the security trust level of the user or the device. The specific way to establish the security trust level of the user and the device is as follows:
establishing a security trust level mode of a user: and establishing a safety trust level of the user according to the use requirement of the service scene. The newly registered user or the user with the service utilization rate lower than the first utilization rate threshold is defined as a new user, the user with the service utilization rate between the first utilization rate threshold and the second utilization rate threshold is defined as a common user, the user with the service utilization rate between the second utilization rate threshold and the third utilization rate threshold is defined as a seed user, and the user with the service utilization rate higher than the third utilization rate threshold and with functional requirements on the service is defined as a core user.
Wherein the third usage threshold is greater than the second usage threshold, which is greater than the first usage threshold.
That is, different security trust degrees are set for users with different security trust levels, wherein the security trust degree of the new user is the lowest, and the security trust degree of the core user is the highest. And as the service utilization rate of the user is increased, the security trust level of the user also changes, for example, as the service utilization rate of the new user is increased to a range from the first utilization rate threshold to the second utilization rate threshold, the security trust level of the new user is increased to a common user.
Establishing a security trust level mode of the equipment: the method comprises the steps of determining the security level of the equipment according to the type of the equipment and the influence of the damaged equipment on a service system, and dividing the equipment into four types according to the security level, namely general equipment, main equipment, key equipment and confidential equipment. The device which has no requirement on safety and is used for butting non-safety services is defined as a common device, the device which is used by a service system with common safety requirement is defined as a main device, the device which has high standard safety requirement and is connected with an important service system of a company is defined as a key device, and the device which bears the core service of the company and is positioned at a key node of the core is defined as a core device.
That is to say, the devices with different security trust levels correspond to different security trust levels, wherein the security trust level of the general device is the lowest, and the security trust level of the core device is the highest.
It can be understood that the security trust level of the user and the device is established by collecting behavior information such as user identity information, frequency of the user using the client and the like, and collecting user track information such as device IP, location characteristics and the like of the user, and when the security trust level of the user or the device changes, the security trust level also changes correspondingly.
In the process of implementing step S204 specifically, the client encrypts the second public key, the user name, the first client timestamp, and the first short-time token by using the first public key and the RSA algorithm, and feeds back the encrypted second public key, the user name, the first client timestamp, and the first short-time token to the server.
Step S205: and the server determines whether the login request passes the authentication or not according to the second public key, the user name, the first client timestamp and the first short-time token. If the login request is authenticated, step S206 is executed, and if the login request is not authenticated, login error information indicating that the login request is not authenticated is fed back to the client.
In the process of specifically implementing step S205, the server decrypts the encrypted second public key, the user name, the first client timestamp, and the first short-time token by using the first private key, so as to obtain the second public key, the user name, the first client timestamp, and the first short-time token.
And the server determines whether the login request passes the authentication or not by utilizing the second public key, the user name, the first client timestamp and the first short-time token.
Step S206: and the server updates the first random number and the first validity period corresponding to the first short-time token, generates a second short-time token and feeds the second short-time token back to the client.
In the process of implementing step S206, it is understood that the server generates the short-time token according to the user identity information, the device fingerprint information and the random number. And the server updates the first random number and the first validity period corresponding to the first short-time token and generates a second short-time token (refreshToken). That is, the server generates a second short-time token according to the user identity information, the device fingerprint information, and the second random number, and sets a second validity period of the second short-time token.
For details of the process of generating the second short-time token, reference may be made to the content in step S201, and details are not described herein again.
And after the server generates the second short-time token, feeding the second short-time token back to the client.
Step S207: the client replaces the first ephemeral token with the second ephemeral token.
In the process of implementing step S207 specifically, when the client receives the second short-time token, it determines that the login request passes authentication. The client saves the second short-time token in the local memory, and replaces the originally saved first short-time token.
Step S208: and the client sends a service request carrying at least a second short-time token and a second client time stamp to the server.
In the process of implementing step S208 specifically, the client encrypts the second short-time token and the timestamp of the second client according to the first public key and the RSA algorithm, and sends the service request carrying the encrypted second short-time token and the encrypted second client to the server.
Step S209: and the server acquires a second short-time token and a second client timestamp carried in the service request.
In the process of implementing step S209 specifically, the server decrypts the encrypted second short-time token and the second client timestamp by using the first private key, so as to obtain the second short-time token and the second client timestamp.
Step S210: the server determines whether the service request passes the authentication, if the service request passes the authentication, step S211 is executed, and if the service request does not pass the authentication, re-login information indicating that re-login is required is fed back to the client.
In the process of implementing step S210 specifically, the server determines whether the timestamp of the second client satisfies the time condition, and if the timestamp of the second client does not satisfy the time condition, the server feeds back re-login information indicating that re-login is required to the client.
The time condition is as follows: the difference between the second server timestamp and the second client timestamp is less than a second time threshold.
And if the difference value between the second server timestamp and the second client timestamp is smaller than a second time threshold value and the second short-time token is determined to be not expired according to the second validity period, the server determines that the service request passes the authentication.
Preferably, if the timestamp of the second client meets the time condition and the second short-time token is expired, the server updates the second random number and the second validity period corresponding to the second short-time token to generate a third short-time token.
And the server feeds the third short-time token back to the client, and the client sends a service request carrying the third short-time token and a timestamp of the third client to the server. That is, returning to the execution of step S209, the second short-time token and the third client time stamp in step S209 are replaced with the third short-time token and the third client time stamp.
And if the difference value between the timestamp of the third server and the timestamp of the third client is smaller than the second time threshold value and the third validity period of the third short-time token determines that the third short-time token is expired, the server feeds back re-login information indicating that re-login is required to the client.
If the difference between the third server timestamp and the third client timestamp is smaller than the second time threshold, and it is determined that the third short-time token is not expired according to the third validity period of the third short-time token, step S211 is executed.
Step S211: and the server determines the operation authority of the client according to the operation authority table and the safety trust degree of the client.
In the process of implementing step S211 specifically, it can be understood that the corresponding relationship between the security trust and the operation authority is preset to obtain the operation authority comparison table, that is, the security trust in the operation authority table has the corresponding operation authority.
And the server determines the operation authority of the client according to the operation authority table and the safety trust degree of the client.
Step S212: the server judges whether the operation authority meets the service request. And if the operation authority meets the service request, responding to the service request, and if the operation authority does not meet the service request, feeding back operation failure information indicating operation failure to the client.
It should be noted that, different operation permissions can satisfy different service requests, and in the process of implementing step S212 specifically, the server determines whether the operation permission satisfies the service request. And if the operation authority meets the service request, responding to the service request, and if the operation authority does not meet the service request, feeding back operation failure information indicating operation failure to the client.
In the embodiment of the invention, the server generates the short-time token by using the equipment fingerprint information, and refreshes the short-time token after the login authentication is passed, thereby improving the safety of the short-time token. When the server communicates with the client, the client encrypts the transmission information by using the first public key, and the server encrypts the transmission information by using the second public key, so that an attacker is prevented from intercepting the transmitted information, and the communication safety is improved. After the service request of the client passes the authentication, the server determines the operation authority of the client through the safety trust degree, and determines whether to respond to the service request according to the operation authority, so that the requirement of dynamic credit granting is realized.
The above embodiment of the present invention, referring to fig. 3, the process of determining whether the login request is authenticated in step S205 in fig. 2, shows a flowchart of determining whether the login request is authenticated according to the embodiment of the present invention, and includes the following steps:
step S301: the server receives a first signature (sign) fed back by the client.
It should be noted that, when the client receives the first public key, the client splices the first short-time token and the first client timestamp, and then encrypts the first short-time token and the first client timestamp by using a preset encryption Algorithm, for example, using SHA-1 (Secure Hash Algorithm 1) to encrypt the spliced first short-time token and the first client timestamp, so as to obtain the second signature.
The client splices the second public key, the user name, the first client timestamp and the second signature, encrypts the spliced result by using the first public key and an RSA algorithm to obtain a first signature, and feeds the first signature back to the server.
Step S302: the server decrypts the first signature by using the first private key to obtain a second public key, a user name, a first client timestamp and a second signature.
In the process of specifically implementing step S302, as can be known from the content in step S301, the client encrypts the second public key, the user name, the first client timestamp, and the second signature by using the first public key to obtain the first signature. Therefore, the server decrypts the first signature by using the first private key and the RSA algorithm to obtain a second public key, a user name, a first client timestamp and a second signature.
Step S303: if the difference value between the first server time stamp and the first client time stamp is larger than or equal to the first time threshold value, the server determines that the login request is not authenticated.
In the process of implementing step S303, the server obtains a local time (a first server timestamp), compares the first server timestamp with the first client timestamp, and if a difference between the first server timestamp and the first client timestamp is greater than or equal to a first time threshold, the server determines that the login request is not authenticated.
Step S304: and if the difference value between the first server timestamp and the first client timestamp is smaller than a first time threshold, the server determines a corresponding password and a corresponding device ID according to the user name.
In the process of implementing step S304 specifically, if the difference between the first server timestamp and the first client timestamp is smaller than the first time threshold, the server queries the password and the device ID corresponding to the user name according to the user name.
Step S305: and the server encrypts the second public key, the equipment ID, the first client timestamp and the second signature by using the first public key to obtain a third signature.
In the process of implementing step S305, the server repeats the encryption process of the client in step S301, that is, encrypts the second public key, the device ID, the first client timestamp, and the second signature by using the first public key, to obtain a third signature.
It can be understood that, the encryption process and the encryption method of the server and the client are consistent, the server compares the third tag with the first tag, and if the third tag is verified to be consistent with the first tag, it indicates that the content in the first tag is consistent with the content in the third tag. That is, it is determined that the content in the first tag is authenticated, i.e., the server determines that the login request is authenticated.
Step S306: and if the third signature is verified to be consistent with the first signature, the server determines that the login request passes the authentication.
In the embodiment of the invention, when the client transmits information to the server, the client encrypts the transmitted information by using the first public key, and the server decrypts the transmitted information by using the first private key after acquiring the transmitted information, so that an attacker is prevented from intercepting the transmitted information, and the communication safety is improved.
Fig. 2 shows a process of the server feeding back the second short-time token to the client in step S206, referring to fig. 4, which shows a flowchart of the server feeding back the second short-time token to the client according to the embodiment of the present invention, and includes the following steps:
step S401: and the server encrypts the second short-time token by using the second public key to obtain a fourth signature.
As can be seen from the foregoing, the second public key and the second private key are generated by the client, and the client sends the second public key to the server.
In the process of implementing step S401 specifically, the server encrypts the second short-time token by using the second public key and the RSA algorithm to obtain a fourth signature.
Step S402: and the server feeds the fourth signature back to the client.
Step S403: and the client decrypts the fourth signature by using the second private key to obtain a second short-time token.
In the specific implementation process of step S403, the client decrypts the fourth signature by using the second private key and the RSA algorithm to obtain the second short-time token, and stores the second short-time token in the local memory to replace the first short-time token.
In the embodiment of the invention, the server refreshes the first short-time token after the login authentication is passed, and feeds back the obtained second short-time token to the client in an encryption transmission mode, so that the safety of the short-time token is improved, and the safety of information transmission is also ensured.
In the foregoing embodiment of the present invention, referring to fig. 5, a process of sending, by a client, a service request carrying at least a second short-time token and a second client timestamp to a server in steps S208 and S209 of fig. 2 is shown to show a transmission flowchart of the second short-time token and the second client timestamp provided in the embodiment of the present invention, and includes the following steps:
step S501: and the client encrypts the second short-time token and the second client timestamp by using a preset encryption algorithm to obtain a sixth signature.
In the process of implementing the step S501 specifically, when the client sends the service request to the server after the login request passes the authentication, the client concatenates the second short-time token and the second client timestamp and encrypts the second short-time token and the second client timestamp by using a preset encryption algorithm (for example, SHA-1 algorithm), so as to obtain a sixth signature.
Step S502: and the client encrypts the sixth signature and the second client timestamp by using the first public key to obtain a fifth signature.
In the process of implementing step S502 specifically, the client encrypts the sixth signature and the second client timestamp using the first public key and the RSA algorithm to obtain the fifth signature.
Step S503: and the client sends the service request carrying the fifth signature to the server.
Step S504: and the server decrypts the fifth signature by using the first private key to obtain a sixth signature and a second client timestamp.
In the process of implementing step S504 specifically, the server decrypts the fifth signature by using the first private key and the RSA algorithm to obtain the sixth signature and the second client timestamp.
Step S505: and the server decrypts the sixth signature by using a preset encryption algorithm to obtain a second short-time token.
In the process of implementing step S505 specifically, the server decrypts the sixth signature by using a preset encryption algorithm (for example, SHA-1 algorithm), so as to obtain the second short-time token.
In the embodiment of the invention, when the client transmits information to the server, the client encrypts the transmitted information by using the first public key, and the server decrypts the transmitted information by using the first private key after acquiring the transmitted information, so that an attacker is prevented from intercepting the transmitted information, and the communication safety is improved.
Corresponding to the authentication method for identity information provided in the foregoing embodiment of the present invention, referring to fig. 6, an embodiment of the present invention further provides a structural block diagram of a server, where the server includes: a first processing unit 601, a determination unit 602, an update feedback unit 603, a second processing unit 604, and a third processing unit 605;
the first processing unit 601 is configured to generate a first public key and a first private key after receiving a login request sent by a client, and send the first public key to the client, so that the client generates a second public key and a second private key.
A determining unit 602, configured to determine whether the login request passes authentication according to a second public key, a user name, a first client timestamp, and a first short-time token fed back by the client, where the first short-time token is generated by the server according to the user identity information, the device fingerprint information, and a first random number and is sent to the client, a first validity period of the first short-time token is preset according to security trust of the client, and the security trust is determined according to the user identity information or the device fingerprint information.
And an update feedback unit 603, configured to update the first random number and the first validity period corresponding to the first short-time token if the login request passes the authentication, generate a second short-time token, and feed the second short-time token back to the client, so that the client replaces the first short-time token with the second short-time token.
In a specific implementation, the update feedback unit is specifically configured to: and encrypting the second short-time token by using the second public key to obtain a fourth signature, and feeding the fourth signature back to the client, so that the client decrypts the fourth signature by using the second private key to obtain the second short-time token.
The second processing unit 604 is configured to receive a service request sent by a client, obtain a second short-time token and a second client timestamp carried in the service request, and determine that the service request passes authentication if the second client timestamp meets a time condition and the second short-time token is not expired.
In a specific implementation, the second processing unit 604 for determining that the service request passes the authentication is specifically configured to: and if the difference value between the second server timestamp and the second client timestamp is smaller than a second time threshold, determining that the second short-time token is not expired according to a second validity period, and determining that the service request passes the authentication.
Preferably, the second processing unit 604 is further configured to: and if the time stamp of the second client meets the time condition and the second short-time token is expired, updating a second random number and a second validity period corresponding to the second short-time token to generate a third short-time token, feeding the third short-time token back to the client, enabling the client to send a service request carrying the third short-time token and the time stamp of the third client, and returning to execute the step of receiving the service request.
The third processing unit 605 is configured to determine an operation authority of the client according to the operation authority table and the security trust level of the client, and process the service request according to the operation authority, where the operation authority comparison table includes a corresponding relationship between the security trust level and the operation authority.
Preferably, in conjunction with fig. 6, the determining unit 602 includes: the system comprises a receiving module, a decryption module, a first processing module and a second processing module, wherein the execution principle of each module is as follows:
the receiving module is used for receiving a first signature fed back by the client, the first signature is obtained by encrypting the second public key, the user name, the first client timestamp and the second signature by the client by using the first public key, and the second signature is obtained by encrypting the first short-time token and the first client timestamp by the client by using a preset encryption algorithm.
And the decryption module is used for decrypting the first signature by using the first private key to obtain a second public key, a user name, a first client timestamp and a second signature.
The first processing module is used for determining that the login request is not authenticated if the difference value between the first server timestamp and the first client timestamp is greater than or equal to a first time threshold; and if the difference value between the first server timestamp and the first client timestamp is smaller than a first time threshold, determining a corresponding password and a corresponding device ID according to the user name, and executing a second processing module.
And the second processing module is used for encrypting the second public key, the equipment ID, the first client timestamp and the second signature by using the first public key to obtain a third signature, and if the third signature is verified to be consistent with the first signature, determining that the login request passes the authentication.
Preferably, in conjunction with fig. 6, the second processing unit 604 includes: the system comprises a receiving module and a decryption module, wherein the execution principle of each module is as follows:
and the receiving module is used for receiving a service request which is sent by the client and carries a fifth signature, the fifth signature is obtained by encrypting a sixth signature and the timestamp of the second client by the client according to the first public key, and the sixth signature is obtained by encrypting the second short-time token and the timestamp of the second client by the client according to a preset encryption algorithm.
And the decryption module is used for decrypting the fifth signature by using the first private key to obtain a sixth signature and a second client timestamp, and decrypting the sixth signature by using a preset encryption algorithm to obtain a second short-time token.
In the embodiment of the invention, the server generates the short-time token by using the equipment fingerprint information, and refreshes the short-time token after the login authentication is passed, thereby improving the safety of the short-time token. When the server communicates with the client, the client encrypts the transmission information by using the first public key, and the server encrypts the transmission information by using the second public key, so that an attacker is prevented from intercepting the transmitted information, and the communication safety is improved. After the service request of the client passes the authentication, the server determines the operation authority of the client through the safety trust degree, and determines whether to respond to the service request according to the operation authority, so that the requirement of dynamic credit granting is realized.
Corresponding to the authentication method for identity information provided in the foregoing embodiment of the present invention, referring to fig. 7, an embodiment of the present invention further provides a structural block diagram of a client, where the client includes: a communication unit 701, a generation unit 702, a first transmission unit 703, a processing unit 704, and a second transmission unit 705;
a communication unit 701, configured to send a login request to a server, and receive a first public key fed back by the server, where the first public key and a first private key are generated by the server.
A generating unit 702 is configured to generate a second public key and a second private key.
The first sending unit 703 is configured to send the second public key, the user name, the timestamp of the first client, and the first short-time token to the server, so that the server determines whether the login request passes authentication, where the first short-time token is generated by the server according to the user identity information, the device fingerprint information, and the first random number and is sent to the client, a first validity period of the first short-time token is preset according to the security trust level of the client, and the security trust level is determined according to the user identity information or the device fingerprint information.
And the processing unit 704 is configured to receive the second short-time token fed back by the server, replace the first short-time token with the second short-time token, and determine that the login request passes the authentication, where the second short-time token is generated by updating the first random number and the first validity period corresponding to the first short-time token by the server.
In a specific implementation, the processing unit 704 configured to receive the second short-time token fed back by the server is specifically configured to: and receiving a fourth signature fed back by the server, wherein the fourth signature is obtained by encrypting the second short-time token by the server according to the second public key, and decrypting the fourth signature by using the second private key to obtain the second short-time token.
A second sending unit 705, configured to send a service request carrying at least a second short-time token and a second client timestamp to the server, so that the server determines, according to the second short-time token and the second client timestamp, whether the service request passes authentication, and so that the server processes the service request according to the security trust level of the client.
Preferably, the processing unit 704 is further configured to receive a third short-time token fed back by the server, where the third short-time token is generated by updating, by the server, a second random number and a second validity period corresponding to the second short-time token.
Correspondingly, the second sending unit 705 is further configured to: and sending a service request carrying at least a third short-time token and a third client time stamp to the server.
Preferably, with reference to fig. 7, the first sending unit 703 includes: the encryption module and the sending module, the execution principle of each module is as follows:
and the encryption module is used for encrypting the first short-time token and the first client timestamp by using a preset encryption algorithm to obtain a second signature, and encrypting the second public key, the user name, the first client timestamp and the second signature by using the first public key to obtain a first signature.
And the sending module is used for sending the first signature to the server, so that the server decrypts the first signature by using the first private key to obtain a second public key, a user name, a first client timestamp and a second signature.
Preferably, with reference to fig. 7, the second sending unit 705 includes: the encryption module and the sending module, the execution principle of each module is as follows:
and the encryption module is used for encrypting the second short-time token and the second client timestamp by using a preset encryption algorithm to obtain a sixth signature, and encrypting the sixth signature and the second client timestamp by using the first public key to obtain a fifth signature.
And the sending module is used for sending the service request carrying the fifth signature to the server, so that the server decrypts the fifth signature based on the first private key and a preset encryption algorithm to obtain the second short-time token and the second client timestamp.
In the embodiment of the invention, the server generates the short-time token by using the equipment fingerprint information, and refreshes the short-time token after the login authentication is passed, thereby improving the safety of the short-time token. When the server communicates with the client, the client encrypts the transmission information by using the first public key, and the server encrypts the transmission information by using the second public key, so that an attacker is prevented from intercepting the transmitted information, and the communication safety is improved. After the service request of the client passes the authentication, the server determines the operation authority of the client through the safety trust degree, and determines whether to respond to the service request according to the operation authority, so that the requirement of dynamic credit granting is realized.
Corresponding to the authentication method of identity information provided in the embodiment of the present invention, referring to fig. 8, an embodiment of the present invention further provides a structural block diagram of an authentication system of identity information, where the authentication system includes: a server 801 and a client 802.
The implementation principle of the server 801 can be referred to in the above embodiment of the present invention as shown in fig. 6, and the implementation principle of the client 802 can be referred to in the above embodiment of the present invention as shown in fig. 7.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, the system or system embodiments are substantially similar to the method embodiments and therefore are described in a relatively simple manner, and reference may be made to some of the descriptions of the method embodiments for related points. The above-described system and system embodiments are only illustrative, wherein the units described as separate parts may or may not be physically separate, and the parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.