CN111800378B - Login authentication method, device, system and storage medium - Google Patents


Info

Publication number
CN111800378B
Authority
CN
China
Prior art keywords
terminal
login
network management
certificate
random number
Prior art date
Legal status
Active
Application number
CN202010438333.8A
Other languages
Chinese (zh)
Other versions
CN111800378A (en)
Inventor
王庆杰
赵海亮
孙绍敏
王艳辉
Current Assignee
Visionvera Information Technology Co Ltd
Original Assignee
Visionvera Information Technology Co Ltd

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/08 … for authentication of entities
                        • H04L63/083 … using passwords
                • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
                    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
                        • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
                            • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
                                • H04L9/0822 … using key encryption key
                    • H04L9/32 … including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
                        • H04L9/3247 … involving digital signatures
                        • H04L9/3263 … involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
                            • H04L9/3268 … using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
                        • H04L9/3271 … using challenge-response
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
        • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
            • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
                • Y04S40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
                    • Y04S40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiment of the invention provides a login authentication method, device, system and storage medium. The login authentication method comprises the following steps: generating and sending login request information to a network management server; receiving login challenge information returned by the network management server according to the login request information; performing a signature verification operation on the network management signature data according to the network management signature certificate to obtain a network management signature verification result, and generating and sending login response information to the network management server when the verification result indicates that the network management server is legal; and receiving a login result returned by the network management server according to the login response information, wherein the login result indicates that login is permitted or prohibited. In the embodiment of the invention the network management server authenticates the user on the terminal, and the terminal also authenticates whether the network management server is legal, thereby improving the security of user login authentication.

Description

Login authentication method, device, system and storage medium
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a login authentication method, device, system, and storage medium.
Background
The video network is a dedicated network, built on Ethernet hardware, for high-speed transmission of high-definition video using a dedicated protocol; it is a higher-level form of Ethernet and a real-time network.
With the rapid development of video networking services, the number of video networking terminals is also growing rapidly. At present, when a video networking terminal initiates a login authentication request to the video networking network management server, the authentication request information is easy to intercept, so a masquerading network management server can steal the data on the terminal, and the security of user login authentication on the terminal is low.
Disclosure of Invention
In view of the foregoing, embodiments of the present invention are directed to providing a login authentication method, apparatus, system, and storage medium that overcome, or at least partially solve, the foregoing problems.
In order to solve the above problem, according to a first aspect of an embodiment of the present invention, a login authentication method applied to a terminal is disclosed. The method includes: generating and sending login request information to a network management server, wherein the login request information comprises a user name and a terminal random number; receiving login challenge information returned by the network management server according to the login request information, wherein the login challenge information comprises a network management random number, network management signature data and a network management signature certificate; performing a signature verification operation on the network management signature data according to the network management signature certificate to obtain a network management signature verification result, and generating and sending login response information to the network management server when the network management signature verification result indicates that the network management server is legal, wherein the login response information comprises terminal signature data and encrypted data, the terminal signature data is computed over a password, the network management random number and the terminal random number, and the encrypted data comprises the user name, the password, the network management random number and the terminal random number; and receiving a login result returned by the network management server according to the login response information, wherein the login result indicates that login is permitted or prohibited.
Optionally, generating the login request information includes: calling a terminal middleware to generate the terminal random number, and generating the login request information according to the user name, the terminal random number and a terminal encryption certificate obtained in advance.
Optionally, the login challenge information further includes a symmetric key, and the generating login response information includes: performing signature operation on the password, the network management random number and the terminal random number according to a pre-obtained terminal signature certificate to obtain terminal signature data, and performing encryption operation on the user name, the password, the network management random number and the terminal random number according to the symmetric key to obtain encrypted data; and taking the terminal signature data and the encrypted data as the login response information.
Optionally, the terminal is configured with a first cryptographic device that communicates with the certificate issuing device through a security tool, and before generating and sending the login request information to the network management server, the method further includes: setting the first cryptographic device according to a preset first parameter value; generating a first certificate request instruction based on the first cryptographic device and according to the first parameter value, and sending the first certificate request instruction to the security tool, where the security tool parses the first certificate request instruction to obtain a parsing result and forwards the first certificate request instruction to the certificate issuing device according to the parsing result, and the certificate issuing device generates the terminal signature certificate and the terminal encryption certificate according to the first certificate request instruction and returns them to the security tool; and receiving the terminal signature certificate and the terminal encryption certificate returned by the security tool.
According to a second aspect of the embodiment of the present invention, there is also disclosed a login authentication method applied to a network management server, the method including: receiving login request information from a terminal, and detecting the login request information to obtain a detection result, wherein the login request information comprises a user name and a terminal random number; generating and sending login challenge information to the terminal under the condition that the detection result indicates that the login request information is legal, wherein the login challenge information comprises a network management random number, network management signature data and a network management signature certificate; receiving login response information returned by the terminal according to the login challenge information, performing login authentication operation on the terminal according to the login response information to obtain a login result, and returning the login result to the terminal, wherein the login response information comprises terminal signature data and encryption data, the terminal signature data comprises a password, the network management random number and the terminal random number, the encryption data comprises the user name, the password, the network management random number and the terminal random number, and the login result indicates that login is allowed or forbidden.
Optionally, the login request information further includes a terminal encryption certificate, and the detection operation on the login request information includes: calling an authentication response interface to perform an authentication operation on the terminal encryption certificate to obtain an authentication result, and querying whether the user name exists in a database when the authentication result indicates that the terminal encryption certificate is legal.
Optionally, the generating login challenge information includes: calling a network management middleware to generate the network management random number, and acquiring a symmetric key from a key management server; performing signature operation on the network management random number, the terminal random number and the symmetric key according to the network management signature certificate to obtain network management signature data; and taking the network management random number, the network management signature data and the network management signature certificate as the login challenge information.
Optionally, the performing login authentication operation on the terminal according to the login response information includes: invoking the network management middleware to perform signature verification operation on the terminal signature data to obtain a terminal signature verification result, and performing decryption operation on the encrypted data to obtain the password under the condition that the terminal signature verification result indicates that the terminal is legal; and comparing the password with the password corresponding to the user name stored in the database.
Optionally, the server side is configured with a second cryptographic device that communicates with the certificate issuing device through a security tool, and before receiving the login request information from the terminal, the method further includes: setting the second cryptographic device according to a preset second parameter value; generating a second certificate request instruction based on the second cryptographic device and according to the second parameter value, and sending the second certificate request instruction to the security tool, where the security tool parses the second certificate request instruction to obtain a parsing result and forwards the second certificate request instruction to the certificate issuing device according to the parsing result, and the certificate issuing device generates the network management signature certificate and the network management encryption certificate according to the second certificate request instruction and returns them to the security tool; and receiving the network management signature certificate and the network management encryption certificate returned by the security tool.
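As an added example written for this page (not code from the patent or from Visionvera), the Go program below runs the four steps of the first and second aspects with both parties in one process. Its assumptions: Ed25519 keys pinned on each side stand in for the signature certificates and their validation; the symmetric key in the challenge is RSA-OAEP wrapped to the terminal encryption key (the page says the request carries that certificate but does not state the key transport); AES-GCM is the symmetric encryption; and the user database is constructed inline.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Wire messages and parties. Bare public keys stand in for certificates; each side pins the peer's key.
type LoginRequest struct{ Username string; TermNonce []byte; TermEncPub *rsa.PublicKey }
type LoginChallenge struct{ NMNonce, WrappedKey, NMSig []byte; NMSigPub ed25519.PublicKey }
type LoginResponse struct{ TermSig, Ciphertext, GCMNonce []byte }
type Terminal struct{ sigKey ed25519.PrivateKey; encKey *rsa.PrivateKey; trustedNM ed25519.PublicKey }
type Server struct{ sigKey ed25519.PrivateKey; trustedTerm ed25519.PublicKey; users map[string]string }

func randBytes(n int) []byte { b := make([]byte, n); rand.Read(b); return b }

// pack length-prefixes each field so the signed and encrypted encodings are unambiguous.
func pack(fields ...[]byte) (out []byte) {
	for _, f := range fields {
		out = append(append(out, byte(len(f)>>8), byte(len(f))), f...)
	}
	return out
}

func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // key is always 32 bytes in this demo
	aead, _ := cipher.NewGCM(block)
	return aead
}

// Step 2 (server): check the request, then sign both nonces together with the fresh symmetric key,
// which is RSA-OAEP wrapped to the terminal encryption key (assumed transport). The key is per-login state.
func (s *Server) Challenge(req LoginRequest) (LoginChallenge, []byte, error) {
	if _, ok := s.users[req.Username]; !ok || req.TermEncPub == nil {
		return LoginChallenge{}, nil, errors.New("login request rejected")
	}
	symKey, nmNonce := randBytes(32), randBytes(16) // the patent fetches the key from a key management server
	wrapped, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, req.TermEncPub, symKey, nil)
	sig := ed25519.Sign(s.sigKey, pack(nmNonce, req.TermNonce, symKey))
	return LoginChallenge{nmNonce, wrapped, sig, s.sigKey.Public().(ed25519.PublicKey)}, symKey, nil
}

// Step 3 (terminal): authenticate the server BEFORE the password is signed or encrypted.
func (t *Terminal) Respond(req LoginRequest, ch LoginChallenge, password string) (LoginResponse, error) {
	symKey, err := rsa.DecryptOAEP(sha256.New(), nil, t.encKey, ch.WrappedKey, nil)
	trusted := bytes.Equal(ch.NMSigPub, t.trustedNM) // stands in for certificate chain validation
	if err != nil || !trusted || !ed25519.Verify(ch.NMSigPub, pack(ch.NMNonce, req.TermNonce, symKey), ch.NMSig) {
		return LoginResponse{}, errors.New("network management server failed verification")
	}
	sig := ed25519.Sign(t.sigKey, pack([]byte(password), ch.NMNonce, req.TermNonce))
	plain := pack([]byte(req.Username), []byte(password), ch.NMNonce, req.TermNonce)
	gcmNonce := randBytes(12)
	return LoginResponse{sig, gcm(symKey).Seal(nil, gcmNonce, plain, nil), gcmNonce}, nil
}

// Step 4 (server): verify the terminal signature, decrypt, then compare user name, password and both
// nonces, so a wrong password or a replayed response carrying stale nonces is refused.
func (s *Server) Authenticate(req LoginRequest, ch LoginChallenge, symKey []byte, resp LoginResponse) bool {
	stored := []byte(s.users[req.Username])
	if !ed25519.Verify(s.trustedTerm, pack(stored, ch.NMNonce, req.TermNonce), resp.TermSig) {
		return false
	}
	plain, err := gcm(symKey).Open(nil, resp.GCMNonce, resp.Ciphertext, nil)
	return err == nil && subtle.ConstantTimeCompare(plain, pack([]byte(req.Username), stored, ch.NMNonce, req.TermNonce)) == 1
}

// Login runs one full exchange; an error means the terminal aborted before releasing its password.
func Login(t *Terminal, nm *Server, username, password string) (bool, error) {
	req := LoginRequest{username, randBytes(16), &t.encKey.PublicKey} // Step 1: user name + terminal random number
	ch, symKey, err := nm.Challenge(req)
	if err != nil {
		return false, err
	}
	resp, err := t.Respond(req, ch, password)
	if err != nil {
		return false, err
	}
	return nm.Authenticate(req, ch, symKey, resp), nil
}

// NewPair provisions a terminal and a server that trust each other's signature keys.
func NewPair(users map[string]string) (*Terminal, *Server) {
	nmPub, nmPriv, _ := ed25519.GenerateKey(rand.Reader)
	tPub, tPriv, _ := ed25519.GenerateKey(rand.Reader)
	encKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	return &Terminal{tPriv, encKey, nmPub}, &Server{nmPriv, tPub, users}
}

func main() {
	term, nm := NewPair(map[string]string{"alice": "correct-horse"}) // constructed user database
	fmt.Println(Login(term, nm, "alice", "correct-horse"))           // true <nil>
}
```

A server provisioned with a different signing key gets an error from `Respond` rather than a response, which is the property the disclosure relies on: the password is never signed or encrypted for a network management server that has not proven itself.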
According to a third aspect of the embodiments of the present invention, there is also disclosed a login authentication device applied to a terminal, the device including: the request module is used for generating and sending login request information to the network management server, wherein the login request information comprises a user name and a terminal random number; the receiving module is used for receiving login challenge information returned by the network management server according to the login request information, wherein the login challenge information comprises a network management random number, network management signature data and a network management signature certificate; the response module is used for carrying out signature verification operation on the network management signature data according to the network management signature certificate to obtain a network management signature verification result, and generating and sending login response information to the network management server under the condition that the network management signature verification result indicates that the network management server is legal, wherein the login response information comprises terminal signature data and encryption data, the terminal signature data comprises a password, the network management random number and the terminal random number, and the encryption data comprises the user name, the password, the network management random number and the terminal random number; the receiving module is further configured to receive a login result returned by the network management server according to the login response information, where the login result indicates that login is allowed or login is forbidden.
Optionally, the request module is configured to invoke a terminal middleware to generate the terminal random number, and generate the login request information according to the user name, the terminal random number and a terminal encryption certificate obtained in advance.
Optionally, the login challenge information further includes a symmetric key, and the response module is configured to perform a signing operation on the password, the network management random number and the terminal random number according to a pre-obtained terminal signature certificate to obtain the terminal signature data, and perform an encryption operation on the user name, the password, the network management random number and the terminal random number according to the symmetric key to obtain the encrypted data; and taking the terminal signature data and the encrypted data as the login response information.
Optionally, the terminal is configured with a first cryptographic device that communicates with the certificate issuing device through a security tool, and the apparatus further includes: a first setting module, configured to set the first cryptographic device according to a preset first parameter value before the request module generates and sends the login request information to the network management server; and a first generation module, configured to generate a first certificate request instruction based on the first cryptographic device and according to the first parameter value and send it to the security tool, where the security tool parses the first certificate request instruction to obtain a parsing result and forwards it to the certificate issuing device according to the parsing result, and the certificate issuing device generates the terminal signature certificate and the terminal encryption certificate according to the first certificate request instruction and returns them to the security tool; the receiving module is further configured to receive the terminal signature certificate and the terminal encryption certificate returned by the security tool.
According to a fourth aspect of the embodiments of the present invention, there is also disclosed a login authentication device applied to a network management server, the device including: the detection module is used for receiving login request information from the terminal, detecting the login request information to obtain a detection result, wherein the login request information comprises a user name and a terminal random number; the challenge module is used for generating and sending login challenge information to the terminal under the condition that the detection result indicates that the login request information is legal, wherein the login challenge information comprises a network management random number, network management signature data and a network management signature certificate; the authentication module is used for receiving login response information returned by the terminal according to the login challenge information, carrying out login authentication operation on the terminal according to the login response information to obtain a login result, and returning the login result to the terminal, wherein the login response information comprises terminal signature data and encryption data, the terminal signature data comprises a password, the network management random number and the terminal random number, the encryption data comprises the user name, the password, the network management random number and the terminal random number, and the login result represents permission of login or prohibition of login.
Optionally, the login request information further includes a terminal encryption certificate, and the detection module is configured to invoke an authentication response interface to perform an authentication operation on the terminal encryption certificate to obtain an authentication result, and query whether the user name exists in a database when the authentication result indicates that the terminal encryption certificate is legal.
Optionally, the challenge module is configured to invoke a network management middleware to generate the network management random number, and obtain a symmetric key from a key management server; performing signature operation on the network management random number, the terminal random number and the symmetric key according to the network management signature certificate to obtain network management signature data; and taking the network management random number, the network management signature data and the network management signature certificate as the login challenge information.
Optionally, the authentication module is configured to invoke the network management middleware to perform a signature verification operation on the terminal signature data to obtain a terminal signature verification result, and perform a decryption operation on the encrypted data to obtain the password when the terminal signature verification result indicates that the terminal is legal; and comparing the password with the password corresponding to the user name stored in the database.
Optionally, the server side is configured with a second cryptographic device that communicates with the certificate issuing device through a security tool, and the apparatus further includes: a second setting module, configured to set the second cryptographic device according to a preset second parameter value before the detection module receives the login request information from the terminal; a second generation module, configured to generate a second certificate request instruction based on the second cryptographic device and according to the second parameter value and send it to the security tool, where the security tool parses the second certificate request instruction to obtain a parsing result and forwards it to the certificate issuing device according to the parsing result, and the certificate issuing device generates the network management signature certificate and the network management encryption certificate according to the second certificate request instruction and returns them to the security tool; and a receiving module, configured to receive the network management signature certificate and the network management encryption certificate returned by the security tool.
According to a fifth aspect of an embodiment of the present invention, there is also disclosed a login authentication system, including a terminal and a server, wherein the terminal includes an apparatus according to the third aspect, and the server includes an apparatus according to the fourth aspect.
In a sixth aspect of the embodiments of the present invention, an apparatus is also disclosed, including: one or more processors; and one or more machine readable media having instructions stored thereon that, when executed by the one or more processors, cause the apparatus to perform the login authentication method according to the first aspect or the second aspect.
According to a seventh aspect of embodiments of the present invention, there is also disclosed a computer-readable storage medium storing a computer program causing a processor to execute the login authentication method according to the first aspect or the second aspect.
The embodiment of the invention has the following advantages:
The embodiment of the invention provides a login authentication scheme in which the terminal generates and transmits login request information to a network management server; the login request information can contain the user's user name and a terminal random number. After receiving the login request information, the network management server returns login challenge information to the terminal, which may include a network management random number, network management signature data and a network management signature certificate. On the terminal side, a signature verification operation is performed on the network management signature data in the login challenge information according to the network management signature certificate in the login challenge information, giving a network management signature verification result that indicates whether the network management server is legal. Login response information is generated and sent to the network management server only when the network management signature verification result indicates that the network management server is legal. The login response information may include terminal signature data and encrypted data. The terminal signature data may be computed over the password input by the user on the terminal, the network management random number and the terminal random number; the encrypted data may contain the user name, the password, the network management random number and the terminal random number. After receiving the login response information, the network management server can verify it and generate and return a login result to the terminal, indicating that the user is allowed to log in or prohibited from logging in.
When the embodiment of the invention authenticates the user login on the terminal, the network management server not only authenticates the user on the terminal, but the terminal also authenticates whether the network management server is legal, thereby improving the security of user login authentication.
Drawings
FIG. 1 is a flow chart of steps of an embodiment of a login authentication method of the present invention;
FIG. 2 is a schematic flow chart of issuing a signature certificate and an encryption certificate for a terminal and a network management server according to the present invention;
FIG. 3 is a flow chart of steps of another embodiment of a login authentication method of the present invention;
FIG. 4 is a schematic diagram of a user login authentication scheme based on the Internet of view of the present invention;
FIG. 5 is a schematic diagram of an implementation flow of a user login authentication scheme based on the Internet of view according to the present invention;
FIG. 6 is a schematic structural diagram of a terminal and a server in a user login authentication scheme based on the Internet of view according to the present invention;
FIG. 7 is a block diagram of an embodiment of a login authentication device according to the present invention;
FIG. 8 is a block diagram showing another embodiment of a login authentication device according to the present invention.
Detailed Description
In order that the above-recited objects, features and advantages of the present invention will become more readily apparent, a more particular description of the invention will be rendered by reference to the appended drawings and appended detailed description.
In the login authentication scheme provided by the embodiment of the invention, the terminal sends login request information to the network management server, wherein the login request information carries a user name, a terminal random number and the like. The network management server returns login challenge information to the terminal, wherein the login challenge information carries a network management random number, network management signature data, a network management signature certificate and the like. The terminal sends login response information to the network management server, wherein the login response information carries the password for login. The network management server compares the password for login and returns a login result to the terminal according to the comparison result. The embodiment of the invention realizes bidirectional authentication between the terminal and the network management server and improves the security of login authentication.
Referring to fig. 1, a flowchart of steps of an embodiment of a login authentication method according to the present invention is shown, and the method may be applied to a terminal. The embodiment of the invention does not limit the type, model, configuration, state, operating system and the like of the terminal in particular. Moreover, the embodiment of the invention does not limit the network environment and the like where the terminal is located. The method specifically comprises the following steps:
step 101, generating and sending login request information to a network management server.
In the embodiment of the invention, a user can input the IP, the port, the login timeout time, the user name, the password and the like of the network management server on the terminal. The terminal receives the information input by the user, invokes the terminal middleware to generate a terminal random number, generates login request information according to the information and the terminal random number, and sends the login request information to the network management server. The login request information may include a user name, a terminal random number, and the like.
Step 102, receiving login challenge information returned by the network management server according to the login request information.
In the embodiment of the invention, after receiving the login request information, the network management server can authenticate the login request information, generate the login challenge information if the authentication passes, and return the login challenge information to the terminal. The login challenge information returned by the network management server may comprise a network management random number, which the network management server obtains by invoking the network management middleware, together with network management signature data and a network management signature certificate.
Step 103, performing a signature verification operation on the network management signature data according to the network management signature certificate to obtain a network management signature verification result, and generating and sending login response information to the network management server when the network management signature verification result indicates that the network management server is legal.
In the embodiment of the invention, the network management server returns login challenge information, which has the effect that the terminal authenticates the validity of the network management server. Therefore, in the process of authenticating the validity of the network management server according to the login challenge information, the network management signature certificate can be utilized to carry out signature verification operation on the network management signature data so as to obtain a network management signature verification result. If the network management signature verification result indicates that the network management server is a legal network management server, further generating login response information and sending the login response information to the network management server.
The login response information may include at least two parts of content, and one part is terminal signature data, where the terminal signature data may include a password, a network management random number, and a terminal random number. The other part is encrypted data, and the encrypted data can comprise a user name, a password, a network management random number and a terminal random number. The terminal signature data is used for authenticating the legality of the terminal by the network management server. The encrypted data is used for authenticating the user password by the network management server.
Step 104, receiving the login result returned by the network management server according to the login response information.
In the embodiment of the invention, after receiving the login response information, the network management server sequentially authenticates the terminal signature data and the encrypted data. And when the authentication of the terminal signature data is passed, authenticating the password in the encrypted data. Thus, the login result returned by the network management server may indicate that login is allowed or that login is prohibited. If the login result indicates that login is prohibited, the login result may further include a reason for prohibiting login, such as a password error.
In an exemplary embodiment of the present invention, the terminal and the network management server may be located in the same network environment or in different network environments, for example, both the terminal and the network management server may access the internet of view, or any one of the terminal and the network management server accesses the internet of view, and the other accesses the internet. If the terminal and the network management server are both connected to the video network, the terminal can be a network management client, and the network management client can be a device for providing visual operation in the video network and is used for uniformly managing the video network terminal. The network management server can be core equipment in the video network, and can control registration, opening and the like of the video network service.
In order to ensure the legitimacy of the terminal and the network management server, in the initial state, respective certificates may be issued for the terminal and the network management server, and specifically, a signature certificate and an encryption certificate may be included. The signature certificate is used for carrying out signature operation on the data so as to ensure the validity and non-repudiation of the data. The encryption certificate is used for encrypting the data so as to ensure the authenticity and the integrity of the data.
As shown in fig. 2, fig. 2 shows a schematic flow chart of issuing a terminal signature certificate and a terminal encryption certificate for a terminal. When a terminal signature certificate and a terminal encryption certificate are issued to a terminal, a first cryptographic device configured on the terminal is first set according to a first parameter value preset by an administrator; after the setting is finished, a first certificate request instruction is generated based on the first cryptographic device and sent to a security tool according to a preset transmission protocol. The security tool parses the received first certificate request instruction to obtain a parsing result containing the first parameter value, the identifier of the terminal, the identifier of the first cryptographic device and other information, and sends the first certificate request instruction to the certificate issuing device. After receiving the first certificate request instruction, the certificate issuing device may also parse it to obtain the first parameter value, the identifier of the terminal, the identifier of the first cryptographic device and other information, and verify at least one of them. After verification passes, the certificate issuing device generates a terminal signature certificate and a terminal encryption certificate and sends them to the security tool. The security tool returns the terminal signature certificate and the terminal encryption certificate to the terminal.
The certificate issuing device may also generate an encryption public-private key pair for the terminal, and send the encryption private key of that pair, the root certificate, the terminal signature certificate and the terminal encryption certificate to the security tool, which then forwards them to the terminal.
After the terminal has the terminal signature certificate and the terminal encryption certificate, the terminal has legal identity in the video network.
In an exemplary embodiment of the present invention, when executing the above step 101, after the user inputs information such as IP, port, timeout, user name, and password of the network management server on the terminal, the terminal invokes the terminal middleware to generate the terminal random number. The terminal random number is used for guaranteeing the uniqueness of the login authentication. The terminal may generate login request information according to the user name, the terminal random number, and the terminal encryption certificate. In addition, when the terminal generates the login request information, the terminal may also generate the login request information according to the user name, the terminal random number, the terminal physical address and the terminal encryption certificate.
In an exemplary embodiment of the present invention, when executing step 103, the terminal may perform a signature verification operation on the network management signature data according to the network management signature certificate carried in the login challenge information, so as to obtain the terminal random number contained in the network management signature data. The terminal random number obtained from the signature verification operation is then compared with the terminal random number generated in step 101; if the two are the same, the network management server is legal, i.e. the network management signature verification result indicates that the network management server is legal. If the two are different, the network management server is illegal, i.e. the network management signature verification result indicates that the network management server is illegal.
In an exemplary embodiment of the present invention, when the above step 103 is performed, the terminal signature data may be obtained by performing a signature operation on the password, the terminal random number, and the network management random number according to the terminal signature certificate. And the user name, the password, the terminal random number and the network management random number can be encrypted according to the symmetric key carried in the login challenge information to obtain encrypted data. And the terminal signature data and the encrypted data are used as login response information together.
Referring to fig. 3, a flowchart of steps of another embodiment of a login authentication method according to the present invention is shown, and the method may be applied to a network management server. The embodiment of the invention does not limit the type, model, configuration, state, operating system and the like of the network management server. Moreover, the embodiment of the invention does not limit the network environment where the network management server is located, and the like. The method specifically comprises the following steps:
step 301, receiving login request information from a terminal, and performing detection operation on the login request information to obtain a detection result.
In the embodiment of the invention, the network management server can determine the legality of the terminal by detecting the content carried in the login request information. For example, a user name or the like carried in the login request information is detected.
Step 302, when the detection result indicates that the login request information is legal, generating and sending login challenge information to the terminal.
In the embodiment of the invention, when the detection result shows that the login request information is legal or the terminal is legal, login challenge information is generated and sent to the terminal, so that the terminal can authenticate the login challenge information, namely, the terminal judges whether the network management server is legal or not.
Step 303, receiving login response information returned by the terminal according to the login challenge information, performing a login authentication operation on the terminal according to the login response information to obtain a login result, and returning the login result to the terminal.
In the embodiment of the invention, the terminal returns login response information carrying the password according to the login challenge information. After receiving the login response information, the login response information can be authenticated to obtain a login result. If the authentication is passed, the login result indicates that login is allowed; if the authentication is not passed, the login result indicates that login is prohibited.
In an exemplary embodiment of the present invention, as shown in fig. 2, fig. 2 shows a schematic flow chart of issuing a network management signature certificate and a network management encryption certificate for a network management server. When a network management signature certificate and a network management encryption certificate are issued to the network management server, a second cryptographic device configured on the network management server is first set according to a second parameter value preset by an administrator; after the setting is finished, a second certificate request instruction is generated based on the second cryptographic device and sent to a security tool according to a preset transmission protocol. The security tool parses the received second certificate request instruction to obtain a parsing result containing the second parameter value, the identifier of the network management server, the identifier of the second cryptographic device and other information, and sends the second certificate request instruction to the certificate issuing device. After receiving the second certificate request instruction, the certificate issuing device may also parse it to obtain the second parameter value, the identifier of the network management server, the identifier of the second cryptographic device and other information, and verify at least one of them. After verification passes, the certificate issuing device generates a network management signature certificate and a network management encryption certificate and sends them to the security tool. The security tool returns the network management signature certificate and the network management encryption certificate to the network management server.
The certificate issuing device may also generate an encryption public-private key pair for the network management server, and send the encryption private key of that pair, the root certificate, the network management signature certificate and the network management encryption certificate to the security tool, which then forwards them to the network management server.
After the network management server has the network management signature certificate and the network management encryption certificate, the network management server has legal identity in the video network.
In an exemplary embodiment of the present invention, when executing the above step 301, an authentication response interface in the network management server may be invoked to perform a verification operation on the terminal encryption certificate carried in the login request information to obtain a verification result. The authentication response interface is invoked to obtain the legal terminal encryption certificate of the terminal, which is compared with the terminal encryption certificate carried in the login request information. If the two are the same, the terminal is legal; if they differ, the terminal is illegal. When the terminal is legal, that is, when the verification result shows that the terminal encryption certificate carried in the login request information is legal, the database is queried for whether the user name carried in the login request information exists. If it exists, the detection result indicates that the login request information is legal; if it does not exist, the detection result indicates that the login request information is illegal.
In an exemplary embodiment of the present invention, when executing the above step 302, the network management middleware may be invoked to generate a network management random number, obtain a symmetric key from the key management server, and perform a signing operation on the network management random number, the terminal random number and the symmetric key according to the network management signature certificate to obtain network management signature data. Then, the network management random number, the network management signature data and the network management signature certificate are used as login challenge information together.
In an exemplary embodiment of the present invention, when executing step 303, the network management middleware may be invoked to perform a signature verification operation on the terminal signature data to obtain a terminal signature verification result, and, when the terminal signature verification result indicates that the terminal is legal, to perform a decryption operation on the encrypted data to obtain the password. The signature verification operation on the terminal signature data may be performed according to the terminal signature certificate, so as to obtain the network management random number carried in the terminal signature data; that random number is compared with the network management random number generated in step 302, and if the two are identical the terminal is legal, i.e. the terminal signature verification result indicates that the terminal is legal. If the two are different, the terminal is illegal, i.e. the terminal signature verification result indicates that the terminal is illegal. When the encrypted data is decrypted, it may be decrypted according to the symmetric key obtained in step 302 to obtain the password; the decrypted password is then compared with the password stored in the database for the user name, and if the two are the same, login is allowed; if they differ, login is prohibited.
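To make the two-sided flow concrete, the following Python sketch plays both the terminal (steps 101 to 104) and the network management server (steps 301 to 303), including the symmetric key s1 that fig. 4 carries to the terminal as the ciphertext E_A. It is an added example, not code from the patent or its assignee. Its assumptions: HMAC-SHA256 stands in for the certificate-based signatures, a certificate is modelled as a subject name bound to a key and sealed by a root key held by a toy `Issuer` (the page's certificate issuing device and root certificate), an HMAC-counter keystream stands in for the symmetric cipher, s1 is generated locally rather than fetched from a key management server, and the class and method names (`Terminal.login_request`, `Server.login_challenge`, `run_login`, and so on) are this example's own.

```python
import hashlib
import hmac
import json
import secrets

def mac(key, *parts):
    """HMAC-SHA256 over length-prefixed parts; stands in for the certificate-based signature."""
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()

def xor_stream(key, nonce, data):
    """Toy stream cipher: XOR with an HMAC counter keystream (stand-in for the symmetric cipher)."""
    stream = b"".join(mac(key, nonce, i.to_bytes(4, "big")) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt(key, data):
    nonce = secrets.token_bytes(16)
    return nonce + xor_stream(key, nonce, data)

def decrypt(key, blob):
    return xor_stream(key, blob[:16], blob[16:])

class Issuer:
    """Certificate issuing device: a certificate binds a subject to a key and is sealed by the root key."""
    def __init__(self):
        self.root = secrets.token_bytes(32)

    def issue(self, subject):
        key = secrets.token_bytes(32)
        return {"subject": subject, "key": key, "seal": mac(self.root, subject.encode(), key)}

    def valid(self, cert):
        return hmac.compare_digest(cert["seal"], mac(self.root, cert["subject"].encode(), cert["key"]))

class Terminal:
    def __init__(self, issuer, user, password, mac_addr):
        self.issuer, self.user, self.password = issuer, user, password
        self.sig_cert = issuer.issue(f"terminal-sig:{mac_addr}")  # terminal signature certificate
        self.enc_cert = issuer.issue(f"terminal-enc:{mac_addr}")  # terminal encryption certificate

    def login_request(self):  # step 101
        self.t_nonce = secrets.token_bytes(16)  # terminal random number, fresh per login attempt
        return {"user": self.user, "t_nonce": self.t_nonce, "enc_cert": self.enc_cert}

    def login_response(self, chal):  # step 103; None means the server failed verification
        cert = chal["nm_sig_cert"]
        if not self.issuer.valid(cert):
            return None
        s1 = decrypt(self.enc_cert["key"], chal["E_A"])  # symmetric key s1 of fig. 4
        # The server signed (nm_nonce, OUR t_nonce, s1), so a replayed or forged challenge fails here.
        if not hmac.compare_digest(chal["nm_sig"], mac(cert["key"], chal["nm_nonce"], self.t_nonce, s1)):
            return None
        t_sig = mac(self.sig_cert["key"], self.password.encode(), chal["nm_nonce"], self.t_nonce)
        plain = json.dumps({"user": self.user, "password": self.password,
                            "nm_nonce": chal["nm_nonce"].hex(), "t_nonce": self.t_nonce.hex()}).encode()
        return {"t_sig_cert": self.sig_cert, "t_sig": t_sig, "enc": encrypt(s1, plain)}

class Server:
    def __init__(self, issuer, users, legal_terminals):
        self.issuer, self.users, self.legal = issuer, users, legal_terminals
        self.sig_cert = issuer.issue("nms-sig")  # network management signature certificate
        self.pending = {}  # t_nonce -> (nm_nonce, s1, user); each challenge is answerable once

    def login_challenge(self, req):  # steps 301-302; None means the request was rejected
        cert = req["enc_cert"]  # must be issuer-sealed, a known legal terminal, and a known user name
        if not self.issuer.valid(cert) or cert["subject"] not in self.legal or req["user"] not in self.users:
            return None
        nm_nonce, s1 = secrets.token_bytes(16), secrets.token_bytes(32)  # s1 generated locally (assumption)
        self.pending[req["t_nonce"]] = (nm_nonce, s1, req["user"])
        return {"nm_nonce": nm_nonce, "nm_sig_cert": self.sig_cert, "E_A": encrypt(cert["key"], s1),
                "nm_sig": mac(self.sig_cert["key"], nm_nonce, req["t_nonce"], s1)}

    def login_result(self, t_nonce, resp):  # step 303
        if t_nonce not in self.pending:
            return "prohibited: no pending challenge"  # a second answer to the same challenge lands here
        nm_nonce, s1, user = self.pending.pop(t_nonce)
        tcert = resp["t_sig_cert"]
        if not self.issuer.valid(tcert):
            return "prohibited: terminal certificate"
        data = json.loads(decrypt(s1, resp["enc"]))
        if (data["nm_nonce"], data["t_nonce"], data["user"]) != (nm_nonce.hex(), t_nonce.hex(), user):
            return "prohibited: random number mismatch"
        if not hmac.compare_digest(resp["t_sig"], mac(tcert["key"], data["password"].encode(), nm_nonce, t_nonce)):
            return "prohibited: terminal signature"
        if not hmac.compare_digest(data["password"].encode(), self.users[user].encode()):
            return "prohibited: password error"
        return "allowed"

def run_login(terminal, server):
    """Drive one complete exchange and return the login result, or where it stopped."""
    req = terminal.login_request()
    chal = server.login_challenge(req)
    if chal is None:
        return "prohibited: request rejected"
    resp = terminal.login_response(chal)
    if resp is None:
        return "aborted: terminal rejected the server"
    return server.login_result(req["t_nonce"], resp)
```

Two properties of the page's design show up directly in the code: because each side signs the other side's random number, a challenge replayed against a later request (new `t_nonce`) fails at the terminal, and a response replayed against the server finds no pending challenge; and because the terminal checks the server's certificate and signature before it encrypts the password, the password never leaves a terminal that has not verified its peer. The password comparison follows the page (stored password versus decrypted password, here in constant time); a deployed database would hold a salted password hash and compare against that instead.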
Based on the above description of a login authentication method, a user login authentication scheme based on the internet of view is described below. As shown in fig. 4, fig. 4 shows a schematic diagram of the framework of a user login authentication scheme based on the internet of view. The user login authentication scheme involves a terminal and a server in the video network. The terminal sends login request information carrying the user name and other information to the server; after receiving it, the server authenticates the login request information and, if the authentication passes, obtains a symmetric key s1 and encrypts it to produce a ciphertext E_A, which is carried in the login challenge information sent to the terminal. The terminal decrypts the ciphertext E_A to obtain the symmetric key s1, encrypts the password with s1, and sends the encrypted password to the server together with the login response information. The server decrypts to obtain the password and compares it with the password stored in the database for that user name; if the two are consistent, the user of the terminal is allowed to log in, and if they are inconsistent, the user of the terminal is prohibited from logging in.
As shown in fig. 5, fig. 5 shows a schematic flow chart of an implementation of a user login authentication scheme based on the internet of view. The server in the user login authentication scheme may be a network management server; the network management server communicates with the key management server through an encryption card, and in the initial state obtains the symmetric key from the key management server through the encryption card. The network management server may also communicate with a network management database, which stores registered user names and their corresponding passwords. There may be three terminals, client 1, client 2 and client 3, each connected to its own cryptographic device. In the initial state, the certificate issuing device issues corresponding signature certificates and encryption certificates to the three terminals and the network management server. The signature certificate and encryption certificate of a terminal may be stored in its cryptographic device, and the signature certificate and encryption certificate of the network management server may be stored in the encryption card.
The terminal first obtains the serial number of the cryptographic device it is connected to, encrypts the user name, the terminal random number, the terminal signature certificate and the serial number, and sends the ciphertext to the network management server. The network management server receives the ciphertext, decrypts it to obtain the terminal signature certificate, encrypts the network management random number, the network management signature certificate and so on, and sends that ciphertext to the terminal. The terminal receives the ciphertext sent by the network management server, decrypts it to obtain the network management signature certificate, encrypts the password and sends it to the network management server. After decrypting the password, the network management server compares the decrypted password with the password stored in the network management database; if the two are the same, the user on the terminal is allowed to log in, and if they differ, the user on the terminal is prohibited from logging in.
As shown in fig. 6, fig. 6 shows a schematic structural diagram of a terminal and a server in a user login authentication scheme based on the internet of view. The terminal may comprise a request interface for user authentication, a client interface for user authentication, cryptographic middleware and a cryptographic operation library. In the terminal, the cryptographic middleware communicates with the cryptographic operation library, the request interface for user authentication and the client interface for user authentication, respectively. The server may contain a response interface for user authentication, a confirmation interface for user authentication, cryptographic middleware, a cryptographic operation library and a database. In the server, the cryptographic middleware communicates with the cryptographic operation library, the response interface for user authentication and the confirmation interface for user authentication, respectively. The database communicates with the response interface for user authentication and the confirmation interface for user authentication, respectively. The terminal generates login request information through the request interface for user authentication and sends it to the server. The server authenticates the login request information through the response interface for user authentication and the database, generates login challenge information and sends it to the terminal. The terminal authenticates the login challenge information through the client interface for user authentication, generates login response information and sends it to the server. The server authenticates the login response information through the confirmation interface for user authentication and returns a login result to the terminal.
In the initial state, the corresponding signature certificate and encryption certificate may be issued to the terminal and/or the network management server through the cryptographic device of the terminal and/or the network management server, the security tool and the certificate issuing device. Once the terminal and/or the network management server have obtained their respective signature certificate and encryption certificate, they hold a legal identity in the video network.
It should be noted that, for simplicity of description, the method embodiments are shown as a series of acts, but it should be understood by those skilled in the art that the embodiments are not limited by the order of acts, as some steps may occur in other orders or concurrently in accordance with the embodiments. Further, those skilled in the art will appreciate that the embodiments described in the specification are presently preferred embodiments, and that the acts are not necessarily required by the embodiments of the invention.
Referring to fig. 7, there is shown a block diagram of an embodiment of a login authentication device according to the present invention, which may be applied to a terminal, and which may specifically include the following modules:
a request module 71, configured to generate and send login request information to a network management server, where the login request information includes a user name and a terminal random number;
a receiving module 72, configured to receive login challenge information returned by the network management server according to the login request information, where the login challenge information includes a network management random number, network management signature data, and a network management signature certificate;
a response module 73, configured to perform a signing verification operation on the network management signature data according to the network management signature certificate to obtain a network management signing verification result, and generate and send login response information to the network management server when the network management signing verification result indicates that the network management server is legal, where the login response information includes terminal signature data and encrypted data, the terminal signature data includes a password, the network management random number and the terminal random number, and the encrypted data includes the user name, the password, the network management random number and the terminal random number;
the receiving module 72 is further configured to receive a login result returned by the network management server according to the login response information, where the login result indicates that login is allowed or login is prohibited.
In an exemplary embodiment of the present invention, the request module 71 is configured to invoke a terminal middleware to generate the terminal random number, and generate the login request information according to the user name, the terminal random number, and a terminal encryption certificate obtained in advance.
In an exemplary embodiment of the present invention, the login challenge information further includes a symmetric key, and the response module 73 is configured to perform a signing operation on the password, the network management random number, and the terminal random number according to a pre-obtained terminal signature certificate to obtain the terminal signature data, and perform an encryption operation on the user name, the password, the network management random number, and the terminal random number according to the symmetric key to obtain the encrypted data; and taking the terminal signature data and the encrypted data as the login response information.
In an exemplary embodiment of the present invention, the terminal is configured with a first cryptographic device, the first cryptographic device communicates with a certificate issuing device through a security tool, the apparatus further comprising:
a first setting module, configured to set the first cryptographic device according to a preset first parameter value before the request module 71 generates and sends the login request information to the network management server;
a first generation module, configured to generate a first certificate request instruction on the first cryptographic device according to the first parameter value and send it to the security tool, where the security tool parses the first certificate request instruction to obtain a parsing result and forwards the instruction to the certificate issuing device according to that result, and the certificate issuing device generates the terminal signature certificate and the terminal encryption certificate according to the first certificate request instruction and returns them to the security tool;
the receiving module 72 is further configured to receive the terminal signature certificate and the terminal encryption certificate returned by the security tool.
Referring to fig. 8, there is shown a block diagram of another embodiment of a login authentication device according to the present invention, which may be applied to a network management server, and the device may specifically include the following modules:
a detection module 81, configured to receive login request information from a terminal, and perform a detection operation on the login request information to obtain a detection result, where the login request information includes a user name and a terminal random number;
a challenge module 82, configured to generate and send login challenge information to the terminal when the detection result indicates that the login request information is legal, where the login challenge information includes a network management random number, network management signature data, and a network management signature certificate;
an authentication module 83, configured to receive login response information returned by the terminal according to the login challenge information, perform a login authentication operation on the terminal according to the login response information to obtain a login result, and return the login result to the terminal, where the login response information includes terminal signature data and encrypted data, the terminal signature data includes a password, the network management random number, and the terminal random number, and the encrypted data includes the user name, the password, the network management random number, and the terminal random number, and the login result indicates that login is allowed or prohibited.
In an exemplary embodiment of the present invention, the login request information further includes a terminal encryption certificate, and the detection module 81 is configured to invoke an authentication response interface to perform a verification operation on the terminal encryption certificate to obtain a verification result, and query a database for whether the user name exists if the verification result indicates that the terminal encryption certificate is legal.
In an exemplary embodiment of the present invention, the challenge module 82 is configured to invoke a network management middleware to generate the network management random number, and obtain a symmetric key from a key management server; performing signature operation on the network management random number, the terminal random number and the symmetric key according to the network management signature certificate to obtain network management signature data; and taking the network management random number, the network management signature data and the network management signature certificate as the login challenge information.
In an exemplary embodiment of the present invention, the authentication module 83 is configured to invoke the network management middleware to perform a signature verification operation on the terminal signature data to obtain a terminal signature verification result, and perform a decryption operation on the encrypted data to obtain the password when the terminal signature verification result indicates that the terminal is legal; and comparing the password with the password corresponding to the user name stored in the database.
In an exemplary embodiment of the present invention, the server side is configured with a second cryptographic device, and the second cryptographic device communicates with the certificate issuing device through a security tool, and the apparatus further includes:
a second setting module, configured to set the second cryptographic device according to a preset second parameter value before the detection module 81 receives login request information from the terminal;
a second generation module, configured to generate a second certificate request instruction on the second cryptographic device according to the second parameter value and send it to the security tool, where the security tool parses the second certificate request instruction to obtain a parsing result and forwards the instruction to the certificate issuing device according to that result, and the certificate issuing device generates the network management signature certificate and the network management encryption certificate according to the second certificate request instruction and returns them to the security tool;
a receiving module, configured to receive the network management signature certificate and the network management encryption certificate returned by the security tool.
For the device embodiments, since they are substantially similar to the method embodiments, the description is relatively simple, and reference is made to the description of the method embodiments for relevant points.
The embodiment of the invention also provides a login authentication system, which comprises a terminal and a server, wherein the terminal can comprise the login authentication device shown in fig. 7, and the server can comprise the login authentication device shown in fig. 8.
In this specification, the embodiments are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and for the parts that are identical or similar between embodiments, reference may be made from one to another.
It will be apparent to those skilled in the art that embodiments of the present invention may be provided as a method, apparatus, or computer program product. Accordingly, embodiments of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the invention may take the form of a computer program product on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
Embodiments of the present invention are described with reference to flowchart illustrations and/or block diagrams of methods, terminal devices (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing terminal device to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing terminal device, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. It is therefore intended that the following claims be interpreted as including the preferred embodiment and all such alterations and modifications as fall within the scope of the embodiments of the invention.
Finally, it is further noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or terminal that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or terminal. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article or terminal device comprising the element.
The login authentication method, device, system and storage medium provided by the present invention have been described above using specific examples to illustrate the principles and embodiments of the invention; the examples are given only to help understand the method and core ideas of the invention. Since those skilled in the art will vary the specific embodiments and the scope of application in accordance with the ideas of the invention, the contents of this description should not be construed as limiting the present invention.

Claims (14)

1. A login authentication method, applied to a terminal, the method comprising:
generating and sending login request information to a network management server, wherein the login request information comprises a user name and a terminal random number;
receiving login challenge information returned by the network management server according to the login request information, wherein the login challenge information comprises a network management random number, network management signature data and a network management signature certificate;
performing signing verification operation on the network management signature data according to the network management signature certificate to obtain a network management signing verification result, and generating and sending login response information to the network management server under the condition that the network management signing verification result indicates that the network management server is legal, wherein the login response information comprises terminal signature data and encrypted data, the terminal signature data comprises a password, a network management random number and a terminal random number, and the encrypted data comprises the user name, the password, the network management random number and the terminal random number;
receiving a login result returned by the network management server according to the login response information, wherein the login result represents permission of login or prohibition of login;
the terminal signature data is generated through a terminal signature certificate; the login request information is generated through a terminal encryption certificate; the terminal is configured with a first password device, the first password device communicates with a certificate issuing device through a security tool, and before the login request information is generated and sent to the network management server, the method further comprises the steps of:
setting the first password equipment according to a preset first parameter value;
generating a first certificate request instruction based on the first password device and according to the first parameter value, sending the first certificate request instruction to the security tool, analyzing the first certificate request instruction by the security tool to obtain an analysis result, and sending the first certificate request instruction to the certificate issuing device according to the analysis result, wherein the certificate issuing device is used for generating and returning the terminal signature certificate and the terminal encryption certificate to the security tool according to the first certificate request instruction;
and receiving the terminal signature certificate and the terminal encryption certificate returned by the security tool.
2. The method of claim 1, wherein generating login request information comprises:
and calling a terminal middleware to generate the terminal random number, and generating the login request information according to the user name, the terminal random number and a terminal encryption certificate obtained in advance.
3. The method of claim 2, wherein the login challenge information further comprises a symmetric key, and wherein generating login response information comprises:
performing signature operation on the password, the network management random number and the terminal random number according to a pre-obtained terminal signature certificate to obtain terminal signature data, and performing encryption operation on the user name, the password, the network management random number and the terminal random number according to the symmetric key to obtain encrypted data;
and taking the terminal signature data and the encrypted data as the login response information.
4. A login authentication method, applied to a network management server, comprising:
receiving login request information from a terminal, and detecting the login request information to obtain a detection result, wherein the login request information comprises a user name and a terminal random number;
generating and sending login challenge information to the terminal under the condition that the detection result indicates that the login request information is legal, wherein the login challenge information comprises a network management random number, network management signature data and a network management signature certificate;
receiving login response information returned by the terminal according to the login challenge information, performing login authentication operation on the terminal according to the login response information to obtain a login result, and returning the login result to the terminal, wherein the login response information comprises terminal signature data and encryption data, the terminal signature data comprises a password, the network management random number and the terminal random number, the encryption data comprises the user name, the password, the network management random number and the terminal random number, and the login result represents permission of login or prohibition of login;
the server side is provided with a second password device, the second password device communicates with the certificate issuing device through a security tool, and before the login request information from the terminal is received, the method further comprises the steps of:
setting the second password equipment according to a preset second parameter value;
generating a second certificate request instruction based on the second password device and according to the second parameter value, sending the second certificate request instruction to the security tool, analyzing the second certificate request instruction by the security tool to obtain an analysis result, and sending the second certificate request instruction to the certificate issuing device according to the analysis result, wherein the certificate issuing device is used for generating and returning the network management signature certificate and the network management encryption certificate to the security tool according to the second certificate request instruction;
and receiving the network management signature certificate and the network management encryption certificate returned by the security tool.
5. The method of claim 4, wherein the login request information further comprises a terminal encryption certificate, and wherein the detecting the login request information comprises:
and calling an authentication response interface to perform authentication operation on the terminal encryption certificate to obtain an authentication result, and inquiring whether the user name exists in a database under the condition that the authentication result indicates that the terminal encryption certificate is legal.
6. The method of claim 4, wherein the generating login challenge information comprises:
calling a network management middleware to generate the network management random number, and acquiring a symmetric key from a key management server;
performing signature operation on the network management random number, the terminal random number and the symmetric key according to the network management signature certificate to obtain network management signature data;
and taking the network management random number, the network management signature data and the network management signature certificate as the login challenge information.
7. The method according to claim 6, wherein the performing login authentication operation on the terminal according to the login response information includes:
invoking the network management middleware to perform signature verification operation on the terminal signature data to obtain a terminal signature verification result, and performing decryption operation on the encrypted data to obtain the password under the condition that the terminal signature verification result indicates that the terminal is legal;
and comparing the password with the password corresponding to the user name stored in the database.
8. A login authentication device, characterized by being applied to a terminal, the device comprising:
the request module is used for generating and sending login request information to the network management server, wherein the login request information comprises a user name and a terminal random number;
the receiving module is used for receiving login challenge information returned by the network management server according to the login request information, wherein the login challenge information comprises a network management random number, network management signature data and a network management signature certificate;
the response module is used for carrying out signature verification operation on the network management signature data according to the network management signature certificate to obtain a network management signature verification result, and generating and sending login response information to the network management server under the condition that the network management signature verification result indicates that the network management server is legal, wherein the login response information comprises terminal signature data and encryption data, the terminal signature data comprises a password, the network management random number and the terminal random number, and the encryption data comprises the user name, the password, the network management random number and the terminal random number;
the receiving module is further configured to receive a login result returned by the network management server according to the login response information, where the login result indicates that login is allowed or login is forbidden;
the terminal signature data is generated through a terminal signature certificate; the login request information is generated through a terminal encryption certificate; the terminal is provided with a first password device, the first password device communicates with a certificate issuing device through a security tool, and the device further comprises:
the first setting module is used for setting the first password equipment according to a preset first parameter value before the request module generates and sends login request information to the network management server;
the first generation module is used for generating a first certificate request instruction based on the first password equipment and according to the first parameter value, sending the first certificate request instruction to the security tool, analyzing the first certificate request instruction by the security tool to obtain an analysis result, sending the first certificate request instruction to the certificate issuing equipment according to the analysis result, and generating and returning the terminal signature certificate and the terminal encryption certificate to the security tool by the certificate issuing equipment according to the first certificate request instruction;
the receiving module is further used for receiving the terminal signature certificate and the terminal encryption certificate returned by the security tool.
9. The apparatus of claim 8, wherein the request module is configured to invoke terminal middleware to generate the terminal nonce and to generate the login request information based on the username, the terminal nonce, and a pre-obtained terminal encryption certificate.
10. A login authentication device, applied to a network management server, comprising:
the detection module is used for receiving login request information from the terminal, detecting the login request information to obtain a detection result, wherein the login request information comprises a user name and a terminal random number;
the challenge module is used for generating and sending login challenge information to the terminal under the condition that the detection result indicates that the login request information is legal, wherein the login challenge information comprises a network management random number, network management signature data and a network management signature certificate;
the authentication module is used for receiving login response information returned by the terminal according to the login challenge information, carrying out login authentication operation on the terminal according to the login response information to obtain a login result, and returning the login result to the terminal, wherein the login response information comprises terminal signature data and encryption data, the terminal signature data comprises a password, the network management random number and the terminal random number, the encryption data comprises the user name, the password, the network management random number and the terminal random number, and the login result represents permission of login or prohibition of login;
the server side is configured with a second cryptographic device, the second cryptographic device communicates with the certificate issuing device through a security tool, and the apparatus further comprises:
the second setting module is used for setting the second password equipment according to a preset second parameter value before the detection module receives login request information from the terminal;
the second generation module is used for generating a second certificate request instruction based on the second password equipment and according to the second parameter value, sending the second certificate request instruction to the security tool, analyzing the second certificate request instruction by the security tool to obtain an analysis result, sending the second certificate request instruction to the certificate issuing equipment according to the analysis result, and generating and returning the network management signature certificate and the network management encryption certificate to the security tool by the certificate issuing equipment according to the second certificate request instruction;
and the receiving module is used for receiving the network management signature certificate and the network management encryption certificate returned by the security tool.
11. The apparatus of claim 10, wherein the login request information further includes a terminal encryption certificate, and the detection module is configured to invoke an authentication response interface to perform a verification operation on the terminal encryption certificate to obtain a verification result, and to query a database for the presence of the user name if the verification result indicates that the terminal encryption certificate is legal.
12. A login authentication system comprising a terminal and a server, wherein the terminal comprises the apparatus of claim 8 or 9 and the server comprises the apparatus of claim 10 or 11.
13. An apparatus, comprising:
one or more processors; and
one or more machine readable media having instructions stored thereon, which when executed by the one or more processors, cause the apparatus to perform the method of any of claims 1 to 3 or cause the apparatus to perform the method of any of claims 4 to 7.
14. A computer readable storage medium, characterized in that it stores a computer program causing a processor to perform the method of any one of claims 1 to 3 or causing the processor to perform the method of any one of claims 4 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010438333.8A CN111800378B (en) 2020-05-21 2020-05-21 Login authentication method, device, system and storage medium

Publications (2)

Publication Number Publication Date
CN111800378A CN111800378A (en) 2020-10-20
CN111800378B true CN111800378B (en) 2023-08-11

Family

ID=72806128

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010438333.8A Active CN111800378B (en) 2020-05-21 2020-05-21 Login authentication method, device, system and storage medium

Country Status (1)

Country Link
CN (1) CN111800378B (en)

Similar Documents

Publication Publication Date Title
CN111800378B (en) Login authentication method, device, system and storage medium
CN108964885B (en) Authentication method, device, system and storage medium
CN111901346B (en) Identity authentication system
US20030208681A1 (en) Enforcing file authorization access
CN106302606B (en) Cross-application access method and device
IL189131A (en) Distributed single sign-on service
CN112491881A (en) Cross-platform single sign-on method, system, electronic equipment and storage medium
KR20130084315A (en) A bidirectional entity authentication method based on the credible third party
US9398024B2 (en) System and method for reliably authenticating an appliance
CN111030814A (en) Key negotiation method and device
CN114900338A (en) Encryption and decryption method, device, equipment and medium
CN110175448B (en) Trusted device login authentication method and application system with authentication function
KR101631635B1 (en) Method, device, and system for identity authentication
CN113010874A (en) Login authentication method and device, electronic equipment and computer readable storage medium
CN111786996B (en) Cross-domain synchronous login state method and device and cross-domain synchronous login system
CN115277168B (en) Method, device and system for accessing server
CN110891065A (en) Token-based user identity auxiliary encryption method
CN111399980A (en) Safety authentication method, device and system for container organizer
CN113505353A (en) Authentication method, device, equipment and storage medium
JP2009003501A (en) Onetime password authentication system
CN112261103A (en) Node access method and related equipment
CN116707983A (en) Authorization authentication method and device, access authentication method and device, equipment and medium
WO2017219886A1 (en) Simple network protocol authentication method and device
CN114944921A (en) Login authentication method and device, electronic equipment and storage medium
CN112822217A (en) Server access method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant