CN112087424B - Security authentication system based on enterprise security computer - Google Patents


Info

Publication number: CN112087424B
Authority: CN (China)
Prior art keywords: platform server, client, module, disk, server
Legal status: Active
Application number: CN202010751065.5A
Other languages: Chinese (zh)
Other versions: CN112087424A (en)
Inventor: 陈碎海
Current assignee: Individual
Original assignee: Individual
Priority date: 2020-07-30
Filing date: 2020-07-30
Publication date: 2022-08-26

Timeline: application filed by Individual; priority to CN202010751065.5A; publication of CN112087424A; application granted; publication of CN112087424B; current legal status Active.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0861 Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]

Abstract

The invention discloses a security authentication system based on an enterprise security computer. It comprises a client, a management end, a platform server, a database server, a U disk (USB flash disk) and a modem. The client and the management end each comprise a storage module, a USB interface module and a mainboard module and are combined into a computer device; the platform server and the database server each comprise a CPU (central processing unit) integration module and a storage module; the U disk comprises a fingerprint authentication module; and the client, the platform server and the U disk each comprise a clock module. The invention adopts a multiple authentication mode in which the login process relies mainly on physical authentication and password authentication, so that the complexity of the login process is greatly reduced and login to the local server does not depend on a network connection.

Description

Security authentication system based on enterprise security computer
Technical Field
The invention relates to computer security, in particular to a security authentication system based on an enterprise security computer.
Background
Authentication is very important to the security of enterprise computers. The existing authentication modes are physical authentication and software authentication; the common mode is user + password authentication, and beyond this, two-factor authentication or network-protocol-based face recognition and fingerprint authentication have been developed.
However, for an enterprise, a lengthy and complicated authentication mode may reduce work efficiency and the willingness to authenticate. In particular, in the authentication process of a local server, an attendant needs to watch for a long time because a management terminal for long-term login management has to be set up; and if a cloud server authentication mode is adopted, the client needs a stable network connection to the server, information feedback cannot be produced quickly, and information is easily stolen over the network during authentication.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provides a security authentication system based on an enterprise security computer.
In order to solve the technical problems, the invention provides the following technical scheme:
The invention relates to a security authentication system based on an enterprise security computer, which comprises a client, a management end, a platform server, a database server, a U disk and a modem. The client and the management end each comprise a storage module, a USB interface module and a mainboard module and are combined into a computer device; the platform server and the database server each comprise a CPU (central processing unit) integrated module and a storage module; the U disk comprises a fingerprint authentication module; and the client, the platform server and the U disk each comprise a clock module. The security authentication system specifically comprises the following steps:
A. a user logs in to the platform server from the client, through the modem, with an account number and a password;
B. the platform server sends the U disk dynamic key login information to the client;
C. after the user inserts the U disk into the client, the dynamic key is authenticated and the fingerprint information is sent to the platform server through the fingerprint authentication module;
D. the platform server compares the fingerprint information with the fingerprint information stored inside it to determine whether to allow login.
As a preferred technical solution of the present invention, in step A the confirmation of the client's login to the platform server includes checking:
whether the client has a logged-in account;
whether the time of the client, the time of the U disk and the time of the platform server are consistent;
whether the dynamic key authentication of the U disk and the platform server is consistent;
whether the fingerprint information identified by the U disk is consistent with the fingerprint information held by the platform server.
As a preferred technical scheme of the invention, the U disk and the platform server each compute the digit string with a TOTP algorithm, and the U disk submits its digit string to the platform server for verification.
As a preferred technical solution of the present invention, the fingerprint identification of the U disk mainly includes:
the user's fingerprint information is first stored in the platform server;
the U disk mainly adopts an optical total-reflection module and a fingerprint image capture algorithm.
As a preferred technical solution of the present invention, the management end and the client have the same login mode, and the database server and the platform server are electrically connected.
As a preferred technical solution of the present invention, an FTP server module is loaded inside the platform server; the management terminal has full management authority on the platform server and is connected to it in active mode, while the client has limited management authority on the platform server and is connected to it in passive mode.
As a preferred technical solution of the present invention, the FTP server module mainly includes the following management policies: upload-only rights; read-only rights; read-and-modify-only rights; read-and-write-only rights; read, write and download-only rights.
Compared with the prior art, the invention has the following beneficial effects:
1: the invention adopts a multiple authentication mode in which the login process relies mainly on physical authentication and password authentication, so that the complexity of the login process is greatly reduced and login to the local server does not depend on a network connection.
2: the invention provides a plurality of management policies for the platform server, so that a management end can change the management policy according to requirements; this increases the security maintenance of the database server and prevents the data theft and data damage on the database server that manual modification and downloading would cause.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the principles of the invention and not to limit the invention. In the drawings:
FIG. 1 is a schematic diagram of the overall structure of the present invention;
FIG. 2 is a schematic diagram of a client module architecture of the present invention;
FIG. 3 is a block diagram of the management end module of the present invention;
FIG. 4 is a schematic flow structure of the present invention;
Detailed Description
The preferred embodiments of the present invention will be described in conjunction with the accompanying drawings, and it should be understood that they are presented herein only to illustrate and explain the present invention and not to limit the present invention.
Example 1
As shown in FIGS. 1-4, a security authentication system based on an enterprise security computer includes a client, a management end, a platform server, a database server, a U disk and a modem. The client and the management end each include a storage module, a USB interface module and a motherboard module and are combined into a computer device; the platform server and the database server each include a CPU integrated module and a storage module; the U disk includes a fingerprint authentication module; and the client, the platform server and the U disk each include a clock module. The system specifically includes the following steps:
A. a user logs in to the platform server from the client, through the modem, with an account number and a password;
B. the platform server sends the U disk dynamic key login information to the client;
C. after the user inserts the U disk into the client, the dynamic key is authenticated and the fingerprint information is sent to the platform server through the fingerprint authentication module;
D. the platform server compares the fingerprint information with the fingerprint information stored inside it to determine whether to allow login.
In step A, the confirmation of the client's login to the platform server comprises the following checks:
whether the client has a logged-in account;
whether the time of the client, the time of the U disk and the time of the platform server are consistent;
whether the dynamic key authentication of the U disk and the platform server is consistent;
and whether the fingerprint information identified by the U disk is consistent with the fingerprint information held by the platform server.
The U disk and the platform server each compute the digit string with a TOTP algorithm, and the U disk submits its digit string to the platform server for verification.
The fingerprint identification of the U disk mainly comprises the following steps:
the user's fingerprint information is first stored in the platform server;
the U disk mainly adopts an optical total-reflection module and a fingerprint image capture algorithm.
The management terminal and the client terminal have the same login mode, and the database server and the platform server are electrically connected.
The platform server is internally provided with an FTP server module. The management terminal has full management authority on the platform server and connects to it in active mode; the client has limited management authority on the platform server and connects to it in passive mode.
The FTP server module mainly comprises the following management policies: upload-only rights; read-only rights; read-and-modify-only rights; read-and-write-only rights; read, write and download-only rights.
Specifically, the client and the management terminal are both connected to the platform server over the local LAN port through a local modem, and the platform server and the database server are directly connected. The clients can be divided into groups when necessary; for example, client 1, client 2 and client 3 form one group, and subsequent client users are divided into other groups as needed, all managed through the local connection.
When logging in, the client and the management terminal log in to the platform server, which is loaded with an FTP server module, mainly using an xftp client. The platform server collects user information locally. At login, the platform server uses a user plus password login method; during login it compares time information with the client according to its CPU clock module and, once the times are the same, sends the dynamic key login computed by the TOTP algorithm for calculation. At this point the user only needs to insert the U disk into the client: the U disk compares the clock information of the client through its internal clock module and computes a random digit string according to the TOTP algorithm, and obtaining the same number realizes the verification on the software side. Finally, the user places a finger on the fingerprint identification module of the U disk; after the U disk collects the fingerprint, the image is sent to the platform server for denoising, sharpening and gray-level processing and is compared with the user information stored in the platform server to complete the login. The management terminal has the same login mode as the client terminal.
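The dynamic-key step above (and the TOTP check in the disclosure and in claim 1) is an RFC 6238 time-based one-time password compared after the three clocks are found consistent. The following is an added example written for this page, not code from the patent; the shared secret, time step, digit count and allowed clock skew are assumptions, since the patent gives none of them.

```python
"""Added example (not the patent's own code): RFC 6238 TOTP as the patent's
"dynamic key", with the clock-consistency check the patent requires between
client, U disk and platform server before the digit strings are compared."""
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30      # TOTP time step (assumption; the patent gives no value)
DIGITS = 6             # length of the digit string (assumption)
MAX_CLOCK_SKEW = 5     # seconds of disagreement still treated as "consistent"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    Both the U disk and the platform server run this over the same secret."""
    return hotp(secret, unix_time // step)


def clocks_consistent(client_t: int, udisk_t: int, server_t: int,
                      max_skew: int = MAX_CLOCK_SKEW) -> bool:
    """The patent's second check: client, U disk and platform server clocks
    must agree. Modelled here as the spread of the three readings being
    no more than max_skew seconds (a defensive reading of 'consistent')."""
    readings = (client_t, udisk_t, server_t)
    return max(readings) - min(readings) <= max_skew


def verify_dynamic_key(secret: bytes, udisk_code: str,
                       client_t: int, udisk_t: int, server_t: int):
    """Platform-server side of step C: refuse before computing anything if the
    clocks disagree, then compare the U disk's digit string with the server's
    own TOTP value in constant time. Returns (accepted, reason)."""
    if not clocks_consistent(client_t, udisk_t, server_t):
        return False, "clock mismatch"
    expected = totp(secret, server_t)
    if not hmac.compare_digest(expected, udisk_code):
        return False, "dynamic key mismatch"
    return True, "dynamic key accepted"


if __name__ == "__main__":
    # Constructed demo secret shared by the U disk and the platform server;
    # a real deployment provisions a per-user secret at enrolment.
    demo_secret = b"constructed-demo-secret-for-udisk"
    now = int(time.time())
    code_from_udisk = totp(demo_secret, now)          # what the U disk computes
    print(verify_dynamic_key(demo_secret, code_from_udisk, now, now + 1, now))
```

The clock check is done first so that a U disk whose clock has drifted is rejected for that reason and not reported as a bad key; the RFC test vectors (secret `12345678901234567890`) reproduce the standard values.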
The difference between the client and the management end is the FTP connection mode. The client logs in to the platform server mainly in passive mode: it sends a connection establishment request from a random port above 1024 to port 21 of the FTP server; the platform server replies on port 21 with a value of the form (xyz, ab) that tells the client which random port has been opened, namely port xyz*256 + ab; and the client connects from a random port to port xyz*256 + ab of the server for data transfer. The management end logs in to the platform server in active mode: it sends a connection establishment request from a random port above 1024 to port 21 of the FTP server; after receiving the request, the platform server actively connects from its port 20 to the management end's random port + 1, and if that port is occupied it tries random port + 2, and so on, until it finds an idle port on the management end; the management end and the platform server then transfer data through port 20. This achieves a faster management connection for the management end.
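The passive-mode reply and the active-mode port search described above, as an added example written for this page (not code from the patent). It assumes the standard RFC 959 form of the reply, "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)", of which the patent's (xyz, ab) is the trailing port pair, and adds the checks a client should make before following the reply: the data port must be above 1023 and the advertised host must be the server holding the control connection.

```python
"""Added example (not the patent's own code): the passive-mode exchange the
patent describes, where the platform server answers on port 21 with a value
of the form (xyz, ab) and the client computes the data port as xyz*256 + ab,
plus the active-mode search for a free port at random port + 1, + 2, ..."""
import re
from ipaddress import ip_address

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
# The patent's (xyz, ab) is the trailing (p1,p2) pair of this tuple.
PASV_TUPLE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv_reply(reply: str, control_peer: str):
    """Return (host, port) from a 227 reply, raising ValueError when the reply is
    malformed, when the data port is not above 1023, or when the advertised host
    differs from the server that holds the control connection (so a client never
    follows a reply into a third host or a privileged port)."""
    if not reply.startswith("227"):
        raise ValueError("not a PASV reply: " + reply.strip())
    match = PASV_TUPLE.search(reply)
    if match is None:
        raise ValueError("no (h1,h2,h3,h4,p1,p2) tuple in reply")
    fields = [int(x) for x in match.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("tuple field out of range 0-255")
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]          # the patent's xyz*256 + ab
    if port <= 1023:
        raise ValueError(f"data port {port} is a privileged port")
    if ip_address(host) != ip_address(control_peer):
        raise ValueError(f"reply advertises {host} but control peer is {control_peer}")
    return host, port


def pasv_reply_is_acceptable(reply: str, control_peer: str) -> bool:
    """Boolean wrapper around parse_pasv_reply for callers that only need a verdict."""
    try:
        parse_pasv_reply(reply, control_peer)
        return True
    except ValueError:
        return False


def choose_active_data_port(random_port: int, in_use, max_tries: int = 16) -> int:
    """Active mode as the patent describes it: from its port 20 the platform
    server connects to the management end's random port + 1; if that port is
    occupied it tries + 2, and so on. `in_use` is the set of ports already
    occupied on the management end (constructed input). The search is bounded
    so a misconfigured peer cannot turn it into an open-ended port walk."""
    if random_port <= 1024:
        raise ValueError("management end must use a random port above 1024")
    for candidate in range(random_port + 1, random_port + 1 + max_tries):
        if candidate > 65535:
            break
        if candidate not in in_use:
            return candidate
    raise RuntimeError(f"no idle port within {max_tries} of {random_port}")


if __name__ == "__main__":
    reply = "227 Entering Passive Mode (192,168,1,10,195,149)\r\n"   # constructed
    print(parse_pasv_reply(reply, "192.168.1.10"))      # ('192.168.1.10', 50069)
    print(choose_active_data_port(40000, {40001, 40002}))  # 40003
```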
After login, the client mainly reads the data of the database server through the platform server, so the authority of the client is distinguished mainly according to the authority authenticated by the platform server and is managed through the management terminal. A user obtains the authority within the range of the authentication information after logging in to the client, mainly through the U disk, and no difference in authority arises from different users of the client. The local machine of the management terminal has complete management authority on the platform server and is not distinguished by user authentication; the management terminal can modify the management policy in the platform server. As for the grouping of clients, the management terminal can encrypt different information of different database servers according to the grades of different user groups. The management authorities are generally as follows: access denied; upload-only rights; read-only rights; read-and-modify-only rights; read-and-write-only rights; read, write and download-only rights. By changing the different user authorities the system secures local information and can prevent damage to the database server's data from user misoperation, and in this management mode no attendant needs to watch the management end for long periods of monitoring.
In summary, the data detection, information storage and information authentication in the invention are located in different devices; a connection chain is formed during authentication, and the management end can conveniently authorize and process authentication according to the authentication information as required. Information transmission is therefore limited to local transmission, which reduces the possibility of data theft from the database server via the Internet, and the core database server of the invention is thus securely protected.
Finally, it should be noted that: although the present invention has been described in detail with reference to the foregoing embodiments, it will be apparent to those skilled in the art that changes may be made in the embodiments and/or equivalents thereof without departing from the spirit and scope of the invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (6)

1. A security authentication system based on an enterprise security computer, comprising a client, a management end, a platform server, a database server, a USB flash disk and a modem, characterized in that the client and the management end comprise a storage module, a USB interface module and a mainboard module and are combined into a computer device; the platform server and the database server comprise a CPU integrated module and a storage module; the USB flash disk comprises a fingerprint authentication module; the client, the platform server and the USB flash disk all comprise a clock module; and the system specifically comprises the following steps:
A. a user logs in to the platform server from the client, through the modem, with an account and a password;
B. the platform server sends the dynamic key login information of the USB flash disk to the client;
C. after the user inserts the USB flash disk into the client, the dynamic key is authenticated and the fingerprint information is sent to the platform server through the fingerprint authentication module;
D. the platform server compares the fingerprint information with the fingerprint information stored inside it and confirms whether to allow login;
in step A, the confirmation of the client's login to the platform server comprises the following checks:
whether the client has a logged-in account;
whether the time of the client, the time of the USB flash disk and the time of the platform server are consistent;
whether the dynamic key authentication of the U disk and the platform server is consistent;
whether the fingerprint information identified by the USB flash disk is consistent with the fingerprint information of the platform server;
the platform server collects user information locally; at login, the platform server uses a user plus password login method, compares time information with the client according to its CPU clock module during login, and sends the dynamic key login computed by the TOTP algorithm once the times are the same; at this point the user only needs to insert the U disk into the client, whereupon the U disk compares the clock information of the client through its internal clock module and computes a random digit string according to the TOTP algorithm, and obtaining the same number realizes the software verification.
2. The enterprise security computer-based security authentication system as claimed in claim 1, wherein the U disk and the platform server each compute the digit string with the TOTP algorithm, and the digit string is verified against the platform server through the U disk.
3. The system of claim 1, wherein the fingerprint identification of the U disk mainly comprises:
the user's fingerprint information is first stored in the platform server;
the U disk mainly adopts an optical total-reflection module and a fingerprint image capture algorithm.
4. The system of claim 1, wherein the management side and the client side log in in the same way, and the database server and the platform server are electrically connected.
5. The system of claim 4, wherein the platform server has an FTP server module loaded therein; the management side has full management authority on the platform server and the platform server and the management side are connected in active mode; the client has limited management authority on the platform server and the platform server and the client are connected in passive mode.
6. An enterprise security computer based security authentication system as claimed in claim 5, wherein said FTP server module contains the following management policies: upload-only rights; read-only rights; read-and-modify-only rights; read-and-write-only rights; read, write and download-only rights.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010751065.5A CN112087424B (en) 2020-07-30 2020-07-30 Security authentication system based on enterprise security computer

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010751065.5A CN112087424B (en) 2020-07-30 2020-07-30 Security authentication system based on enterprise security computer

Publications (2)

Publication Number Publication Date
CN112087424A CN112087424A (en) 2020-12-15
CN112087424B true CN112087424B (en) 2022-08-26

Family

ID=73734784

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010751065.5A Active CN112087424B (en) 2020-07-30 2020-07-30 Security authentication system based on enterprise security computer

Country Status (1)

Country Link
CN (1) CN112087424B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101662364A (en) * 2009-09-17 2010-03-03 北京飞天诚信科技有限公司 Method and system for safe login
CN102368230A (en) * 2011-10-31 2012-03-07 北京天地融科技有限公司 Mobile memory and access control method thereof as well as system
CN105743853A (en) * 2014-12-09 2016-07-06 航天信息股份有限公司 Fingerprint USB KEY and fingerprint center server for identity authentication, and system and method
CN106899635A (en) * 2015-12-18 2017-06-27 中国移动通信集团四川有限公司 FTP data link realizes the method and device of fixed communication port
CN109960916A (en) * 2017-12-22 2019-07-02 苏州迈瑞微电子有限公司 A kind of identity authentication method and system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11032275B2 (en) * 2018-10-05 2021-06-08 Mimecast Services Ltd. System for improved identification and authentication


Also Published As

Publication number Publication date
CN112087424A (en) 2020-12-15


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant