CN112667992A - Authentication method, authentication device, storage medium, and electronic apparatus - Google Patents
Authentication method, authentication device, storage medium, and electronic apparatus Download PDFInfo
- Publication number
- CN112667992A CN112667992A CN202110096740.XA CN202110096740A CN112667992A CN 112667992 A CN112667992 A CN 112667992A CN 202110096740 A CN202110096740 A CN 202110096740A CN 112667992 A CN112667992 A CN 112667992A
- Authority
- CN
- China
- Prior art keywords
- ciphertext
- key
- identity
- authentication information
- authentication
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Landscapes
- Storage Device Security (AREA)
Abstract
The disclosure provides an authentication method, an authentication device, a computer readable storage medium and an electronic device, and relates to the technical field of information security. The authentication method comprises the following steps: the first end encrypts authentication information by using a first key in the asymmetric keys to obtain a first ciphertext; sending the first ciphertext to the second end, enabling the second end to decrypt the first ciphertext by using a second key corresponding to the first key and compare the plaintext of the first ciphertext with authentication information so as to authenticate the identity of the first end; receiving a second ciphertext sent by the second end, wherein the second ciphertext is a ciphertext obtained by the second end encrypting the authentication information by using a second key; and decrypting the second ciphertext by using the first key, and comparing the plaintext of the second ciphertext with the authentication information to authenticate the identity of the second end. The method and the device realize bidirectional identity authentication, improve the security of computer communication and reduce the information interaction cost.
Description
Technical Field
The present disclosure relates to the field of information security technologies, and in particular, to an authentication method, an authentication apparatus, a computer-readable storage medium, and an electronic device.
Background
In computer communications, it is often necessary to transfer information between two parties, such as a client and a server in a session. In the related art, a transmission link is mostly encrypted to prevent the transmitted information from being stolen. However, if an attacker masquerades as one of the two ends and performs key agreement and session with the other end, the way of encrypting the transmission link fails, for example, the attacker masquerades as a server end and can steal user privacy information through a phishing site.
Disclosure of Invention
The present disclosure provides an authentication method, an authentication apparatus, a computer-readable storage medium, and an electronic device, thereby improving security of computer communication at least to some extent.
According to a first aspect of the present disclosure, there is provided an authentication method comprising: the first end encrypts authentication information by using a first key in the asymmetric keys to obtain a first ciphertext; sending the first ciphertext to a second end, so that the second end decrypts the first ciphertext by using a second key corresponding to the first key and compares the plaintext of the first ciphertext with the authentication information to authenticate the identity of the first end; receiving a second ciphertext sent by the second end, wherein the second ciphertext is a ciphertext obtained by encrypting the authentication information by the second end by using the second key; and decrypting the second ciphertext by using the first key, and comparing the plaintext of the second ciphertext with the authentication information to authenticate the identity of the second end.
According to a second aspect of the present disclosure, there is provided an authentication method comprising: a second end receives a first ciphertext sent by a first end, wherein the first ciphertext is a ciphertext obtained by the first end encrypting authentication information by using a first key in an asymmetric key; decrypting the first ciphertext by using a second key corresponding to the first key, and comparing the plaintext of the first ciphertext with the authentication information to authenticate the identity of the first end; encrypting the authentication information by using the second key to obtain a second ciphertext; and sending the second ciphertext to the first end, so that the first end decrypts the second ciphertext by using the first secret key and compares the plaintext of the second ciphertext with the authentication information to authenticate the identity of the second end.
According to a third aspect of the present disclosure, there is provided an authentication apparatus comprising: the encryption unit is configured to encrypt the authentication information by using a first key in the asymmetric key at the first end to obtain a first ciphertext; a sending unit configured to send the first ciphertext to a second end, so that the second end decrypts the first ciphertext by using a second key corresponding to the first key and compares plaintext of the first ciphertext with the authentication information to perform identity authentication on the first end; a receiving unit configured to receive a second ciphertext sent by the second end, where the second ciphertext is a ciphertext obtained by the second end encrypting the authentication information with the second key; and the decryption unit is configured to decrypt the second ciphertext by using the first key and compare the plaintext of the second ciphertext with the authentication information so as to authenticate the identity of the second end.
According to a fourth aspect of the present disclosure, there is provided an authentication apparatus comprising: the sending unit is configured to receive a first ciphertext sent by a first end by a second end, wherein the first ciphertext is a ciphertext obtained by encrypting authentication information by the first end by using a first key in an asymmetric key; the decryption unit is configured to decrypt the first ciphertext by using a second key corresponding to the first key, and compare the plaintext of the first ciphertext with the authentication information to authenticate the identity of the first end; an encryption unit configured to encrypt the authentication information with the second key to obtain a second ciphertext; a sending unit configured to send the second ciphertext to the first end, so that the first end decrypts the second ciphertext by using the first key and compares plaintext of the second ciphertext with the authentication information to perform identity authentication on the second end.
According to a fifth aspect of the present disclosure, there is provided a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the authentication method of the first or second aspect described above and possible implementations thereof.
According to a sixth aspect of the present disclosure, there is provided an electronic device comprising: a processor; a memory for storing executable instructions of the processor; and the communication module is used for communicating with other equipment. Wherein the processor is configured to perform the authentication method of the first or second aspect described above and possible implementations thereof via execution of the executable instructions.
The technical scheme of the disclosure has the following beneficial effects:
on one hand, the scheme of performing bidirectional identity authentication on two communication ends is provided, and the two ends can identify whether the identity of the other party is real or not by comparing whether the decrypted authentication information is consistent with the original text of the authentication information or not, so that the attack of a man in the middle by disguising the identity can be prevented, the client can particularly identify a false server, and the security of computer communication is improved. On the other hand, the bidirectional identity authentication is realized based on encryption and decryption of the same authentication information, different authentication information does not need to be configured at two ends, and the information interaction cost can be reduced.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
FIG. 1 illustrates a system architecture diagram of an environment in which the present exemplary embodiment operates;
fig. 2 shows a schematic configuration diagram of an electronic apparatus in the present exemplary embodiment;
FIG. 3 illustrates a flowchart of the steps of a method of authentication in the present exemplary embodiment;
FIG. 4 is a schematic diagram illustrating an interaction of negotiating an asymmetric key and authentication information in the exemplary embodiment;
FIG. 5 is an interaction diagram illustrating authentication of a first end in the exemplary embodiment;
FIG. 6 is an interaction diagram illustrating identity authentication of a second end in the exemplary embodiment;
FIG. 7 is a flowchart illustrating the steps of a process for encrypting communication data in the exemplary embodiment;
FIG. 8 is a schematic diagram illustrating an interaction between obtaining and updating a random key in the exemplary embodiment;
FIG. 9 is a flowchart illustrating the steps of one process for adding an identity token in the exemplary embodiment;
FIG. 10 is a schematic diagram illustrating an interaction between obtaining and updating an identity token in the exemplary embodiment;
FIG. 11 is a flowchart illustrating another authentication method in the exemplary embodiment;
fig. 12 is a schematic diagram showing the structure of an authentication apparatus in the present exemplary embodiment;
fig. 13 is a schematic diagram showing the structure of another authentication apparatus in the present exemplary embodiment.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art. The described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the disclosure. One skilled in the relevant art will recognize, however, that the subject matter of the present disclosure can be practiced without one or more of the specific details, or with other methods, components, devices, steps, and the like. In other instances, well-known technical solutions have not been shown or described in detail to avoid obscuring aspects of the present disclosure.
Furthermore, the drawings are merely schematic illustrations of the present disclosure and are not necessarily drawn to scale. The same reference numerals in the drawings denote the same or similar parts, and thus their repetitive description will be omitted. Some of the block diagrams shown in the figures are functional entities and do not necessarily correspond to physically or logically separate entities. These functional entities may be implemented in the form of software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
The flow charts shown in the drawings are merely illustrative and do not necessarily include all of the steps. For example, some steps may be decomposed, and some steps may be combined or partially combined, so that the actual execution sequence may be changed according to the actual situation.
Exemplary embodiments of the present disclosure provide an authentication method, application scenarios of which include but are not limited to: when the client and the server interact, the authentication method of the exemplary embodiment can be used for bidirectional identity authentication to ensure the true identities of the client and the server, so that service interaction such as data reading and writing is performed, and the method is particularly suitable for interaction scenes with high sensitivity such as payment and personal information input; when the two terminals perform direct communication through bluetooth and the like, bidirectional identity authentication can be performed through the authentication method of the exemplary embodiment to ensure the authenticity of the identities of the two terminals.
Fig. 1 is a system architecture diagram showing an environment in which the authentication method operates in the present exemplary embodiment. As shown in fig. 1, the system 100 includes a first end 110, a network 120, and a second end 130. The first end 110 and the second end 130 are two ends for performing computer communication, for example, the first end 110 is a client and the second end 130 is a server, or the first end 110 is a server and the second end 130 is a client, or both the first end 110 and the second end 130 are terminals. The network 120 is used to provide a communication link, which may be a wired or wireless communication link, between the first end 110 and the second end 130.
The exemplary embodiment of the present disclosure also provides an electronic device, which may be the first terminal 110 or the second terminal 130 described above, for executing the authentication method of the present exemplary embodiment. The electronic device may be a terminal or a server. Generally, the electronic device includes a processor, a memory, and a communication unit. The memory is used for storing executable instructions of the processor and can also be used for storing application data, such as image data, video data and the like; the communication module is used for communicating with other equipment; the processor is configured to perform the authentication method of the present exemplary embodiment via execution of executable instructions.
The structure of the electronic device is exemplarily described below by taking the mobile terminal 200 in fig. 2 as an example. It will be appreciated by those skilled in the art that the configuration of figure 2 can also be applied to fixed type devices, in addition to components specifically intended for mobile purposes.
As shown in fig. 2, the mobile terminal 200 may specifically include: a processor 210, an internal memory 221, an external memory interface 222, a USB (Universal Serial Bus) interface 230, a charging management Module 240, a power management Module 241, a battery 242, an antenna 1, an antenna 2, a mobile communication Module 250, a wireless communication Module 260, an audio Module 270, a speaker 271, a microphone 272, a microphone 273, an earphone interface 274, a sensor Module 280, a display 290, a camera Module 291, a pointer 292, a motor 293, a button 294, and a Subscriber Identity Module (SIM) card interface 295.
Processor 210 may include one or more processing units, such as: the Processor 210 may include an Application Processor (AP), a modem Processor, a Graphics Processing Unit (GPU), an Image Signal Processor (ISP), a controller, an encoder, a decoder, a Digital Signal Processor (DSP), a baseband Processor, and/or a Neural Network Processor (NPU), and the like.
In some embodiments, processor 210 may include one or more interfaces through which connections are made to other components of mobile terminal 200.
Internal memory 221 may be used to store computer-executable program code, including instructions. The internal Memory 221 may include a volatile Memory such as a DRAM (Dynamic Random Access Memory), an SRAM (Static Random Access Memory), and a nonvolatile Memory such as at least one disk Memory device, a flash Memory device, and the like. The external memory interface 222 may be used to connect external memory to enable expansion of the memory capabilities of the mobile terminal 200.
The USB interface 230 is an interface conforming to the USB standard specification, and may be used to connect a charger to charge the mobile terminal 200, or connect an earphone or other electronic devices.
The charge management module 240 is configured to receive a charging input from a charger. While the charging management module 240 charges the battery 242, the power management module 241 may also supply power to the device; the power management module 241 may also monitor the status of the battery.
The wireless communication function of the mobile terminal 200 may be implemented by the antenna 1, the antenna 2, the mobile communication module 250, the wireless communication module 260, a modem processor, a baseband processor, and the like. The antennas 1 and 2 are used for transmitting and receiving electromagnetic wave signals. The mobile communication module 250 may provide a solution including 2G/3G/4G/5G wireless communication applied on the mobile terminal 200. The Wireless Communication module 260 may provide Wireless Communication solutions including a Wireless Local Area Network (WLAN) (e.g., a Wireless Fidelity (Wi-Fi) network), Bluetooth (BT), a Global Navigation Satellite System (GNSS), Frequency Modulation (FM), Near Field Communication (NFC), Infrared (IR), and the like, which are applied to the mobile terminal 200.
The mobile terminal 200 may implement a display function through the GPU, the display screen 290, the application processor, and the like, may implement a photographing function through the ISP, the camera module 291, the encoder, the decoder, the GPU, the display screen 290, the application processor, and the like, and may implement an audio function through the audio module 270, the speaker 271, the receiver 272, the microphone 273, the earphone interface 274, the application processor, and the like.
The sensor module 280 may include a depth sensor 2801, a pressure sensor 2802, a gyroscope sensor 2803, a barometric pressure sensor 2804, and the like.
Indicator 292 may be an indicator light that may be used to indicate a state of charge, a change in charge, or may be used to indicate a message, missed call, notification, etc. The motor 293 may generate a vibration cue, may also be used for touch vibration feedback, and the like. The keys 294 include a power-on key, a volume key, and the like.
The mobile terminal 200 may support one or more SIM card interfaces 295 for connecting to a SIM card to enable voice calls and mobile communications.
Fig. 3 shows an exemplary flow of an authentication method performed by a first end, which may include:
step S310, the first end encrypts authentication information by using a first secret key in the asymmetric secret key to obtain a first ciphertext;
step S320, sending the first ciphertext to the second end, enabling the second end to decrypt the first ciphertext by using a second key corresponding to the first key and compare the plaintext of the first ciphertext with authentication information so as to authenticate the identity of the first end;
step S330, receiving a second ciphertext sent by the second end, wherein the second ciphertext is a ciphertext obtained by the second end encrypting the authentication information by using a second key;
step S340 decrypts the second ciphertext using the first key, and compares the plaintext of the second ciphertext with the authentication information to perform identity authentication on the second end.
Based on the method shown in fig. 3, a scheme for performing bidirectional identity authentication on two ends of communication is provided, and the two ends can identify whether the identity of the other party is real or not by comparing whether the decrypted authentication information is consistent with the original text of the authentication information, so that the attack of a man in the middle by disguising the identity can be prevented, particularly, a client can identify a false server, and the security of computer communication is improved. On the other hand, the bidirectional identity authentication is realized based on encryption and decryption of the same authentication information, different authentication information does not need to be configured at two ends, and the information interaction cost can be reduced.
Each step in fig. 3 is explained in detail below.
In step S310, the first end encrypts the authentication information using the first key in the asymmetric key to obtain a first ciphertext.
The asymmetric key typically includes a pair of a Public key (Public key) and a Private key (Private key), the first key may be the Public key and the corresponding second key the Private key, or the first key may be the Private key and the corresponding second key the Public key. The authentication information (Auth) is used for bidirectional authentication between the first end and the second end, and may be any character string, for example, a random character string generated by the second end according to a certain rule (including a predetermined length, character type, complexity, etc.) is used as the authentication information.
In this exemplary embodiment, the first end and the second end may negotiate in advance to agree on the asymmetric key and the authentication information. Referring to fig. 4, the first end is taken as a client, and the second end is taken as a server for example, and the client sends a negotiation request to the server; the server side responds to the negotiation request and generates an asymmetric key and authentication information, wherein the asymmetric key is a pair of a public key (namely a first key) and a private key (namely a second key); the server side sends the public key and the authentication information to the client side, and the client side stores the public key and the authentication information; the server side stores the private key and the authentication information. It should be noted that, in fig. 4, it is shown that the server sends the public key and the authentication information to the client at the same time, in practical applications, the public key and the authentication information may not be sent at the same time, for example, the client and the server negotiate to agree with the public key and the private key at a certain time, and negotiate to agree with the authentication information at another time.
The asymmetric key and the authentication information may be generated by either the first end or the second end, for example, the asymmetric key and the authentication information may be generated by the service end in fig. 4, or the asymmetric key may be generated by one end and the authentication information may be generated by the other end, or the asymmetric key and the authentication information may be generated by the other third end. In one embodiment, the client and the server may negotiate and agree on an asymmetric key, configure a public key at the client, configure a private key at the server, and generate authentication information from another authentication terminal (i.e., a third terminal, where the authentication terminal and the server may be different servers) and send the authentication information to the client and the server.
The above process of negotiating the agreed asymmetric key and the authentication information may be performed after the connection is established. In one embodiment, the first end establishes a connection with the second end, negotiates an agreed asymmetric key and authentication information after the connection is successful, and then performs step S310. The above-described process of negotiating asymmetric keys and authentication information may also be performed before establishing a connection. In an embodiment, the first end and the second end may negotiate the agreed asymmetric key and the authentication information periodically, for example, periodically negotiate to update the asymmetric key and the authentication information, so that the agreed asymmetric key and the authentication information may be directly called after the connection is established during the session, and step S310 is executed.
In one embodiment, the first end may perform a preliminary authentication on the identity of the second end according to the digital certificate, and perform the above-mentioned process of negotiating and agreeing the asymmetric key and the authentication information with the second end after the authentication is passed.
After determining the first key and the authentication information, the first end may encrypt the authentication information using the first key to obtain a first ciphertext.
Referring to fig. 3, in step S320, the first ciphertext is sent to the second end, so that the second end decrypts the first ciphertext by using the second key corresponding to the first key and compares the plaintext of the first ciphertext with the authentication information to authenticate the identity of the first end.
The first end sends the first ciphertext to the second end, and the second end decrypts the first ciphertext by using the second key to obtain the plaintext of the first ciphertext. If the first key held by the first end and the second key held by the second end are a pair of asymmetric keys, the second end decrypts the first ciphertext in step S320, which is the reverse process of the first end encrypting the authentication information in step S310, and the plaintext of the first ciphertext should be consistent with the authentication information. Therefore, the second end compares the plaintext of the first ciphertext with the authentication information, and actually compares whether the encrypted and decrypted authentication information is consistent with the plaintext of the authentication information. If the plaintext of the first ciphertext is consistent with the authentication information, determining that the identity authentication of the first end passes; if the plaintext of the first ciphertext is inconsistent with the authentication information, at least one of the first key and the authentication information held by the first end is judged to be wrong, and the first end can be determined not to pass the identity authentication. The second end may return the result of the authentication to the first end, such as returning a specific error code when the authentication fails.
Referring to fig. 5, the identity authentication process of the first end will be specifically described. The client encrypts the authentication information by using the public key to obtain a first ciphertext; the client sends the first ciphertext to the server; the server decrypts the first ciphertext by using the private key to obtain a corresponding plaintext, compares whether the plaintext is consistent with the authentication information or not, and determines an identity authentication result of the client; and the server returns the identity authentication result to the client.
The above steps S310 and S320 are the authentication process of the second end to the first end, and then the authentication process of the first end to the second end is performed.
With continued reference to fig. 3, in step S330, a second ciphertext sent by the second end is received, where the second ciphertext is a ciphertext obtained by the second end encrypting the authentication information with the second key.
And the second end encrypts the authentication information by using the second key to obtain a second ciphertext. In addition, although the same piece of authentication information is encrypted in step S310 and step S330, the first ciphertext and the second ciphertext are different because the key used is different. The second end then sends the second ciphertext to the first end.
In one embodiment, the second key is a private key of the asymmetric key, and the second end encrypts the authentication information using the private key, substantially signing the authentication information.
With reference to fig. 3, in step S340, the second ciphertext is decrypted by using the first key, and the plaintext of the second ciphertext is compared with the authentication information, so as to authenticate the second end.
The first end decrypts the second ciphertext by using the first key to obtain a corresponding plaintext, and the identity authentication can be performed on the second end by comparing whether the plaintext is consistent with the authentication information. If the first key held by the first end and the second key held by the second end are a pair of asymmetric keys, the process of decrypting the second ciphertext by the first end in step S340 is the reverse process of encrypting the authentication information by the second end in step S330, and the plaintext of the second ciphertext should be consistent with the authentication information. Therefore, the first terminal compares the plaintext of the second ciphertext with the authentication information, and actually compares whether the encrypted and decrypted authentication information is identical with the plaintext of the authentication information. If the plaintext of the second ciphertext is consistent with the authentication information, determining that the identity authentication of the second end passes; if the plaintext of the second ciphertext is inconsistent with the authentication information, at least one of the first key and the authentication information held by the second end is judged to be wrong, and the second end identity authentication can be determined not to pass. The first end may return the result of the authentication to the first end.
Referring to fig. 6, the identity authentication process of the second end will be specifically described. The server side encrypts the authentication information by using a private key to obtain a second ciphertext, and the process is essentially to sign the authentication information; the server side sends the second ciphertext to the client side; the client decrypts the second ciphertext by using the public key to obtain a corresponding plaintext, compares whether the plaintext is consistent with the authentication information or not, and determines an identity authentication result of the server, wherein the process is essentially to authenticate the signature of the server; and the client returns the identity authentication result to the server.
It should be noted that, in the authentication process of the first end and the second end, the same authentication information is used, so that the authentication information is negotiated in advance and deployed once, and different authentication information does not need to be configured at the first end and the second end, thereby reducing the information interaction cost.
It should be understood that the identities of the first peer and the second peer may be interchanged, for example, fig. 4 to 6 show that the first peer is a client and the second peer is a server, and the two may be interchanged, so that the first peer is a server and the second peer is a client. The order of the authentication process of the first end and the second end may also be changed, for example, steps S330 and S340 are performed first to authenticate the second end, and then steps S310 and S320 are performed to authenticate the first end.
After the bidirectional identity authentication is passed, service interaction can be carried out. In one embodiment, referring to fig. 7, after the second end identity authentication is passed, the following steps may be performed:
step S710, acquiring a random key;
and S720, encrypting the communication data by using the random key and sending the encrypted communication data to the second end.
The communication data may be any data that needs to be sent to the second end in the service interaction. The Random key (Random key) is used to encrypt the communication data, and may be any type of key, such as a symmetric key or an asymmetric key, which is not limited in this disclosure.
The random key may be another set of keys different from the first key, the second key. In one embodiment, the first and second ends may negotiate a commitment random key. Referring to fig. 8, the client may send a key request to the server, and the server generates a random key in response to the key request and returns the random key to the client. The client can utilize the first key for encryption when sending the key request, so as to improve the security of the negotiation process.
In one embodiment, step S710 may be implemented by:
receiving a random key ciphertext sent by the second end;
and decrypting the random key ciphertext by using the first key to obtain the random key.
For example, in fig. 8, the server may send the random key ciphertext encrypted by the second key to the client. The first end can decrypt the random key ciphertext by using the first key to obtain the plaintext of the random key. Therefore, in the transmission process of the random key, even if an attacker steals the random key ciphertext, the attacker cannot decrypt the random key due to the fact that the attacker does not have the first key, and therefore the safety in the transmission process is improved.
And after the first end acquires the random key, the first end encrypts the communication data by using the random key, and sends the ciphertext of the communication data to the second end, and the second end decrypts the ciphertext to obtain the plaintext of the communication data. Thereby improving the security of the communication data.
In one embodiment, an expiration mechanism for the random key may be set. Specifically, when the first end receives the key expiration information sent by the second end, a key request may be sent to the second end to obtain a new random key. The key expiration information is used to indicate that the random key of the first end is expired, and may be a specific error code or other form of information. For example, the validity period of the random key is set to 5 minutes (usually from the time of generating the random key), and the second peer may transmit the key expiration information to the first peer when 5 minutes passes, or transmit the key expiration information to the first peer when communication data encrypted with the random key, which is transmitted by the first peer, is received after 5 minutes passes. When the first end receives the key expiration information, a key request can be sent to the second end, and the second end generates a new random key and returns the new random key to the first end in response to the key request. Referring to fig. 8, after the client sends the communication data to the server, if the server detects that the random key is expired, an error code indicating that the key is expired is returned; and after receiving the error code, the client sends a key request to the server, and the server responds to the key request, generates a new random key and returns the new random key to the client. In the process, the client can utilize the first key to encrypt the key request, and the server can utilize the second key to encrypt the random key, so that the interactive security of the process is improved.
In the process of service interaction, rapid identity authentication can be realized through the identity token. In one embodiment, referring to fig. 9, after the second end identity authentication is passed, the following steps may be performed:
step S910, obtaining an identity token;
and step S920, adding the identity token to the communication data and sending the identity token to the second end.
The identity Token (Token) is used to identify the identity information of the first end, and may be an identification character string randomly generated by the second end for the first end. Therefore, the first end can add the identity token into the communication data each time the communication data is sent, so that the second end can rapidly identify and authenticate the identity of the first end after identifying the identity token.
In one embodiment, the second end may generate and send the identity token of the first end to the first end after the identity authentication of the first end is passed.
In another embodiment, the first end may send a token request to the second end after the second end passes identity authentication, and the second end generates an identity token of the first end and sends the identity token to the first end in response to the token request.
In one embodiment, step S910 may be implemented by:
receiving an identity token ciphertext sent by the second end;
and decrypting the identity token ciphertext by using the first key to obtain the identity token.
And the identity token ciphertext is a ciphertext obtained by encrypting the identity token by the second end by using the second key. The first end can decrypt the identity token ciphertext by using the first key to obtain the plaintext of the identity token. Therefore, in the transmission process of the identity token, even if an attacker steals the identity token ciphertext, the attacker cannot decrypt the identity token due to the fact that the attacker does not have the first secret key, and therefore the safety in the transmission process is improved.
Referring to fig. 10, the client may send a token request to the server, and the server generates an identity token of the first end in response to the token request and returns the identity token to the client. The client can utilize the first secret key for encryption when sending the secret key request, and the server can utilize the second secret key for encryption when returning the identity token, thereby improving the interactive security of the process.
In one embodiment, an expiration mechanism for the identity token may be set. In particular, when the first end receives the token expiry information sent by the second end, a token request may be sent to the second end to obtain a new identity token. The token expiration information is used to indicate that the identity token of the first end is expired, and may be a specific error code (different from the key expiration information) or other form of information. For example, the validity period of the identity token is set to 1 hour (usually, the validity period of the identity token may be longer than that of the random key from the time of generating the identity token), the second end may send the token expiry information to the first end when 1 hour is exceeded, or send the token expiry information to the first end when receiving the communication data carrying the identity token sent by the first end after 1 hour is exceeded. When the first end receives the token expiration information, a token request may be sent to the second end, which generates a new identity token and returns it to the first end in response to the token request. Referring to fig. 10, after the client sends communication data to the server, if the server detects that the identity token is expired, an error code indicating that the token is expired is returned; and after receiving the error code, the client sends a token request to the server, and the server responds to the token request, generates a new identity token and returns the new identity token to the client. In the process, the client can utilize the first secret key to encrypt the token request, and the server can utilize the second secret key to encrypt the identity token, so that the interaction security of the process is improved.
In one embodiment, the random key may be employed simultaneously with the identity token in the business interaction. Specifically, when the first end sends the communication data, the identity token may be added to the communication data, the communication data to which the identity token is added is encrypted by using the random key, and the encrypted data is sent to the second end. Therefore, the safety of communication data can be improved, and the second end can quickly identify and authenticate the first end.
Fig. 11 shows an exemplary flow of an authentication method performed by the second end, which may include:
step S1110, the second end receives a first ciphertext sent by the first end, where the first ciphertext is a ciphertext obtained by the first end encrypting the authentication information by using a first key in the asymmetric key;
step S1120, decrypting the first ciphertext with a second key corresponding to the first key, and comparing the plaintext of the first ciphertext with the authentication information to authenticate the identity of the first end;
step S1130, encrypting the authentication information by using a second secret key to obtain a second ciphertext;
step S1140 is to send the second ciphertext to the first end, so that the first end decrypts the second ciphertext using the first key and compares the plaintext of the second ciphertext with the authentication information to perform the identity authentication on the second end.
The method flow of fig. 11 is substantially the same as the method flow of fig. 3, except that the execution body changes from a first end to a second end. For example, when the first end is a client and the second end is a server, fig. 11 is a flow of a method executed by the server. Based on the method shown in fig. 11, a scheme of bidirectional identity authentication can be realized, a man in the middle is prevented from attacking through disguised identity, the security of computer communication is improved, the scheme can be realized based on encryption and decryption of the same authentication information, and the information interaction cost can be reduced.
Exemplary embodiments of the present disclosure also provide an authentication apparatus. Referring to fig. 12, the authentication apparatus 1200 may include:
an encrypting unit 1210 configured to encrypt the authentication information by using a first key in the asymmetric key at the first end to obtain a first ciphertext;
a sending unit 1220, configured to send the first ciphertext to the second end, so that the second end decrypts the first ciphertext by using a second key corresponding to the first key and compares the plaintext of the first ciphertext with the authentication information to authenticate the identity of the first end;
a receiving unit 1230, configured to receive a second ciphertext sent by the second end, where the second ciphertext is a ciphertext obtained by the second end encrypting the authentication information with the second key;
and the decryption unit 1240 is configured to decrypt the second ciphertext by using the first key, and compare the plaintext of the second ciphertext with the authentication information to authenticate the second end.
In one embodiment, the first key is a public key and the second key is a private key corresponding to the public key.
In one embodiment, after the decryption unit 1240 passes the second end identity authentication, the receiving unit 1230 is configured to obtain a random key; an encryption unit 1210 configured to encrypt communication data with a random key; a transmitting unit 1220 configured to transmit the encrypted communication data to the second end.
In an embodiment, the receiving unit 1230 is configured to receive the key expiration information sent by the second end; the sending unit 1220 is configured to send a key request to the second end in response to the key expiration information to obtain a new random key.
In one embodiment, the receiving unit 1230 is configured to receive the random key ciphertext transmitted by the second end; and a decryption unit 1240 configured to decrypt the random key ciphertext with the first key to obtain a random key.
In one embodiment, after the decryption unit 1240 passes the identity authentication of the second end, the receiving unit 1230 is configured to obtain an identity token, where the identity token is used to identify the identity information of the first end; the sending unit 1220 is configured to add the identity token to the communication data and send the identity token to the second end.
In one embodiment, the receiving unit 1230 is configured to receive the token expiration information sent by the second end; the sending unit 1220 is configured to send a token request to the second end in response to the token expiration information to obtain a new identity token.
In one embodiment, the receiving unit 1230 is configured to receive the identity token ciphertext sent by the second end; and the decryption unit 1240 is configured to decrypt the identity token ciphertext by using the first key to obtain the identity token.
Exemplary embodiments of the present disclosure also provide another authentication apparatus. Referring to fig. 13, the authentication apparatus 1300 may include:
a receiving unit 1310 configured to receive, by the second end, a first ciphertext sent by the first end, where the first ciphertext is a ciphertext obtained by encrypting, by the first end, the authentication information by using a first key in the asymmetric key;
a decryption unit 1320 configured to decrypt the first ciphertext using a second key corresponding to the first key, and compare a plaintext of the first ciphertext with the authentication information to authenticate the first end;
an encrypting unit 1330 configured to encrypt the authentication information with a second key to obtain a second ciphertext;
the sending unit 1340 is configured to send the second ciphertext to the first end, so that the first end decrypts the second ciphertext by using the first key and compares plaintext of the second ciphertext with the authentication information to authenticate the second end.
The details of the above-mentioned parts of the apparatus have been described in detail in the method part embodiments, and thus are not described again.
It should be noted that although in the above detailed description several modules or units of the device for action execution are mentioned, such a division is not mandatory. Indeed, the features and functions of two or more modules or units described above may be embodied in one module or unit, according to exemplary embodiments of the present disclosure. Conversely, the features and functions of one module or unit described above may be further divided into embodiments by a plurality of modules or units.
Exemplary embodiments of the present disclosure also provide a computer-readable storage medium, which may be implemented in the form of a program product, including program code for causing an electronic device to perform the steps according to various exemplary embodiments of the present disclosure described in the above-mentioned "exemplary method" section of this specification, when the program product is run on the electronic device. In one embodiment, the program product may be embodied as a portable compact disc read only memory (CD-ROM) and include program code, and may be run on an electronic device, such as a personal computer. However, the program product of the present disclosure is not limited thereto, and in this document, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
A computer readable signal medium may include a propagated data signal with readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations for the present disclosure may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C + + or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
As will be appreciated by one skilled in the art, aspects of the present disclosure may be embodied as a system, method or program product. Accordingly, various aspects of the present disclosure may be embodied in the form of: an entirely hardware embodiment, an entirely software embodiment (including firmware, microcode, etc.) or an embodiment combining hardware and software aspects that may all generally be referred to herein as a "circuit," module "or" system. Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This application is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.
It will be understood that the present disclosure is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the present disclosure is to be limited only by the following claims.
Claims (13)
1. An authentication method, comprising:
the first end encrypts authentication information by using a first key in the asymmetric keys to obtain a first ciphertext;
sending the first ciphertext to a second end, so that the second end decrypts the first ciphertext by using a second key corresponding to the first key and compares the plaintext of the first ciphertext with the authentication information to authenticate the identity of the first end;
receiving a second ciphertext sent by the second end, wherein the second ciphertext is a ciphertext obtained by encrypting the authentication information by the second end by using the second key;
and decrypting the second ciphertext by using the first key, and comparing the plaintext of the second ciphertext with the authentication information to authenticate the identity of the second end.
2. The method of claim 1, wherein the first key is a public key and the second key is a private key corresponding to the public key.
3. The method of claim 1, wherein after the second end identity authentication is passed, the method further comprises:
acquiring a random key;
and encrypting communication data by using the random key and sending the communication data to the second end.
4. The method of claim 3, further comprising:
and when receiving the key expiration information sent by the second end, sending a key request to the second end to acquire a new random key.
5. The method of claim 3, wherein the obtaining the random key comprises:
receiving a random key ciphertext sent by the second end;
and decrypting the random key ciphertext by using the first key to obtain the random key.
6. The method of claim 1, wherein after the second end identity authentication is passed, the method further comprises:
acquiring an identity token, wherein the identity token is used for identifying identity information of the first end;
and adding the identity token to communication data and sending the identity token to the second end.
7. The method of claim 6, further comprising:
and when receiving the token expiration information sent by the second end, sending a token request to the second end to obtain a new identity token.
8. The method of claim 6, wherein obtaining the identity token comprises:
receiving an identity token ciphertext sent by the second end;
and decrypting the identity token ciphertext by using the first key to obtain the identity token.
9. An authentication method, comprising:
a second end receives a first ciphertext sent by a first end, wherein the first ciphertext is a ciphertext obtained by the first end encrypting authentication information by using a first key in an asymmetric key;
decrypting the first ciphertext by using a second key corresponding to the first key, and comparing the plaintext of the first ciphertext with the authentication information to authenticate the identity of the first end;
encrypting the authentication information by using the second key to obtain a second ciphertext;
and sending the second ciphertext to the first end, so that the first end decrypts the second ciphertext by using the first secret key and compares the plaintext of the second ciphertext with the authentication information to authenticate the identity of the second end.
10. An authentication apparatus, comprising:
the encryption unit is configured to encrypt the authentication information by using a first key in the asymmetric key at the first end to obtain a first ciphertext;
a sending unit configured to send the first ciphertext to a second end, so that the second end decrypts the first ciphertext by using a second key corresponding to the first key and compares plaintext of the first ciphertext with the authentication information to perform identity authentication on the first end;
a receiving unit configured to receive a second ciphertext sent by the second end, where the second ciphertext is a ciphertext obtained by the second end encrypting the authentication information with the second key;
and the decryption unit is configured to decrypt the second ciphertext by using the first key and compare the plaintext of the second ciphertext with the authentication information so as to authenticate the identity of the second end.
11. An authentication apparatus, comprising:
the receiving unit is configured to receive a first ciphertext sent by a first end by a second end, wherein the first ciphertext is a ciphertext obtained by encrypting authentication information by the first end by using a first key in an asymmetric key;
the decryption unit is configured to decrypt the first ciphertext by using a second key corresponding to the first key, and compare the plaintext of the first ciphertext with the authentication information to authenticate the identity of the first end;
an encryption unit configured to encrypt the authentication information with the second key to obtain a second ciphertext;
a sending unit configured to send the second ciphertext to the first end, so that the first end decrypts the second ciphertext by using the first key and compares plaintext of the second ciphertext with the authentication information to perform identity authentication on the second end.
12. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the method of any one of claims 1 to 9.
13. An electronic device, comprising:
a processor;
a memory for storing executable instructions of the processor;
the communication module is used for communicating with other equipment;
wherein the processor is configured to perform the method of any of claims 1 to 9 via execution of the executable instructions.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110096740.XA CN112667992A (en) | 2021-01-25 | 2021-01-25 | Authentication method, authentication device, storage medium, and electronic apparatus |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110096740.XA CN112667992A (en) | 2021-01-25 | 2021-01-25 | Authentication method, authentication device, storage medium, and electronic apparatus |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN112667992A true CN112667992A (en) | 2021-04-16 |
Family
ID=75414452
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110096740.XA Pending CN112667992A (en) | 2021-01-25 | 2021-01-25 | Authentication method, authentication device, storage medium, and electronic apparatus |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112667992A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114338197A (en) * | 2021-12-30 | 2022-04-12 | 广州小鹏汽车科技有限公司 | Vehicle and remote cabin connection authentication method, device and system |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JP2011083309A (en) * | 2009-10-13 | 2011-04-28 | Glory Ltd | Device between machines and game media lending system |
| CN103220271A (en) * | 2013-03-15 | 2013-07-24 | 福建联迪商用设备有限公司 | Downloading method, management method, downloading management method, downloading management device and downloading management system for secret key |
| CN105245338A (en) * | 2014-05-26 | 2016-01-13 | 中兴通讯股份有限公司 | Authentication method, authentication device and authentication system |
| CN108282329A (en) * | 2017-01-06 | 2018-07-13 | 中国移动通信有限公司研究院 | A kind of Bidirectional identity authentication method and device |
| CN110535868A (en) * | 2019-09-05 | 2019-12-03 | 山东浪潮商用系统有限公司 | Data transmission method and system based on Hybrid Encryption algorithm |
-
2021
- 2021-01-25 CN CN202110096740.XA patent/CN112667992A/en active Pending
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JP2011083309A (en) * | 2009-10-13 | 2011-04-28 | Glory Ltd | Device between machines and game media lending system |
| CN103220271A (en) * | 2013-03-15 | 2013-07-24 | 福建联迪商用设备有限公司 | Downloading method, management method, downloading management method, downloading management device and downloading management system for secret key |
| CN105245338A (en) * | 2014-05-26 | 2016-01-13 | 中兴通讯股份有限公司 | Authentication method, authentication device and authentication system |
| CN108282329A (en) * | 2017-01-06 | 2018-07-13 | 中国移动通信有限公司研究院 | A kind of Bidirectional identity authentication method and device |
| CN110535868A (en) * | 2019-09-05 | 2019-12-03 | 山东浪潮商用系统有限公司 | Data transmission method and system based on Hybrid Encryption algorithm |
Non-Patent Citations (1)
| Title |
|---|
| 马建峰 等编: "《计算机系统安全 第2版》", 西安电子科技大学出版社, pages: 217 - 218 * |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114338197A (en) * | 2021-12-30 | 2022-04-12 | 广州小鹏汽车科技有限公司 | Vehicle and remote cabin connection authentication method, device and system |
| CN114338197B (en) * | 2021-12-30 | 2024-01-09 | 广州小鹏汽车科技有限公司 | Vehicle and remote cabin connection authentication method, device, system and readable storage medium |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN109547471B (en) | Network communication method and device | |
| JP6145806B2 (en) | Immediate communication method and system | |
| US20150372813A1 (en) | System and method for generating a random number | |
| CN104852911A (en) | Safety verification method, device and system | |
| CN113572743B (en) | Data encryption and decryption methods and devices, computer equipment and storage medium | |
| CN111327605B (en) | Method, terminal, server and system for transmitting private information | |
| CN113343212B (en) | Device registration method and apparatus, electronic device, and storage medium | |
| US8032753B2 (en) | Server and system for transmitting certificate stored in fixed terminal to mobile terminal and method using the same | |
| CN112994873B (en) | Certificate application method and equipment | |
| CN114553590B (en) | Data transmission method and related equipment | |
| CN110555300A (en) | application program authorization method, client, server, terminal device and medium | |
| KR20130077171A (en) | Authentication method between server and device | |
| CN111935166B (en) | Communication authentication method, system, electronic device, server, and storage medium | |
| CN112182624A (en) | Encryption method, encryption device, storage medium and electronic equipment | |
| CN111030827A (en) | Information interaction method and device, electronic equipment and storage medium | |
| CN109246110A (en) | data sharing method and device | |
| CN109391473B (en) | Electronic signature method, device and storage medium | |
| JP2009193272A (en) | Authentication system and mobile terminal | |
| JP2022117456A (en) | Message transmission system with hardware security module | |
| CN112667992A (en) | Authentication method, authentication device, storage medium, and electronic apparatus | |
| CN105681256A (en) | Audio communication method and audio communication application device | |
| US8327148B2 (en) | Mobile system, service system, and key authentication method to manage key in local wireless communication | |
| CN111064577A (en) | Security authentication method and device and electronic equipment | |
| CN111127014A (en) | Transaction information processing method, server, user terminal, system and storage medium | |
| CN112769759B (en) | Information processing method, information gateway, server and medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |