CN112989426A - Authorization authentication method and device, and resource access token acquisition method - Google Patents

Info

Publication number: CN112989426A
Authority: CN (China)
Prior art keywords: target; encryption function; authorization; character string; target encryption
Legal status: Granted (status as listed by Google Patents, not a legal conclusion)
Application number: CN202110478005.5A
Other languages: Chinese (zh)
Other versions: CN112989426B (en)
Inventors: 王犇, 王旭, 曾祥楷, 李俊浩, 张宇
Current assignee: Tencent Technology Shenzhen Co Ltd
Original assignee: Tencent Technology Shenzhen Co Ltd

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/60 Protecting data, with the following subgroups:
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules; G06F21/6218 Protecting access to data via a platform to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/602 Providing cryptographic facilities or services
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures

Abstract

The invention discloses an authorization authentication method and device and a resource access token acquisition method. The authorization authentication method comprises the following steps: sending an authorization code acquisition request to an authorization server; acquiring a target authorization code sent by the authorization server in response to the authorization code acquisition request; sending a token acquisition request to the authorization server; acquiring, under the condition that the authorization key is the same as the key generated by the authorization server, a resource access token sent by the authorization server in response to the token acquisition request; and obtaining target resource information from the resource server using the resource access token. The scheme addresses the technical problem of low security of resource information in the prior art.

Description

Authorization authentication method and device, and resource access token acquisition method
Technical Field
The invention relates to the technical field of authentication and authorization, in particular to an authorization and authentication method and device and a resource access token acquisition method.
Background
With the maturity of network environment and technology, network communication has become a part of people's life. In order to protect the integrity and confidentiality of communication data, people gradually develop authentication and authorization techniques to protect the content of the communication data, thereby preventing unauthorized users from stealing and tampering the data.
There are many existing application software development platforms, and most of them perform authentication and authorization in their own or partially overlapping ways, mainly using the authorization code mode. In the authorization code mode, a dynamic random number is used in each interaction between the authorizing party and the authorized party; this reduces the security risk to some extent, but the security is still not strong enough. If the random number is recovered by repeated attempts, a malicious application can pretend to be a legitimate application and obtain resource information from the resource server, so that the resource information can be stolen or tampered with by an illegitimate user.
In view of the above problems, no effective solution has been proposed.
Disclosure of Invention
The embodiment of the invention provides an authorization authentication method and device and a resource access token acquisition method, and at least solves the technical problem of low security of resource information in the prior art.
According to an aspect of an embodiment of the present invention, there is provided an authorization authentication method, including: sending an authorization code acquisition request to an authorization server, wherein the authorization code acquisition request comprises the authorization key, the identifier of the target encryption function and a target iteration number, the target iteration number is the iteration number of the multiple iteration processing, and the authorization key is a key obtained by performing multiple iteration processing on a first character string which is randomly generated through the target encryption function; acquiring a target authorization code sent by the authorization server in response to the authorization code acquisition request, wherein the target authorization code has a corresponding relationship with the authorization key, the identifier of the target encryption function and the target iteration number; sending a token obtaining request to the authorization server, wherein the token obtaining request includes the first character string and the target authorization code; acquiring a resource access token sent by the authorization server in response to the token acquisition request under the condition that the authorization key is the same as a key generated by the authorization server, wherein the key generated by the authorization server is a key generated by the authorization server according to the first character string, the identifier of the target encryption function and the target iteration number; and acquiring target resource information from the resource server by using the resource access token.
According to another aspect of the embodiments of the present invention, there is also provided a method for acquiring a resource access token, including: receiving an authorization code acquisition request sent by a target application, wherein the authorization code acquisition request comprises an authorization key, an identifier of a target encryption function and a target iteration number; responding to the authorization code acquisition request, generating a target authorization code, sending the target authorization code to the target application, and setting a corresponding relation between the target authorization code and the authorization key, the identifier of the target encryption function and the target iteration number; receiving a token acquisition request sent by the target application, wherein the token acquisition request comprises a target character string and the target authorization code; obtaining the authorization key corresponding to the target authorization code, the identifier of the target encryption function and the target iteration number; performing multiple iteration processing on the target character string through the target encryption function corresponding to the identifier to obtain a generated key, wherein the iteration times of the multiple iteration processing are the target iteration times; and sending a resource access token to the target application when the authorization key is the same as the generated key.
According to another aspect of the embodiments of the present invention, there is also provided an authorization authentication apparatus, including: a first sending unit, configured to send an authorization code obtaining request to an authorization server, where the authorization code obtaining request includes the authorization key, an identifier of the target encryption function, and a target iteration count, where the target iteration count is an iteration count of the multiple iteration processes, and the authorization key is a key obtained by performing multiple iteration processes on a first randomly generated character string through the target encryption function; a first obtaining unit, configured to obtain a target authorization code sent by the authorization server in response to the authorization code obtaining request, where the target authorization code has a corresponding relationship with the authorization key, the identifier of the target encryption function, and the target iteration number; a second sending unit, configured to send a token obtaining request to the authorization server, where the token obtaining request includes the first character string and the target authorization code; a second obtaining unit, configured to obtain a resource access token sent by the authorization server in response to the token obtaining request, if the authorization key is the same as a key generated by the authorization server, where the key generated by the authorization server is a key generated by the authorization server according to the first character string, the identifier of the target encryption function, and the target iteration number; and the third sending unit is used for acquiring target resource information from the resource server by using the resource access token.
According to another aspect of the embodiments of the present invention, there is also provided an apparatus for obtaining a resource access token, including: a first receiving unit, configured to receive an authorization code acquisition request sent by a target application, where the authorization code acquisition request includes an authorization key, an identifier of a target encryption function, and a target iteration number; a first sending unit, configured to generate a target authorization code in response to the authorization code acquisition request, send the target authorization code to the target application, and set a corresponding relationship between the target authorization code and the authorization key, an identifier of the target encryption function, and the target iteration number; a second receiving unit, configured to receive a token obtaining request sent by the target application, where the token obtaining request includes a target character string and the target authorization code; a first obtaining unit, configured to obtain the authorization key, the identifier of the target encryption function, and the target iteration number, where the authorization key and the target authorization code have a corresponding relationship; an iteration processing unit, configured to perform multiple iterations on the target character string through the target encryption function corresponding to the identifier to obtain a generated key, where an iteration number of the multiple iterations is the target iteration number; and a second transmitting unit configured to transmit a resource access token to the target application when the authorization key is the same as the generated key, and configured to acquire target resource information from a resource server using the resource access token.
According to another aspect of the embodiments of the present invention, there is also provided a computer-readable storage medium, in which a computer program is stored, wherein the computer program is configured to execute the above authorization authentication method when running.
According to another aspect of the embodiments of the present invention, there is also provided an electronic device, including a memory and a processor, where the memory stores a computer program, and the processor is configured to execute the authorization authentication method through the computer program.
According to another aspect of the embodiments of the present invention, there is also provided a computer-readable storage medium, in which a computer program is stored, where the computer program is configured to execute the above method for acquiring a resource access token when running.
According to another aspect of the embodiments of the present invention, there is also provided an electronic device, including a memory and a processor, where the memory stores a computer program, and the processor is configured to execute the method for acquiring a resource access token through the computer program.
In the embodiment of the invention, the randomly generated first character string is processed multiple times by the target encryption function to obtain the authorization key, the target authorization code sent by the authorization server is obtained according to the authorization key, the resource access token is obtained according to the target authorization code, and the target resource information is obtained using the resource access token. Because the authorization key is obtained by applying the target encryption function to the first character string multiple times, it is much harder for a malicious application to recover the first character string by repeated attempts, so it cannot masquerade as a legitimate application to obtain the server's authorization and steal resource information from the server. Therefore, according to the scheme in the embodiment of the invention, malicious applications can be effectively prevented from masquerading as legitimate applications, the security with which legitimate applications acquire resource information is ensured, and the technical problem of low security of resource information in the prior art is solved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:
FIG. 1 is a schematic diagram of an application environment of an alternative authorization authentication method according to an embodiment of the invention;
FIG. 2 is a flow diagram of an alternative authorization authentication method according to an embodiment of the invention;
FIG. 3 is a flow diagram of an alternative target encryption function operation according to an embodiment of the present invention;
FIG. 4 is a flow chart of an alternative target encryption function operation according to an embodiment of the present invention;
FIG. 5 is a flow diagram of an alternative resource access token acquisition method according to an embodiment of the invention;
FIG. 6 is a flowchart illustrating an alternative method for a target application to obtain resource information, according to an embodiment of the present invention;
FIG. 7 is an architecture diagram illustrating an alternative method for securing authorized access to a mobile terminal application in accordance with an embodiment of the present invention;
FIG. 8 is a flow diagram of an alternative method for securing authorized access to a mobile terminal application in accordance with embodiments of the present invention;
FIG. 9 is a schematic structural diagram of an alternative authorization and authentication device according to an embodiment of the present invention;
FIG. 10 is a schematic structural diagram of an alternative apparatus for obtaining a resource access token according to an embodiment of the present invention;
FIG. 11 is a schematic diagram of an alternative electronic device according to an embodiment of the invention;
FIG. 12 is a schematic structural diagram of another alternative electronic device according to an embodiment of the invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
According to an aspect of the embodiments of the present invention, there is provided an authorization authentication method, which as an optional implementation may be, but is not limited to being, applied to the environment shown in FIG. 1. The environment includes a first application 101, an authorization server 102 and a resource server 103, where the authorization server 102 and the resource server 103 are servers of a second application 104.
The process of the first application 101 acquiring the resource information of the second application 104 is specifically as follows:
S1) the first application 101 performs iteration processing on the randomly generated first character string through the target encryption function to obtain the authorization key;
S2) the first application 101 sends an authorization code acquisition request carrying the authorization key and the first character string to the authorization server 102;
S3) the authorization server 102 sends the target authorization code to the first application 101 on condition that the authorization key is verified to be legitimate;
S4) the first application 101 sends a token acquisition request to the authorization server 102; the authorization server 102 performs multiple iteration processing on the first character string through the target encryption function to obtain a key generated by the authorization server, and sends a resource access token to the first application 101 under the condition that the authorization key matches the key generated by the authorization server;
S5) the first application 101 acquires target resource information of the second application 104 from the resource server 103 using the resource access token.
Optionally, the first application may include, but is not limited to, an instant messaging application, a video application, a browser, an education application, and the like, and the second application may include, but is not limited to, an instant messaging application, a video application, a browser, an education application, and the like.
The authorization authentication method may be understood as acquiring information of an authorizing application once the authorization information passes authentication. For example, game application 1 may send an authorization request to instant messaging application 2 in order to obtain the authorization of the instant messaging application and then obtain its resource information; concretely, a game application sends an authorization request to WeChat to obtain WeChat authorization and then obtains a resource from a WeChat server, where the resource may include, but is not limited to, WeChat account information or WeChat historical data. The above is merely an example, and this embodiment is not limited to it.
The authorization or resource server may be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or a cloud server providing basic cloud computing services such as a cloud service, a cloud database, cloud computing, a cloud function, cloud storage, a network service, cloud communication, a middleware service, a domain name service, a security service, a CDN, a big data and artificial intelligence platform, and the like. The terminal may be, but is not limited to, a smart phone, a tablet computer, a laptop computer, a desktop computer, a smart speaker, a smart watch, and the like. The terminal and the server may be directly or indirectly connected through wired or wireless communication, and the application is not limited herein.
Optionally, the resource information obtaining method may also be applied to obtaining Cloud resources, where Cloud Security (Cloud Security) refers to a generic name of Security software, hardware, users, organizations, and Security Cloud platforms applied based on a Cloud computing business model. The cloud security integrates emerging technologies and concepts such as parallel processing, grid computing and unknown virus behavior judgment, abnormal monitoring of software behaviors in the network is achieved through a large number of meshed clients, the latest information of trojans and malicious programs in the internet is obtained and sent to the server for automatic analysis and processing, and then the virus and trojan solution is distributed to each client.
The main research directions of cloud security include: 1. the cloud computing security mainly researches how to guarantee the security of the cloud and various applications on the cloud, including the security of a cloud computer system, the secure storage and isolation of user data, user access authentication, information transmission security, network attack protection, compliance audit and the like; 2. the cloud of the security infrastructure mainly researches how to adopt cloud computing to newly build and integrate security infrastructure resources and optimize a security protection mechanism, and comprises the steps of constructing a super-large-scale security event and an information acquisition and processing platform through a cloud computing technology, realizing the acquisition and correlation analysis of mass information, and improving the handling control capability and the risk control capability of the security event of the whole network; 3. the cloud security service mainly researches various security services, such as anti-virus services and the like, provided for users based on a cloud computing platform.
Optionally, as an optional implementation, as shown in FIG. 2, the authorization authentication method includes:
Step S202, an authorization code acquisition request is sent to an authorization server, where the authorization code acquisition request includes an authorization key, an identifier of a target encryption function and a target iteration number, the target iteration number is the iteration number of the multiple iteration processing, and the authorization key is a key obtained by performing multiple iteration processing, through the target encryption function, on a randomly generated first character string.
Step S204, the target authorization code sent by the authorization server in response to the authorization code acquisition request is acquired, where the target authorization code has a corresponding relationship with the authorization key, the identifier of the target encryption function and the target iteration number.
Step S206, a token acquisition request is sent to the authorization server, where the token acquisition request includes the first character string and the target authorization code.
Step S208, under the condition that the authorization key is the same as the key generated by the authorization server, the resource access token sent by the authorization server in response to the token acquisition request is acquired, where the key generated by the authorization server is generated by the authorization server according to the first character string, the identifier of the target encryption function and the target iteration number.
Step S210, target resource information is obtained from the resource server using the resource access token.
Optionally, in this embodiment, the authorization authentication method may include, but is not limited to, an authentication process applied to a terminal application APP, and after the APP is authenticated by an authorization server, target resource information may be obtained from an authorization application.
The target encryption function may include, but is not limited to, one generated using the PBKDF2 (Password-Based Key Derivation Function 2) algorithm. PBKDF2 is a function for deriving a key and may be used to generate an encrypted password; its basic principle is to take the plaintext and a salt value as input parameters to a pseudo-random function (e.g. an HMAC function), repeat the operation, and finally produce the key. If the repetition count is large enough, the cost of cracking becomes high, and the addition of the salt also increases the difficulty of a rainbow-table attack. That is, the authorization key obtained through the iterative processing of the target encryption function is hard to attack, and an illegitimate user can hardly crack the authorization key to recover the first character string.
Optionally, in this embodiment, the first character string is generated randomly and may be understood as a random number. The authorization key may be generated in either of the following ways, among others. First way: the first character string is input directly into the target encryption function and processed iteratively by the target encryption function to obtain the authorization key. Second way: the first character string is salted, the salted first character string is input into the target encryption function, and the salted first character string is processed iteratively by the encryption function to obtain the authorization key.
The target iteration number is the number of times the target encryption function is applied.
FIG. 3 (steps S1 to S5) is the first flow chart of the target encryption function operation. In FIG. 3, the encryption iteration may be performed directly on the first character string by the digest algorithm to obtain the authorization key, as follows: a first character string is generated randomly and input into the target encryption function, which outputs key 1; key 1 is input into the target encryption function again, which outputs key 2; key 2 is input into the target encryption function, which outputs key 3; and in general the output of each application of the target encryption function is the input of the next, until N iterations have been performed and the authorization key is obtained. It should be noted that the greater the number of iterations, the greater the difficulty of cracking the authorization key.
The target encryption function includes, but is not limited to, encrypting the first character string with a digest algorithm. A digest algorithm can be understood as a hash algorithm: it takes input data of any length and outputs data of fixed length, the same input always yields the same output, and different inputs yield different outputs as far as possible.
FIG. 4 (steps S1 to S5) is the second flow chart of the target encryption function operation. In the encryption process of FIG. 4, the first character string may be salted, that is, a second character string is spliced into a preset position of the first character string. The salted first character string is input into the target encryption function, which outputs key 11; key 11 serves as the salt value and is added to the first character string, the first character string salted with key 11 is input into the target encryption function, which outputs key 12; key 12 serves as the salt value and is added to the first character string, the first character string salted with key 12 is input into the target encryption function, which outputs key 13; and in general, each output of the target encryption function is used as the salt value, the first character string is salted with that value, and the salted first character string is the input of the next application of the target encryption function, until N iterations have been performed and the authorization key is obtained. It should be noted that the greater the number of iterations, the greater the difficulty of cracking the authorization key.
In this embodiment, the first character string may be salted, and the salting may include, but is not limited to, splicing the second character string onto the first character string to obtain a spliced character string; this splicing is the salting. For example, if the first string is 1233 drffbdefvffg and the second string is 457890ertyu, the second string may be inserted at the beginning, at the end, or at any position in the middle of the first string; prepending it gives the salted first string 457890ertyu1233 drffbdefvffg.
According to the embodiment provided by the application, the authorization key is obtained by performing multiple iterations on the first character string through the target encryption function, and malicious applications are difficult to acquire the first character string through continuous attempts and cannot impersonate legal applications to acquire the authorization of the server so as to steal resource information in the server. Therefore, according to the scheme in the embodiment of the invention, malicious applications can be effectively prevented from masquerading as legal applications, the security of the legal applications for acquiring the resource information is ensured, and the technical problem of lower security of the resource information in the prior art is solved. In addition, in the embodiment of the invention, the security of the target application for acquiring the target resource information can be further ensured through the double verification of the target authorization code and the resource access token.
Optionally, in this embodiment, the first character string is iterated N times through the target encryption function to obtain the authorization key, where in the first iteration the input of the target encryption function includes the first character string, in each iteration the output of the target encryption function is used as the input of the target encryption function in the next iteration, N is 2 or a natural number greater than 2, and the target iteration number is N.
Optionally, in this embodiment, iterating the first character string N times through the target encryption function to obtain the authorization key may include repeatedly executing the following steps N times, where in the first iteration the input of the target encryption function is the first character string: acquiring the input of the target encryption function for the current iteration; and processing that input with the target encryption function to obtain the output of the target encryption function for the current iteration, where the output of the current iteration is the input of the target encryption function in the next iteration.
In this embodiment, when the first character string is digested for the first time, the input of the digest algorithm is the first character string; from the second application onward, the input of the digest algorithm is the output of the previous application, until N iterations have been performed and the authorization key is output.
Alternatively, iterating the first character string N times through the target encryption function to obtain the authorization key may include repeatedly executing the following steps N times, where in the first iteration the input of the target encryption function is the first character string and the second character string: acquiring the input of the target encryption function for the current iteration; and processing that input with the target encryption function to obtain the output of the target encryption function for the current iteration, where the input of the target encryption function in the next iteration is the output of the current iteration together with the first character string.
Processing the input of the current iteration with the target encryption function to obtain the output of the current iteration may further include: in the first iteration, inserting the second character string at a preset position in the first character string to obtain a spliced character string; in each iteration after the first, inserting the output of the target encryption function from the previous iteration at the preset position in the first character string to obtain the spliced character string, so that the input of the current iteration is the output of the previous iteration together with the first character string, the preset position being the same in all N iterations; and processing the spliced character string with the target encryption function to obtain the output of the target encryption function for the current iteration.
As shown in fig. 4, in the first operation on the first string, the second string is used as the salt value and inserted at a preset position in the first string to obtain a spliced string, the spliced string is input to the target encryption function and an iteration result is output; that iteration result is used as the salt value of the next operation and inserted at the preset position in the first string to obtain the spliced string again, which is input to the target encryption function to output the next iteration result; this continues until the N-th operation, whose result is the authorization key.
It should be noted that, regardless of the number of iterations, the position in the first string at which the salt value is inserted may be the same or different across iterations. For example, in all N iterations the salt value is always inserted at the start of the first string. For another example, the salt value is inserted at the start of the first character string in the first N-3 iterations and at the end of the first character string in the last 3 iterations.
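The two chains described above (the plain chain of fig. 3 and the salted chain of fig. 4) as an added Python example; this is the editor's code, not code from the patent. It assumes the target encryption function is SHA-256 (the page says only that it is a digest algorithm), that outputs are hex strings so they can be spliced back into the first character string as the next salt value, and that the preset position may be one fixed index or a per-round schedule such as the "first N-3 at the start, last 3 at the end" variant in the text. The authorization server's recomputation described later in this page runs exactly the same functions on the target character string.

```python
import hashlib
import secrets
from typing import Callable, Union

# Added example; not code from the patent. The target encryption function is
# assumed to be SHA-256 (the page fixes only that it is a digest algorithm),
# and outputs are hex strings so that an output can be spliced back into the
# first character string as the next salt value.

DIGEST = "sha256"  # assumed target encryption function identifier

# A preset position is either one int used in every round, or a function
# (round_index, len(first_string)) -> position, for schedules such as
# "start for the first N-3 rounds, end for the last 3".
Position = Union[int, Callable[[int, int], int]]


def generate_first_string(nbytes: int = 32) -> str:
    """Randomly generated first character string. 32 bytes from a CSPRNG, so
    guessing it stays infeasible whatever the iteration count is."""
    return secrets.token_urlsafe(nbytes)


def target_encryption_function(data: str) -> str:
    """One application of the target encryption function (a one-way digest)."""
    return hashlib.new(DIGEST, data.encode()).hexdigest()


def iterate_plain(first: str, n: int) -> str:
    """Fig. 3 chain: key_1 = H(first), key_k = H(key_{k-1}); key_N is the authorization key."""
    if n < 2:
        raise ValueError("target iteration number N must be 2 or greater")
    current = first
    for _ in range(n):
        current = target_encryption_function(current)
    return current


def splice(first: str, salt: str, position: int) -> str:
    """Salting: insert the salt value at the preset position of the first string
    (0 = beginning, len(first) = end, anything between = middle)."""
    if not 0 <= position <= len(first):
        raise ValueError("preset position lies outside the first string")
    return first[:position] + salt + first[position:]


def iterate_salted(first: str, second: str, n: int, position: Position = 0) -> str:
    """Fig. 4 chain: round 1 salts the first string with the second string; every
    later round salts the *first string again* with the previous round's output."""
    if n < 2:
        raise ValueError("target iteration number N must be 2 or greater")
    salt = second
    for k in range(n):
        pos = position(k, len(first)) if callable(position) else position
        salt = target_encryption_function(splice(first, salt, pos))
    return salt


def start_then_end(n: int) -> Callable[[int, int], int]:
    """Position schedule from the text: beginning of the first string for the
    first N-3 rounds, end of the first string for the last 3 rounds."""
    def pos(k: int, length: int) -> int:
        return 0 if k < n - 3 else length
    return pos


if __name__ == "__main__":
    first = "1233drffbdefvffg"   # the page's example first string
    second = "457890ertyu"       # the page's example second string
    print("salted once:", splice(first, second, 0))
    print("fig. 3 key :", iterate_plain(first, 1000))
    print("fig. 4 key :", iterate_salted(first, second, 1000, start_then_end(1000)))
```

Both sides of the protocol must call the same function with the same N, the same second string and the same position schedule, otherwise the key generated by the authorization server will never equal the authorization key.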
Optionally, obtaining the target resource information from the resource server using the resource access token may include: sending a resource acquisition request, which includes the resource access token, to the resource server; and, if the resource server verifies the resource access token successfully, receiving the target resource information sent by the resource server.
Optionally, the method may further include: after the authorization server receives the authorization code acquisition request, generating and sending a target authorization code on the authorization server, and setting the correspondence between the target authorization code and the authorization key, the identifier of the target encryption function and the target iteration number; after the authorization server receives the token acquisition request, acquiring on the authorization server the authorization key, identifier of the target encryption function and target iteration number corresponding to the target authorization code; iterating the first character string N times on the authorization server through the target encryption function corresponding to the identifier to obtain a key generated by the authorization server, where in the first iteration the input of the target encryption function includes the first character string, in each iteration the output of the target encryption function is used as the input of the target encryption function in the next iteration, N is 2 or a natural number greater than 2, and the target iteration number is N; and, if the authorization key is the same as the key generated by the authorization server, sending the resource access token from the authorization server.
Optionally, as shown in fig. 5, the method for obtaining the resource access token includes:
step S502, receiving an authorization code acquisition request sent by a target application, where the authorization code acquisition request includes an authorization key, an identifier of a target encryption function and a target iteration number;
step S504, in response to the authorization code acquisition request, generating a target authorization code, sending the target authorization code to the target application, and setting the correspondence between the target authorization code and the authorization key, the identifier of the target encryption function and the target iteration number;
step S506, receiving a token acquisition request sent by the target application, where the token acquisition request includes a target character string and the target authorization code;
step S508, acquiring the authorization key, the identifier of the target encryption function and the target iteration number that correspond to the target authorization code;
step S510, iterating the target character string multiple times through the target encryption function corresponding to the identifier to obtain a key generated by the authorization server, where the number of iterations is the target iteration number;
step S512, sending the resource access token to the target application if the authorization key is the same as the key generated by the authorization server.
Optionally, in this embodiment, the method for obtaining the resource access token may be applied, but is not limited to, in the process by which the authorization server authenticates an application requesting authorization, where the resource access token is the token with which the target application obtains authorized access.
Optionally, in this embodiment, the authorization key may include, but is not limited to, the result obtained by the target application (a legal application) iterating the target encryption function on a randomly generated first character string; it may also have been obtained by a malicious application through illegal means. That is, the authorization key received by the authorization server may have been sent by the target application that generated it, or by a malicious application that obtained it illegally.
After receiving the authorization code acquisition request, the authorization server responds to it by generating a target authorization code, sends the target authorization code to the target application, and binds the target authorization code to the authorization key, the identifier of the target encryption function and the target iteration number.
When the authorization server receives a token acquisition request from the target application, it acquires the authorization key, identifier of the target encryption function and target iteration number corresponding to the target authorization code, iterates the target character string multiple times through the target encryption function corresponding to the identifier to obtain a key generated by the authorization server, and sends the resource access token to the target application if the authorization key is the same as the key generated by the authorization server.
It should be noted that if the authorization key is intercepted by a malicious application, the malicious application still cannot obtain the first character string, so the key the authorization server generates from the target character string supplied by the malicious application will not equal the authorization key; the malicious application therefore cannot obtain the resource access token, cannot access the resource server, and is prevented from obtaining or tampering with the resources in the resource server.
Fig. 6 is a flowchart of the target application obtaining resource information. As shown in fig. 6, the legal target application APP sends an authorization code acquisition request to the authorization server, and the authorization server returns a target authorization code to the legal APP in response. The authorization code acquisition request carries the authorization key, which the legal APP produced by iteratively encrypting a randomly generated first character string with the target encryption function; that is, the authorization server sends the target authorization code to the legal APP on the basis of the authorization key.
The authorization key in the authorization code acquisition request is at risk of being illegally stolen by a malicious application, and a malicious APP holding the authorization key can obtain a target authorization code with it.
When the legal APP sends a token acquisition request to the authorization server, the authorization server obtains, from the target authorization code, the corresponding authorization key, target encryption function and iteration number, and obtains the first character string from the request sent by the legal APP. From the first character string, the target encryption function and the iteration number, the authorization server generates a key that is identical to the authorization key, so the legal APP obtains the resource access token and can then obtain the target resource information from the resource server.
Even if the malicious APP has obtained the authorization key, the target encryption function cannot feasibly be inverted, so the first character string cannot be recovered from the authorization key. Consequently, from the data the malicious APP sends, the authorization server cannot generate a key identical to the authorization key, does not send the resource access token to the malicious APP, and the malicious APP is prevented from obtaining the target resource information from the resource server and from tampering with the target resource.
Optionally, in this embodiment, when the authorization key differs from the key generated by the authorization server, target prompt information is sent to the target application, indicating that issuance of the resource access token is refused.
By the embodiment provided by the application, the double verification of the target authorization code and the resource access token ensures the security of the target application's acquisition of the target resource information. Even if a malicious application obtains the authorization key sent by the legal application, and even obtains a target authorization code with that authorization key, the authorization key was obtained by iterating the target encryption function on the first character string, so the malicious application cannot obtain the first character string; because it cannot, the server cannot reproduce the authorization key from the target character string and target authorization code the malicious application sends, and the malicious application is not authorized by the server. The attack of the malicious application on the legal application is thus prevented, the security with which the legal application obtains resource information is ensured, and the technical problem of the low security of resource acquisition in the prior art is solved.
Optionally, iterating the target character string multiple times through the target encryption function corresponding to the identifier to obtain the key generated by the authorization server may include: iterating the target character string N times through the target encryption function corresponding to the identifier to obtain the key generated by the authorization server, where in the first iteration the input of the target encryption function includes the target character string, in each iteration the output of the target encryption function is used as the input of the target encryption function in the next iteration, N is 2 or a natural number greater than 2, and the target iteration number is N.
Iterating the target character string N times through the target encryption function corresponding to the identifier to obtain the key generated by the authorization server may include repeatedly executing the following steps N times, where in the first iteration the input of the target encryption function is the target character string: acquiring the input of the target encryption function for the current iteration; and processing that input with the target encryption function to obtain the output for the current iteration, where the output of the current iteration is the input of the target encryption function in the next iteration.
As shown in fig. 3, the first character string may also be encrypted and iterated directly with the digest algorithm, without salting, to obtain the authorization key. The specific process is: randomly generate a first character string, input it into the target encryption function and output key 1; input key 1 into the target encryption function again and output key 2; input key 2 into the target encryption function and output key 3; and so on, each output of the target encryption function being the input of the next application, until N iterations have been performed and the authorization key is obtained. It should be noted that the greater the number of iterations, the greater the difficulty of cracking the authorization key.
Optionally, iterating the target character string N times through the target encryption function corresponding to the identifier to obtain the key generated by the authorization server may instead include repeatedly executing the following steps N times, where in the first iteration the input of the target encryption function is the target character string and the second character string: acquiring the input of the target encryption function for the current iteration; and processing that input with the target encryption function to obtain the output for the current iteration, where the input of the target encryption function in the next iteration is the output of the current iteration together with the target character string.
It should be noted that processing the input of the current iteration with the target encryption function to obtain the output of the current iteration may further include: in the first iteration, inserting the second character string at a preset position in the target character string to obtain a spliced character string; in each iteration after the first, inserting the output of the target encryption function from the previous iteration at the preset position in the target character string to obtain the spliced character string, so that the input of the current iteration is the output of the previous iteration together with the target character string, the preset position being the same in all N iterations; and processing the spliced character string with the target encryption function to obtain the output of the target encryption function for the current iteration.
It should be noted that, regardless of the number of iterations, the position in the target character string at which the salt value is inserted may be the same or different across iterations. For example, in all N iterations the salt value is always inserted at the start of the target character string. For another example, the salt value is inserted at the start of the target character string in the first N-3 iterations and at the end of the target character string in the last 3 iterations. Since the authorization server must reproduce exactly the computation the target application performed, the insertion positions it uses must be the same ones the target application used.
Optionally, an optional embodiment is a method by which an application program on a mobile terminal securely obtains authorized access.
The method by which a mobile phone application securely obtains authorized access may include, but is not limited to, the following. A third-party application App needs to use an authorization service to verify the user's identity and obtain a resource access token Access_token, and can then use the Access_token to access the resource server. Because the Access_token represents both the permissions and the identity of the accessing party, obtaining it is critical: it must not be obtainable by an impersonating malicious App, and impersonation by a malicious App must be prevented. The mobile terminal may include, but is not limited to, a mobile phone, a tablet computer and the like.
In the application scenario of this embodiment there are mainly five roles: 1. the user: the natural person who needs to access the resource server; 2. the App program: an App on the mobile terminal that needs to access the resource server, and the entry point the user directly operates; 3. the browser: one form of User-Agent, used mainly as the channel through which the authorization code is transmitted; 4. the authorization service: a third-party service providing authentication and authorization; 5. the resource service: the resource service that the App program ultimately accesses.
Fig. 7 is an architecture diagram of the method for a mobile terminal application to securely obtain authorized access. The mobile terminal APP sends an authorization code acquisition request to the authorization server, which sends a target authorization code to the mobile terminal APP; the mobile terminal APP sends a token acquisition request to the authorization server, which sends a resource access token to the mobile terminal APP; the mobile terminal APP then sends a resource information request carrying the resource access token to the resource server, and the resource server sends the target resource information to the mobile terminal APP.
It should be noted that the mobile terminal APP may send the authorization code acquisition request to the authorization server directly, or a browser may forward the authorization code acquisition request of the mobile terminal APP to the authorization server. The authorization server sends the target authorization code to the mobile terminal APP and relies on the password server for the cryptographic operations involved.
Optionally, the process of the method for an application program of a mobile terminal to securely obtain authorized access includes the following steps:
step 1, obtaining an authorization code: the App program obtains the authorization code;
step 2, obtaining the Access_token: the App program obtains the Access_token with the authorization code;
step 3, verifying the Access_token: the App program accesses the resource service with the Access_token, and the resource service verifies the correctness of the Access_token through the authorization service.
Here, the mobile terminal App is the access subject the user directly operates; the browser is the User-Agent through which the mobile terminal App accesses the authorization service; the authorization service issues the target authorization code and the resource access token; the resource service provides the resources and is the server side protected by the authorization service; and the cryptographic service provides cryptographic operations for the authorization service.
To make the implementation clearer, the parameters used in this embodiment are as follows: random number: Random, the basis of the code verification code; code verification code: code_verifier; code iteration count: code_iter; code challenge code: code_challenge; code algorithm: code_method; authorization code: code.
In this embodiment, fig. 8 is a flowchart of the method for a mobile terminal application to securely obtain authorized access. As shown in fig. 8, the method has three stages: generating the code; generating the Access_token; and verifying the Access_token. The participants are a mobile terminal APP 801, a browser 802, an authorization server 803, a password server 804 and a resource server 805. The stages are described in detail below.
First, the code generation stage
The purpose of this stage is to obtain the target authorization code; an authorization key is generated in the mobile terminal APP 801 in steps S801 and S802, and the target authorization code can later be exchanged for the resource access token access_token. The code is obtained first because the mobile terminal APP 801 cannot obtain the token directly but must go through a third-party browser or other application program; if the access_token were returned directly through a third-party browser it would be at risk of interception, so the code is obtained first and then exchanged for the access_token.
1. The mobile terminal App 801 first generates a random number Random (equivalent to the first character string) as the code_verifier; then, in step S801, the mobile terminal App 801 computes code_challenge (equivalent to the authorization key) from code_verifier by digest calculation: code_challenge = PBKDF2(SM3, code_verifier, Salt value, number of iterations code_iter, desired output length dklen of code_challenge). It should be noted that code_verifier is the base data that will later be sent to the authorization server 803 for verification;
2. The mobile terminal App 801 executes step S802, carrying code_challenge, code_method (equivalent to the identifier of the target encryption function) and code_iter, and in step S803 the authorization code acquisition request is initiated through the browser 802; the mobile terminal APP 801 later obtains the target authorization code in step S808;
3. The browser 802 executes step S803 to initiate the authorization code acquisition request; the browser 802 is a user-agent that does not process the data at all but only passes it through to the authorization server; the browser 802 executes step S807 to return the target authorization code;
4. The authorization server 803 executes step S804 to acquire code_challenge, code_method and code_iter and stores them as values in a redis cache, keyed by the code, for later verification of code_verifier; the authorization service 803 then returns the authorization code to the mobile terminal App 801;
5. The mobile terminal App 801 executes step S808 to acquire the target authorization code and stores it temporarily for the subsequent acquisition of the access_token.
Second, the Access_token generation stage
The purpose of this stage is to exchange the code for the access token.
1. The mobile terminal App 801 executes step S809 to request the resource access token with the first character string and the target authorization code, that is, carrying the code_verifier it generated itself and the code generated by the authorization server 803 and returned to it, it initiates the request for the resource access token access_token to the authorization server 803;
2. The authorization server 803 executes step S810 to call the password server 804 with the first character string, authorization key, target encryption function and iteration number, and executes step S812 to generate the resource access token according to the verification result. That is, it acquires code_verifier and code, uses code as the key to query redis for the values stored earlier (code_challenge, code_method, code_iter), and then calls the API of the password server 804 with the queried data as input parameters for verification;
3. The password server 804 executes step S811 to verify the authorization key, that is, it computes code_challenge1 = PBKDF2(SM3, code_verifier, Salt, code_iter, dklen) from the input and then compares whether code_challenge and code_challenge1 match;
4. The password server 804 returns the verification result to the authorization server 803; if the result is success, the authorization server 803 issues the Access_token, and if verification fails, issuance of the access token is refused;
5. If the match succeeds, the mobile terminal App 801 obtains and saves the access_token as the primary credential with which it subsequently accesses the resource server 805.
Third, the Access_token verification stage
The purpose of this stage is for the mobile terminal App 801 to access the resource service with the access token access_token as its credential; the resource server 805 decides whether to provide the resource to the mobile terminal App 801 by verifying the validity of the access_token.
1. The mobile terminal App 801 executes step S814 to access the resources of the resource server 805 carrying the resource access token, that is, it carries the obtained Access_token when accessing the resource server 805;
2. The resource server 805 must verify the validity of the Access_token, which it does by calling the interface of the authorization service 803; the resource server 805 executes step S815 to have the resource access token verified and, in step S817, returns the resource;
3. The authorization server 803 executes step S816 to verify the resource access token: it first verifies whether the Access_token itself is correct and then checks whether the token's validity period has expired; if the token is correct and not expired, the result returned to the resource server 805 is success, otherwise the result returned is failure;
4. The resource server 805 decides, according to the returned result, whether to return the resource to the mobile terminal App 801: if the token is valid the resource is provided, and if it is invalid the resource server 805 refuses to provide the resource to the mobile terminal App 801.
It should be noted that, in this embodiment, the algorithm for computing code_challenge may include, but is not limited to, PBKDF2. PBKDF2 raises the cost of an attacker's cracking attempt through multiple rounds of iterated computation. Because the two parties have no prior trust relationship, the salt value Salt cannot be preset; under this condition the number of iteration rounds becomes the important parameter, which raises the complexity beyond that of a single hash computation even without a salt value and so improves security. Replacing the standard SHA-series algorithm in PBKDF2 with the SM3 algorithm issued by the State Cryptography Administration of China makes the whole scheme more compliant.
Note that, in this embodiment, Salt is empty; SM3 is the algorithm identifier (ID) of the SM3 one-way hash algorithm issued by the State Cryptography Administration of China; code_verifier is the code verification value described in the preceding flow; code_iter is the number of PBKDF2 iteration rounds; dklen is the desired output length of code_challenge, typically the constant 64; and the computed code_challenge is then used as the code challenge value in the first step, acquiring the authorization code: code_challenge = PBKDF2(SM3, code_verifier, Salt, code_iter, dklen).
According to the embodiment provided by this application, the mobile phone client and the server use the same signature method and transmit the signed data and the signature result separately in the two interactions, in order to verify that the initiator of both interactions is the same client; this reduces the possibility that the authorization code is intercepted while the application program on the mobile phone obtains authorized access.
It should be noted that, in this embodiment, the code_challenge computation is improved as follows: 1. security: it is stronger than a single plain hash; 2. usability: the existing logic of the open authorization protocol OAuth 2.0 is not modified and no additional interaction is added; 3. compliance: using the SM3 algorithm makes the overall solution more compliant; 4. on the premise of a given level of security, the cracking cost can be increased simply by raising the number of rounds, which is more effective than the existing scheme's approach of lengthening code_verifier and keeps the data packet smaller.
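The two stages above, together with the code_challenge notes, as an added example written for this page rather than code from the patent: the client derives code_challenge = PBKDF2(hash, code_verifier, Salt, code_iter, dklen) with an empty salt and dklen = 64, the authorization server binds that value to the authorization code and re-derives it from code_verifier at token time (the cryptographic server 804 is folded into the authorization server here), and the resource server introspects the access token for existence and expiry before serving. SM3 is used when the local OpenSSL exposes it through hashlib; otherwise SHA-256 is substituted so the script runs anywhere. The PBKDF2 routine follows RFC 8018; the in-memory server state, the single-use authorization code, the constant-time comparison, the server-side cap on code_iter, the token lifetime and all class and message names are this example's assumptions, not details the page specifies.

```python
import hashlib
import hmac
import secrets

HASH_ID = "sm3" if "sm3" in hashlib.algorithms_available else "sha256"  # SM3 if available, else SHA-256 (assumption)
DKLEN = 64            # output length the page describes as "typically a constant 64"
MAX_ITER = 100_000    # assumption: the client chooses code_iter, so the server bounds it
TOKEN_TTL = 3600.0    # assumption: access token lifetime in seconds


def pbkdf2(hash_name: str, password: bytes, salt: bytes, iterations: int, dklen: int) -> bytes:
    """PBKDF2 as in RFC 8018 section 5.2, with HMAC-<hash_name> as the PRF."""
    if iterations < 1 or dklen < 1:
        raise ValueError("iterations and dklen must be positive")
    hlen = hashlib.new(hash_name).digest_size
    out = bytearray()
    for block_index in range(1, -(-dklen // hlen) + 1):   # ceil(dklen / hlen) blocks
        u = hmac.new(password, salt + block_index.to_bytes(4, "big"), hash_name).digest()
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hash_name).digest()
            t ^= int.from_bytes(u, "big")                    # T_i = U_1 xor ... xor U_c
        out += t.to_bytes(hlen, "big")
    return bytes(out[:dklen])


def code_challenge(hash_name: str, code_verifier: bytes, code_iter: int) -> bytes:
    """Salt is empty in the described embodiment; code_iter alone carries the work factor."""
    return pbkdf2(hash_name, code_verifier, b"", code_iter, DKLEN)


class AuthorizationServer:
    """Authorization codes and access tokens kept in memory (assumption)."""

    def __init__(self) -> None:
        self._codes = {}    # authorization code -> (code_challenge, hash id, code_iter)
        self._tokens = {}   # access token -> expiry time

    def authorize(self, challenge: bytes, hash_id: str, code_iter: int) -> str:
        # First stage: check the client-chosen parameters, then bind them to a fresh code.
        if hash_id not in hashlib.algorithms_available:
            raise ValueError("unknown hash identifier")
        if not 1 <= code_iter <= MAX_ITER:
            raise ValueError("code_iter out of range")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (challenge, hash_id, code_iter)
        return code

    def token(self, code: str, code_verifier: bytes, now: float):
        # Second stage: pop() makes the authorization code single-use.
        entry = self._codes.pop(code, None)
        if entry is None:
            return None
        challenge, hash_id, code_iter = entry
        recomputed = code_challenge(hash_id, code_verifier, code_iter)
        if not hmac.compare_digest(recomputed, challenge):   # constant-time comparison
            return None
        token = secrets.token_urlsafe(32)
        self._tokens[token] = now + TOKEN_TTL
        return token

    def introspect(self, token: str, now: float) -> bool:
        # Third stage: the token must be one we issued and must not have expired.
        expiry = self._tokens.get(token)
        return expiry is not None and now < expiry


class ResourceServer:
    def __init__(self, auth: AuthorizationServer) -> None:
        self._auth = auth

    def fetch(self, token: str, now: float):
        return "target resource information" if self._auth.introspect(token, now) else None


def run_flow(hash_name: str = HASH_ID, code_iter: int = 1000) -> dict:
    """Legitimate client, replayed code, intercepting client and expired token."""
    auth = AuthorizationServer()
    resources = ResourceServer(auth)
    verifier = secrets.token_bytes(32)                 # the randomly generated first string
    challenge = code_challenge(hash_name, verifier, code_iter)
    code = auth.authorize(challenge, hash_name, code_iter)
    token = auth.token(code, verifier, now=0.0)
    results = {
        "token_issued": token is not None,
        "code_replay_rejected": auth.token(code, verifier, now=0.0) is None,
        "resource_served": resources.fetch(token, now=1.0) is not None,
        "expired_token_rejected": resources.fetch(token, now=TOKEN_TTL + 1.0) is None,
    }
    # A malicious app that captured the challenge and obtained its own authorization code
    # for it still lacks the verifier, so the server's re-derivation cannot match.
    stolen = auth.authorize(challenge, hash_name, code_iter)
    results["intercepted_code_rejected"] = auth.token(stolen, secrets.token_bytes(32), now=0.0) is None
    return results


if __name__ == "__main__":
    print(HASH_ID, run_flow())
```

Running the file prints the hash in use and the result dictionary. The cap on code_iter matters because the client chooses the iteration count the server must later spend, and the constant-time comparison avoids leaking how many leading bytes of the stored challenge matched.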
It should be noted that, for simplicity of description, the above-mentioned method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present invention is not limited by the order of acts, as some steps may occur in other orders or concurrently in accordance with the invention. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required by the invention.
According to another aspect of the embodiment of the present invention, there is also provided an authorization authentication apparatus for implementing the above authorization authentication method. As shown in fig. 9, the authorization authentication device includes: a first sending unit 901, a first acquiring unit 903, a second sending unit 905, a second acquiring unit 907, and a third acquiring unit 909.
A first sending unit 901, configured to send an authorization code obtaining request to an authorization server, where the authorization code obtaining request includes an authorization key, an identifier of a target encryption function, and a target iteration number, the target iteration number is an iteration number of multiple iteration processes, and the authorization key is a key obtained by performing multiple iteration processes on a first randomly generated character string through the target encryption function.
A first obtaining unit 903, configured to obtain a target authorization code sent by an authorization server in response to an authorization code obtaining request, where the target authorization code has a corresponding relationship with an authorization key, an identifier of a target encryption function, and a target iteration number.
A second sending unit 905, configured to send a token obtaining request to the authorization server, where the token obtaining request includes the first character string and the target authorization code.
A second obtaining unit 907, configured to obtain the resource access token sent by the authorization server in response to the token obtaining request when the authorization key is the same as the key generated by the authorization server, where the key generated by the authorization server is generated according to the first character string, the identifier of the target encryption function, and the target iteration number.
A third obtaining unit 909, configured to obtain the target resource information from the resource server using the resource access token.
By way of example, as provided herein, the double verification by the target authorization code and the resource access token ensures the security of the target application's acquisition of the target resource information. Even if a malicious application obtains the authorization key sent by the legitimate application and uses that authorization key to obtain a target authorization code, it cannot obtain the first character string, because the authorization key is the result of iterating the first character string through the target encryption function. Without the first character string, the server cannot regenerate the authorization key from what the malicious application sends together with the target authorization code, so the malicious application cannot obtain the server's authorization. This prevents the malicious application's attack on the legitimate application, ensures the security of the legitimate application's acquisition of the resource information, and solves the technical problem of low security of resource information in the prior art.
Optionally, the first sending unit 901 may further include: an iteration processing module, configured to perform N iterations on the first character string through the target encryption function to obtain the authorization key, where in the first iteration the input of the target encryption function includes the first character string, in each iteration the output of the target encryption function is used as the input of the target encryption function in the next iteration, N is 2 or a natural number greater than 2, and the target iteration number is N.
The iteration processing module may further include: a first obtaining submodule, configured to repeat the following steps N times, where in the first iteration the input of the target encryption function is the first character string: obtain the input of the target encryption function for the current iteration; and a first iteration processing submodule, configured to process the input of the current iteration with the target encryption function to obtain the output of the target encryption function for the current iteration, where in the next iteration the input of the target encryption function is the output of the target encryption function from the current iteration.
Optionally, the iteration processing module may further include: a second obtaining submodule, configured to repeat the following steps N times, where in the first iteration the input of the target encryption function is the first character string and the second character string: obtain the input of the target encryption function for the current iteration; and a second iteration submodule, configured to process the input of the current iteration with the target encryption function to obtain the output of the target encryption function for the current iteration, where in the next iteration the input of the target encryption function is the output of the target encryption function from the current iteration together with the first character string.
The second iteration processing submodule may be further configured to perform the following operations: in the first iteration, insert the second character string at a preset position in the first character string to obtain a spliced character string; in each iteration after the first, insert the output of the target encryption function from the previous iteration at the preset position in the first character string to obtain the spliced character string, so that the input of the target encryption function in the current iteration is the output of the previous iteration together with the first character string, the preset position being the same in all N iterations; and process the spliced character string with the target encryption function to obtain the output of the target encryption function for the current iteration.
Optionally, the third obtaining unit 909 may include: a sending module, configured to send a resource obtaining request to the resource server, where the resource obtaining request includes the resource access token; and an acquisition module, configured to obtain the target resource information sent by the resource server when the resource server has verified that the resource access token passes.
Optionally, the apparatus may further include: the generation unit is used for generating and sending a target authorization code on the authorization server after the authorization server receives the authorization code acquisition request, and setting the corresponding relation between the target authorization code and the authorization key, the identifier of the target encryption function and the target iteration number; a fourth obtaining unit, configured to obtain, on the authorization server, an authorization key having a correspondence with the target authorization code, an identifier of the target encryption function, and a target iteration number after the authorization server receives the token obtaining request; the iteration unit is used for carrying out N times of iteration processing on the first character string on the authorization server through a target encryption function corresponding to the identifier to obtain a key generated by the authorization server, wherein in the first time of iteration processing, the input of the target encryption function comprises the first character string, in each time of iteration processing, the output of the target encryption function is used as the input of the target encryption function in the next iteration processing, N is 2 or a natural number greater than 2, and the target iteration number is N; and a third sending unit, configured to send the resource access token on the authorization server if the authorization key is the same as the key generated by the authorization server.
According to another aspect of the embodiment of the present invention, there is also provided an apparatus for acquiring a resource access token, which is used for implementing the method for acquiring a resource access token. As shown in fig. 10, the apparatus for obtaining a resource access token includes: a first receiving unit 1001, a first transmitting unit 1003, a second receiving unit 1005, a first acquiring unit 1007, an iterative processing unit 1009, and a second transmitting unit 1011.
A first receiving unit 1001, configured to receive an authorization code acquisition request sent by a target application, where the authorization code acquisition request includes an authorization key, an identifier of a target encryption function, and a target iteration number.
A first sending unit 1003, configured to generate a target authorization code in response to the authorization code obtaining request, send the target authorization code to the target application, and set a corresponding relationship between the target authorization code and the authorization key, the identifier of the target encryption function, and the target iteration number.
A second receiving unit 1005, configured to receive a token obtaining request sent by a target application, where the token obtaining request includes a target character string and a target authorization code.
A first obtaining unit 1007, configured to obtain an authorization key, an identifier of a target encryption function, and a target iteration number that have a corresponding relationship with a target authorization code.
An iteration processing unit 1009, configured to perform multiple iterations on the target character string through the target encryption function corresponding to the identifier to obtain the key generated by the authorization server, where the number of the multiple iterations is the target iteration number.
A second sending unit 1011, configured to send the resource access token to the target application if the authorization key is the same as the key generated by the authorization server.
Through the embodiment provided by this application, the first receiving unit 1001 receives an authorization code acquisition request sent by a target application, where the authorization code acquisition request includes an authorization key, an identifier of a target encryption function, and a target iteration number; the first sending unit 1003 generates a target authorization code in response to the authorization code acquisition request, sends the target authorization code to the target application, and sets a corresponding relationship between the target authorization code and the authorization key, the identifier of the target encryption function, and the target iteration number; the second receiving unit 1005 receives a token obtaining request sent by the target application, where the token obtaining request includes a target character string and the target authorization code; the first obtaining unit 1007 obtains the authorization key, the identifier of the target encryption function, and the target iteration number that correspond to the target authorization code; the iteration processing unit 1009 performs multiple iterations on the target character string through the target encryption function corresponding to the identifier to obtain the key generated by the authorization server, where the number of the multiple iterations is the target iteration number; and the second sending unit 1011 sends the resource access token to the target application when the authorization key is the same as the key generated by the authorization server.
The double verification by the target authorization code and the resource access token ensures the security of the target application's acquisition of the target resource information. Even if a malicious application obtains the authorization key sent by the legitimate application and uses that authorization key to obtain a target authorization code, it cannot obtain the first character string, because the authorization key is the result of iterating the first character string through the target encryption function. Without the first character string, the server cannot regenerate the authorization key from what the malicious application sends together with the target authorization code, so the malicious application cannot obtain the server's authorization. This prevents the malicious application's attack on the legitimate application, ensures the security of the legitimate application's acquisition of the resource information, and solves the technical problem of low security of resource information in the prior art.
Optionally, the iteration processing unit 1009 may include: an iteration processing module, configured to perform N iterations on the target character string through the target encryption function corresponding to the identifier to obtain the key generated by the authorization server, where in the first iteration the input of the target encryption function includes the target character string, in each iteration the output of the target encryption function is used as the input of the target encryption function in the next iteration, N is 2 or a natural number greater than 2, and the target iteration number is N.
The iteration processing module may include: an obtaining submodule, configured to repeat the following steps N times, where in the first iteration the input of the target encryption function is the target character string: obtain the input of the target encryption function for the current iteration; and an iteration processing submodule, configured to process the input of the current iteration with the target encryption function to obtain the output of the target encryption function for the current iteration, where in the next iteration the input of the target encryption function is the output of the target encryption function from the current iteration.
It should be noted that the iteration processing submodule may be further configured to perform the following operations: repeat the following steps N times, where in the first iteration the input of the target encryption function is the target character string and the second character string: obtain the input of the target encryption function for the current iteration; and process the input of the current iteration with the target encryption function to obtain the output of the target encryption function for the current iteration, where in the next iteration the input of the target encryption function is the output of the target encryption function from the current iteration together with the target character string.
Optionally, the iteration processing submodule may be further configured to perform the following operations: in the first iteration, insert the second character string at a preset position in the target character string to obtain a spliced character string; in each iteration after the first, insert the output of the target encryption function from the previous iteration at the preset position in the target character string to obtain the spliced character string, so that the input of the target encryption function in the current iteration is the output of the previous iteration together with the target character string, the preset position being the same in all N iterations; and process the spliced character string with the target encryption function to obtain the output of the target encryption function for the current iteration.
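The iteration schemes of the apparatus description above (the first sending unit's iteration processing module and the iteration processing unit 1009 with its submodules), as an added example written for this page rather than code from the patent: plain chaining, where round 1 hashes the first character string and each later round hashes the previous output, and chaining with a second character string, where round 1 inserts the second string at a preset position in the first string and each later round inserts the previous output at that same position, with the authorization server rebuilding the key from the character string in the token request and the stored identifier and target iteration number. The identifier registry, the server-side bound on N, the constant-time comparison, and supplying the second character string to the server alongside the first (the page does not say how it is transmitted) are assumptions; SM3 is used if the local OpenSSL exposes it through hashlib and SHA-256 is substituted otherwise.

```python
import hashlib
import hmac
import secrets

# Identifier -> hash name the server is willing to run (assumption; SM3 only if OpenSSL provides it).
REGISTRY = {name: name for name in ("sm3", "sha256") if name in hashlib.algorithms_available}
DEFAULT_ID = "sm3" if "sm3" in REGISTRY else "sha256"
MAX_ROUNDS = 100_000   # assumption: N is chosen by the client, so the server bounds it


def _check(identifier: str, n: int) -> str:
    """Map an identifier to a hash name and enforce N >= 2 as the text requires."""
    if identifier not in REGISTRY:
        raise ValueError("unknown target encryption function identifier")
    if not 2 <= n <= MAX_ROUNDS:
        raise ValueError("target iteration number out of range")
    return REGISTRY[identifier]


def iterate_plain(identifier: str, first: bytes, n: int) -> bytes:
    """Round 1 hashes `first`; round i hashes the output of round i-1."""
    hash_name = _check(identifier, n)
    out = first
    for _ in range(n):
        out = hashlib.new(hash_name, out).digest()
    return out


def iterate_spliced(identifier: str, first: bytes, second: bytes, n: int, position: int) -> bytes:
    """Round 1 hashes first[:position] + second + first[position:];
    round i hashes first[:position] + output(i-1) + first[position:]."""
    hash_name = _check(identifier, n)
    if not 0 <= position <= len(first):
        raise ValueError("preset position lies outside the first character string")
    inserted = second
    for _ in range(n):
        spliced = first[:position] + inserted + first[position:]
        inserted = hashlib.new(hash_name, spliced).digest()
    return inserted


def server_verify(authorization_key: bytes, identifier: str, n: int, first: bytes,
                  second=None, position: int = 0) -> bool:
    """Authorization server side: rebuild the key from the first character string in the
    token request and the (identifier, N) stored with the authorization code, then compare
    in constant time. Any malformed parameter counts as a failed verification."""
    try:
        if second is None:
            rebuilt = iterate_plain(identifier, first, n)
        else:
            rebuilt = iterate_spliced(identifier, first, second, n, position)
    except ValueError:
        return False
    return hmac.compare_digest(rebuilt, authorization_key)


def demo(identifier: str = DEFAULT_ID, n: int = 1000) -> dict:
    """Client derives both kinds of key; the server accepts only the matching parameters."""
    first = secrets.token_bytes(32)      # randomly generated first character string
    second = secrets.token_bytes(16)     # second character string
    key_plain = iterate_plain(identifier, first, n)
    key_spliced = iterate_spliced(identifier, first, second, n, position=8)
    return {
        "plain_verified": server_verify(key_plain, identifier, n, first),
        "spliced_verified": server_verify(key_spliced, identifier, n, first, second, 8),
        "wrong_position_rejected": not server_verify(key_spliced, identifier, n, first, second, 9),
        "wrong_rounds_rejected": not server_verify(key_plain, identifier, n + 1, first),
        "unknown_string_rejected": not server_verify(key_plain, identifier, n, secrets.token_bytes(32)),
    }


if __name__ == "__main__":
    print(DEFAULT_ID, demo())
```

Both sides must agree on the identifier, N and the preset position; the demo shows that changing any of them, or not knowing the first character string, makes verification fail. N is bounded on the server because the client chooses it and the server must spend the same number of rounds to rebuild the key.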
According to another aspect of the embodiment of the present invention, there is also provided an electronic apparatus for implementing the authorization authentication method, where the electronic apparatus may be a terminal device or a server running a first application shown in fig. 1. The present embodiment takes the electronic device as a client as an example for explanation. As shown in fig. 11, the electronic device comprises a memory 1104 and a processor 1102, wherein the memory 1104 has a computer program stored therein, and the processor 1102 is configured to execute the steps of any of the above method embodiments by the computer program.
Optionally, in this embodiment, the electronic apparatus may be located in at least one network device of a plurality of network devices of a computer network.
Optionally, in this embodiment, the processor may be configured to execute the following steps by a computer program:
s1, sending an authorization code obtaining request to an authorization server, wherein the authorization code obtaining request comprises an authorization key, an identifier of a target encryption function and a target iteration number, the target iteration number is the number of iterations of multiple iteration processing, and the authorization key is a key obtained by performing the multiple iteration processing on a randomly generated first character string through the target encryption function;
s2, acquiring a target authorization code sent by the authorization server in response to the authorization code acquisition request, wherein the target authorization code has a corresponding relation with the authorization key, the identifier of the target encryption function and the target iteration number;
s3, sending a token obtaining request to an authorization server, wherein the token obtaining request comprises a first character string and a target authorization code;
s4, under the condition that the authorization key is the same as the key generated by the authorization server, acquiring the resource access token sent by the authorization server in response to the token acquisition request, wherein the key generated by the authorization server is the key generated by the authorization server according to the first character string, the identifier of the target encryption function and the target iteration number;
s5, obtaining the target resource information from the resource server using the resource access token.
Alternatively, it can be understood by those skilled in the art that the structure shown in fig. 11 is only an illustration, and the electronic device may also be a terminal device such as a smart phone (e.g., an Android phone, an iOS phone, etc.), a tablet computer, a palm computer, a Mobile Internet Device (MID), a PAD, and the like. Fig. 11 is a diagram illustrating a structure of the electronic device. For example, the electronic device may also include more or fewer components (e.g., network interfaces, etc.) than shown in FIG. 11, or have a different configuration than shown in FIG. 11.
The memory 1104 may be used to store software programs and modules, such as program instructions/modules corresponding to the authorization authentication method and apparatus in the embodiments of the present invention, and the processor 1102 executes various functional applications and data processing by running the software programs and modules stored in the memory 1104, that is, implements the authorization authentication method described above. The memory 1104 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 1104 may further include memory located remotely from the processor 1102, which may be connected to the terminal over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof. The memory 1104 may be specifically, but not limited to, used for storing the first character string, the second character string, the concatenation character string, the target authorization code, the resource access token, and the like. As an example, as shown in fig. 11, the memory 1104 may include, but is not limited to, a first sending unit 901, a first obtaining unit 903, a second sending unit 905, a second obtaining unit 907, and a third obtaining unit 909 in the authorization authentication device. In addition, other module units in the authorization authentication device may also be included, but are not limited to these, and are not described in this example again.
Optionally, the transmitting device 1106 is used for receiving or transmitting data via a network. Examples of the network may include a wired network and a wireless network. In one example, the transmission device 1106 includes a Network adapter (NIC) that can be connected to a router via a Network cable to communicate with the internet or a local area Network. In one example, the transmission device 1106 is a Radio Frequency (RF) module, which is used for communicating with the internet in a wireless manner.
In addition, the electronic device further includes: a display 1108 for displaying screen information; and a connection bus 1110 for connecting the respective module parts in the above-described electronic apparatus.
In other embodiments, the terminal device or the server may be a node in a distributed system, where the distributed system may be a blockchain system, and the blockchain system may be a distributed system formed by connecting a plurality of nodes through a network communication. The nodes may form a Peer-To-Peer (P2P, Peer To Peer) network, and any type of computing device, such as a server, a terminal, and other electronic devices, may become a node in the blockchain system by joining the Peer-To-Peer network.
According to an aspect of the application, a computer program product or computer program is provided, comprising computer instructions, the computer instructions being stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions to cause the computer device to perform the authorization authentication method provided in the above-described authorization authentication aspect or various alternative implementations of the authorization authentication aspect. Wherein the computer program is arranged to perform the steps of any of the above method embodiments when executed.
Alternatively, in the present embodiment, the above-mentioned computer-readable storage medium may be configured to store a computer program for executing the steps of:
s1, sending an authorization code obtaining request to an authorization server, wherein the authorization code obtaining request comprises an authorization key, an identifier of a target encryption function and a target iteration number, the target iteration number is the number of iterations of multiple iteration processing, and the authorization key is a key obtained by performing the multiple iteration processing on a randomly generated first character string through the target encryption function;
s2, acquiring a target authorization code sent by the authorization server in response to the authorization code acquisition request, wherein the target authorization code has a corresponding relation with the authorization key, the identifier of the target encryption function and the target iteration number;
s3, sending a token obtaining request to an authorization server, wherein the token obtaining request comprises a first character string and a target authorization code;
s4, under the condition that the authorization key is the same as the key generated by the authorization server, acquiring the resource access token sent by the authorization server in response to the token acquisition request, wherein the key generated by the authorization server is the key generated by the authorization server according to the first character string, the identifier of the target encryption function and the target iteration number;
s5, obtaining the target resource information from the resource server using the resource access token.
According to another aspect of the embodiment of the present invention, there is also provided an electronic apparatus for implementing the method for acquiring a resource access token, where the electronic apparatus may be a terminal device or a server running a first application shown in fig. 1. The present embodiment takes the electronic device as a client as an example for explanation. As shown in fig. 12, the electronic device comprises a memory 1204 and a processor 1202, the memory 1204 having stored therein a computer program, the processor 1202 being arranged to perform the steps of any of the above-described method embodiments by means of the computer program.
Optionally, in this embodiment, the electronic apparatus may be located in at least one network device of a plurality of network devices of a computer network.
Optionally, in this embodiment, the processor may be configured to execute the following steps by a computer program:
s1, receiving an authorization code acquisition request sent by a target application, wherein the authorization code acquisition request comprises an authorization key, an identifier of a target encryption function and a target iteration number;
s2, generating a target authorization code in response to the authorization code acquisition request, sending the target authorization code to the target application, and setting a corresponding relationship between the target authorization code and the authorization key, the identifier of the target encryption function, and the target iteration number;
s3, receiving a token acquisition request sent by a target application, wherein the token acquisition request comprises a target character string and a target authorization code;
s4, obtaining an authorization key corresponding to the target authorization code, the identifier of the target encryption function and the target iteration number;
s5, performing multiple iteration processing on the target character string through the target encryption function corresponding to the identifier to obtain a key generated by the authorization server, wherein the number of iterations of the multiple iteration processing is the target iteration number;
s6, in the case that the authorization key is the same as the key generated by the authorization server, a resource access token is sent to the target application.
Alternatively, it can be understood by those skilled in the art that the structure shown in fig. 12 is only an illustration, and the electronic device may also be a terminal device such as a smart phone (e.g., an Android phone, an iOS phone, etc.), a tablet computer, a palm computer, a Mobile Internet Device (MID), a PAD, and the like. Fig. 12 is a diagram illustrating a structure of the electronic device. For example, the electronic device may also include more or fewer components (e.g., network interfaces, etc.) than shown in FIG. 12, or have a different configuration than shown in FIG. 12.
The memory 1204 may be used to store software programs and modules, such as program instructions/modules corresponding to the device and the method for acquiring a resource access token in the embodiment of the present invention, and the processor 1202 executes various functional applications and data processing by running the software programs and modules stored in the memory 1204, that is, implements the method for acquiring a resource access token described above. The memory 1204 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 1204 may further include memory located remotely from the processor 1202, which may be connected to the terminal over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof. The memory 1204 may be specifically, but not limited to, used for storing the first character string, the second character string, the concatenation character string, the target authorization code, the resource access token, the authorization key, the key generated by the authorization server, and the like. As an example, as shown in fig. 12, the memory 1204 may include, but is not limited to, a first receiving unit 1001, a first transmitting unit 1003, a second receiving unit 1005, a first acquiring unit 1007, an iterative processing unit 1009, and a second transmitting unit 1011 in the apparatus for acquiring a resource access token. In addition, the memory 1204 may further include, but is not limited to, other module units in the apparatus for acquiring a resource access token, which are not described again in this example.
Optionally, the transmitting device 1206 is configured to receive or transmit data via a network. Examples of the network include wired networks and wireless networks. In one example, the transmitting device 1206 includes a network adapter (NIC) that can be connected to a router via a network cable to communicate with the internet or a local area network. In another example, the transmitting device 1206 is a Radio Frequency (RF) module used to communicate with the internet wirelessly.
In addition, the electronic device further includes a display 1208 for displaying screen information, and a connection bus 1210 for connecting the module components of the electronic device described above.
In other embodiments, the terminal device or the server may be a node in a distributed system, where the distributed system may be a blockchain system, and the blockchain system may be a distributed system formed by connecting a plurality of nodes through network communication. The nodes may form a Peer-to-Peer (P2P) network, and any type of computing device, such as a server, a terminal or another electronic device, may become a node of the blockchain system by joining the peer-to-peer network.
According to an aspect of the application, a computer program product or computer program is provided, comprising computer instructions stored in a computer-readable storage medium. The processor of a computer device reads the computer instructions from the computer-readable storage medium and executes them, causing the computer device to perform the resource access token acquisition method provided in the aspect described above or in any of its alternative implementations. The computer program is arranged to perform the steps of any of the above method embodiments when executed.
Optionally, in the present embodiment, the above-mentioned computer-readable storage medium may be configured to store a computer program for executing the following steps:
S1, receiving an authorization code acquisition request sent by a target application, wherein the authorization code acquisition request comprises an authorization key, an identifier of a target encryption function and a target iteration number;
S2, in response to the authorization code acquisition request, generating a target authorization code, sending the target authorization code to the target application, and setting a corresponding relation between the target authorization code and the authorization key, the identifier of the target encryption function and the target iteration number;
S3, receiving a token acquisition request sent by the target application, wherein the token acquisition request comprises a target character string and the target authorization code;
S4, obtaining the authorization key, the identifier of the target encryption function and the target iteration number corresponding to the target authorization code;
S5, performing multiple iteration processing on the target character string through the target encryption function corresponding to the identifier to obtain a key generated by the authorization server, wherein the number of iterations of the multiple iteration processing is the target iteration number;
S6, in the case that the authorization key is the same as the key generated by the authorization server, sending a resource access token to the target application.
Optionally, in this embodiment, a person skilled in the art will understand that all or part of the steps in the methods of the foregoing embodiments may be implemented by a program instructing hardware associated with the terminal device, where the program may be stored in a computer-readable storage medium, and the storage medium may include a flash disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, and the like.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
The integrated unit in the above embodiments, if implemented in the form of a software functional unit and sold or used as a separate product, may be stored in the above computer-readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing one or more computer devices (which may be personal computers, servers, network devices, etc.) to execute all or part of the steps of the method according to the embodiments of the present invention.
In the above embodiments of the present invention, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed client may be implemented in other manners. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one type of division of logical functions, and there may be other divisions when actually implemented, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, units or modules, and may be in an electrical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The foregoing are only preferred embodiments of the present invention. It should be noted that those skilled in the art can make various modifications and refinements without departing from the principle of the present invention, and such modifications and refinements should also be regarded as falling within the protection scope of the present invention.

Claims (15)

1. An authorization authentication method, comprising:
sending an authorization code acquisition request to an authorization server, wherein the authorization code acquisition request comprises an authorization key, an identifier of a target encryption function and a target iteration number, the target iteration number is an iteration number of multiple iteration processing, and the authorization key is a key obtained by performing multiple iteration processing on a first character string which is randomly generated through the target encryption function;
acquiring a target authorization code sent by the authorization server in response to the authorization code acquisition request, wherein the target authorization code has a corresponding relation with the authorization key, the identifier of the target encryption function and the target iteration number;
sending a token obtaining request to the authorization server, wherein the token obtaining request comprises the first character string and the target authorization code;
under the condition that the authorization key is the same as a key generated by the authorization server, acquiring a resource access token sent by the authorization server in response to the token acquisition request, wherein the key generated by the authorization server is a key generated by the authorization server according to the first character string, the identifier of the target encryption function and the target iteration number;
and acquiring target resource information from a resource server by using the resource access token.
2. The method of claim 1, wherein prior to sending the authorization code acquisition request to the authorization server, the method further comprises:
and carrying out N times of iteration processing on the first character string through the target encryption function to obtain the authorization key, wherein in the first iteration processing, the input of the target encryption function comprises the first character string, in each iteration processing, the output of the target encryption function is used as the input of the target encryption function in the next iteration processing, N is 2 or a natural number greater than 2, and the target iteration number is N.
3. The method according to claim 2, wherein the obtaining the authorization key by performing N iterations on the first string through the target encryption function comprises:
repeatedly executing the following steps N times, wherein in the first iteration processing, the input of the target encryption function is the first character string:
acquiring the input of the target encryption function during the current iteration processing;
and processing the input in the current iteration processing by using the target encryption function to obtain the output of the target encryption function in the current iteration processing, wherein the input of the target encryption function in the next iteration processing is the output of the target encryption function in the current iteration processing.
4. The method according to claim 2, wherein the obtaining the authorization key by performing N iterations on the first string through the target encryption function comprises:
repeatedly executing the following steps N times, wherein in the first iteration processing, the input of the target encryption function is the first character string and the second character string:
acquiring the input of the target encryption function during the current iteration processing;
and processing the input in the current iteration processing by using the target encryption function to obtain the output of the target encryption function in the current iteration processing, wherein the input of the target encryption function in the next iteration processing is the output of the target encryption function and the first character string in the current iteration processing.
5. The method according to claim 4, wherein the processing the input at the time of the current iterative process using the target encryption function to obtain an output of the target encryption function at the time of the current iterative process further comprises:
during the first iteration, inserting the second character string into a preset position in the first character string to obtain a spliced character string;
during the iteration processing after the first iteration processing, inserting the output of the target encryption function during the last iteration processing into the preset position in the first character string to obtain the spliced character string, wherein the input of the target encryption function during the current iteration processing is the output of the target encryption function during the last iteration processing and the first character string, and the preset positions are the same during N times of iteration processing;
and processing the spliced character string by using the target encryption function to obtain the output of the target encryption function during the current iteration processing.
6. The method of claim 1, wherein obtaining target resource information from a resource server using the resource access token comprises:
sending a resource acquisition request to the resource server, wherein the resource acquisition request comprises the resource access token;
and in the case that the resource server's verification of the resource access token passes, acquiring the target resource information sent by the resource server.
7. The method according to any one of claims 1 to 6, further comprising:
after the authorization server receives the authorization code acquisition request, generating and sending the target authorization code on the authorization server, and setting a corresponding relation between the target authorization code and the authorization key, the identifier of the target encryption function and the target iteration number;
after the authorization server receives the token obtaining request, obtaining the authorization key corresponding to the target authorization code, the identifier of the target encryption function and the target iteration number on the authorization server;
performing iteration processing on the first character string on the authorization server for N times through the target encryption function corresponding to the identifier to obtain a key generated by the authorization server, wherein in the first iteration processing, the input of the target encryption function comprises the first character string, in each iteration processing, the output of the target encryption function is used as the input of the target encryption function in the next iteration processing, N is 2 or a natural number greater than 2, and the target iteration number is N;
sending the resource access token on the authorization server if the authorization key is the same as a key generated by the authorization server.
8. A method for obtaining a resource access token, comprising:
receiving an authorization code acquisition request sent by a target application, wherein the authorization code acquisition request comprises an authorization key, an identifier of a target encryption function and a target iteration number;
responding to the authorization code acquisition request, generating a target authorization code, sending the target authorization code to the target application, and setting a corresponding relation between the target authorization code and the authorization key, the identifier of the target encryption function and the target iteration number;
receiving a token acquisition request sent by the target application, wherein the token acquisition request comprises a target character string and the target authorization code;
obtaining the authorization key corresponding to the target authorization code, the identifier of the target encryption function and the target iteration number;
performing multiple iteration processing on the target character string through the target encryption function corresponding to the identifier to obtain a generated key, wherein the iteration times of the multiple iteration processing are the target iteration times;
sending a resource access token to the target application if the authorization key is the same as the generated key.
9. The method according to claim 8, wherein the performing, by the target encryption function corresponding to the identifier, a plurality of iterations on the target character string to obtain a generated key comprises:
and carrying out N times of iteration processing on the target character string through the target encryption function corresponding to the identifier to obtain the generated key, wherein in the first iteration processing, the input of the target encryption function comprises the target character string, in each iteration processing, the output of the target encryption function is used as the input of the target encryption function in the next iteration processing, N is 2 or a natural number greater than 2, and the target iteration number is N.
10. The method according to claim 9, wherein the obtaining the generated key by performing N times of iterative processing on the target character string through the target encryption function corresponding to the identifier comprises:
repeatedly executing the following steps N times, wherein in the first iteration processing, the input of the target encryption function is the target character string:
acquiring the input of the target encryption function during the current iteration processing;
and processing the input in the current iteration processing by using the target encryption function to obtain the output of the target encryption function in the current iteration processing, wherein the input of the target encryption function in the next iteration processing is the output of the target encryption function in the current iteration processing.
11. The method according to claim 9, wherein the obtaining the generated key by performing N times of iterative processing on the target character string through the target encryption function corresponding to the identifier comprises:
repeatedly executing the following steps N times, wherein in the first iteration processing, the input of the target encryption function is the target character string and a second character string:
acquiring the input of the target encryption function during the current iteration processing;
and processing the input in the current iteration processing by using the target encryption function to obtain the output of the target encryption function in the current iteration processing, wherein the input of the target encryption function in the next iteration processing is the output of the target encryption function and the target character string in the current iteration processing.
12. The method according to claim 11, wherein the processing the input at the time of the current iterative process using the target encryption function to obtain an output of the target encryption function at the time of the current iterative process further comprises:
during the first iteration, inserting the second character string into a preset position in the target character string to obtain a spliced character string;
during the iteration processing after the first iteration processing, inserting the output of the target encryption function during the last iteration processing into the preset position in the target character string to obtain the spliced character string, wherein the input of the target encryption function during the current iteration processing is the output of the target encryption function during the last iteration processing and the target character string, and the preset positions are the same during N times of iteration processing;
and processing the spliced character string by using the target encryption function to obtain the output of the target encryption function during the current iteration processing.
13. The method of claim 8, further comprising:
and sending target prompt information to the target application under the condition that the authorization key is different from the generated key, wherein the target prompt information is used for indicating that the resource access token is refused to be issued.
14. A computer-readable storage medium comprising a stored program, wherein the program when executed performs the method of any of claims 1 to 7 or 8 to 13.
15. An electronic device comprising a memory and a processor, characterized in that the memory has stored therein a computer program, the processor being arranged to execute the method of any of claims 1 to 7 or 8 to 13 by means of the computer program.
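The complete exchange described in steps S1 to S6 of the description and in claims 1 to 13 (client-side key derivation, authorization code issuance, code redemption by revealing the first string, server-side recomputation and comparison), as an added worked example that is not the patent's own code or any Tencent implementation. Everything not stated on the page is an assumption: the registry of hash functions and their identifier names, the in-memory server state, hex-digest outputs over UTF-8 strings, and, for the spliced variant of claims 4/5 and 11/12, that the second string and the preset position are carried in the token request.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Optional

# "Identifier of the target encryption function" -> concrete one-way function
# over UTF-8 strings returning hex digests (function names assumed here).
ENCRYPTION_FUNCTIONS = {
    "sha256": lambda s: hashlib.sha256(s.encode()).hexdigest(),
    "sha3_256": lambda s: hashlib.sha3_256(s.encode()).hexdigest(),
}


def iterate_plain(func_id: str, first: str, n: int) -> str:
    """Claims 3 and 10: each round's output is the next round's input."""
    if n < 2:
        raise ValueError("target iteration number N must be 2 or greater")
    f = ENCRYPTION_FUNCTIONS[func_id]
    value = first
    for _ in range(n):
        value = f(value)
    return value


def iterate_spliced(func_id: str, first: str, second: str, n: int, pos: int) -> str:
    """Claims 4/5 and 11/12: round 1 hashes `first` with `second` inserted at the
    preset position; later rounds insert the previous output at that same position."""
    if n < 2:
        raise ValueError("target iteration number N must be 2 or greater")
    if not 0 <= pos <= len(first):
        raise ValueError("preset position must lie within the first string")
    f = ENCRYPTION_FUNCTIONS[func_id]
    inserted = second
    for _ in range(n):
        inserted = f(first[:pos] + inserted + first[pos:])
    return inserted


@dataclass
class AuthorizationServer:
    """Steps S1-S6 of the description (claims 8-13), with in-memory state."""
    _codes: dict = field(default_factory=dict)   # code -> (auth key, func id, N)
    _tokens: set = field(default_factory=set)

    def request_authorization_code(self, auth_key: str, func_id: str, n: int) -> str:
        # S1/S2: validate the parameters, mint a code and record the binding.
        if func_id not in ENCRYPTION_FUNCTIONS or n < 2:
            raise ValueError("unsupported function identifier or iteration number")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (auth_key, func_id, n)
        return code

    def request_token(self, code: str, target: str,
                      second: Optional[str] = None, pos: int = 0) -> Optional[str]:
        # S3/S4: pop() makes each code single-use, so a replayed or guessed
        # code is refused before any hashing is done.
        entry = self._codes.pop(code, None)
        if entry is None:
            return None
        auth_key, func_id, n = entry
        # S5: recompute with the recorded function and count. The page does not
        # say how the spliced variant's second string and position reach the
        # server; here (an assumption) they travel with the token request.
        if second is None:
            generated = iterate_plain(func_id, target, n)
        else:
            generated = iterate_spliced(func_id, target, second, n, pos)
        # S6 / claim 13: constant-time comparison, refuse on mismatch.
        if not secrets.compare_digest(auth_key.encode(), generated.encode()):
            return None
        token = secrets.token_urlsafe(32)
        self._tokens.add(token)
        return token

    def verify_token(self, token: str) -> bool:
        """Stand-in for the resource server's check of claim 6."""
        return token in self._tokens


def client_flow(server: AuthorizationServer, func_id: str = "sha256", n: int = 1000,
                second: Optional[str] = None, pos: int = 0) -> tuple:
    """Claims 1-2 from the application's side; returns (first string, code, token)."""
    first = secrets.token_hex(16)  # the randomly generated first character string
    if second is None:
        auth_key = iterate_plain(func_id, first, n)
    else:
        auth_key = iterate_spliced(func_id, first, second, n, pos)
    code = server.request_authorization_code(auth_key, func_id, n)
    # The first string is revealed only now; the key sent earlier is one-way,
    # so holding the code without the string does not yield a token.
    token = server.request_token(code, first, second, pos)
    return first, code, token
```

Because the authorization key is a one-way iterate of the first string, a party that observes the authorization code but not the first string cannot redeem it, and the single-use lookup keeps a code from being redeemed twice.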
Application CN202110478005.5A, priority date 2021-04-30, filing date 2021-04-30: Authorization authentication method and device, and resource access token acquisition method (Active; granted as CN112989426B)

Publications (2)

CN112989426A (en), published 2021-06-18
CN112989426B (en), published 2021-08-06

Family ID: 76336689

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
REG Reference to a national code (country code: HK; legal event code: DE; document number: 40046034)