CN113806798B - User side verification method, system, equipment and medium - Google Patents
User side verification method, system, equipment and medium Download PDFInfo
- Publication number
- CN113806798B CN113806798B CN202110932822.3A CN202110932822A CN113806798B CN 113806798 B CN113806798 B CN 113806798B CN 202110932822 A CN202110932822 A CN 202110932822A CN 113806798 B CN113806798 B CN 113806798B
- Authority
- CN
- China
- Prior art keywords
- token
- base point
- challenge information
- public key
- hash value
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 32
- 238000012795 verification Methods 0.000 title claims abstract description 22
- 230000004044 response Effects 0.000 claims description 11
- 238000004590 computer program Methods 0.000 claims description 8
- 230000001172 regenerating effect Effects 0.000 claims description 5
- 230000008569 process Effects 0.000 description 8
- 238000005516 engineering process Methods 0.000 description 6
- 238000010586 diagram Methods 0.000 description 3
- 238000010276 construction Methods 0.000 description 2
- 238000011161 development Methods 0.000 description 2
- 230000014509 gene expression Effects 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 238000013459 approach Methods 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 230000006870 function Effects 0.000 description 1
- 230000006872 improvement Effects 0.000 description 1
- 238000012423 maintenance Methods 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/604—Tools and structures for managing or administering access control systems
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Computer Hardware Design (AREA)
- Health & Medical Sciences (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Databases & Information Systems (AREA)
- Automation & Control Theory (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses a user side verification method, which comprises the following steps: responding to a login request sent by a server side and determining access rights according to a user name and a password carried in the login request; acquiring registration information corresponding to the user terminal, generating a token by using the registration information and the access right, and returning the token to the user terminal; responding to the user end to receive the token, generating challenge information by using the generated random number and the token, and returning the challenge information to the server end; and responding to the server side to receive the challenge information, and verifying the legitimacy of the user side by using the token, the challenge information and the registration information of the server side. The invention also discloses a system, computer equipment and a readable storage medium. According to the scheme provided by the invention, after the client receives the token, the token is not directly adopted to carry out resource access request on the server, but the token challenge information is constructed to carry out resource access request, so that the confidentiality of the token is ensured.
Description
Technical Field
The present invention relates to the field of servers, and in particular, to a method, a system, a device, and a storage medium for user authentication.
Background
With the rapid development of cloud computing technology, more and more users and enterprises place own data and applications on a cloud computing platform, so that development and maintenance costs of the cloud computing platform are reduced. When a user uses the cloud computing platform, the client needs to frequently request data from the server. In order to verify the legality of the user, the server side frequently goes to the database to inquire the user name and the password, compares the user name and the password, judges whether the user name and the password are correct or not, and gives a corresponding prompt. This approach is very inefficient and presents a risk of user name and password leakage. To this end token technology has evolved.
The Token is a string of character strings generated by the server and is used as a Token for the client to request, after the user logs in for the first time, the server generates a Token and returns the Token to the client, and the client only needs to bring the Token to request data, and does not need to bring the user name and the password again. the purpose of token is to alleviate the stress of the server, reduce frequent queries to the database, and make the server more robust.
There are many types of token such as UUID token, PKI token, fernet token. The UUID token is simple and easy to use and is only 32 bytes in length. However, since the UUID token does not carry other information, the server cannot determine whether the token is valid or not after receiving the token, and cannot learn the user information carried by the token. Every time the server receives a user request, it needs to interact with the database to verify whether the token is valid. PKI token supports local authentication of the remaining service components, but requires the CA to issue a certificate, but too large a certificate may cause the request to fail. Compared with UUID, PKI token carries more user information and is also attached with a digital signature to support local authentication. However, because the PKI token carries more information, the more the number of endpoints carried by the service category, the more easily the maximum HTTP request header size allowed by the HTTP protocol (8 kB by default) is included, resulting in HTTP request failure. The Fernet token is a lightweight secure message format, adopts a cryptology symmetric encryption library to encrypt the token, does not need to persist the token, only encrypts necessary information, and has the length of generally not more than 255 bytes, thereby avoiding the problem of overlarge PKI token. A disadvantage of Fernet token is that the symmetric encryption key used to encrypt the token needs to be distributed and rotated.
And the client side directly uses the token to access the cloud computing platform each time, so that the risk that the token is hijacked exists, and an attacker can impersonate a normal user to access the cloud computing platform.
Disclosure of Invention
In view of this, in order to overcome at least one aspect of the above-mentioned problems, an embodiment of the present invention provides a client authentication method, including the following steps:
responding to a login request sent by a server side to receive a user side, and determining access rights according to a user name and a password carried in the login request;
acquiring registration information corresponding to the user terminal, generating a token by using the registration information and the access right, and returning the token to the user terminal;
responding to the user terminal to receive the token, generating challenge information by using the generated random number and the token, and returning the challenge information to the server terminal;
and responding to the server side to receive the challenge information, and verifying the validity of the user side by utilizing the token of the server side, the challenge information and the registration information.
In some embodiments, obtaining the registration information corresponding to the user side further includes:
the user terminal sends a user name and a password to the server terminal for user registration and receives elliptic curve parameters returned by the server terminal;
generating a first base point and a second base point according to the elliptic curve parameters;
calculating a hash value corresponding to the password to serve as a private key, and multiplying the private key by a first base point and a second base point to obtain a first public key and a second public key;
the user terminal sends the first base point, the second base point, the first public key and the second public key as registration information to a server terminal so that the server terminal can store the registration information.
In some embodiments, generating the first base point and the second base point from the elliptic curve parameters further comprises:
judging whether the first base point is equal to the second base point;
and regenerating the first base point and the second base point in response to the first base point and the second base point being equal.
In some embodiments, the server side generates a token using the registration information and the access rights, further comprising:
generating the token by using the user name, the access right, the elliptic curve parameter, the first base point, the second base point, the first public key and the second public key;
calculating a first hash value of the token;
and storing the token, the first hash value, the first base point, the second base point, the first public key and the second public key in a cache.
In some embodiments, further comprising:
and running the cache in a trusted execution environment.
In some embodiments, the client generates challenge information using the generated random number and the token, further comprising:
calculating a second hash value of the token;
and subtracting the product of the second hash value and the hash value corresponding to the password from the generated random number to obtain first challenge information, and multiplying the first base point and the second base point by the random number to obtain second challenge information and third challenge information.
In some embodiments, verifying the validity of the user terminal using the token of the server terminal, the challenge information, and the registration information further comprises:
obtaining the token, the first hash value, the first base point, the second base point, the first public key and the second public key from the cache;
determining whether a product of the first challenge information and the first base point plus a product of the first hash value and the first public key is equal to the second challenge information, and determining whether a product of the first challenge information and the second base point plus a product of the first hash value and the second public key is equal to the third challenge information;
and determining that the user terminal is legal in response to the product of the first challenge information and the first base point plus the product of the first hash value and the first public key being equal to the second challenge information and the product of the first challenge information and the second base point plus the product of the first hash value and the second public key being equal to the third challenge information.
Based on the same inventive concept, according to another aspect of the present invention, an embodiment of the present invention further provides a client verification system, including:
the determining module is configured to respond to a login request sent by a server side and determine access rights according to a user name and a password carried in the login request;
the token module is configured to acquire registration information corresponding to the user terminal, generate a token by utilizing the registration information and the access right, and return the token to the user terminal;
the challenge information module is configured to respond to the receipt of the token by the user, generate challenge information by using the generated random number and the token, and return the challenge information to the server side;
and the verification module is configured to respond to the receipt of the challenge information by the server and verify the validity of the user terminal by using the token of the server terminal, the challenge information and the registration information.
Based on the same inventive concept, according to another aspect of the present invention, an embodiment of the present invention further provides a computer apparatus, including:
at least one processor; and
a memory storing a computer program executable on the processor, wherein the processor performs the steps of any one of the client authentication methods described above when the processor executes the program.
Based on the same inventive concept, according to another aspect of the present invention, there is also provided a computer-readable storage medium storing a computer program which, when executed by a processor, performs the steps of any one of the client authentication methods described above.
The invention has one of the following beneficial technical effects: according to the scheme provided by the invention, after the client receives the token, the token is not directly adopted to carry out resource access request on the server, but the token challenge information is constructed to carry out resource access request, so that the confidentiality of the token is ensured. And the randomization technology is adopted when the challenge information is constructed, the token challenge information sent to the server end is different each time, and the dynamic property of the token in the use process is ensured, so that the verification of the user end is more reliable.
Drawings
In order to more clearly illustrate the embodiments of the invention or the technical solutions in the prior art, the drawings that are necessary for the description of the embodiments or the prior art will be briefly described, it being obvious that the drawings in the following description are only some embodiments of the invention and that other embodiments may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flow chart of a user side verification method according to an embodiment of the present invention;
fig. 2 is a flowchart of a user side verification method according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram of a user side verification system according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of a computer device according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of a computer-readable storage medium according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the following embodiments of the present invention will be described in further detail with reference to the accompanying drawings.
It should be noted that, in the embodiments of the present invention, all the expressions "first" and "second" are used to distinguish two entities with the same name but different entities or different parameters, and it is noted that the "first" and "second" are only used for convenience of expression, and should not be construed as limiting the embodiments of the present invention, and the following embodiments are not described one by one.
In the embodiment of the invention, SGX is instruction set extension (software guard extensions), aims to provide a trusted execution environment of a user space by taking hardware security as mandatory guarantee and not depending on the security states of firmware and software, and ensures that confidentiality and integrity of key codes and data of users are not damaged by malicious software.
According to an aspect of the present invention, an embodiment of the present invention proposes a client authentication method, as shown in fig. 1, which may include the steps of:
s1, responding to a login request sent by a server side and determining access rights according to a user name and a password carried in the login request;
s2, acquiring registration information corresponding to the user terminal, generating a token by using the registration information and the access right, and returning the token to the user terminal;
s3, responding to the user terminal to receive the token, generating challenge information by using the generated random number and the token, and returning the challenge information to the server terminal;
and S4, responding to the server side to receive the challenge information, and verifying the validity of the user side by using the token of the server side, the challenge information and the registration information.
According to the scheme provided by the invention, after the client receives the token, the token is not directly adopted to carry out resource access request on the server, but the token challenge information is constructed to carry out resource access request, so that the confidentiality of the token is ensured. And the randomization technology is adopted when the challenge information is constructed, the token challenge information sent to the server end is different each time, and the dynamic property of the token in the use process is ensured, so that the verification of the user end is more reliable.
In some embodiments, obtaining the registration information corresponding to the user side further includes:
the user terminal sends a user name and a password to the server terminal for user registration and receives elliptic curve parameters returned by the server terminal;
generating a first base point and a second base point according to the elliptic curve parameters;
calculating a hash value corresponding to the password to serve as a private key, and multiplying the private key by a first base point and a second base point to obtain a first public key and a second public key;
the user terminal sends the first base point, the second base point, the first public key and the second public key as registration information to a server terminal so that the server terminal can store the registration information.
In some embodiments, generating the first base point and the second base point from the elliptic curve parameters further comprises:
judging whether the first base point is equal to the second base point;
and regenerating the first base point and the second base point in response to the first base point and the second base point being equal.
Specifically, as shown in fig. 2, in the registration stage, a user at the user end may select a corresponding user name n and a corresponding password s, and initiate a user registration request to a server at the server end or a cloud server. The user name n and the password s may then be sent to the server side via the encryption protocol SSL. The server receives the user registration request. The login verification module at the server side verifies the compliance of the user name and the password of the user. And if the user name and the password meet the system requirements, registering the user. The server side can preset an asymmetrically encrypted elliptic curve to generate corresponding elliptic curve parameters. After the user registration is completed, the server side sends the elliptic curve to the user side and requests to generate a base point. The user side can generate a first base point G and a second base point H on the elliptic curve according to the elliptic curve, and verify whether the two base points G and H are equal. If equal, regenerating. The user calculates a corresponding Hash value sk=hash(s) according to the password s, and takes sk as a private key of the user. The user calculates a first public key and a second public key of the user according to the private key sk, wherein the first public key is Pk1=sk×G, and the second public key is Pk2=sk×H. The user sends two base points G and H, two public keys pk1=sk×g, pk2=sk×h to the server through the encryption protocol SSL. The server side stores a user name n, an encrypted password s, a public key Pk1, a public key Pk2 and two base points G and H.
In some embodiments, the server side generates a token using the registration information and the access rights, further comprising:
generating the token by using the user name, the access right, the elliptic curve parameter, the first base point, the second base point, the first public key and the second public key;
calculating a first hash value of the token;
and storing the token, the first hash value, the first base point, the second base point, the first public key and the second public key in a cache.
In some embodiments, further comprising:
and running the cache in a trusted execution environment.
Specifically, as shown in fig. 2, when the user side requests to log in, the user selects a corresponding user name n and a corresponding password s, and caches sk=hash(s) in a token challenge generation module of the client side, and sends a login request to the server. The user sends the user name n and the password s to the server via the encryption protocol SSL. The server receives the user name n and the password s of the user, verifies the legality and the access right of the user, and generates a corresponding token for the user. Token may include a user name, a character, an item, a creation time, an expiration time, an accessible item, elliptic curve parameters, two base points G, H, etc. The server calculates the Hash value ht1=hash (token) of the token, and saves the Hash value Ht1 of the token and the token, the two base points G, H, the two public keys Pk1, pk2 as key values in the memcached. The Memcached service module runs in an SGX trusted execution environment and is responsible for confidential protection of a user token. The server sends the token to the user via the encryption protocol SSL.
In some embodiments, the client generates challenge information using the generated random number and the token, further comprising:
calculating a second hash value of the token;
and subtracting the product of the second hash value and the hash value corresponding to the password from the generated random number to obtain first challenge information, and multiplying the first base point and the second base point by the random number to obtain second challenge information and third challenge information.
Specifically, as shown in fig. 2, the client receives the token sent by the server, and transmits the token to the challenge generation module. The challenge generating module analyzes the token and receives two base points G and H. The challenge-generating module calculates a Hash value of the token, ht2=hash (token), and creates a random number v. The challenge generating module calculates first challenge information r=v-Ht 2×sk, second challenge information v×g, and third challenge information v×h. And finally, the challenge information r, vG and vH is sent to the server through an encryption protocol SSL.
In some embodiments, verifying the validity of the user terminal using the token of the server terminal, the challenge information, and the registration information further comprises:
obtaining the token, the first hash value, the first base point, the second base point, the first public key and the second public key from the cache;
determining whether a product of the first challenge information and the first base point plus a product of the first hash value and the first public key is equal to the second challenge information, and determining whether a product of the first challenge information and the second base point plus a product of the first hash value and the second public key is equal to the third challenge information;
and determining that the user terminal is legal in response to the product of the first challenge information and the first base point plus the product of the first hash value and the first public key being equal to the second challenge information and the product of the first challenge information and the second base point plus the product of the first hash value and the second public key being equal to the third challenge information.
Specifically, as shown in fig. 2, the server receives token challenge information of the user, and sends the challenge information to the token verification module. the token verification module runs in an SGX trusted execution environment and is responsible for verifying the validity of a user token. the token verification module establishes trusted connection with the memcached service module, and obtains Ht1 and token, two base points G and H and two public keys Pk1 and Pk2 corresponding to the user from the memcached service module. the token verification module verifies the legality of the user token according to the challenge information sent by the user and the information corresponding to the user token acquired from the memcached service module. the token verification module calculates whether v×g is equal to r×g+ht1×pk1, and v×h is equal to r×h+ht1×pk2. If the two formulas are equal, the user is provided with a token, the cloud computing platform can be accessed, and the user is allowed to access corresponding cloud computing resources.
According to the scheme provided by the embodiment of the invention, aiming at the situations of leakage, counterfeiting and the like in the using process of the token, after the user receives the token, the token is not directly adopted to carry out resource access requests on the cloud server, but the token challenge information is constructed to carry out resource access requests, so that the confidentiality of the token is ensured. And a randomization technology is adopted when challenge information is constructed, the challenge information of the token generated by the cloud service is different every time, and the dynamic property of the token in the using process is ensured. The user terminal combines the user private key with the token challenge information in the token construction process, so that the token cannot be effectively forged. Meanwhile, two modules of the Memcached service module and the token verification module in the server run in the trusted execution environment of the SGX, so that confidential data cannot be stolen.
Based on the same inventive concept, according to another aspect of the present invention, there is further provided a client authentication 400, as shown in fig. 3, including:
the determining module 401 is configured to respond to a login request sent by a server side and determine access rights according to a user name and a password carried in the login request;
the token module 402 is configured to obtain registration information corresponding to the user terminal, generate a token by using the registration information and the access right, and return the token to the user terminal;
a challenge information module 403 configured to generate challenge information using the generated random number and the token in response to the user terminal receiving the token, and return the challenge information to the server terminal;
and a verification module 404 configured to verify, in response to the server side receiving the challenge information, validity of the user side using the token of the server side, the challenge information and the registration information.
In some embodiments, obtaining the registration information corresponding to the user side further includes:
the user terminal sends a user name and a password to the server terminal for user registration and receives elliptic curve parameters returned by the server terminal;
generating a first base point and a second base point according to the elliptic curve parameters;
calculating a hash value corresponding to the password to serve as a private key, and multiplying the private key by a first base point and a second base point to obtain a first public key and a second public key;
the user terminal sends the first base point, the second base point, the first public key and the second public key as registration information to a server terminal so that the server terminal can store the registration information.
In some embodiments, generating the first base point and the second base point from the elliptic curve parameters further comprises:
judging whether the first base point is equal to the second base point;
and regenerating the first base point and the second base point in response to the first base point and the second base point being equal.
In some embodiments, the server side generates a token using the registration information and the access rights, further comprising:
generating the token by using the user name, the access right, the elliptic curve parameter, the first base point, the second base point, the first public key and the second public key;
calculating a first hash value of the token;
and storing the token, the first hash value, the first base point, the second base point, the first public key and the second public key in a cache.
In some embodiments, further comprising:
and running the cache in a trusted execution environment.
In some embodiments, the client generates challenge information using the generated random number and the token, further comprising:
calculating a second hash value of the token;
and subtracting the product of the second hash value and the hash value corresponding to the password from the generated random number to obtain first challenge information, and multiplying the first base point and the second base point by the random number to obtain second challenge information and third challenge information.
In some embodiments, verifying the validity of the user terminal using the token of the server terminal, the challenge information, and the registration information further comprises:
obtaining the token, the first hash value, the first base point, the second base point, the first public key and the second public key from the cache;
determining whether a product of the first challenge information and the first base point plus a product of the first hash value and the first public key is equal to the second challenge information, and determining whether a product of the first challenge information and the second base point plus a product of the first hash value and the second public key is equal to the third challenge information;
and determining that the user terminal is legal in response to the product of the first challenge information and the first base point plus the product of the first hash value and the first public key being equal to the second challenge information and the product of the first challenge information and the second base point plus the product of the first hash value and the second public key being equal to the third challenge information.
According to the scheme provided by the embodiment of the invention, aiming at the situations of leakage, counterfeiting and the like in the using process of the token, after the user receives the token, the token is not directly adopted to carry out resource access requests on the cloud server, but the token challenge information is constructed to carry out resource access requests, so that the confidentiality of the token is ensured. And a randomization technology is adopted when challenge information is constructed, the challenge information of the token generated by the cloud service is different every time, and the dynamic property of the token in the using process is ensured. The user terminal combines the user private key with the token challenge information in the token construction process, so that the token cannot be effectively forged. Meanwhile, two modules of the Memcached service module and the token verification module in the server run in the trusted execution environment of the SGX, so that confidential data cannot be stolen.
Based on the same inventive concept, according to another aspect of the present invention, as shown in fig. 4, an embodiment of the present invention further provides a computer apparatus 501, including:
at least one processor 520; and
the memory 510, the memory 510 stores a computer program 511 executable on a processor, and the processor 520 executes steps of any one of the user side authentication methods described above when executing the program.
According to another aspect of the present invention, as shown in fig. 5, according to the same inventive concept, there is further provided a computer-readable storage medium 601, the computer-readable storage medium 601 storing computer program instructions 610, the computer program instructions 610 when executed by a processor performing the steps of any of the user side authentication methods as above.
Finally, it should be noted that, as will be appreciated by those skilled in the art, all or part of the procedures in implementing the methods of the embodiments described above may be implemented by a computer program for instructing relevant hardware, and the program may be stored in a computer readable storage medium, and the program may include the procedures of the embodiments of the methods described above when executed.
Further, it should be appreciated that the computer-readable storage medium (e.g., memory) herein can be either volatile memory or nonvolatile memory, or can include both volatile and nonvolatile memory.
Those of skill would further appreciate that the various illustrative logical blocks, modules, circuits, and algorithm steps described in connection with the disclosure herein may be implemented as electronic hardware, computer software, or combinations of both. To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, modules, circuits, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as software or hardware depends upon the particular application and design constraints imposed on the overall system. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present disclosure.
The foregoing is an exemplary embodiment of the present disclosure, but it should be noted that various changes and modifications could be made herein without departing from the scope of the disclosure as defined by the appended claims. The functions, steps and/or actions of the method claims in accordance with the disclosed embodiments described herein need not be performed in any particular order. Furthermore, although elements of the disclosed embodiments may be described or claimed in the singular, the plural is contemplated unless limitation to the singular is explicitly stated.
It should be understood that as used herein, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly supports the exception. It should also be understood that "and/or" as used herein is meant to include any and all possible combinations of one or more of the associated listed items.
The foregoing embodiment of the present invention has been disclosed with reference to the number of embodiments for the purpose of description only, and does not represent the advantages or disadvantages of the embodiments.
It will be appreciated by those of ordinary skill in the art that all or part of the steps of implementing the above embodiments may be implemented by hardware, or may be implemented by a program to instruct related hardware, and the program may be stored in a computer readable storage medium, where the storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.
Those of ordinary skill in the art will appreciate that: the above discussion of any embodiment is merely exemplary and is not intended to imply that the scope of the disclosure of embodiments of the invention, including the claims, is limited to such examples; combinations of features of the above embodiments or in different embodiments are also possible within the idea of an embodiment of the invention, and many other variations of the different aspects of the embodiments of the invention as described above exist, which are not provided in detail for the sake of brevity. Therefore, any omission, modification, equivalent replacement, improvement, etc. of the embodiments should be included in the protection scope of the embodiments of the present invention.
Claims (6)
1. The user side verification method is characterized by comprising the following steps of:
responding to a login request sent by a server side to receive a user side, and determining access rights according to a user name and a password carried in the login request;
acquiring registration information corresponding to the user terminal, generating a token by using the registration information and the access right, and returning the token to the user terminal;
responding to the user terminal to receive the token, generating challenge information by using the generated random number and the token, and returning the challenge information to the server terminal;
responding to the server side to receive the challenge information, and verifying the validity of the user side by utilizing the token of the server side, the challenge information and the registration information;
acquiring registration information corresponding to the user side, further comprising:
the user terminal sends a user name and a password to the server terminal for user registration and receives elliptic curve parameters returned by the server terminal;
generating a first base point and a second base point according to the elliptic curve parameters;
calculating a hash value corresponding to the password to serve as a private key, and multiplying the private key by a first base point and a second base point to obtain a first public key and a second public key;
the user terminal sends the first base point, the second base point, the first public key and the second public key as registration information to a server terminal so that the server terminal can store the registration information;
the server generates a token by using the registration information and the access right, and the method further comprises the following steps:
generating the token by using the user name, the access right, the elliptic curve parameter, the first base point, the second base point, the first public key and the second public key;
calculating a first hash value of the token;
storing the token, the first hash value, the first base point, the second base point, the first public key and the second public key in a cache;
the client generates challenge information by using the generated random number and the token, and the method further comprises the following steps:
calculating a second hash value of the token;
subtracting the product of the second hash value and the hash value corresponding to the password from the generated random number to obtain first challenge information, and multiplying the first base point and the second base point by the random number to obtain second challenge information and third challenge information;
verifying the validity of the user terminal by using the token of the server terminal, the challenge information and the registration information, and further comprising:
obtaining the token, the first hash value, the first base point, the second base point, the first public key and the second public key from the cache;
determining whether a product of the first challenge information and the first base point plus a product of the first hash value and the first public key is equal to the second challenge information, and determining whether a product of the first challenge information and the second base point plus a product of the first hash value and the second public key is equal to the third challenge information;
and determining that the user terminal is legal in response to the product of the first challenge information and the first base point plus the product of the first hash value and the first public key being equal to the second challenge information and the product of the first challenge information and the second base point plus the product of the first hash value and the second public key being equal to the third challenge information.
2. The method of claim 1, wherein generating a first base point and a second base point from the elliptic curve parameters, further comprises:
judging whether the first base point is equal to the second base point;
and regenerating the first base point and the second base point in response to the first base point and the second base point being equal.
3. The method as recited in claim 1, further comprising:
and running the cache in a trusted execution environment.
4. A client verification system, comprising:
the determining module is configured to respond to a login request sent by a server side and determine access rights according to a user name and a password carried in the login request;
the token module is configured to acquire registration information corresponding to the user terminal, generate a token by utilizing the registration information and the access right, and return the token to the user terminal;
the challenge information module is configured to respond to the receipt of the token by the user, generate challenge information by using the generated random number and the token, and return the challenge information to the server side;
the verification module is configured to respond to the receipt of the challenge information by the server and verify the validity of the user terminal by using the token of the server terminal, the challenge information and the registration information;
the token module is further configured to:
the user terminal sends a user name and a password to the server terminal for user registration and receives elliptic curve parameters returned by the server terminal;
generating a first base point and a second base point according to the elliptic curve parameters;
calculating a hash value corresponding to the password to serve as a private key, and multiplying the private key by a first base point and a second base point to obtain a first public key and a second public key;
the user terminal sends the first base point, the second base point, the first public key and the second public key as registration information to a server terminal so that the server terminal can store the registration information;
the token module is further configured to:
generating the token by using the user name, the access right, the elliptic curve parameter, the first base point, the second base point, the first public key and the second public key;
calculating a first hash value of the token;
storing the token, the first hash value, the first base point, the second base point, the first public key and the second public key in a cache;
the challenge information module is further configured to:
calculating a second hash value of the token;
subtracting the product of the second hash value and the hash value corresponding to the password from the generated random number to obtain first challenge information, and multiplying the first base point and the second base point by the random number to obtain second challenge information and third challenge information;
the authentication module is further configured to:
obtaining the token, the first hash value, the first base point, the second base point, the first public key and the second public key from the cache;
determining whether a product of the first challenge information and the first base point plus a product of the first hash value and the first public key is equal to the second challenge information, and determining whether a product of the first challenge information and the second base point plus a product of the first hash value and the second public key is equal to the third challenge information;
and determining that the user terminal is legal in response to the product of the first challenge information and the first base point plus the product of the first hash value and the first public key being equal to the second challenge information and the product of the first challenge information and the second base point plus the product of the first hash value and the second public key being equal to the third challenge information.
5. A computer device, comprising:
at least one processor; and
a memory storing a computer program executable on the processor, wherein the processor performs the steps of the method of any one of claims 1-3 when the program is executed.
6. A computer readable storage medium storing a computer program, which when executed by a processor performs the steps of the method according to any one of claims 1-3.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110932822.3A CN113806798B (en) | 2021-08-13 | 2021-08-13 | User side verification method, system, equipment and medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110932822.3A CN113806798B (en) | 2021-08-13 | 2021-08-13 | User side verification method, system, equipment and medium |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN113806798A CN113806798A (en) | 2021-12-17 |
| CN113806798B true CN113806798B (en) | 2023-07-14 |
Family
ID=78942946
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110932822.3A Active CN113806798B (en) | 2021-08-13 | 2021-08-13 | User side verification method, system, equipment and medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113806798B (en) |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN201742438U (en) * | 2010-06-12 | 2011-02-09 | 杭州驭强科技有限公司 | Bidirectional authentication type dynamic password token device and dynamic password authentication system |
| CN108092776A (en) * | 2017-12-04 | 2018-05-29 | 南京南瑞信息通信科技有限公司 | A kind of authentication server and authentication token |
| CN111050314A (en) * | 2018-08-23 | 2020-04-21 | 刘高峰 | Client registration method, device and system |
-
2021
- 2021-08-13 CN CN202110932822.3A patent/CN113806798B/en active Active
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN201742438U (en) * | 2010-06-12 | 2011-02-09 | 杭州驭强科技有限公司 | Bidirectional authentication type dynamic password token device and dynamic password authentication system |
| CN108092776A (en) * | 2017-12-04 | 2018-05-29 | 南京南瑞信息通信科技有限公司 | A kind of authentication server and authentication token |
| CN111050314A (en) * | 2018-08-23 | 2020-04-21 | 刘高峰 | Client registration method, device and system |
Also Published As
| Publication number | Publication date |
|---|---|
| CN113806798A (en) | 2021-12-17 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US20230155821A1 (en) | Secure shared key establishment for peer to peer communications | |
| US9124576B2 (en) | Configuring a valid duration period for a digital certificate | |
| JP4896537B2 (en) | Method and system for asymmetric key security | |
| US8196186B2 (en) | Security architecture for peer-to-peer storage system | |
| US11095635B2 (en) | Server authentication using multiple authentication chains | |
| CN107483509A (en) | A kind of auth method, server and readable storage medium storing program for executing | |
| CN109617692B (en) | Anonymous login method and system based on block chain | |
| US9077546B1 (en) | Two factor validation and security response of SSL certificates | |
| CN112671720B (en) | Token construction method, device and equipment for cloud platform resource access control | |
| US11463431B2 (en) | System and method for public API authentication | |
| CN108259406B (en) | Method and system for verifying SSL certificate | |
| US10897353B2 (en) | Computer-implemented method for generating passwords and computer program products of same | |
| US10257171B2 (en) | Server public key pinning by URL | |
| CN112688773A (en) | Token generation and verification method and device | |
| JP2022534677A (en) | Protecting online applications and web pages that use blockchain | |
| CN113806798B (en) | User side verification method, system, equipment and medium | |
| CN114679284A (en) | Trusted remote attestation system, storage method, verification method and storage medium thereof | |
| CN117640109B (en) | API (application program interface) secure access method and device, electronic equipment and storage medium | |
| McLuskie et al. | X. 509 certificate error testing | |
| CN114079573B (en) | Router access method and router | |
| CN110225011B (en) | Authentication method and device for user node and computer readable storage medium | |
| US20220191023A1 (en) | Systems and methods for registering or authenticating a user with a relying party | |
| CN115459930A (en) | API interface security verification processing method and device | |
| CN116582256A (en) | Certificate-free authentication method, device and system for electric power Internet of things terminal | |
| CN117370952A (en) | Multi-node identity verification method and device based on block chain |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |