CN114070571B - Method, device, terminal and storage medium for establishing connection - Google Patents

Method, device, terminal and storage medium for establishing connection

Info

Publication number: CN114070571B (granted patent; pre-grant publication CN114070571A; application CN202111361687.8A)
Authority: CN (China)
Prior art keywords: data, ssh, public key, signature, user
Legal status: Active
Application number: CN202111361687.8A
Other languages: Chinese (zh)
Other versions: CN114070571A (en)
Inventor
王小庆
石勇
孙利杰
杨涛
刘文清
陈松政
颜跃进
Current Assignee: Hunan Qilin Xin'an Technology Co ltd
Original Assignee: Hunan Qilin Xin'an Technology Co ltd
Events
Application filed by Hunan Qilin Xin'an Technology Co ltd
Priority to CN202111361687.8A
Publication of CN114070571A
Application granted
Publication of CN114070571B
Legal status: Active (current)
Anticipated expiration

Classifications

All classifications fall under section H (Electricity), class H04 (Electric communication technique), subclass H04L (Transmission of digital information, e.g. telegraphic communication):
    • H04L9/3231: Cryptographic mechanisms for verifying the identity or authority of a user using a predetermined code, where that code is biological data, e.g. fingerprint, voice or retina
    • H04L63/0428: Network security protocols providing a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/083: Network security protocols for authentication of entities using passwords
    • H04L63/0861: Network security protocols for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
    • H04L63/168: Security features implemented at a particular protocol layer, above the transport layer
    • H04L67/141: Session management; setup of application sessions
    • H04L9/3226: Cryptographic mechanisms for verifying the identity or authority of a user using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3234: Cryptographic mechanisms for verifying the identity or authority of a user involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
    • H04L9/3247: Cryptographic mechanisms for verifying the identity or authority of a user involving digital signatures
    • H04L2209/127: Details relating to cryptographic hardware or logic circuitry; trusted platform modules [TPM]

Abstract

The invention discloses a method, device, terminal and storage medium for establishing a connection. The method comprises: acquiring login data through an SSH client; sending the login data to a TEE device; if the TEE device acquires the user's biometric feature, signing the login data with the private key corresponding to that biometric feature to obtain signature data, and returning the signature data to the SSH client; sending the signature data to an SSH server; searching a public key library for a public key that verifies the signature data, recording the user to whom that public key belongs, authenticating the login data, and allowing the SSH client to establish the connection if authentication passes. In this scheme the TEE device signs the user's password information with a private key and the SSH server then verifies the signature data with the corresponding public key, which provides two-factor authentication; at the same time, the biometric feature lets the system identify and audit the person performing the connection.

Description

Method, device, terminal and storage medium for establishing connection
Technical Field
The present invention relates to the field of computer security technologies, and in particular, to a method, an apparatus, a terminal, and a storage medium for establishing a connection.
Background
SSH (Secure Shell) is a suite of tools for securely accessing remote computers; it encrypts all transmitted data, which prevents eavesdropping, connection hijacking and other network-level attacks. In the common deployment, however, SSH authenticates the user by user name and password alone, and once the password is leaked an attacker can enter the system. Moreover, with single-factor user name and password authentication the system can only identify the account: when different people log in to the same account, it cannot tell which person is actually logged in.
Thus, there is a need for a solution to the problems of the prior art.
Disclosure of Invention
In view of the above, the present invention provides a method, apparatus, terminal and storage medium for establishing a connection, which are used for solving the problems in the prior art.
Specifically, the present invention proposes the following specific embodiments:
The embodiment of the invention provides a method for establishing a connection, which comprises the following steps:
acquiring login data through an SSH client;
sending the login data to a TEE device through the SSH client;
if the TEE device acquires the user's biometric feature, signing the login data with the private key corresponding to that biometric feature to obtain signature data, and returning the signature data to the SSH client;
sending the signature data to an SSH server through the SSH client;
and searching, by the SSH server, a public key library for a public key that verifies the signature data, recording the user to whom the successfully verifying public key belongs, authenticating the login data obtained after successful verification, and allowing the SSH client to establish the connection if authentication passes.
In a specific embodiment, the method further comprises:
acquiring the user's biometric feature;
generating a key pair comprising a private key and a public key based on the user's biometric feature;
storing the private key in the TEE device and the public key in the SSH server's public key library.
In a specific embodiment, the biometric feature comprises at least one of a fingerprint, an iris and a face image;
the login data comprises a user name and a password.
In a specific embodiment, after the SSH client sends the login data to the TEE device, the method further comprises:
prompting the user to present a biometric feature on the TEE device.
In a specific embodiment, signing the login data with the private key corresponding to the biometric feature if the TEE device acquires the user's biometric feature comprises:
if the TEE device acquires the user's biometric feature, the TEE device performs identity verification on that biometric feature, and only after verification passes does it sign the login data with the private key corresponding to that biometric feature.
In a specific embodiment, sending the signature data to the SSH server through the SSH client comprises:
encrypting the signature data through the SSH client to obtain encrypted data, and sending the encrypted data to the SSH server;
and before the SSH server searches the public key library to verify the signature data, the method further comprises:
decrypting the encrypted data through the SSH server to obtain the signature data.
In a specific embodiment, the method further comprises:
refusing to let the SSH client establish the connection if every public key in the public key library has been tried without a successful signature verification, or if authentication of the login data fails.
In a specific embodiment, the method further comprises:
returning the signature verification result and the login data authentication result to the SSH client through the SSH server.
The embodiment of the invention also provides a device for establishing a connection, which comprises:
an acquisition module, configured to acquire login data through an SSH client;
a first sending module, configured to send the login data to a TEE device through the SSH client;
a signature module, configured to sign the login data with the private key corresponding to the user's biometric feature if the TEE device acquires that biometric feature, so as to obtain signature data, and to return the signature data to the SSH client;
a second sending module, configured to send the signature data to an SSH server through the SSH client;
and a verification connection module, configured to search, through the SSH server, a public key library for a public key that verifies the signature data, record the user to whom the successfully verifying public key belongs, authenticate the login data obtained after successful verification, and allow the SSH client to establish the connection if authentication passes.
The embodiment of the invention also provides a terminal which comprises a memory and a processor, wherein the memory stores a computer program, and the processor runs the computer program to enable the processor to execute the method for establishing connection.
The embodiment of the invention also provides a storage medium, and a computer program is stored on the storage medium, and the computer program realizes the method for establishing connection when being executed by a processor.
In this way, the embodiment of the invention provides a method, device, terminal and storage medium for establishing a connection in which the SSH client acquires login data and sends it to the TEE device; if the TEE device acquires the user's biometric feature, it signs the login data with the corresponding private key and returns the signature data to the SSH client, which sends it to the SSH server; the SSH server searches its public key library for a public key that verifies the signature, records the user to whom that key belongs, authenticates the login data, and allows the connection if authentication passes. Because the TEE device signs the user's password information with a private key and the SSH server then verifies the signature with the corresponding public key, the scheme provides two-factor authentication; at the same time, the biometric feature lets the system identify and audit the person performing the connection.
Drawings
In order to more clearly illustrate the technical solutions of the present invention, the drawings that are required for the embodiments will be briefly described, it being understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope of the present invention. Like elements are numbered alike in the various figures.
Fig. 1 is a schematic flow chart of a method for establishing a connection according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of a system in which a method for establishing a connection according to an embodiment of the present invention is located;
Fig. 3 is a schematic structural diagram of a device for establishing a connection according to an embodiment of the present invention;
Fig. 4 is another schematic structural diagram of a device for establishing a connection according to an embodiment of the present invention.
Legend description:
201: acquisition module; 202: first sending module; 203: signature module; 204: second sending module; 205: verification connection module; 206: generating module.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments.
The components of the embodiments of the present invention generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations. Thus, the following detailed description of the embodiments of the invention, as presented in the figures, is not intended to limit the scope of the invention, as claimed, but is merely representative of selected embodiments of the invention. All other embodiments, which can be made by a person skilled in the art without making any inventive effort, are intended to be within the scope of the present invention.
The terms "comprises," "comprising," "including," or any other variation thereof are intended to cover a stated feature, number, step, operation, element, component or combination thereof that may be used in various embodiments of the present invention, and are not intended to exclude the presence or addition of one or more other features, numbers, steps, operations, elements, components or combinations thereof.
Furthermore, the terms "first," "second," "third," and the like are used merely to distinguish between descriptions and should not be construed as indicating or implying relative importance.
Unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which various embodiments of the invention belong. The terms (such as those defined in commonly used dictionaries) will be interpreted as having a meaning that is the same as the context of the relevant art and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein in connection with the various embodiments of the invention.
Example 1
Embodiment 1 of the invention discloses a method for establishing a connection which, as shown in Fig. 1 and Fig. 2, comprises the following steps:
Step S101: acquiring login data through an SSH client; specifically, the login data comprises a user name and a password.
Furthermore, before step S101 the method further comprises: acquiring the user's biometric feature; generating a key pair comprising a private key and a public key based on that biometric feature; storing the private key in the TEE device and the public key in the SSH server's public key library.
Specifically, the user's biometric feature, for example user A's fingerprint, is obtained in advance and a key pair is generated based on it, so that signing and signature verification can be performed later.
Step S102: sending the login data to a TEE (Trusted Execution Environment) device through the SSH client;
specifically, after the SSH client has sent the login data to the TEE device, the method further comprises, so as to prompt the user: prompting the user to present a biometric feature on the TEE device.
Step S103: if the TEE device acquires the user's biometric feature, signing the login data with the private key corresponding to that biometric feature to obtain signature data, and returning the signature data to the SSH client;
in particular, the TEE device prevents an attacker from tampering with or destroying the biometric authentication environment, because both the biometric verification and the private key stay inside the trusted environment rather than in the client's operating system. Second, biometric authentication by the TEE device lets the remote system identify the person in the external real world.
Further, the biometric feature comprises at least one of a fingerprint, an iris and a face image.
In addition, to further enhance security, signing the login data with the private key corresponding to the biometric feature in step S103 comprises: if the TEE device acquires the user's biometric feature, the TEE device performs identity verification on that biometric feature, and only after verification passes does it sign the login data with the private key corresponding to that biometric feature.
Specifically, the subsequent signature is produced only after the user's biometric identity has been verified, which enhances security.
Step S104: sending the signature data to the SSH server through the SSH client;
Step S105: searching, by the SSH server, the public key library for a public key that verifies the signature data, recording the user to whom the successfully verifying public key belongs, authenticating the login data obtained after successful verification, and allowing the SSH client to establish the connection if authentication passes.
Specifically, sending the signature data to the SSH server through the SSH client in step S104 comprises: encrypting the signature data through the SSH client to obtain encrypted data and sending the encrypted data to the SSH server; accordingly, before the SSH server searches the public key library to verify the signature data, the method further comprises: decrypting the encrypted data through the SSH server to obtain the signature data. That is, the signature data the SSH client sends to the SSH server is encrypted, and the SSH server must decrypt it after receipt before it can verify the signature. The encryption mode and the corresponding decryption mode are agreed in advance between the SSH client and the SSH server.
In a specific embodiment, the method further comprises:
refusing to let the SSH client establish the connection if every public key in the public key library has been tried without a successful signature verification, or if authentication of the login data fails. Specifically, if no public key in the library verifies the signature, the private key used for signing is not paired with any enrolled public key, so the connection is refused; likewise, if authentication of the login data, namely the user name and password, fails, the connection is also refused.
Furthermore, so that the user receives timely feedback on verification and authentication, the method further comprises: returning the signature verification result and the login data authentication result to the SSH client through the SSH server.
Thus, during SSH user authentication the TEE device signs the login data (user name and password) with a private key, verifying the user's biometric feature, such as a fingerprint, as part of signing; the SSH server then verifies the signature data with the corresponding public key, providing two-factor authentication. At the same time, the biometric feature lets the system identify and audit the person in the external real world.
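The flow of the disclosure and of Embodiment 1 (the enrolment pre-step, then steps S101 to S105), carried through as an added example in Go with both the TEE side and the SSH server side. This is not code from the patent or from the assignee. Everything not stated in the patent is an assumption made here for the illustration: the Ed25519 key pair, the constructed fingerprint template matched by exact digest (real biometric matchers are fuzzy), the SHA-256 password store, the person labels and the audit line format. Since the patent does not say how a key is derived "based on" a biometric, the key pair is generated randomly and bound to the enrolled template inside the device; the pre-agreed encryption of the client-to-server message in claim 1 is left to the SSH transport.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// LoginData is the user name and password the SSH client collects (step S101).
type LoginData struct{ User, Password string }

// Bytes is the exact message the TEE signs and the server verifies; length prefixes stop ("ab","c") and ("a","bc") colliding.
func (l LoginData) Bytes() []byte {
	return []byte(fmt.Sprintf("%d:%s%d:%s", len(l.User), l.User, len(l.Password), l.Password))
}

// TEEDevice models the trusted device: private keys never leave it and each key is bound to the
// template it was enrolled with. Constructed simplification: templates match by exact SHA-256 digest.
type TEEDevice struct{ keys map[[32]byte]ed25519.PrivateKey }

func NewTEEDevice() *TEEDevice { return &TEEDevice{keys: map[[32]byte]ed25519.PrivateKey{}} }

// Enroll is the pre-step of Embodiment 1: generate a key pair, keep the private key in the device,
// return the public key for the SSH server's public key library.
func (d *TEEDevice) Enroll(template []byte) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	d.keys[sha256.Sum256(template)] = priv
	return pub, nil
}

// Sign is step S103: verify the presented biometric, and sign the login data only if it matches.
func (d *TEEDevice) Sign(presented []byte, login LoginData) ([]byte, error) {
	priv, ok := d.keys[sha256.Sum256(presented)]
	if !ok {
		return nil, fmt.Errorf("tee: biometric verification failed, refusing to sign")
	}
	return ed25519.Sign(priv, login.Bytes()), nil
}

// SSHServer holds the public key library (person -> key), the account passwords and the audit trail.
type SSHServer struct {
	pubKeys   map[string]ed25519.PublicKey
	passwords map[string][32]byte // account -> SHA-256(password); constructed, use a real password KDF
	AuditLog  []string
}

func NewSSHServer() *SSHServer {
	return &SSHServer{pubKeys: map[string]ed25519.PublicKey{}, passwords: map[string][32]byte{}}
}
func (s *SSHServer) AddPublicKey(person string, pub ed25519.PublicKey) { s.pubKeys[person] = pub }
func (s *SSHServer) SetPassword(account, pw string) { s.passwords[account] = sha256.Sum256([]byte(pw)) }

// Authenticate is step S105: try the library's public keys until one verifies the signature, record
// whose key it was, then check the user name and password. Either factor failing rejects the login.
func (s *SSHServer) Authenticate(login LoginData, sig []byte) (string, error) {
	var person string
	for label, pub := range s.pubKeys {
		if ed25519.Verify(pub, login.Bytes(), sig) {
			person = label
			break
		}
	}
	if person == "" {
		return "", fmt.Errorf("server: no public key in the library verifies this signature")
	}
	s.AuditLog = append(s.AuditLog, fmt.Sprintf("person=%q account=%q signature=ok", person, login.User))
	want, known := s.passwords[login.User]
	got := sha256.Sum256([]byte(login.Password))
	if !known || subtle.ConstantTimeCompare(want[:], got[:]) != 1 {
		return "", fmt.Errorf("server: user name/password authentication failed")
	}
	return person, nil
}

// Login is the client side of steps S102 to S104: hand the login data to the TEE, take the signature
// back and present both to the server (the pre-agreed encryption of claim 1 is left to the SSH transport).
func Login(tee *TEEDevice, srv *SSHServer, presented []byte, login LoginData) (string, error) {
	sig, err := tee.Sign(presented, login)
	if err != nil {
		return "", err
	}
	return srv.Authenticate(login, sig)
}

func main() {
	tee, srv := NewTEEDevice(), NewSSHServer()
	fingerA := []byte("constructed fingerprint template of user A")
	pub, _ := tee.Enroll(fingerA)
	srv.AddPublicKey("user A", pub)
	srv.SetPassword("ops", "correct-horse-battery-staple")
	login := LoginData{User: "ops", Password: "correct-horse-battery-staple"}
	fmt.Println(Login(tee, srv, fingerA, login))
	fmt.Println(Login(tee, srv, []byte("unenrolled finger"), login))
	fmt.Println(srv.AuditLog)
}
```

Running `main` admits user A to the shared `ops` account and writes an audit line naming the person, then shows the TEE refusing to sign for an unenrolled finger before anything reaches the server; a correct finger with a wrong password is audited as a verified signature but still rejected, which is the two-factor behaviour the text describes. One design point worth noting: the only thing signed is the login data, so nothing in the described flow ties a signature to one session. A deployment would normally have the server contribute a nonce or session identifier to the signed message, as SSH's own publickey authentication method does, so that a captured signature cannot be presented again.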
Example 2
To further describe the present invention, Embodiment 2 also discloses a device for establishing a connection, as shown in Fig. 3, comprising:
an acquisition module 201, configured to acquire login data through an SSH client;
a first sending module 202, configured to send the login data to a TEE device through the SSH client;
a signature module 203, configured to sign the login data with the private key corresponding to the user's biometric feature if the TEE device acquires that biometric feature, obtain signature data, and return the signature data to the SSH client;
a second sending module 204, configured to send the signature data to an SSH server through the SSH client;
and a verification connection module 205, configured to search, through the SSH server, a public key library for a public key that verifies the signature data, record the user to whom the successfully verifying public key belongs, authenticate the login data obtained after successful verification, and allow the SSH client to establish the connection if authentication passes.
In a specific embodiment, as shown in Fig. 4, the device further comprises a generating module 206, configured to: acquire the user's biometric feature;
generate a key pair comprising a private key and a public key based on the user's biometric feature; and store the private key in the TEE device and the public key in the SSH server's public key library.
In a specific embodiment, the biometric feature comprises at least one of a fingerprint, an iris and a face image; the login data comprises a user name and a password.
Furthermore, the device comprises a prompting module, configured to prompt the user to present a biometric feature on the TEE device after the SSH client has sent the login data to the TEE device.
In a specific embodiment, the signature module 203 is configured to: if the TEE device acquires the user's biometric feature, have the TEE device perform identity verification on that biometric feature and, only after verification passes, sign the login data with the private key corresponding to that biometric feature.
In a specific embodiment, the second sending module 204 is configured to: encrypt the signature data through the SSH client to obtain encrypted data and send the encrypted data to the SSH server;
and the device further comprises a decryption module, configured to decrypt the encrypted data through the SSH server to obtain the signature data before the SSH server searches the public key library to verify the signature data.
In a specific embodiment, the device further comprises:
a rejecting module, configured to refuse to let the SSH client establish the connection if every public key in the public key library has been tried without a successful signature verification, or if authentication of the login data fails.
In a specific embodiment, the device further comprises a feedback module, configured to return the signature verification result and the login data authentication result to the SSH client through the SSH server.
Example 3
The embodiment 3 of the invention also discloses a terminal, which comprises a memory and a processor, wherein the memory stores a computer program, and the processor runs the computer program to enable the processor to execute the method for establishing connection in the embodiment 1.
Example 4
Embodiment 4 of the present invention also discloses a storage medium having stored thereon a computer program which, when executed by a processor, implements the method for establishing a connection described in embodiment 1.
In the several embodiments provided in this application, it should be understood that the disclosed apparatus and method may be implemented in other manners as well. The apparatus embodiments described above are merely illustrative, for example, of the flow diagrams and block diagrams in the figures, which illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules or units in various embodiments of the invention may be integrated together to form a single part, or the modules may exist alone, or two or more modules may be integrated to form a single part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present invention, in essence or in the part contributing to the prior art or in a part of the technical solution, may be embodied in the form of a software product stored in a storage medium and comprising several instructions for causing a computer device (which may be a smart phone, a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or other various media capable of storing program code.
The foregoing is merely illustrative of the present invention, and the present invention is not limited thereto, and any person skilled in the art will readily recognize that variations or substitutions are within the scope of the present invention.

Claims (9)

1. A method of establishing a connection, comprising:
acquiring login data through an SSH client;
sending the login data to a TEE device through the SSH client;
if the TEE device acquires the biological identity characteristic of the user, signing the login data with the private key corresponding to that biological identity characteristic to obtain signature data and feeding the signature data back to the SSH client;
encrypting the signature data through the SSH client to obtain encrypted data and sending the encrypted data to an SSH server;
decrypting the encrypted data through the SSH server to obtain the signature data, searching the public key library through the SSH server to verify the signature data, recording the user corresponding to the public key for which verification succeeded, authenticating the login data obtained after successful verification, and allowing the SSH client to establish the connection if the authentication passes.
2. The method as recited in claim 1, further comprising:
acquiring biological identity characteristics of a user;
generating a key pair comprising a private key and a public key based on the biometric characteristic of the user;
storing the private key in the TEE device and the public key in a public key library of the SSH server.
3. The method of claim 1, wherein the biological identity characteristic comprises at least one of a fingerprint, an iris image and a face image; the login data comprises a user name and a password;
after the login data is sent to the TEE device by the SSH client, the method further includes:
prompting a user to input a biometric characteristic on the TEE device.
4. The method of claim 1, wherein, if the TEE device acquires the biological identity characteristic of the user, signing the login data with the private key corresponding to the biological identity characteristic comprises:
if the TEE device acquires the biological identity characteristic of the user, the TEE device performs identity verification on the biological identity characteristic, and after the identity verification passes, the private key corresponding to the biological identity characteristic is used to sign the login data.
5. The method as recited in claim 1, further comprising:
if the public key library has been traversed without any public key verifying the signature data, or if authentication of the login data fails, the SSH client is refused the connection.
6. The method of claim 1 or 5, further comprising:
and feeding back a signature verification result and a login data authentication result to the SSH client through the SSH server.
7. An apparatus for establishing a connection, comprising:
the acquisition module is used for acquiring login data through the SSH client;
the first sending module is used for sending the login data to the TEE equipment through the SSH client;
the signature module is used for signing the login data with the private key corresponding to the biological identity characteristic if the TEE device acquires the biological identity characteristic of the user, so as to obtain signature data, and for feeding the signature data back to the SSH client;
the second sending module is used for encrypting the signature data through the SSH client to obtain encrypted data and sending the encrypted data to an SSH server;
the verification connection module is used for decrypting the encrypted data through the SSH server to obtain the signature data, searching the public key library through the SSH server to verify the signature data, recording the user corresponding to the public key for which verification succeeded, authenticating the login data obtained after successful verification, and allowing the SSH client to establish the connection if the authentication passes.
8. A terminal comprising a memory and a processor, the memory storing a computer program, the processor running the computer program to cause the processor to perform the method of establishing a connection according to any of claims 1-6.
9. A storage medium having stored thereon a computer program which, when executed by a processor, implements a method of establishing a connection according to any of claims 1-6.
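The two-factor flow described in the summary above and in claims 1 to 6, as an added example written here in Go (not the patent's own code): the TEE device releases an Ed25519 signature over the login data only for an enrolled biometric, and the SSH server traverses its public key library, records the user of the key that verifies, and only then checks the password. Assumed: the biometric match is modelled as a hash lookup of a constructed template, the key pair is generated randomly and bound to the biometric rather than derived from it, and the encryption of the signature data between client and server (claim 1) is left to the SSH transport.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// LoginData is the user name and password the SSH client collects.
type LoginData struct{ User, Password string }

func (l LoginData) bytes() []byte { return []byte(l.User + "\x00" + l.Password) }

// TEEDevice keeps private keys bound to a hash of the enrolled biometric template (a
// constructed stand-in for the biometric matching a real TEE performs).
type TEEDevice struct{ Keys map[[32]byte]ed25519.PrivateKey }

// SSHServer holds the public key library (user -> key) and a constructed password store.
type SSHServer struct {
	PubKeys   map[string]ed25519.PublicKey
	Passwords map[string]string
}

// Enroll keeps a fresh private key in the TEE bound to the biometric and publishes the
// public key to the server library (assumption: random pair bound to the biometric).
func Enroll(t *TEEDevice, s *SSHServer, user string, bio []byte) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	t.Keys[sha256.Sum256(bio)] = priv
	s.PubKeys[user] = pub
	return nil
}

// Sign releases a signature only if the presented biometric matches an enrolled one.
func (t *TEEDevice) Sign(bio []byte, l LoginData) ([]byte, bool) {
	if priv, ok := t.Keys[sha256.Sum256(bio)]; ok {
		return ed25519.Sign(priv, l.bytes()), true
	}
	return nil, false
}

// Authenticate traverses the library; the verifying key names the user (first factor), who
// must own the login name; then the password is checked (second factor); else refuse.
func (s *SSHServer) Authenticate(sig []byte, l LoginData) (user string, allowed bool) {
	for u, pub := range s.PubKeys {
		if ed25519.Verify(pub, l.bytes(), sig) {
			user = u
			break
		}
	}
	if user == "" || user != l.User || s.Passwords[l.User] != l.Password {
		return user, false
	}
	return user, true
}
```

Because the signature covers the user name and password together, a signature captured for one password cannot be replayed with another, and the recorded user gives the audit trail the summary describes.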
CN202111361687.8A 2021-11-17 2021-11-17 Method, device, terminal and storage medium for establishing connection Active CN114070571B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111361687.8A CN114070571B (en) 2021-11-17 2021-11-17 Method, device, terminal and storage medium for establishing connection

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111361687.8A CN114070571B (en) 2021-11-17 2021-11-17 Method, device, terminal and storage medium for establishing connection

Publications (2)

Publication Number Publication Date
CN114070571A CN114070571A (en) 2022-02-18
CN114070571B true CN114070571B (en) 2024-01-12

Family

ID=80273599

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111361687.8A Active CN114070571B (en) 2021-11-17 2021-11-17 Method, device, terminal and storage medium for establishing connection

Country Status (1)

Country Link
CN (1) CN114070571B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116996873A (en) * 2023-04-11 2023-11-03 支付宝(杭州)信息技术有限公司 Security environment body checking method and system based on wireless signals

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103701919A (en) * 2013-12-31 2014-04-02 曙光云计算技术有限公司 Remote login method and system
US8868913B1 (en) * 2011-09-29 2014-10-21 Juniper Networks, Inc. Automatically authenticating a host key via a dynamically generated certificate using an embedded cryptographic processor
CN105659520A (en) * 2013-11-25 2016-06-08 迈克菲股份有限公司 Secure proxy to protect private data
CN107612940A (en) * 2017-10-31 2018-01-19 飞天诚信科技股份有限公司 A kind of identity identifying method and authentication device
CN110035071A (en) * 2019-03-26 2019-07-19 南瑞集团有限公司 A kind of long-range double factor mutual authentication method, client and server-side towards industrial control system
CN110351228A (en) * 2018-04-04 2019-10-18 阿里巴巴集团控股有限公司 Remote entry method, device and system
WO2019246573A1 (en) * 2018-06-22 2019-12-26 Avi Networks A statistical approach for augmenting signature detection in web application firewall
CN112153038A (en) * 2020-09-18 2020-12-29 山东英信计算机技术有限公司 Method and device for secure login, authentication terminal and readable storage medium
WO2021127575A1 (en) * 2019-12-20 2021-06-24 HYPR Corp. Secure mobile initiated authentication

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110252459A1 (en) * 2010-04-12 2011-10-13 Walsh Robert E Multiple Server Access Management
GB201010546D0 (en) * 2010-06-23 2010-08-11 Applied Neural Technologies Ltd Method of indentity verification
CN105704123B (en) * 2016-01-08 2017-09-15 腾讯科技(深圳)有限公司 A kind of methods, devices and systems for carrying out business processing
US11868995B2 (en) * 2017-11-27 2024-01-09 Nok Nok Labs, Inc. Extending a secure key storage for transaction confirmation and cryptocurrency
US11178148B2 (en) * 2018-08-21 2021-11-16 HYPR Corp. Out-of-band authentication to access web-service with indication of physical access to client device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant