CN114710340A - Security authentication system and method - Google Patents


Publication number: CN114710340A
Authority: CN (China)
Legal status: Granted (as listed by Google Patents; not a legal conclusion)
Application number: CN202210307046.2A
Other languages: Chinese (zh)
Other versions: CN114710340B (en)
Inventors: 杨旭, 吕文俊, 杜强, 薛霁, 李梁
Current assignees (as listed by Google Patents): Shenzhou Lvmeng Chengdu Technology Co ltd; Nsfocus Technologies Inc; Nsfocus Technologies Group Co Ltd
Original assignees: Shenzhou Lvmeng Chengdu Technology Co ltd; Nsfocus Technologies Inc; Nsfocus Technologies Group Co Ltd
Application filed by Shenzhou Lvmeng Chengdu Technology Co ltd, Nsfocus Technologies Inc and Nsfocus Technologies Group Co Ltd (priority application CN202210307046.2A). Events: publication of CN114710340A; application granted; publication of CN114710340B. Current legal status: active.

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L 63/00 Network architectures or network communication protocols for network security
                    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
                • H04L 67/00 Network arrangements or protocols for supporting network services or applications
                    • H04L 67/01 Protocols
                        • H04L 67/10 Protocols in which an application is distributed across nodes in the network
                            • H04L 67/104 Peer-to-peer [P2P] networks

Abstract

The application discloses a security authentication system, method, apparatus, device and medium for improving the timeliness and accuracy of the security authentication of a terminal. In the prior art, the terminal must send its environment information across the network to an environment-aware server, and security authentication of the terminal rests on that single server. In this application, the security score of the terminal can instead be determined by any other terminal in the same P2P network, which reduces the risk of a single point of failure; and because P2P communication within the network is more stable and closer to real time than cross-network communication, the timeliness and accuracy of the terminal's security authentication are improved.

Description

Security authentication system and method
Technical Field
The present application relates to the field of network security technologies, and in particular, to a security authentication system, method, apparatus, device, and medium.
Background
Zero trust is a network security model proposed in 2010 by a principal analyst at the research firm Forrester. It discards default trust and follows the principle of "never trust, always verify", establishing a dynamic security architecture that is centered on identity, has continuous authentication, dynamic access control, authorization, auditing and monitoring at its core, takes minimal real-time authorization as its core and a multidimensional trust algorithm as its basis, and extends authentication to the endpoint. Within it, context awareness (environment sensing) and identity authentication are the heart of the whole security architecture.
Zero trust has not been around for long and inevitably still has shortcomings. For example, the scheme commonly used in existing zero-trust deployments to combine environment awareness with identity authentication is as follows:
The terminal (environment-aware terminal) uploads its local environment information to the environment-aware server at regular intervals, and the environment-aware server performs security authentication of the terminal based on that information. Specifically, when a user triggers an access request on a terminal, the terminal sends the terminal's identification information and the user's identity information to the authentication server; the authentication server extracts the terminal identification information and sends the environment-aware server a security authentication request asking whether the terminal is safe; the environment-aware server authenticates the terminal based on the stored environment information of that terminal and returns the security authentication result to the authentication server. If the returned result is that the terminal's security risk is too high, the authentication server blocks the terminal's access request; otherwise it proceeds with the subsequent identity authentication process.
In this existing method the terminal must upload its local environment information to the environment-aware server over the network, and the environment-aware server alone authenticates the terminal. This carries a single-point-of-failure risk: if the environment-aware server fails, the terminal may not be able to be authenticated at all. It also carries a timeliness risk: if the network fails, the terminal may not be able to upload its latest environment information in time, so the terminal may not be authenticated accurately and promptly. A technical solution that improves the timeliness and accuracy of the security authentication of a terminal is therefore needed.
Disclosure of Invention
The application provides a security authentication system, method, apparatus, device and medium for improving the timeliness and accuracy of the security authentication of a terminal.
In a first aspect, the application provides a security authentication system comprising a terminal, an authentication server, and a plurality of other terminals located in the same peer-to-peer (P2P) network as the terminal, where:
the terminal is configured to send a first authentication request to a target other terminal in the P2P network when it receives an access request for any application installed on the terminal, the first authentication request carrying the terminal's identification information;
the target other terminal is configured to look up, according to the identification information, the target environment information corresponding to the terminal with that identification information in the environment information it has stored; to determine a security score for the terminal according to whether the target environment information contains set risk environment information; and to send the security score to the terminal;
the terminal is further configured to send a second authentication request carrying the security score to the authentication server;
and the authentication server is configured to perform security authentication of the terminal's environment information according to the security score and a preset score threshold.
In a second aspect, the application provides a security authentication method applied to a first terminal, comprising:
when an access request for any application installed on the terminal is received, sending a first authentication request to a target other terminal among the plurality of other terminals located in the same P2P network as the terminal, the first authentication request carrying the terminal's identification information;
receiving the security score sent by the target other terminal, where the security score was determined by the target other terminal by looking up, according to the identification information, the target environment information corresponding to the terminal in its stored environment information and checking whether that target environment information contains set risk environment information;
sending a second authentication request carrying the security score to an authentication server, so that the authentication server performs security authentication of the terminal's environment information according to the security score and a preset score threshold.
In a third aspect, the application provides a security authentication method applied to a second terminal, comprising:
receiving a first authentication request sent by a first terminal located in the same P2P network as the second terminal when the first terminal receives an access request for any application installed on it, the first authentication request carrying the first terminal's identification information;
looking up, according to the identification information, the target environment information corresponding to the first terminal in the stored environment information; determining a security score for the first terminal according to whether the target environment information contains set risk environment information; and sending the security score to the first terminal, so that the first terminal sends a second authentication request carrying the security score to an authentication server, which performs security authentication of the first terminal's environment information according to the security score and a preset score threshold.
In a fourth aspect, the application provides a security authentication method applied to an authentication server, comprising:
receiving a second authentication request carrying a security score, sent by a terminal after it received the security score from a target other terminal among the plurality of other terminals located in the same P2P network as the terminal; the security score having been determined by the target other terminal after the terminal, on receiving an access request for any application installed on it, sent the target other terminal a first authentication request carrying its identification information, and the target other terminal looked up the target environment information corresponding to that identification information in its stored environment information and checked whether it contains set risk environment information;
and performing security authentication of the terminal's environment information according to the security score and a preset score threshold.
In a fifth aspect, the application provides a security authentication method applied to an environment-aware server, comprising:
receiving a first join request sent by a terminal that wants to join a P2P network, the first join request carrying the terminal's authentication information;
judging whether the authentication information is the set compliance authentication information and, if so, looking up, among the network addresses stored for the P2P networks, the target P2P network to which the target network address contained in the authentication information belongs, and sending the network identification of the target P2P network, the identifiers of the existing terminals already in the target P2P network, and join verification information to the terminal; also sending the join verification information to the existing terminals in the target P2P network. The terminal, on receiving the network identification, the existing terminal identifiers and the join verification information, sends a second join request to a target existing terminal (one of the existing terminal identifiers) in the P2P network identified by the network identification; the target existing terminal then verifies whether the terminal may join the target P2P network according to whether the join verification information carried in the second join request matches the join verification information it received from the environment-aware server.
In a sixth aspect, the application provides a security authentication apparatus comprising:
a first sending module configured to send, when an access request for any application installed on a terminal is received, a first authentication request to a target other terminal among the plurality of other terminals located in the same P2P network as the terminal, the first authentication request carrying the terminal's identification information;
a first receiving module configured to receive the security score sent by the target other terminal, the security score having been determined by the target other terminal by looking up the target environment information corresponding to the identification information in its stored environment information and checking whether it contains set risk environment information;
and a second sending module configured to send a second authentication request carrying the security score to an authentication server, so that the authentication server performs security authentication of the terminal's environment information according to the security score and a preset score threshold.
In a seventh aspect, the application provides a security authentication apparatus comprising:
a second receiving module configured to receive a first authentication request sent by a first terminal located in the same P2P network as a second terminal when the first terminal receives an access request for any application installed on it, the first authentication request carrying the first terminal's identification information;
and a first determining module configured to look up, according to the identification information, the target environment information corresponding to the first terminal in the stored environment information; to determine a security score for the first terminal according to whether the target environment information contains set risk environment information; and to send the security score to the first terminal, so that the first terminal sends a second authentication request carrying the security score to an authentication server, which performs security authentication of the first terminal's environment information according to the security score and a preset score threshold.
In an eighth aspect, the application provides a security authentication apparatus comprising:
a third receiving module configured to receive a second authentication request carrying a security score, sent by a terminal after it received the security score from a target other terminal among the plurality of other terminals located in the same P2P network as the terminal; the security score having been determined by the target other terminal after the terminal, on receiving an access request for any application installed on it, sent the target other terminal a first authentication request carrying its identification information, and the target other terminal looked up the target environment information corresponding to that identification information in its stored environment information and checked whether it contains set risk environment information;
and an authentication module configured to perform security authentication of the terminal's environment information according to the security score and a preset score threshold.
In a ninth aspect, the application provides a security authentication apparatus comprising:
a fourth receiving module configured to receive a first join request sent by a terminal that wants to join a P2P network, the first join request carrying the terminal's authentication information;
and a join verification module configured to judge whether the authentication information is the set compliance authentication information and, if so, to look up, among the network addresses stored for the P2P networks, the target P2P network to which the target network address in the authentication information belongs, and to send the network identification of the target P2P network, the identifiers of the existing terminals already in the target P2P network, and join verification information to the terminal, and the join verification information to the existing terminals in the target P2P network; so that the terminal, on receiving the network identification, the existing terminal identifiers and the join verification information, sends a second join request to a target existing terminal in the P2P network identified by the network identification, and the target existing terminal verifies whether the terminal may join the target P2P network according to whether the join verification information carried in the second join request matches the join verification information it received from the environment-aware server.
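The join procedure of the fifth and ninth aspects above, as an added example that is not code from the patent or from its assignees. It simulates the environment-aware server, a joining terminal and the existing members of a P2P network: the server checks the compliance credential, picks the P2P network whose address range contains the target network address, and hands the same join verification token to the joiner and to every member; a member then admits the joiner only if the token in the second join request matches the one it received from the server. Several details are assumptions the text does not state: the compliance authentication information is modelled as an opaque credential string, networks are matched by CIDR range, and a member keys the token by joiner identifier and accepts it once only, so a captured token cannot be replayed. All identifiers, addresses and credentials are constructed sample data.

```python
from __future__ import annotations

import ipaddress
import secrets
from dataclasses import dataclass, field


@dataclass
class ExistingTerminal:
    """A member of a P2P network. It keeps the join verification info the
    environment-aware server pushed to it, keyed by joiner id (assumption:
    the text does not say how a member matches a token to a joiner)."""
    terminal_id: str
    pending_tokens: dict[str, str] = field(default_factory=dict)

    def receive_join_token(self, joiner_id: str, token: str) -> None:
        self.pending_tokens[joiner_id] = token

    def handle_second_join_request(self, joiner_id: str, token: str) -> bool:
        # Single use (pop), so a captured token cannot be replayed: assumption.
        expected = self.pending_tokens.pop(joiner_id, None)
        return expected is not None and secrets.compare_digest(expected, token)


@dataclass
class ContextAwareServer:
    """Holds the compliance credentials it accepts and, per P2P network, the
    address range and the current members (all constructed for the demo)."""
    compliant_credentials: set[str]
    networks: dict[str, tuple[ipaddress.IPv4Network, list[ExistingTerminal]]]

    def handle_first_join_request(self, auth_info: dict) -> dict | None:
        # 1. Is the authentication information the set compliance information?
        if auth_info.get("credential") not in self.compliant_credentials:
            return None
        # 2. Find the P2P network whose address range holds the target address.
        addr = ipaddress.ip_address(auth_info["target_network_address"])
        for net_id, (cidr, members) in self.networks.items():
            if addr not in cidr:
                continue
            # 3. Issue join verification info to the joiner and to every member.
            token = secrets.token_hex(16)
            for m in members:
                m.receive_join_token(auth_info["terminal_id"], token)
            return {"network_id": net_id,
                    "existing_terminal_ids": [m.terminal_id for m in members],
                    "join_token": token}
        return None


def join_p2p_network(server: ContextAwareServer, auth_info: dict,
                     token_override: str | None = None) -> bool:
    """The joining terminal's side: first join request to the server, then a
    second join request to one of the existing terminals it was told about.
    token_override lets the demo show a wrong token being rejected."""
    reply = server.handle_first_join_request(auth_info)
    if reply is None:
        return False
    # A real joiner would address the member by identifier inside the P2P
    # network; reaching it through the server object is only a demo shortcut.
    _, members = server.networks[reply["network_id"]]
    target = next(m for m in members if m.terminal_id == reply["existing_terminal_ids"][0])
    token = reply["join_token"] if token_override is None else token_override
    return target.handle_second_join_request(auth_info["terminal_id"], token)


def demo() -> dict[str, bool]:
    members = [ExistingTerminal("term-A"), ExistingTerminal("term-B")]
    server = ContextAwareServer(
        compliant_credentials={"cred-ok"},
        networks={"p2p-office": (ipaddress.ip_network("10.1.0.0/16"), members)},
    )
    good = {"terminal_id": "term-new", "credential": "cred-ok",
            "target_network_address": "10.1.4.7"}
    reply = server.handle_first_join_request(good)
    admitted = members[0].handle_second_join_request("term-new", reply["join_token"])
    replayed = members[0].handle_second_join_request("term-new", reply["join_token"])
    return {
        "compliant": admitted,
        "replay": replayed,
        "bad_credential": join_p2p_network(server, {**good, "credential": "cred-bad"}),
        "unknown_network": join_p2p_network(server, {**good, "target_network_address": "192.0.2.9"}),
        "wrong_token": join_p2p_network(server, good, token_override="0" * 32),
    }
```

The member never trusts anything the joiner says about itself: the only thing it compares is the token the server gave it directly against the token the joiner presents, which is the consistency check the text describes.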
In a tenth aspect, the application provides an electronic device comprising at least a processor and a memory, the processor being configured to implement the steps of any of the security authentication methods above when executing a computer program stored in the memory.
In an eleventh aspect, the application provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of any of the security authentication methods above.
In a twelfth aspect, the application provides a computer program product comprising computer program code which, when run on a computer, causes the computer to perform the steps of any of the security authentication methods above.
Because the security score of the terminal can be determined from the environment information of the terminal stored on any other terminal (the target other terminal) in the same P2P network, and the terminal's environment information can then be authenticated on the basis of that score, the application differs in two ways from the prior art, in which the terminal must send its environment information across the network to an environment-aware server and authentication rests on that single server. First, since any other terminal can determine the score, the risk of a single point of failure is reduced compared with relying on one environment-aware server. Second, the stability and real-time performance of communication within the P2P network are better than those of cross-network communication, so the timeliness and accuracy of the terminal's security authentication are improved.
Drawings
To illustrate the embodiments of the present application or the related art more clearly, the drawings needed for describing them are introduced briefly below. The drawings described here show only some embodiments of the application; those skilled in the art can derive other drawings from them.
FIG. 1 illustrates a security authentication system diagram provided in some embodiments;
fig. 2 is a schematic diagram illustrating a first security authentication process provided by some embodiments;
FIG. 3 illustrates a second security authentication process provided by some embodiments;
FIG. 4 illustrates a third security authentication process diagram provided by some embodiments;
FIG. 5 illustrates a fourth security authentication process provided by some embodiments;
fig. 6 illustrates a fifth security authentication process diagram provided by some embodiments;
fig. 7 is a schematic diagram illustrating a sixth security authentication process provided by some embodiments;
fig. 8 illustrates a seventh security authentication process diagram provided by some embodiments;
fig. 9 illustrates an eighth security authentication process provided by some embodiments;
fig. 10 is a schematic diagram illustrating a ninth security authentication process provided by some embodiments;
fig. 11 shows a schematic diagram of a first security authentication device provided in some embodiments;
fig. 12 is a schematic diagram of a second security authentication device provided in some embodiments;
fig. 13 shows a schematic diagram of a third security authentication device provided in some embodiments;
fig. 14 shows a schematic diagram of a fourth security authentication device provided in some embodiments;
fig. 15 is a schematic structural diagram of an electronic device according to some embodiments.
Detailed Description
In order to improve timeliness and accuracy of security authentication of a terminal, the application provides a security authentication system, a method, a device, equipment and a medium.
To make the purpose and embodiments of the present application clearer, the following will clearly and completely describe the exemplary embodiments of the present application with reference to the attached drawings in the exemplary embodiments of the present application, and it is obvious that the described exemplary embodiments are only a part of the embodiments of the present application, and not all of the embodiments.
It should be noted that the brief descriptions of the terms in the present application are only for the convenience of understanding the embodiments described below, and are not intended to limit the embodiments of the present application. These terms should be understood in their ordinary and customary meaning unless otherwise indicated.
The terms "first," "second," "third," and the like in the description and claims of this application and in the foregoing drawings are used for distinguishing between similar or analogous objects or entities and are not necessarily intended to limit the order or sequence in which they are presented unless otherwise indicated. It is to be understood that the terms so used are interchangeable under appropriate circumstances.
The terms "comprises" and "comprising," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a product or apparatus that comprises a list of elements is not necessarily limited to all elements expressly listed, but may include other elements not expressly listed or inherent to such product or apparatus.
The term "module" refers to any known or later developed hardware, software, firmware, artificial intelligence, fuzzy logic, or combination of hardware and/or software code that is capable of performing the functionality associated with that element.
Finally, it should be noted that: the above embodiments are only used for illustrating the technical solutions of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present application.
The foregoing description, for purposes of explanation, has been presented in conjunction with specific embodiments. However, the illustrative discussions above are not intended to be exhaustive or to limit the embodiments to the precise forms disclosed above. Many modifications and variations are possible in light of the above teaching. The embodiments were chosen and described in order to best explain the principles and the practical application, to thereby enable others skilled in the art to best utilize the embodiments and various embodiments with various modifications as are suited to the particular use contemplated.
Example 1:
Fig. 1 shows a schematic diagram of a security authentication system provided in some embodiments. The system comprises a terminal 11, an authentication server 12, and a plurality of other terminals 13 located in the same peer-to-peer (P2P) network as the terminal 11, where:
the terminal 11 is configured to send a first authentication request to a target other terminal 13 in the P2P network when it receives an access request for any application installed on the terminal 11, the first authentication request carrying the identification information of the terminal 11;
the target other terminal 13 is configured to look up, according to the identification information, the target environment information corresponding to the terminal 11 in its stored environment information; to determine a security score for the terminal 11 according to whether the target environment information contains set risk environment information; and to send the security score to the terminal 11;
the terminal 11 is further configured to send a second authentication request carrying the security score to the authentication server 12;
and the authentication server 12 is configured to perform security authentication of the environment information of the terminal 11 according to the security score and a preset score threshold.
In one possible embodiment, a user may initiate an access request to any application installed on a terminal 11 (a PC, a mobile device, and so on). To authenticate the terminal promptly and accurately, on receiving the access request the terminal 11 may send an authentication request (called the first authentication request for convenience) to all or some of the other terminals 13 in the same P2P network as itself (called the target other terminals for convenience). The target other terminal 13 may be any of the other terminals 13; in practice it is one that is currently working normally and not faulty. So that the other terminals 13 know which terminal needs to be authenticated, the first authentication request carries the identification information of the terminal 11. The form of this identification information can be set as required and is not limited by this application.
In one possible implementation, each terminal (environment-aware terminal) in the P2P network has a program installed that collects the terminal's own environment information. Each terminal in the same P2P network sends its own environment information to every other terminal in the network at a set frequency; alternatively, each terminal sends its current environment information to the other terminals whenever it detects that its own environment information has changed. Each terminal therefore stores the environment information of the other terminals in the same P2P network. The environment information of the terminal 11 may include, for example, its vulnerability information, installed-program information, file information and access-traffic information.
After the target other terminal 13 receives the first authentication request, it uses the identification information of the terminal 11 carried in the request to look up the environment information corresponding to the terminal 11 (called the target environment information for convenience) in its stored environment information, and determines the security score of the terminal 11 according to whether the target environment information contains the set risk environment information.
In one possible implementation, the risk environment information may include vulnerability information, program information, file information, and access traffic information, among other risk types. When determining the security score value of the terminal 11 according to whether the set risk environment information is included in the target environment information, the target other terminal 13 may determine the security score value of the terminal 11 based on whether target risk environment sub-information of each risk type exists in the target environment information. For example, the security score value of the terminal 11 may be determined based on whether unrepaired vulnerability information exists in the target environment information, whether program information that installation is not allowed exists (installation), whether virus file information exists, whether traffic attack information exists, and the like.
Specifically, for information of a risk type, i.e., vulnerability information, if unrepaired vulnerability information exists in the target environment information, the set lowest sub-score value (e.g., 0, etc.) may be determined as the sub-score value (referred to as a first sub-score value for convenience of description) corresponding to the vulnerability information.
Or, if there is unrepaired vulnerability information in the target environment information, the target deduction value corresponding to each existing unrepaired vulnerability may be determined based on the stored correspondence between vulnerability information and deduction values, and then the difference between the set highest sub-score value (such as 100 points) and the total target deduction value is determined as the first sub-score value corresponding to the vulnerability information. For example, if the unrepaired vulnerabilities included in the target environment information are vulnerability A and vulnerability B, where the target deduction value corresponding to vulnerability A is 10 points, the target deduction value corresponding to vulnerability B is 5 points, and the set highest sub-score value is 100 points, then 85 points may be determined as the first sub-score value corresponding to the vulnerability information.
And if the target environment information does not have the unrepaired vulnerability information, determining the set highest sub-score value as a first sub-score value corresponding to the vulnerability information.
For information of this risk type of program information, if there is program information that is not allowed to be installed (installed) in the target environment information, the set lowest sub-score value (e.g., 0, etc.) may be determined as a sub-score value (referred to as a second sub-score value for convenience of description) corresponding to the program information.
Alternatively, if there is information on programs that are not allowed to be installed in the target environment information, the target deduction value corresponding to each such program may be determined based on the stored correspondence between program information and deduction values, and then the difference between the set highest sub-score value (e.g., 100 points) and the target deduction value may be determined as the second sub-score value corresponding to the program information. The process of determining the second sub-score value corresponding to the program information is similar to the process of determining the first sub-score value corresponding to the vulnerability information, and is not repeated here.
And if the program information which is not allowed to be installed does not exist (is not installed) in the target environment information, the set highest sub-score value can be determined as a second sub-score value corresponding to the program information.
For the information of the risk type of the file information, if the virus file information exists in the target environment information, the set lowest sub-score value (for example, 0 point) may be determined as the sub-score value (for convenience of description, referred to as a third sub-score value) corresponding to the file information.
Or, if there is virus file information in the target environment information, the target deduction value corresponding to each existing virus file may be determined based on the stored correspondence between file information and deduction values, and then the difference between the set highest sub-score value (e.g., 100 points) and the target deduction value may be determined as the third sub-score value corresponding to the file information. The process of determining the third sub-score value corresponding to the file information is similar to the process of determining the first sub-score value corresponding to the vulnerability information, and is not repeated here.
And if the target environment information does not contain the virus file information, determining the set highest sub-score value as a third sub-score value corresponding to the file information.
For information of access traffic information, which is a risk type, if there is traffic attack information in the target environment information, the set lowest sub-score value (e.g., 0, etc.) may be determined as a sub-score value (for convenience of description, referred to as a fourth sub-score value) corresponding to the access traffic information.
Or, if there is traffic attack information in the target environment information, the target deduction value corresponding to the existing traffic attack information may be determined based on the stored correspondence between attack information (such as attack frequency) and deduction values, and then the difference between the set highest sub-score value (e.g., 100 points) and the target deduction value may be determined as the fourth sub-score value corresponding to the access traffic information. The process of determining the fourth sub-score value corresponding to the access traffic information is similar to the process of determining the first sub-score value corresponding to the vulnerability information, and is not repeated here.
And if the target environment information does not contain the traffic attack information, determining the set highest sub-score value as a fourth sub-score value corresponding to the access traffic information.
In a possible implementation manner, after the sub-score values (the first sub-score value, the second sub-score value, the third sub-score value, and the fourth sub-score value) corresponding to the target risk environment sub-information of each risk type are determined, the security score value of the terminal 11 may be determined according to the sub-score value corresponding to the target risk environment sub-information of each risk type and the corresponding preset weight coefficient. For example, for each risk type, the product of the sub-score value corresponding to the target risk environment sub-information of that risk type and the corresponding preset weight coefficient may be determined, and then the sum of these products over all risk types may be determined as the security score value of the terminal 11. For example, if the weight coefficient corresponding to the risk type of the vulnerability information is denoted the first weight coefficient, the weight coefficient corresponding to the risk type of the program information the second weight coefficient, the weight coefficient corresponding to the risk type of the file information the third weight coefficient, and the weight coefficient corresponding to the risk type of the access traffic information the fourth weight coefficient, the security score value of the terminal 11 may be: first sub-score value × first weight coefficient + second sub-score value × second weight coefficient + third sub-score value × third weight coefficient + fourth sub-score value × fourth weight coefficient. Each weight coefficient may be flexibly set according to requirements, and this is not specifically limited in this application.
After the target other terminal 13 determines the safety score value of the terminal 11, the determined safety score value may be transmitted to the terminal 11. After receiving the security score value sent by the target other terminal 13, the terminal 11 may send an authentication request (referred to as a second authentication request for convenience of description) carrying the security score value to the authentication server 12.
After receiving the second authentication request, the authentication server 12 may perform security authentication on the environment information of the terminal 11 according to the security score value carried in the second authentication request and a preset score threshold value. For example, if there are multiple target other terminals 13, the terminal 11 may send all the security score values that the plurality of target other terminals 13 determined for it to the authentication server 12; the authentication server 12 may then determine the minimum value, the maximum value, the average value, the sum, or the like of these security score values, and determine whether that minimum, maximum, average, or sum is greater than the corresponding preset score threshold value. If so, the environment information of the terminal 11 may be considered secure, and the security authentication result may be secure; if the minimum, maximum, average, or sum is not greater than the corresponding preset score threshold, the environment information of the terminal 11 may be considered insecure, and the security authentication result may be insecure.
In a possible implementation manner, if the security authentication result of the authentication server 12 on the environment information of the terminal 11 is secure, the authentication server 12 may further search, according to the identity information of the user (such as a user name and a password, etc. input by the user when accessing the application) carried in the second authentication request and the identification information of the terminal 11, security identity information (referred to as target security identity information for convenience of description) corresponding to the terminal 11 of the identification information from the stored security identity information, and then perform security authentication on the identity information of the terminal 11 by determining whether the identity information of the user carried in the second authentication request is consistent with the target security identity information. For example, when the identity information of the user carried in the second authentication request is consistent with the target secure identity information, the identity information is considered to be secure, the secure authentication result of the identity information is secure, and the user may be allowed to access the application corresponding to the access request. When the identity information of the user carried in the second authentication request is inconsistent with the target safety identity information, the identity information is considered to be unsafe, the safety authentication result of the identity information is unsafe, and the user is not allowed to access the application corresponding to the access request.
For example, the identity information of the user carried in the second authentication request may be information such as a user name and a password input by the user when accessing the application, and when the information such as the user name and the password carried in the second authentication request is completely consistent with the information such as the user name and the password in the target secure identity information, the identity information is considered to be secure, and the user may be allowed to access the application corresponding to the foregoing access request. When any information of the user name, the password and the like carried in the second authentication request is inconsistent with any information of the user name, the password and the like in the target security identity information, the identity information is considered to be unsafe, and the user may not be allowed to access the application corresponding to the access request.
For ease of understanding, the security authentication process provided by the present application is described below with a specific embodiment. Fig. 2 shows a schematic diagram of a first security authentication process provided in some embodiments, and as shown in fig. 2, the process includes the following steps:
S201: when receiving an access request for any application installed in the terminal 11 itself, the terminal 11 sends a first authentication request to another target terminal 13 in the same P2P network as the terminal 11 itself, where the first authentication request carries identification information of the terminal 11 itself.
S202: the target other terminal 13 searches target environment information corresponding to the terminal 11 of the identification information in the stored environment information according to the identification information carried in the first authentication request; determining a safety score value of the terminal 11 according to whether the target environment information contains set risk environment information; and sends the safe score value to the terminal 11 corresponding to the identification information.
S203: the terminal 11 sends a second authentication request carrying the security score value to the authentication server 12.
S204: the authentication server 12 performs security authentication on the environment information of the terminal 11 according to the security score value and a preset score threshold value; if the security authentication result for the environment information of the terminal 11 is secure, S205 is performed.
S205: the authentication server 12 searches the stored security identity information for the target security identity information corresponding to the terminal 11 according to the identity information of the user and the identification information of the terminal 11 carried in the second authentication request; and performs security authentication on the identity information of the terminal 11 according to whether the identity information carried in the second authentication request is consistent with the target security identity information.
In a possible embodiment, in order to perform security authentication on a terminal timely and accurately, after the terminal 11 receives the security score values sent by the target other terminals 13, it may first determine whether each received security score value is higher than a set minimum score threshold, and if each received security score value is higher than the set minimum score threshold, a step of sending a second authentication request carrying the security score value to the authentication server 12 may be performed. If any one of the safety score values is not higher than the set lowest score threshold, the subsequent step of sending a second authentication request carrying the safety score value to the authentication server 12 may not be performed, the environmental information of the terminal 11 may be directly considered to be unsafe, and a preset prompt message or the like may be output to prompt a manager or a user or the like to check the terminal 11.
For ease of understanding, the security authentication process provided by the present application is described below with a specific embodiment. Fig. 3 is a schematic diagram illustrating a second security authentication process provided in some embodiments, and as shown in fig. 3, the process includes the following steps:
S301: when receiving an access request for any application installed in the terminal 11 itself, the terminal 11 sends a first authentication request to another target terminal 13 in the same P2P network as the terminal 11 itself, where the first authentication request carries identification information of the terminal 11 itself.
S302: the target other terminal 13 searches target environment information corresponding to the terminal 11 of the identification information in the stored environment information according to the identification information carried in the first authentication request; determining a safety score value of the terminal 11 according to whether the target environment information contains set risk environment information; and sends the safe score value to the terminal 11 corresponding to the identification information.
S303: the terminal 11 determines whether the received safety score value is higher than a set minimum score threshold value, and if not, proceeds to S304; if yes, S305 is performed.
S304: output the preset prompt information indicating that the environment information is unsafe.
S305: the terminal 11 sends a second authentication request carrying the security score value to the authentication server 12.
S306: the authentication server 12 performs security authentication on the environment information of the terminal 11 according to the security score value and a preset score threshold value; if the security authentication result for the environment information of the terminal 11 is secure, S307 is performed.
S307: the authentication server 12 searches the stored security identity information for the target security identity information corresponding to the terminal 11 according to the identity information of the user and the identification information of the terminal 11 carried in the second authentication request; and performs security authentication on the identity information of the terminal 11 according to whether the identity information carried in the second authentication request is consistent with the target security identity information.
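The scoring rules described above (the first to fourth sub-score values in both the lowest-score and the deduction variant, the weighted sum), the authentication server's aggregation against a preset threshold, the identity check, and the terminal-side minimum score check of S303 can be followed end to end in the Python example below. It is an added illustration, not code from the patent or its assignees: the deduction tables, weight coefficients, thresholds, terminal identifiers, user names and passwords are constructed sample values, and storing a SHA-256 digest of the password instead of the password itself is an added choice, since the page only says the stored identity is compared for consistency.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from statistics import mean

LOWEST_SUB_SCORE = 0       # "set lowest sub-score value (e.g., 0)"
HIGHEST_SUB_SCORE = 100    # "set highest sub-score value (e.g., 100 points)"
MIN_SCORE_THRESHOLD = 50   # terminal-side minimum score threshold (S303); constructed value
# Authentication server thresholds, one per aggregation rule (S306); constructed values.
SERVER_SCORE_THRESHOLDS = {"min": 90, "max": 90, "average": 90, "sum": 180}
AGGREGATES = {"min": min, "max": max, "average": mean, "sum": sum}

# Constructed stand-ins for the stored "correspondence between risk information
# and deduction value"; every identifier below is hypothetical.
DEDUCTIONS = {
    "vulnerability": {"vuln-A": 10, "vuln-B": 5},
    "program": {"remote-admin-tool": 30},
    "file": {"trojan.exe": 100},
    "traffic": {"port-scan": 40},
}
WEIGHTS = {"vulnerability": 0.4, "program": 0.2, "file": 0.2, "traffic": 0.2}  # constructed


@dataclass
class EnvironmentInfo:
    """Risk findings of one terminal, one list per risk type named on the page."""
    vulnerability: list = field(default_factory=list)  # unrepaired vulnerabilities
    program: list = field(default_factory=list)        # programs not allowed to be installed
    file: list = field(default_factory=list)           # virus files
    traffic: list = field(default_factory=list)        # traffic attack indicators


def sub_score(risk_type, findings, strict=False):
    """strict=True: any finding gives the lowest sub-score (first variant on the page).
    strict=False: highest sub-score minus the deductions, floored at the lowest sub-score."""
    if not findings:
        return HIGHEST_SUB_SCORE
    if strict:
        return LOWEST_SUB_SCORE
    # A finding without a stored deduction gets the maximum deduction: a
    # conservative assumption that the page does not spell out.
    total = sum(DEDUCTIONS[risk_type].get(f, HIGHEST_SUB_SCORE) for f in findings)
    return max(LOWEST_SUB_SCORE, HIGHEST_SUB_SCORE - total)


def security_score(env, strict=False):
    """Page formula: sum over risk types of sub-score x weight coefficient."""
    return sum(sub_score(t, getattr(env, t), strict) * WEIGHTS[t] for t in WEIGHTS)


class PeerTerminal:
    """A 'target other terminal': stores the environment information peers send it
    and answers a first authentication request with a security score (S302)."""

    def __init__(self):
        self.env_store = {}

    def receive_environment(self, terminal_id, env):
        self.env_store[terminal_id] = env

    def handle_first_auth_request(self, terminal_id, strict=False):
        env = self.env_store.get(terminal_id)
        # A terminal this peer has no information about gets the lowest score (assumption).
        return LOWEST_SUB_SCORE if env is None else security_score(env, strict)


class AuthenticationServer:
    """Environment check (S306) followed by the identity check (S307)."""

    def __init__(self, secure_identity):
        self.secure_identity = secure_identity  # terminal_id -> (user name, SHA-256 hex of password)

    def handle_second_auth_request(self, terminal_id, scores, username, password, aggregate="min"):
        if not AGGREGATES[aggregate](scores) > SERVER_SCORE_THRESHOLDS[aggregate]:
            return "environment_unsafe"
        stored = self.secure_identity.get(terminal_id)
        if stored is None:
            return "identity_unsafe"
        digest = hashlib.sha256(password.encode()).hexdigest()
        name_ok = hmac.compare_digest(stored[0].encode(), username.encode())
        pass_ok = hmac.compare_digest(stored[1].encode(), digest.encode())
        return "allowed" if name_ok and pass_ok else "identity_unsafe"


def run_authentication(terminal_id, peers, server, username, password, aggregate="min"):
    """S301 to S307 from the requesting terminal's point of view."""
    scores = [p.handle_first_auth_request(terminal_id) for p in peers]
    if any(s <= MIN_SCORE_THRESHOLD for s in scores):
        return "environment_unsafe_local", scores  # S304: prompt locally, never contact the server
    return server.handle_second_auth_request(terminal_id, scores, username, password, aggregate), scores


def demo_setup():
    """Constructed sample deployment: two peers, two terminals, one authentication server."""
    peer_131, peer_132 = PeerTerminal(), PeerTerminal()
    peer_131.receive_environment("terminal-11", EnvironmentInfo(vulnerability=["vuln-A", "vuln-B"]))
    peer_132.receive_environment("terminal-11", EnvironmentInfo(vulnerability=["vuln-A"]))  # newer copy
    for p in (peer_131, peer_132):
        p.receive_environment("terminal-14", EnvironmentInfo(file=["trojan.exe"]))
    server = AuthenticationServer({
        "terminal-11": ("alice", hashlib.sha256(b"correct horse").hexdigest()),
        "terminal-14": ("bob", hashlib.sha256(b"hunter2").hexdigest()),
    })
    return [peer_131, peer_132], server
```

With `demo_setup()`, `run_authentication("terminal-11", peers, server, "alice", "correct horse")` returns `("allowed", [94.0, 96.0])`: the two peers hold different copies of terminal 11's environment information, so the choice of aggregation rule (minimum versus average) matters when the copies disagree. Terminal 14, which a peer has recorded as carrying a virus file, passes the local minimum check but fails the server's threshold, and a terminal no peer knows about never reaches the server at all.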
In the related art, when the environment information of a certain terminal (environment-aware terminal) carries a risk (is insecure), the risk may spread rapidly (drift laterally) to other terminals in the network through means such as intranet scanning, so that the security of the whole network is threatened. In the present application, when one terminal in the P2P network carries a risk, the other terminals can sense the risk quickly, and the security score value of the terminal at risk can be set to the lowest score value (the lowest score threshold) or the like, so that lateral drift of the risk is avoided and the security of the whole network is ensured to a certain extent.
For convenience of understanding, the security authentication process provided by the present application is described below with reference to a specific embodiment. Fig. 4 is a schematic diagram illustrating a third security authentication process provided by some embodiments, and as shown in fig. 4, the process includes:
the terminal 11 (environment-aware terminal) receives an access request for any application installed in the terminal 11 itself, and the terminal 11 sends a first authentication request to target other terminals (such as the target other terminal 131 and the target other terminal 132) located in the same P2P network as the terminal 11 itself, and requests the target other terminals (the target other terminal 131 and the target other terminal 132) to authenticate whether the environment information of the terminal 11 itself is safe. The first authentication request carries identification information of the terminal 11 itself.
The target other terminals (the target other terminal 131 and the target other terminal 132) search the stored environment information for the target environment information corresponding to the terminal 11 of the identification information according to the identification information carried in the first authentication request; determining a security score value (signature information) of the terminal 11 according to whether the target environment information includes the set risk environment information; and transmits the safe score value to the terminal 11.
The terminal 11 sends a second authentication request carrying the identity information of the user, the identification information of the terminal 11 and the security score value to the authentication server 12.
The authentication server 12 performs security authentication on the environment information of the terminal 11 according to the security score value and a preset score threshold value; if the security authentication result of the environment information of the terminal 11 is security, the authentication server 12 searches for target security identity information corresponding to the terminal 11 of the identification information from the stored security identity information according to the identity information of the user and the identification information of the terminal 11, which are carried in the second authentication request; and performing security authentication on the identity information of the terminal 11 (environment sensing terminal) according to whether the identity information carried in the second authentication request is consistent with the target security identity information.
Since the application can determine the safety score value of the terminal based on the environment information of the terminal stored in any other terminal (target other terminal) in the same P2P network as the terminal, and further can perform safety certification on the environment information of the terminal based on the safety score value, compared with the prior art that the terminal needs to send the environment information of the terminal to the environment sensing server across the network and perform safety certification on the environment information of the terminal based on one environment sensing server, on one hand, since the application can determine the safety score value of the terminal based on any other terminal, compared with the prior art that only one environment sensing server performs safety certification on the environment information of the terminal, the risk of single-point failure is reduced; on the other hand, because the stability and the real-time performance of the network communication based on P2P are superior to those of the cross-network communication, the timeliness and the accuracy of the security authentication of the terminal can be improved.
In addition, because the terminals (environment sensing terminals) in the related art need to transmit the environment information of the terminals to the environment sensing server across the network, the number of the environment information of the terminals also increases with the increasing number of the terminals (environment sensing terminals), and if the environment information of each terminal is required to be timely transmitted to the environment sensing server, the problem that the resources such as network bandwidth and the like need to be continuously subjected to horizontal capacity expansion exists. In the present application, because the environment information of the terminal is sent to other terminals in the same P2P network through the P2P network, in general, the P2P network is built in an intranet, and even if the number of terminals (environment-aware terminals) added to the same P2P network is increasing, it is usually not necessary to laterally expand the capacity of resources such as network bandwidth.
In addition, in the related art, the terminal (environment sensing terminal) sends the terminal environment information to the environment sensing server across the network, which generally cannot include the terminal access traffic information, but in the present application, the terminal environment information stored by another terminal located in the same P2P network as the terminal generally may include the terminal access traffic information, and in the present application, the other terminal may determine the security score of the terminal environment information more accurately based on the access traffic information, so that the accuracy of performing security authentication on the terminal environment information may be further improved.
In addition, in the related art, multiple devices such as a terminal, an environment sensing server, an authentication server and the like need to be linked in real time across a network to perform security authentication on the environment information of the terminal, the security authentication process is complex, and the requirements on the stability and the real-time performance of each device and the network are very high. In the application, the security authentication link of the environmental information of the terminal can be completed only on the basis of the terminal and the authentication server in the P2P network, the security authentication link of the environmental information does not need to be linked with the environment sensing server, the authentication process is simple, and the stability and the real-time performance of the authentication process are ensured.
In a possible implementation manner, the system provided by the embodiment of the present application may further include a context awareness server. When the terminal 11 needs to join a certain P2P network, a join request (referred to as a first join request for convenience of description) for joining the P2P network may be sent to the context aware server. Illustratively, the authentication information of the terminal 11 may be carried in the first join request. The authentication information of the terminal 11 may include information such as an operating system version and a network address of the terminal 11.
The context awareness server may receive the first join request sent by the terminal 11, and determine whether the authentication information carried in the first join request is the set compliance authentication information. Illustratively, when the operating system version of the terminal 11 is a set compliance version, the network address of the terminal 11 is a set compliance address, and the like, the authentication information carried in the first join request may be considered (determined) as the set compliance authentication information. On the other hand, when the os version of the terminal 11 is not the set compliance version, or the network address of the terminal 11 is not the set compliance address, etc., it may be considered (determined) that the authentication information carried in the first join request is not the set compliance authentication information.
In a possible implementation manner, when it is determined that the authentication information carried in the first join request is the set compliance authentication information, the P2P network (referred to as a target P2P network for convenience of description) to which the target network address belongs may be searched from the network addresses corresponding to the stored P2P networks according to the network addresses (referred to as target network addresses for convenience of description) in the authentication information, and then the network identification information of the target P2P network, the existing terminal identification information already joined in the target P2P network, and the join verification information are sent to the terminal 11. Meanwhile, the joining verification information may also be sent to an existing terminal in the joined target P2P network. The network identification information, the terminal identification information, and the authentication information may be flexibly set according to the requirement, which is not specifically limited in the present application. Illustratively, the encrypted random string and the like may be carried in the authentication information.
After receiving the network identification information sent by the context awareness server, the existing terminal identification information already joined in the target P2P network, and the joining verification information, the terminal 11 may send a joining request (referred to as a second joining request for convenience of description) to an existing terminal (referred to as a target existing terminal for convenience of description) corresponding to part or all of the existing terminal identification information (referred to as target existing terminal identification information for convenience of description) in the target P2P network corresponding to the network identification information. Optionally, the second join request may carry join authentication information received from the context awareness server.
The target existing terminal may receive the second join request sent by the terminal 11, and may verify whether to allow the terminal 11 to join the target P2P network after receiving the second join request. Specifically, when verifying whether to allow the terminal 11 to join the target P2P network, it may be determined whether the joining verification information carried in the second joining request is consistent with the joining verification information received by the target existing terminal from the context awareness server, and if so, the verification result of whether to allow the terminal 11 to join the target P2P network is: allowing the terminal 11 to join the target P2P network; if not, the verification result of whether the terminal 11 is allowed to join the target P2P network is: the terminal 11 is not allowed to join the target P2P network.
In one possible embodiment, if the verification result is that the terminal 11 is allowed to join the target P2P network, the target existing terminal may send join-allowed information to the terminal 11. The terminal 11 may join the target P2P network when receiving the join permission information sent by any target existing terminal.
For ease of understanding, the security authentication process provided by the present application is described below with a specific embodiment. Fig. 5 is a schematic diagram illustrating a fourth security authentication process provided in some embodiments, and as shown in fig. 5, the process includes the following steps:
S501: the terminal 11 sends a first join request for joining the P2P network to the context awareness server; the first join request carries authentication information of the terminal 11.
S502: the context awareness server receives the first join request sent by the terminal 11 and judges whether the authentication information is the set compliance authentication information; if so, it searches the network addresses corresponding to the stored P2P networks for the target P2P network to which the target network address in the authentication information belongs, and sends the network identification information of the target P2P network, the identification information of the existing terminals already joined in the target P2P network, and the join verification information to the terminal 11; it also sends the join verification information to the existing terminals that have joined the target P2P network.
S503: the terminal 11 receives the network identification information of the target P2P network, the existing terminal identification information already joined in the target P2P network, and the joining verification information sent by the context awareness server, and sends a second joining request to the target existing terminal corresponding to the target existing terminal identification information in the target P2P network corresponding to the network identification information.
S504: the target existing terminal verifies whether the terminal 11 is allowed to join the target P2P network according to whether the join verification information carried in the second join request is consistent with the join verification information received from the context awareness server, and if the verification result is that the terminal 11 is allowed to join the target P2P network, sends join permission information to the terminal 11.
S505: if the terminal 11 receives the join permission information sent by any target existing terminal, the terminal joins the target P2P network.
S506: the terminal 11 transmits its own environment information to a plurality of other terminals 13 located in the same P2P network as the terminal 11.
S507: when receiving an access request for any application installed in the terminal 11 itself, the terminal 11 sends a first authentication request to a target other terminal 13 among the other terminals located in the same P2P network as the terminal 11, where the first authentication request carries the identification information of the terminal 11.
S508: the target other terminal 13 searches, according to the identification information carried in the first authentication request, the stored environment information for the target environment information corresponding to the terminal 11 identified by the identification information; determines the security score value of the terminal 11 according to whether the target environment information contains the set risk environment information; and sends the security score value to the terminal 11 corresponding to the identification information.
S509: the terminal 11 judges whether the received security score value is higher than the set lowest score threshold; if not, S510 is performed; if so, S511 is performed.
S510: outputting prompt information indicating that the environment information is unsafe.
S511: the terminal 11 sends a second authentication request carrying the security score value to the authentication server 12.
S512: the authentication server 12 performs security authentication on the environment information of the terminal 11 according to the security score value and the preset score threshold; if the security authentication result for the environment information of the terminal 11 is secure, S513 is performed.
S513: the authentication server 12 searches, according to the identity information of the user and the identification information of the terminal 11 carried in the second authentication request and the stored security identity information, for the target security identity information corresponding to the terminal 11 identified by the identification information; and performs security authentication on the identity information of the terminal 11 according to whether the identity information carried in the second authentication request is consistent with the target security identity information.
For convenience of understanding, the security authentication process provided by the present application is described below with reference to a specific embodiment. Fig. 6 shows a schematic diagram of a fifth security authentication process provided in some embodiments, and as shown in fig. 6, the process includes:
The terminal 11 (the context-aware terminal) sends a first join request (an online request) for joining the P2P network to the context-aware server; the first join request carries the authentication information of the terminal 11.
The context-aware server receives the first join request sent by the terminal 11 and judges whether the authentication information is the set compliant authentication information; if so, it searches, according to the target network address in the authentication information, the network addresses corresponding to the stored P2P networks for the target P2P network to which the target network address belongs, and sends the network identification information of the target P2P network, the identification information of the existing terminals that have already joined the target P2P network, and the join verification information to the terminal 11; it also sends the join verification information to the existing terminals that have already joined the target P2P network (e.g., the target other terminal 131 and the target other terminal 132).
The terminal 11 receives the network identification information of the target P2P network, the identification information of the existing terminals that have already joined the target P2P network (e.g., the target other terminal 131 and the target other terminal 132), and the join verification information sent by the context-aware server, and sends a second join request to the target existing terminals (e.g., the target other terminal 131 and the target other terminal 132) corresponding to the target existing terminal identification information in the target P2P network corresponding to the network identification information.
The target existing terminals (e.g., the target other terminal 131 and the target other terminal 132) verify whether the terminal 11 is allowed to join the target P2P network according to whether the join verification information carried in the second join request is consistent with the join verification information received from the context-aware server, and send join permission information to the terminal 11 if the verification result is that the terminal 11 is allowed to join the target P2P network. The terminal 11 (the context-aware terminal) joins the target P2P network when it receives join permission information sent by any target existing terminal. The terminal 11 (the context-aware terminal) then sends its own environment information to the plurality of other terminals (e.g., the target other terminal 131 and the target other terminal 132) located in the same P2P network as the terminal 11. Each terminal located in the same P2P network sends its own environment information to every other terminal in that network.
The terminal interacts with the context-aware server only once, when it requests to join the P2P network, and does not need to interact with the context-aware server again when its environment information is subsequently security-authenticated.
Example 2:
Based on the same technical concept, the present application provides a security authentication method applied to a terminal (referred to as the first terminal for convenience of description), and fig. 7 is a schematic diagram of a sixth security authentication process provided in some embodiments; as shown in fig. 7, the process includes:
S701: when receiving an access request for any application installed in the terminal, sending a first authentication request to a target other terminal among a plurality of other terminals located in the same peer-to-peer (P2P) network as the terminal, where the first authentication request carries the identification information of the terminal.
S702: receiving the security score value sent by the target other terminal; the security score value is obtained by the target other terminal searching, according to the identification information, the stored environment information for the target environment information corresponding to the terminal identified by the identification information, and determining the security score value of the terminal according to whether the target environment information contains the set risk environment information.
S703: sending a second authentication request carrying the security score value to the authentication server, so that the authentication server performs security authentication on the environment information of the terminal according to the security score value and the preset score threshold.
In a possible implementation manner, after receiving the security score value sent by the target other terminal and before sending the second authentication request carrying the security score value to the authentication server, the method further includes:
judging whether the received security score value is higher than the set lowest score threshold, and if so, performing the subsequent step of sending the second authentication request carrying the security score value to the authentication server.
In a possible implementation manner, before sending the first authentication request to the target other terminal among the other terminals located in the same P2P network as the terminal, the method further includes:
sending a first join request for joining the P2P network to the context-aware server; the first join request carries the authentication information of the terminal;
receiving the network identification information of the target P2P network, the identification information of the existing terminals that have already joined the target P2P network, and the join verification information sent by the context-aware server; the network identification information of the target P2P network, the identification information of the existing terminals that have already joined the target P2P network, and the join verification information are sent when the context-aware server judges that the authentication information is the set compliant authentication information and, according to the target network address in the authentication information, finds the target P2P network to which the target network address belongs among the network addresses corresponding to the stored P2P networks;
sending a second join request to the target existing terminal corresponding to the target existing terminal identification information in the target P2P network corresponding to the network identification information, so that the target existing terminal verifies whether the terminal is allowed to join the target P2P network according to whether the join verification information carried in the second join request is consistent with the join verification information received from the context-aware server.
In one possible embodiment, the method further comprises:
if join permission information sent by any target existing terminal is received, joining the target P2P network.
In one possible embodiment, the method further comprises:
sending the terminal's own environment information to each other terminal located in the same P2P network as the terminal.
Example 3:
Based on the same technical concept, the present application provides a security authentication method applied to a terminal (referred to as the second terminal for convenience of description), and fig. 8 is a schematic diagram of a seventh security authentication process provided in some embodiments; as shown in fig. 8, the process includes:
S801: receiving a first authentication request, where the first authentication request is sent by a first terminal located in the same peer-to-peer (P2P) network as the second terminal when the first terminal receives an access request for any application installed in the first terminal, and the first authentication request carries the identification information of the first terminal.
S802: searching, according to the identification information, the stored environment information for the target environment information corresponding to the terminal identified by the identification information; determining the security score value of the first terminal according to whether the target environment information contains the set risk environment information; and sending the security score value to the first terminal, so that the first terminal sends a second authentication request carrying the security score value to the authentication server and the authentication server performs security authentication on the environment information of the first terminal according to the security score value and the preset score threshold.
In one possible embodiment, the method further comprises:
receiving a second join request, where the second join request is sent by the first terminal when it receives the network identification information of the target P2P network, the identification information of the existing terminals that have already joined the target P2P network, and the join verification information sent by the context-aware server; the network identification information of the target P2P network, the identification information of the existing terminals that have already joined the target P2P network, and the join verification information are sent when the context-aware server receives a first join request for joining the P2P network sent by the first terminal, judges that the authentication information of the first terminal carried in the first join request is the set compliant authentication information, and searches, according to the target network address in the authentication information, the network addresses corresponding to the stored P2P networks for the target P2P network to which the target network address belongs;
and verifying whether the first terminal is allowed to join the target P2P network according to whether the join verification information carried in the second join request is consistent with the join verification information received from the context-aware server.
In one possible embodiment, the method further comprises:
if the verification result is that the first terminal is allowed to join the target P2P network, sending join permission information to the first terminal.
In a possible implementation manner, determining the security score value of the first terminal according to whether the target environment information contains the set risk environment information includes:
for each risk type contained in the risk environment information, judging whether target risk environment sub-information of that risk type exists in the target environment information; if not, determining the set highest sub-score value as the sub-score value corresponding to the target risk environment sub-information of that risk type; if the target environment information contains the target risk environment sub-information of that risk type, determining the set lowest sub-score value as the sub-score value corresponding to the target risk environment sub-information of that risk type; or, if the target environment information contains the target risk environment sub-information of that risk type, determining the target deduction value corresponding to the target risk environment sub-information of that risk type based on the stored correspondence between the risk environment sub-information of that risk type and deduction values, and determining the sub-score value corresponding to the target risk environment sub-information of that risk type based on the set highest sub-score value and the target deduction value;
and determining the security score value of the first terminal according to the sub-score value corresponding to the target risk environment sub-information of each risk type and the corresponding preset weight coefficient.
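The scoring of Example 3 together with the two threshold checks of S508 to S512, as an added Python illustration that is not the patent's code. Everything concrete in it is a constructed assumption: the risk types, the highest and lowest sub-score values, the deduction tables, the weight coefficients, both score thresholds, and the sample environment information stored by the peer.

```python
"""Peer-side security scoring and the terminal/server threshold checks (S508 to S512, Example 3).

Added illustration, not the patent's code. Risk types, sub-score bounds, deduction tables,
weights, thresholds and the sample environment information are constructed assumptions.
"""
from typing import Dict, Optional, Set

HIGHEST_SUB_SCORE = 100.0   # "set highest sub-score value" (assumed)
LOWEST_SUB_SCORE = 0.0      # "set lowest sub-score value" (assumed)

# Stored correspondence between risk environment sub-information and deduction values,
# one table per risk type (constructed). The keys of each table are the "set risk
# environment information" that the peer looks for in a terminal's environment.
DEDUCTIONS: Dict[str, Dict[str, float]] = {
    "network":  {"open_wifi": 60.0, "unknown_proxy": 30.0},
    "device":   {"rooted": 100.0, "debugger_attached": 50.0},
    "software": {"outdated_os": 40.0, "unsigned_app": 25.0},
}
# Preset weight coefficient per risk type (constructed; the weights sum to 1).
WEIGHTS: Dict[str, float] = {"network": 0.3, "device": 0.5, "software": 0.2}

LOWEST_SCORE_THRESHOLD = 30.0   # terminal-side "set lowest score threshold", S509 (assumed)
PRESET_SCORE_THRESHOLD = 70.0   # authentication server "preset score threshold", S512 (assumed)


def sub_score(risk_type: str, env: Set[str], mode: str = "deduct") -> float:
    """Sub-score for one risk type, following the two variants given in Example 3.

    mode="binary": any matching risk sub-information yields the lowest sub-score.
    mode="deduct": the stored deduction of each matching item is taken off the highest
    sub-score (adding up several matches is a constructed choice; the patent speaks of
    one target sub-information per risk type), clamped at the lowest sub-score.
    """
    table = DEDUCTIONS[risk_type]
    hits = [item for item in env if item in table]
    if not hits:
        return HIGHEST_SUB_SCORE
    if mode == "binary":
        return LOWEST_SUB_SCORE
    return max(LOWEST_SUB_SCORE, HIGHEST_SUB_SCORE - sum(table[h] for h in hits))


def security_score(env: Set[str], mode: str = "deduct") -> float:
    """S508: weighted combination of the per-risk-type sub-scores."""
    return sum(WEIGHTS[rt] * sub_score(rt, env, mode) for rt in WEIGHTS)


class OtherTerminal:
    """A peer holding the environment information that other terminals sent it (S506)."""

    def __init__(self) -> None:
        self.env_store: Dict[str, Set[str]] = {}

    def receive_environment(self, terminal_id: str, env: Set[str]) -> None:
        self.env_store[terminal_id] = set(env)

    def handle_first_auth_request(self, terminal_id: str, mode: str = "deduct") -> Optional[float]:
        """S508: score the requester from its stored environment information.

        Returns None when nothing is stored for that identification information, so a
        requester cannot obtain a score under an unknown id (constructed choice).
        """
        env = self.env_store.get(terminal_id)
        return None if env is None else security_score(env, mode)


def terminal_decides(score: Optional[float]) -> str:
    """S509 to S511: only a score above the lowest threshold is forwarded to the
    authentication server; otherwise the terminal prompts that its environment is unsafe."""
    if score is not None and score > LOWEST_SCORE_THRESHOLD:
        return "send_second_authentication_request"
    return "prompt_environment_unsafe"


def server_authenticates_environment(score: float) -> bool:
    """S512: the environment information counts as secure when the score reaches the
    preset threshold (the patent does not fix the exact comparison; >= is assumed)."""
    return score >= PRESET_SCORE_THRESHOLD


# Constructed sample peer: T11 reported an unknown proxy and an outdated OS,
# T12 reported a rooted device on open Wi-Fi.
PEER = OtherTerminal()
PEER.receive_environment("T11", {"unknown_proxy", "outdated_os"})
PEER.receive_environment("T12", {"rooted", "open_wifi"})

if __name__ == "__main__":
    for tid in ("T11", "T12", "T99"):
        score = PEER.handle_first_auth_request(tid)
        print(tid, score, terminal_decides(score))
```

With these sample values T11 scores 83 and passes both checks, while T12 scores 32, which clears the terminal's lowest threshold but is refused by the authentication server.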
Example 4:
Based on the same technical concept, the present application provides a security authentication method applied to a server (referred to as the authentication server for convenience of description), and fig. 9 is a schematic diagram of an eighth security authentication process provided in some embodiments; as shown in fig. 9, the process includes:
S901: receiving a second authentication request carrying a security score value sent by the terminal; the second authentication request is sent by the terminal when it receives the security score value sent by a target other terminal among a plurality of other terminals located in the same peer-to-peer (P2P) network as the terminal; the security score value is obtained as follows: when the terminal receives an access request for any application installed in the terminal, it sends a first authentication request to the target other terminal, and the target other terminal searches, according to the identification information of the terminal carried in the first authentication request, the stored environment information for the target environment information corresponding to the terminal identified by the identification information, and determines the security score value of the terminal according to whether the target environment information contains the set risk environment information.
S902: performing security authentication on the environment information of the terminal according to the security score value and the preset score threshold.
In one possible embodiment, the method further comprises:
if the security authentication result for the environment information of the terminal is secure, searching, according to the identity information of the user and the identification information of the terminal carried in the second authentication request and the stored security identity information, for the target security identity information corresponding to the terminal identified by the identification information; and performing security authentication on the identity information of the terminal according to whether the identity information is consistent with the target security identity information.
Example 5:
Based on the same technical concept, the present application provides a security authentication method applied to a server (referred to as the context-aware server for convenience of description), and fig. 10 is a schematic diagram of a ninth security authentication process provided in some embodiments; as shown in fig. 10, the process includes:
S1001: receiving a first join request for joining a peer-to-peer (P2P) network sent by a terminal; the first join request carries the authentication information of the terminal.
S1002: judging whether the authentication information is the set compliant authentication information; if so, searching, according to the target network address in the authentication information, the network addresses corresponding to the stored P2P networks for the target P2P network to which the target network address belongs, and sending the network identification information of the target P2P network, the identification information of the existing terminals that have already joined the target P2P network, and the join verification information to the terminal; and sending the join verification information to the existing terminals that have already joined the target P2P network, so that the terminal, on receiving the network identification information, the existing terminal identification information and the join verification information, sends a second join request to the target existing terminal corresponding to the target existing terminal identification information in the target P2P network corresponding to the network identification information, and the target existing terminal verifies whether the terminal is allowed to join the target P2P network according to whether the join verification information carried in the second join request is consistent with the join verification information received from the context-aware server.
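The join exchange of S501 to S505, which Example 5 restates from the context-aware server's side, as an added Python simulation that is not the patent's code. Constructed assumptions: the authentication information is a terminal id, a credential and the terminal's network address; each stored P2P network is keyed by an address range and the longest matching prefix selects the target network; the join verification information is a random token; and the existing terminals are reached through an in-memory registry standing in for the P2P network.

```python
"""Join exchange of S501 to S505 (Example 5) as an added Python simulation, not the patent's code.

Constructed assumptions: authentication information = (terminal id, credential, network
address); stored P2P networks are keyed by address range (longest-prefix match); the join
verification information is a random token; peers are reached via an in-memory registry.
"""
import ipaddress
import secrets
from typing import Dict, List, Optional, Tuple


class ExistingTerminal:
    """A terminal already in a P2P network: receives the token in S502, verifies in S504."""

    def __init__(self, terminal_id: str) -> None:
        self.terminal_id = terminal_id
        # joining terminal id -> join verification information received from the server
        self.pending: Dict[str, str] = {}

    def receive_join_verification(self, joiner_id: str, verification: str) -> None:
        self.pending[joiner_id] = verification

    def handle_second_join_request(self, joiner_id: str, verification: str) -> bool:
        """S504: permit only when the carried value is consistent with the server's copy.
        The stored value is consumed, so a replayed second join request is refused
        (constructed choice; the patent does not specify this)."""
        expected = self.pending.pop(joiner_id, None)
        return expected is not None and secrets.compare_digest(expected, verification)


class ContextAwareServer:
    def __init__(self, compliant: Dict[str, str]) -> None:
        # "set compliant authentication information": terminal id -> accepted credential (constructed)
        self.compliant = compliant
        # stored P2P networks: network id -> (address range, existing terminals)
        self.networks: Dict[str, Tuple[ipaddress.IPv4Network, List[ExistingTerminal]]] = {}

    def register_network(self, network_id: str, cidr: str, members: List[ExistingTerminal]) -> None:
        self.networks[network_id] = (ipaddress.ip_network(cidr), list(members))

    def handle_first_join_request(
        self, terminal_id: str, credential: str, network_address: str
    ) -> Optional[Tuple[str, List[str], str]]:
        """S502: compliance check, target network lookup, token distribution.
        Returns (network id, existing terminal ids, join verification info) or None."""
        expected = self.compliant.get(terminal_id)
        if expected is None or not secrets.compare_digest(expected, credential):
            return None
        addr = ipaddress.ip_address(network_address)
        best: Optional[Tuple[str, ipaddress.IPv4Network, List[ExistingTerminal]]] = None
        for net_id, (cidr, members) in self.networks.items():
            if addr in cidr and (best is None or cidr.prefixlen > best[1].prefixlen):
                best = (net_id, cidr, members)
        if best is None:
            return None
        net_id, _, members = best
        verification = secrets.token_hex(16)
        for member in members:                      # second half of S502
            member.receive_join_verification(terminal_id, verification)
        return net_id, [m.terminal_id for m in members], verification


def join_p2p_network(
    server: ContextAwareServer,
    peers: Dict[str, ExistingTerminal],
    terminal_id: str,
    credential: str,
    network_address: str,
) -> Optional[str]:
    """S501, S503 and S505 from the joining terminal's side.
    Returns the id of the network joined, or None when refused at any stage."""
    reply = server.handle_first_join_request(terminal_id, credential, network_address)  # S501/S502
    if reply is None:
        return None
    net_id, existing_ids, verification = reply
    permitted = False
    for existing_id in existing_ids:                # S503: second join request to each target
        peer = peers.get(existing_id)
        if peer is not None and peer.handle_second_join_request(terminal_id, verification):
            permitted = True                        # S505: permission from any one suffices
    # A network with no existing terminal has nobody to verify; this simulation refuses.
    return net_id if permitted else None


if __name__ == "__main__":
    t131, t132 = ExistingTerminal("T131"), ExistingTerminal("T132")
    srv = ContextAwareServer({"T11": "cred-11"})
    srv.register_network("net-A", "10.0.0.0/24", [t131, t132])
    print(join_p2p_network(srv, {"T131": t131, "T132": t132}, "T11", "cred-11", "10.0.0.25"))
```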
Example 6:
Based on the same technical concept, the present application provides a security authentication device applied to the first terminal, and fig. 11 is a schematic diagram of a first security authentication device provided in some embodiments; as shown in fig. 11, the security authentication device includes:
a first sending module 111, configured to, when an access request for any application installed in the terminal is received, send a first authentication request to a target other terminal among a plurality of other terminals located in the same peer-to-peer (P2P) network as the terminal, where the first authentication request carries the identification information of the terminal;
a first receiving module 112, configured to receive the security score value sent by the target other terminal; the security score value is obtained by the target other terminal searching, according to the identification information, the stored environment information for the target environment information corresponding to the terminal identified by the identification information, and determining the security score value of the terminal according to whether the target environment information contains the set risk environment information;
a second sending module 113, configured to send a second authentication request carrying the security score value to the authentication server, so that the authentication server performs security authentication on the environment information of the terminal according to the security score value and the preset score threshold.
In a possible implementation manner, the second sending module 113 is further configured to judge whether the received security score value is higher than the set lowest score threshold, and if so, perform the subsequent step of sending the second authentication request carrying the security score value to the authentication server.
In a possible implementation manner, the first sending module 111 is further configured to send a first join request for joining the P2P network to the context-aware server; the first join request carries the authentication information of the terminal;
the first receiving module 112 is further configured to receive the network identification information of the target P2P network, the identification information of the existing terminals that have already joined the target P2P network, and the join verification information sent by the context-aware server; the network identification information of the target P2P network, the identification information of the existing terminals that have already joined the target P2P network, and the join verification information are sent when the context-aware server judges that the authentication information is the set compliant authentication information and, according to the target network address in the authentication information, finds the target P2P network to which the target network address belongs among the network addresses corresponding to the stored P2P networks;
the first sending module 111 is further configured to send a second join request to the target existing terminal corresponding to the target existing terminal identification information in the target P2P network corresponding to the network identification information, so that the target existing terminal verifies whether the terminal is allowed to join the target P2P network according to whether the join verification information carried in the second join request is consistent with the join verification information received from the context-aware server.
In a possible implementation manner, the first receiving module 112 is further configured to join the target P2P network if join permission information sent by any target existing terminal is received.
In a possible implementation manner, the first sending module 111 is further configured to send the terminal's own environment information to each other terminal located in the same P2P network as the terminal.
Example 7:
Based on the same technical concept, the present application provides a security authentication device applied to the second terminal, and fig. 12 is a schematic diagram of a second security authentication device provided in some embodiments; as shown in fig. 12, the security authentication device includes:
a second receiving module 121, configured to receive a first authentication request, where the first authentication request is sent by a first terminal located in the same peer-to-peer (P2P) network as the second terminal when the first terminal receives an access request for any application installed in the first terminal itself, and the first authentication request carries the identification information of the first terminal;
a first determining module 122, configured to search, according to the identification information, the stored environment information for the target environment information corresponding to the terminal identified by the identification information; determine the security score value of the first terminal according to whether the target environment information contains the set risk environment information; and send the security score value to the first terminal, so that the first terminal sends a second authentication request carrying the security score value to the authentication server and the authentication server performs security authentication on the environment information of the first terminal according to the security score value and the preset score threshold.
In a possible implementation manner, the second receiving module 121 is further configured to receive a second join request, where the second join request is sent by the first terminal when it receives the network identification information of the target P2P network, the identification information of the existing terminals that have already joined the target P2P network, and the join verification information sent by the context-aware server; the network identification information of the target P2P network, the identification information of the existing terminals that have already joined the target P2P network, and the join verification information are sent when the context-aware server receives a first join request for joining the P2P network sent by the first terminal, judges that the authentication information of the first terminal carried in the first join request is the set compliant authentication information, and searches, according to the target network address in the authentication information, the network addresses corresponding to the stored P2P networks for the target P2P network to which the target network address belongs;
and to verify whether the first terminal is allowed to join the target P2P network according to whether the join verification information carried in the second join request is consistent with the join verification information received from the context-aware server.
In a possible implementation manner, the first determining module 122 is further configured to send join permission information to the first terminal if the verification result is that the first terminal is allowed to join the target P2P network.
In a possible implementation manner, the first determining module 122 is specifically configured to judge, for each risk type contained in the risk environment information, whether target risk environment sub-information of that risk type exists in the target environment information; if not, determine the set highest sub-score value as the sub-score value corresponding to the target risk environment sub-information of that risk type; if the target environment information contains the target risk environment sub-information of that risk type, determine the set lowest sub-score value as the sub-score value corresponding to the target risk environment sub-information of that risk type; or, if the target environment information contains the target risk environment sub-information of that risk type, determine the target deduction value corresponding to the target risk environment sub-information of that risk type based on the stored correspondence between the risk environment sub-information of that risk type and deduction values, and determine the sub-score value corresponding to the target risk environment sub-information of that risk type based on the set highest sub-score value and the target deduction value;
and to determine the security score value of the first terminal according to the sub-score value corresponding to the target risk environment sub-information of each risk type and the corresponding preset weight coefficient.
Example 8:
Based on the same technical concept, the present application provides a security authentication device applied to the authentication server, and fig. 13 is a schematic diagram of a third security authentication device provided in some embodiments; as shown in fig. 13, the security authentication device includes:
a third receiving module 1301, configured to receive a second authentication request carrying a security score value sent by the terminal; the second authentication request is sent by the terminal when it receives the security score value sent by a target other terminal among a plurality of other terminals located in the same peer-to-peer (P2P) network as the terminal; the security score value is obtained as follows: when the terminal receives an access request for any application installed in the terminal, it sends a first authentication request to the target other terminal, and the target other terminal searches, according to the identification information of the terminal carried in the first authentication request, the stored environment information for the target environment information corresponding to the terminal identified by the identification information, and determines the security score value of the terminal according to whether the target environment information contains the set risk environment information;
an authentication module 1302, configured to perform security authentication on the environment information of the terminal according to the security score value and the preset score threshold.
In a possible implementation manner, the authentication module 1302 is further configured to, if the security authentication result for the environment information of the terminal is secure, search, according to the identity information of the user and the identification information of the terminal carried in the second authentication request and the stored security identity information, for the target security identity information corresponding to the terminal identified by the identification information; and perform security authentication on the identity information of the terminal according to whether the identity information is consistent with the target security identity information.
Example 9:
Based on the same technical concept, the present application provides a security authentication device applied to the context-aware server, and fig. 14 is a schematic diagram of a fourth security authentication device provided in some embodiments; as shown in fig. 14, the security authentication device includes:
a fourth receiving module 141, configured to receive a first join request for joining a peer-to-peer (P2P) network sent by the terminal; the first join request carries the authentication information of the terminal;
a join verification module 142, configured to judge whether the authentication information is the set compliant authentication information; if so, search, according to the target network address in the authentication information, the network addresses corresponding to the stored P2P networks for the target P2P network to which the target network address belongs, and send the network identification information of the target P2P network, the identification information of the existing terminals that have already joined the target P2P network, and the join verification information to the terminal; and send the join verification information to the existing terminals that have already joined the target P2P network, so that the terminal, on receiving the network identification information, the existing terminal identification information and the join verification information, sends a second join request to the target existing terminal corresponding to the target existing terminal identification information in the target P2P network corresponding to the network identification information, and the target existing terminal verifies whether the terminal is allowed to join the target P2P network according to whether the join verification information carried in the second join request is consistent with the join verification information received from the context-aware server.
Example 10:
Based on the same technical concept, the present application further provides an electronic device, and fig. 15 is a schematic structural diagram of an electronic device provided in some embodiments; as shown in fig. 15, the electronic device includes a processor 151, a communication interface 152, a memory 153 and a communication bus 154, where the processor 151, the communication interface 152 and the memory 153 communicate with each other through the communication bus 154;
the memory 153 stores therein a computer program which, when executed by the processor 151, causes the processor 151 to perform the steps of the security authentication method as described in any one of the above.
The communication bus mentioned in the electronic device may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown, but this is not intended to represent only one bus or type of bus.
The communication interface 152 is used for communication between the above-described electronic apparatus and other apparatuses.
The memory may include a random access memory (RAM) or a non-volatile memory (NVM), such as at least one disk memory. Optionally, the memory may also be at least one storage device located remotely from the processor.
The processor may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), and the like; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or the like.
Example 11:
Based on the same technical concept, embodiments of the present application provide a computer-readable storage medium in which a computer program executable by an electronic device is stored; when the program runs on the electronic device, the electronic device is caused to perform any of the steps of the security authentication method described above.
The computer readable storage medium may be any available medium or data storage device that can be accessed by a processor in an electronic device, including but not limited to magnetic memory such as floppy disks, hard disks, magnetic tape, magneto-optical disks (MOs), etc., optical memory such as CDs, DVDs, BDs, HVDs, etc., and semiconductor memory such as ROMs, EPROMs, EEPROMs, non-volatile memory (NAND FLASH), Solid State Disks (SSDs), etc.
Based on the same technical concept, the present application provides a computer program product, comprising: computer program code for causing a computer to perform the steps of the security authentication method as described in any one of the above when said computer program code is run on a computer.
In the above embodiments, the implementation may be realized in whole or in part by software, hardware, firmware, or any combination thereof, and may be realized in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions which, when loaded and executed on a computer, cause a process or function according to an embodiment of the application to be performed, in whole or in part.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (12)

1. A security authentication system, the system comprising: a terminal, an authentication server and a plurality of other terminals located in the same peer-to-peer (P2P) network as the terminal;
the terminal is used for sending a first authentication request to target other terminals in the P2P network when receiving an access request for any application installed in the terminal, wherein the first authentication request carries identification information of the terminal;
the target other terminals are used for searching, according to the identification information, the stored environment information for target environment information corresponding to the terminal identified by the identification information; determining a security score value of the terminal according to whether the target environment information contains set risk environment information; and sending the security score value to the terminal;
the terminal is further used for sending a second authentication request carrying the security score value to the authentication server;
and the authentication server is used for performing security authentication on the environment information of the terminal according to the security score value and a preset score threshold value.
2. The system according to claim 1, wherein the terminal is further configured to determine whether the received security score value is higher than a set minimum score threshold, and if so, perform the step of sending a second authentication request carrying the security score value to the authentication server.
3. The system according to claim 1, wherein the authentication server is further configured to, if the security authentication result of the environment information of the terminal is secure, search the stored security identity information, according to the identity information of the user and the identity information of the terminal carried in the second authentication request, for target security identity information corresponding to the terminal identified by the identity information; and perform security authentication on the identity information of the terminal according to whether the identity information is consistent with the target security identity information.
4. The system according to claim 1, wherein the target other terminal is all or a part of the plurality of other terminals.
5. The system of claim 1, further comprising: an environment-aware server;
the terminal is further used for sending a first join request for joining the P2P network to the environment-aware server; the first join request carries authentication information of the terminal;
the environment-aware server is configured to receive the first join request sent by the terminal, determine whether the authentication information is the set compliance authentication information and, if so, search, according to the target network address in the authentication information, the network addresses corresponding to the stored P2P networks for the target P2P network to which the target network address belongs, and send the network identification information of the target P2P network, the existing terminal identification information of terminals already joined to the target P2P network, and join verification information to the terminal; and send the join verification information to the existing terminals already joined to the target P2P network;
the terminal is further configured to receive the network identification information, the existing terminal identification information and the join verification information, and send a second join request to the target existing terminal corresponding to the target existing terminal identification information in the target P2P network corresponding to the network identification information;
the target existing terminal is configured to verify whether the terminal is allowed to join the target P2P network according to whether the join verification information carried in the second join request is consistent with the join verification information received from the environment-aware server.
6. The system according to claim 5, wherein the target existing terminal is further configured to send join permission information to the terminal if the verification result is that the terminal is permitted to join the target P2P network;
and the terminal is further configured to join the target P2P network if join permission information sent by any target existing terminal is received.
7. The system according to any of claims 1-6, wherein said terminal is further configured to send its own environment information to said plurality of other terminals.
8. The system according to claim 1, wherein the target other terminal is specifically configured to determine, for each risk type included in the risk environment information, whether target risk environment sub-information of that risk type exists in the target environment information; if not, determine the set highest sub-score value as the sub-score value corresponding to the target risk environment sub-information of that risk type; if the target environment information contains target risk environment sub-information of that risk type, determine the set lowest sub-score value as the sub-score value corresponding to the target risk environment sub-information of that risk type; or, if the target environment information contains target risk environment sub-information of that risk type, determine a target deduction value corresponding to the target risk environment sub-information of that risk type based on the stored correspondence between risk environment sub-information of that risk type and deduction values, and determine the sub-score value corresponding to the target risk environment sub-information of that risk type based on the set highest sub-score value and the target deduction value;
and determine the security score value of the terminal according to the sub-score value corresponding to the target risk environment sub-information of each risk type and the corresponding preset weight coefficient.
9. A security authentication method is applied to a first terminal, and comprises the following steps:
when receiving an access request for any application installed in the terminal, sending a first authentication request to target other terminals among a plurality of other terminals located in the same peer-to-peer (P2P) network as the terminal, wherein the first authentication request carries identification information of the terminal;
receiving the security score values sent by the target other terminals; wherein each security score value is obtained by the target other terminal searching, according to the identification information, the stored environment information for target environment information corresponding to the terminal identified by the identification information, and determining the security score value of the terminal according to whether the target environment information contains set risk environment information;
sending a second authentication request carrying the security score value to an authentication server, enabling the authentication server to perform security authentication on the environment information of the terminal according to the security score value and a preset score threshold value.
10. A security authentication method, applied to a second terminal, the method comprising:
receiving a first authentication request, wherein the first authentication request is sent by a first terminal located in the same peer-to-peer (P2P) network as the second terminal when the first terminal receives an access request for any application installed in it, and the first authentication request carries identification information of the first terminal;
searching, according to the identification information, the stored environment information for target environment information corresponding to the terminal identified by the identification information; determining a security score value of the first terminal according to whether the target environment information contains set risk environment information; sending the security score value to the first terminal, enabling the first terminal to send a second authentication request carrying the security score value to an authentication server, and enabling the authentication server to perform security authentication on the environment information of the first terminal according to the security score value and a preset score threshold value.
11. A security authentication method, applied to an authentication server, the method comprising:
receiving a second authentication request, sent by a terminal, which carries a security score value; wherein the second authentication request is sent by the terminal when it receives the security score values sent by target other terminals among a plurality of other terminals located in the same peer-to-peer (P2P) network as the terminal; and the security score value is obtained as follows: when the terminal receives an access request for any application installed in it, the terminal sends a first authentication request to the target other terminals, and the target other terminals search, according to the identification information of the terminal carried in the first authentication request, the stored environment information for target environment information corresponding to the terminal identified by the identification information, and determine the security score value of the terminal according to whether the target environment information contains set risk environment information;
and performing security authentication on the environment information of the terminal according to the security score value and a preset score threshold value.
12. A security authentication method, applied to an environment-aware server, the method comprising:
receiving a first join request, sent by a terminal, for joining a peer-to-peer (P2P) network; the first join request carries authentication information of the terminal;
determining whether the authentication information is the set compliance authentication information and, if so, searching, according to the target network address in the authentication information, the network addresses corresponding to the stored P2P networks for the target P2P network to which the target network address belongs, and sending the network identification information of the target P2P network, the existing terminal identification information of terminals already joined to the target P2P network, and join verification information to the terminal; sending the join verification information to the existing terminals already joined to the target P2P network; enabling the terminal to receive the network identification information, the existing terminal identification information and the join verification information, and to send a second join request to the target existing terminal corresponding to the target existing terminal identification information in the target P2P network corresponding to the network identification information; and enabling the target existing terminal to verify whether the terminal is allowed to join the target P2P network according to whether the join verification information carried in the second join request is consistent with the join verification information received from the environment-aware server.
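As an added worked example (not code from the patent or its assignee), the following Python models the two mechanisms the claims describe: the peer-computed security score with its terminal-side and server-side thresholds (claims 1, 2, 8, 9, 10 and 11) and the join verification flow run by the environment-aware server and the existing terminals (claims 5, 6 and 12, and the join verification module 142 above). The deduction table, the weights, the score thresholds, the prefix-based lookup of the target P2P network and the rule that a terminal forwards the lowest of several peer scores are assumptions made for the example; the patent fixes none of them.

```python
import hmac
import secrets

# Claim 8 parameters. These values are constructed for the example; the
# patent gives no concrete scores, deductions or weights.
HIGHEST_SUB_SCORE = 100
LOWEST_SUB_SCORE = 0
# risk type -> {risk environment sub-information: deduction value}
DEDUCTIONS = {
    "patch_state": {"critical_patch_missing": 60, "patch_overdue": 30},
    "malware": {"malware_detected": 100},
    "network": {"open_wifi": 20, "unknown_proxy": 40},
}
WEIGHTS = {"patch_state": 0.3, "malware": 0.5, "network": 0.2}


def sub_score(risk_type, env_info, use_deductions=True):
    """Sub-score for one risk type (claim 8): the set highest sub-score when no
    risky sub-information of that type is present; otherwise either the set
    lowest sub-score or highest minus the stored deductions (deduction variant)."""
    table = DEDUCTIONS[risk_type]
    hits = [item for item in env_info.get(risk_type, ()) if item in table]
    if not hits:
        return HIGHEST_SUB_SCORE
    if not use_deductions:
        return LOWEST_SUB_SCORE
    return max(LOWEST_SUB_SCORE, HIGHEST_SUB_SCORE - sum(table[h] for h in hits))


def security_score(env_info, use_deductions=True):
    """Weighted combination of the per-risk-type sub-scores (claim 8, last step)."""
    return sum(WEIGHTS[t] * sub_score(t, env_info, use_deductions) for t in WEIGHTS)


class PeerTerminal:
    """A 'target other terminal' that scores its peers (claims 1, 7 and 10)."""

    def __init__(self):
        self.env_store = {}  # terminal id -> environment info that terminal shared

    def score_for(self, terminal_id):
        env = self.env_store.get(terminal_id)
        # A peer that never received the terminal's environment returns no score.
        return None if env is None else security_score(env)


def request_access(terminal_id, peers, min_score, server_threshold):
    """Terminal side (claims 2 and 9) plus the server's check (claims 1 and 11).
    Assumption (not in the patent): with several peer scores the terminal
    forwards the lowest one. Returns (forwarded_to_server, authenticated)."""
    scores = [s for s in (p.score_for(terminal_id) for p in peers) if s is not None]
    if not scores:
        return False, False
    score = min(scores)
    if score < min_score:  # claim 2: below the terminal's own minimum, stop here
        return False, False
    return True, score >= server_threshold  # claims 1 and 11: server threshold


# ---- Joining the P2P network (claims 5, 6 and 12) ----

class EnvironmentAwareServer:
    def __init__(self, networks, compliant_auth_info):
        self.networks = networks  # network id -> (address prefix, member terminal ids)
        self.compliant_auth_info = compliant_auth_info  # set compliance auth info

    def handle_first_join(self, auth_info, target_address):
        """Returns (network id, existing terminal ids, join verification info) or None."""
        if auth_info not in self.compliant_auth_info:
            return None
        for net_id, (prefix, members) in self.networks.items():
            if target_address.startswith(prefix):  # assumed address-to-network rule
                return net_id, set(members), secrets.token_hex(16)
        return None


class ExistingTerminal:
    def __init__(self):
        self.expected_token = None

    def receive_join_token(self, token):
        self.expected_token = token  # distributed by the environment-aware server

    def handle_second_join(self, presented_token):
        """Permit the join only if the presented join verification information
        matches the server-distributed one; compared in constant time."""
        if self.expected_token is None:
            return False
        return hmac.compare_digest(self.expected_token, presented_token)


def join_network(server, existing, auth_info, target_address):
    """Complete join flow; `existing` maps terminal id -> ExistingTerminal.
    Returns the joined network id, or None if the join was refused."""
    reply = server.handle_first_join(auth_info, target_address)
    if reply is None:
        return None
    net_id, member_ids, token = reply
    for mid in member_ids:
        existing[mid].receive_join_token(token)  # server -> existing terminals
    # Claim 6: the terminal joins once any target existing terminal permits it.
    permitted = any(existing[mid].handle_second_join(token) for mid in member_ids)
    return net_id if permitted else None
```

The deduction variant of claim 8 is the default; `use_deductions=False` gives the variant that assigns the set lowest sub-score whenever risky sub-information is present. The join token is compared with `hmac.compare_digest` so that the comparison time does not depend on how much of a wrong token matches; the patent itself only requires that the two values be consistent.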
CN202210307046.2A 2022-03-25 2022-03-25 Security authentication system and method Active CN114710340B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210307046.2A CN114710340B (en) 2022-03-25 2022-03-25 Security authentication system and method

Publications (2)

Publication Number Publication Date
CN114710340A true CN114710340A (en) 2022-07-05
CN114710340B CN114710340B (en) 2023-05-23

Family

ID=82171604

Country Status (1)

Country Link
CN (1) CN114710340B (en)

Citations (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2004259020A (en) * 2003-02-26 2004-09-16 Kyocera Communication Systems Co Ltd Authentication system, program, storage medium, and authentication method
CN106790198A (en) * 2016-12-30 2017-05-31 北京神州绿盟信息安全科技股份有限公司 A kind of method for evaluating information system risk and system
US20180191697A1 (en) * 2016-12-31 2018-07-05 Entefy Inc. Multi-party authentication in a zero-trust distributed system
CN108924120A (en) * 2018-06-28 2018-11-30 电子科技大学 A kind of dynamic accesses control method of multi-dimensional state perception
WO2019103707A1 (en) * 2017-11-27 2019-05-31 Sagiroglu Zahid A credibility evaluation system and method
CN110889710A (en) * 2019-12-04 2020-03-17 腾讯科技(深圳)有限公司 Device information management method, server, and storage medium
CN111131235A (en) * 2019-12-23 2020-05-08 杭州安恒信息技术股份有限公司 Safety maintenance method, device, equipment and storage medium of business system
CN111917714A (en) * 2020-06-18 2020-11-10 云南电网有限责任公司信息中心 Zero trust architecture system and use method thereof
CN111935165A (en) * 2020-08-14 2020-11-13 中国工商银行股份有限公司 Access control method, device, electronic device and medium
CN111953633A (en) * 2019-05-15 2020-11-17 北京奇安信科技有限公司 Access control method and access control device based on terminal environment
CN113312674A (en) * 2021-06-18 2021-08-27 北京泰立鑫科技有限公司 Access security method and system based on multi-factor environment perception digital certificate
JP2021125115A (en) * 2020-02-07 2021-08-30 グローリー株式会社 Identity verification/authentication system and identity verification/authentication method
CN113326516A (en) * 2021-04-22 2021-08-31 远光软件股份有限公司 Block chain consensus method, block chain system and computer equipment
CN114024704A (en) * 2020-10-28 2022-02-08 北京八分量信息科技有限公司 Certificate distribution method in zero trust architecture
CN114157472A (en) * 2021-11-29 2022-03-08 深信服科技股份有限公司 Network access control method, device, equipment and storage medium

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
王刚;张英涛;杨正权;: "Building a closed access space based on zero trust", Information Security and Communications Privacy *
钟翔;郭玮;马勇;王明;: "Airport network security protection scheme based on a zero-trust security architecture", Journal of Civil Aviation *
陈汹;朱钰;封科;于同伟;: "Blockchain-based identity authentication for power system security and stability control terminals", Journal of Guangxi Normal University (Natural Science Edition) *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant