CN114726590A - Method for realizing login authentication without centralization in distributed system - Google Patents

Info

Publication number: CN114726590A
Authority: CN (China)
Prior art keywords: authority, node, token, user, information
Legal status: Granted
Application number: CN202210272137.7A
Other languages: Chinese (zh)
Other versions: CN114726590B (en)
Inventor: 曹亮
Current Assignee: Chongqing Mipas Technology Co ltd
Original Assignee: Chongqing Mipas Technology Co ltd
Application filed by Chongqing Mipas Technology Co ltd
Priority to CN202210272137.7A
Publication of CN114726590A
Application granted; publication of CN114726590B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/12 Applying verification of the received information
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication involving a third party or a trusted authority
    • H04L9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a method for realizing login authentication without centralization in a distributed system, comprising the following steps: S1, the client initiates a login authorization request to the login node, and the login node forwards the request to the service system; S2, the service system calculates the authority node and sends a basic information pre-authorization request to it; S3, the authority node returns a basic information temporary authorization token to the service system; S4, the service system returns the basic information temporary authorization token to the login node; S5, the login node requests the basic information authorization data from the authority node, and the authority node returns it to the login node; S6, the login node returns the basic information authorization data and an authorization Token to the client; S7, when the client calls a data operation interface of the service system, it transmits the Token, and the service system judges whether the interface needs authentication; if not, it calls the interface and returns the data. The invention can reduce the loss caused by data exposure.

Description

Method for realizing login authentication without centralization in distributed system
Technical Field
The invention relates to the field of authority management, in particular to a method for realizing login authentication without centralization in a distributed system.
Background
At present, most distributed systems are developed with a dedicated authority center that controls login and manages the authority information of the users in the system. This achieves unified management and control of authority, but two problems follow:
firstly, when the authority center is unavailable, all login authentication fails and the whole system is directly paralysed. Most developers use a cluster mode to achieve high availability, but the CAP theorem applies in the actual development of a distributed system: when a cluster is used, consistency, availability and partition tolerance are difficult to satisfy together, and many resources are consumed trying to guarantee all three as far as possible;
secondly, the security of the authority data: all authorities are stored together, so when a data leak occurs, every item of the user's authority information is leaked to the external system without exception, and if the authority information is stolen, the user's operations in the system can be impersonated. Compared with the first point, the risk of data leakage is totally unacceptable, so more software systems now advocate decentralisation.
Disclosure of Invention
The invention aims to solve at least the above technical problems in the prior art, and in particular provides a method for realizing login authentication in a decentralized manner in a distributed system.
In order to achieve the above object, the present invention provides a method for realizing login authentication without centralization in a distributed system, comprising the following steps:
S1, the client initiates a login authorization request to the login node, and the login node forwards the request to the service system;
S2, the service system acquires the authority node and sends a basic information pre-authorization request to the authority node;
S3, the authority node returns a basic information temporary authorization token to the service system;
S4, the service system returns the basic information temporary authorization token to the login node;
S5, the login node requests the basic information authorization data from the authority node, and the authority node returns it to the login node;
S6, the login node returns the basic information authorization data and an authorization Token to the client;
S7, when the client calls a data operation interface of the service system, the user identifier UK1 and the Token are transmitted, and the service system judges whether the interface needs authentication; if so, the next step is executed; if not, the interface is called and the data returned;
S8, when the interface needs authentication, the service system sends an authorization verification request to the authority node carrying the Token and the authority identification required by the interface;
S9, the authority node checks the Token and the authority identification submitted by the service system against the user interface authority information stored on that node, and returns the check result;
S10, the service system releases or intercepts the interface according to the authority check result returned by the authority node.
Further, S1 includes:
when a client user needs to log in, the user identity information and the identifier BK1 of the service system being logged in are transmitted to a login node; the login node verifies the user information to confirm whether it is legal; if it is illegal, the request is directly marked as an illegal request and login is refused; if it is legal, the user is recorded as the identifier UK1.
Further, S2 includes:
the login node initiates an authority acquisition certificate generation request to the service node and transmits the user identifier UK1; the service node receives the request, initiates an authority information pre-query request to the corresponding authority node, and transmits the user identifier UK1 and the query type authority range SCOPE.
Further, S3 includes:
after receiving the pre-query request, the authority node generates a pre-query request identifier RequestId1 for it and at the same time generates a pair of temporary keys; it keeps the public key PK2 itself, returns the pre-query request identifier RequestId1 and the private key SK2 to the service node, and caches the correspondence between the query type authority range SCOPE, the key pair, the authority pre-query user identifier UK1 and RequestId1.
Further, S4 includes:
the service system receives the response and returns the private key SK2 to the login node, together with the authority node information corresponding to the service system and the pre-query request identifier RequestId1.
Further, S5 includes:
the login node receives the private key SK2 and the corresponding authority node information, encrypts the user identifier UK1 with the private key SK2 to generate a ciphertext ED1, and initiates an authority information query request to the authority node carrying the ciphertext ED1 and the pre-query request identifier RequestId1;
after receiving the request, the authority node decrypts the ciphertext ED1 with the public key PK2 looked up by the authority pre-query request identifier RequestId1 to obtain the user identifier UK2 carried in the request, and at the same time obtains the user identifier UK1 stored on the node for that pre-query request according to the transmitted RequestId1; it judges whether UK2 is consistent with UK1; if not, the user identity information is identified as tampered, the request is marked as illegal, and error information is returned to the login node; if UK2 is consistent with UK1, the request is legal: the authority node queries the user authority information stored on the node according to the user identifier UK1 and the query type authority range SCOPE, generates a basic information authorization Token with a validity period T1, and caches the user information UK1 corresponding to the Token; the public key PK2 is used to encrypt the authority information and the basic information authorization Token into ciphertext data ED2, which is returned to the login node, and at the same time the pre-query request RequestId1 and the public key PK2 are invalidated.
Further, S6 includes:
the login node receives the returned ciphertext data ED2, decrypts it with the private key SK2 it holds, obtains the authority information PD1 owned by the user and the basic information authorization Token, destroys the now invalid private key SK2, and returns the user authority information and the basic information authorization Token to the client, completing user login and basic authority data acquisition.
Further, S8 includes the following steps:
the service system uses the authorization private key SK1 it holds to encrypt UK1, the Token, the interface type authority range SCOPE2 and the authority identification PEK1 required by the interface, and transmits them to the corresponding authority node.
Further, S9 includes the following steps:
the authority node decrypts with the public key PK1, obtains the user identity UK1, the Token, SCOPE2 and the authority identifier PEK1 to be queried, and verifies whether the basic information authorization Token is legal;
if the Token is illegal, an error is returned to the service system; if the Token is legal, an authority data query is carried out according to the transmitted user identity UK1, interface type authority range SCOPE2 and authority PEK1; if corresponding data is found, the user is proved to have the authority and the authentication result returned to the service system is pass; if no corresponding data is found, the user is proved not to have the interface authority and the authentication result returned to the service system is fail.
Further, the method of verifying comprises:
S-A, judging whether the Token exists on the authority node; if yes, executing the next step; if the basic information authorization Token does not exist on the authority node, the Token is illegal;
S-B, judging whether the user identity UK2 corresponding to the Token is consistent with UK1; if UK2 is consistent with UK1, the basic information authorization Token is legal; if UK2 is inconsistent with UK1, the basic information authorization Token is illegal.
Further, the authority information includes basic authority information and interface authority information.
The basic authority information corresponds to the query type authority range SCOPE; the interface authority information corresponds to the interface type authority range SCOPE2. Basic authority information refers to the authority to acquire basic information such as the user account, role, mobile phone number, name, and the menus the account may display; interface authority information refers to the authority of the account to call and execute program interfaces, such as whether certain information may be queried, edited or deleted.
In summary, by adopting this technical scheme a node can be authenticated without depending on an authentication center; the authority information is encrypted and stored across multiple nodes based on blockchain technology, each node holds a part of the data which can be accessed and used as required, and the loss caused by data exposure is reduced to a certain extent.
Additional aspects and advantages of the invention will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the invention.
Drawings
The above and/or additional aspects and advantages of the present invention will become apparent and readily appreciated from the following description of the embodiments, taken in conjunction with the accompanying drawings of which:
FIG. 1 is a diagram of the distributed system architecture of the present invention.
FIG. 2 is a schematic diagram of the implementation process of decentralized login authentication according to the present invention.
Detailed Description
Reference will now be made in detail to embodiments of the present invention, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to the same or similar elements or elements having the same or similar function throughout. The embodiments described below with reference to the accompanying drawings are illustrative only for the purpose of explaining the present invention and are not to be construed as limiting the present invention.
The method for realizing login authentication without centralization in a distributed system is realized on a distributed system whose architecture is shown in FIG. 1 and which comprises the following modules:
a client application module, a login service module, a business service module, an authority service module and a storage service module, each service module comprising a plurality of nodes: the login service module is composed of a plurality of login nodes, the business service module of a plurality of business nodes, the authority service module of a plurality of authority nodes, and the storage service module of a plurality of storage nodes.
The client application module represents the various forms of program that provide local services to users, such as PC, H5, applet and other clients.
The method for realizing login authentication without centralization in a distributed system, as shown in FIG. 2, includes the following steps:
S1, the client initiates a login authorization request to the login node, and the login node forwards the request to the service system;
S2, the service system calculates the authority node and sends a basic information pre-authorization request to the authority node;
S3, the authority node returns a basic information temporary authorization token to the service system;
S4, the service system returns the basic information temporary authorization token to the login node;
S5, the login node requests the basic information authorization data from the authority node, and the authority node returns it to the login node;
S6, the login node returns the basic information authorization data and an authorization Token to the client;
S7, when the client calls a data operation interface of the service system, the user identifier UK1 and the Token are transmitted, and the service system judges whether the interface needs authentication; if so, the next step is executed; if not, the interface is called normally and the data returned;
S8, when the interface needs authentication, the service system sends an authorization verification request to the authority node carrying the Token and the authority identification required by the interface;
S9, the authority node checks the Token and the authority identification submitted by the service system against the user interface authority information stored on that node, and returns the check result;
S10, the service system releases or intercepts the interface according to the authority check result returned by the authority node.
In this scheme the login node is the service with which a user of the distributed system verifies their identity information; there can be several such nodes, and each client system communicates with a different login service as required;
the authority node represents the distributed system service that stores which interfaces, data access and operation authorities a user has; there can be several such nodes, and their number can be dynamically expanded and contracted;
the scheme divides the authority types into basic information authority and interface type authority, corresponding to the authority ranges SCOPE and SCOPE2 respectively; the basic information authority, corresponding to the authority range SCOPE, identifies that the service system may acquire basic user information such as account number, mobile phone number, displayable menus and the like.
First, each service system, using the client identity as the identifier, hashes the authorization information of the client and the user and stores it in different authority nodes; the authority nodes can be dynamically expanded and contracted and provide an authorization information operation interface. The authority node issues an access private key SK1 (Secret Key 1) to the business system and itself holds the public key PK1 (Public Key 1); the service system can thus be regarded as a client of the authority node.
When a client user needs to log in, the user identity information and the identifier BK1 (Business Key 1) of the service system being logged in are transmitted to a login node; the login node verifies the user information and confirms whether it is legal; if it is illegal, the request is directly marked as illegal and login is refused; if it is legal, the user is recorded as the identifier UK1 (User Key 1);
the login node initiates an authority acquisition certificate generation request to the service node and transmits the user identifier UK1; the service node receives the request, initiates an authority information pre-query request to the corresponding authority node, and transmits the user identifier UK1 and the query authority range SCOPE (here SCOPE is suggested to be the front-end button authority range);
after receiving the pre-query request, the authority node generates a pre-query request identifier RequestId1 for it and at the same time generates a pair of temporary keys, using an asymmetric cipher such as RSA; it keeps the public key PK2 itself, returns the pre-query request identifier RequestId1 and the private key SK2 to the service node, and caches SCOPE, the key pair and the correspondence between the authority pre-query user identifier UK1 and RequestId1; the authority node caches in memory or in an external cache such as redis.
The service system receives the response and returns the private key SK2 to the login node, together with the authority node information corresponding to the service system and the pre-query request identifier RequestId1;
the login node receives the private key SK2 and the corresponding authority node information, encrypts the user identifier UK1 with the private key SK2 to generate a ciphertext ED1 (Encrypt Data 1), and initiates an authority information query request to the authority node carrying the ciphertext ED1 and the pre-query request identifier RequestId1;
after receiving the request, the authority node decrypts the ciphertext ED1 with the public key PK2 looked up by the authority pre-query request identifier RequestId1 to obtain the user identifier UK2 carried in the request, and at the same time obtains the user identifier UK1 stored on the node for that pre-query request according to the transmitted RequestId1; it judges whether UK2 is consistent with UK1; if not, the user identity information is identified as tampered, the request is marked as illegal, and error information is returned to the login node; if UK2 is consistent with UK1, the request is legal: the authority node queries the user authority information stored on the node according to the user identifier UK1 and the authority range SCOPE, generates a basic information authorization Token with a validity period T1, and caches the user information UK1 corresponding to the Token; the authority information and the authorization Token are encrypted with the public key PK2 into ciphertext data ED2, which is returned to the login node, and at the same time the pre-query request RequestId1 and the public key PK2 are invalidated; the authority information is the authority data, namely the interface authority array owned by the account.
The login node receives the returned ciphertext data ED2 and decrypts it with the private key SK2 it holds (SK2 was generated during the pre-query request and is used to decrypt the returned data), obtaining the authority information PD1 (Permission Data 1) owned by the user and the authorization Token generated by the authority node as described above; it destroys the now invalid private key SK2 and returns the user authority information PD1 and the authorization Token to the client, completing user login and basic authority data acquisition;
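The pre-query exchange of S3 to S6 (the temporary key pair, the ED1 and ED2 ciphertexts, the UK2/UK1 consistency check and the invalidation of RequestId1), as it appears both in the disclosure above and in this detailed description, written out as an added Go example. This is illustrative code, not the patent's or the assignee's implementation. It assumes plain in-memory maps in place of the memory/redis cache, models "encrypting UK1 with the private key SK2" as an RSA-PSS signature verified with PK2 (which is what that operation amounts to in RSA), uses RSA-OAEP for ED2, treats RequestId1 as one-shot, and leaves the validity period T1 unmodelled; the AuthorityNode, PreQuery, Query and LoginNodeQuery names and the user-42 sample data are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// preQuery is what the authority node caches under RequestId1 in S3: SCOPE, the UK1 being pre-queried, and its own PK2.
type preQuery struct {
	scope string
	uk1   string
	pk2   *rsa.PublicKey
}

// AuthorityNode is a hypothetical in-memory authority node; plain maps stand in for the memory/redis cache.
type AuthorityNode struct {
	pending map[string]preQuery            // RequestId1 -> cached pre-query state
	Tokens  map[string]string              // basic information authorization Token -> UK1
	perms   map[string]map[string][]string // UK1 -> SCOPE -> authority data PD1
}

func NewAuthorityNode(perms map[string]map[string][]string) *AuthorityNode {
	return &AuthorityNode{pending: map[string]preQuery{}, Tokens: map[string]string{}, perms: perms}
}

func randomID() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// PreQuery is S3: mint RequestId1 and a temporary RSA key pair, keep PK2, hand SK2 back.
// The service system forwards SK2 and RequestId1 to the login node (S4).
func (a *AuthorityNode) PreQuery(uk1, scope string) (requestID string, sk2 *rsa.PrivateKey, err error) {
	if sk2, err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
		return "", nil, err
	}
	if requestID, err = randomID(); err != nil {
		return "", nil, err
	}
	a.pending[requestID] = preQuery{scope: scope, uk1: uk1, pk2: &sk2.PublicKey}
	return requestID, sk2, nil
}

// Query is the authority node's half of S5. The patent has the login node "encrypt UK1 with SK2" and the
// node "decrypt with PK2"; in RSA that is a signature, so ED1 is an RSA-PSS signature over uk2 checked with PK2.
func (a *AuthorityNode) Query(requestID, uk2 string, ed1 []byte) ([]byte, error) {
	pq, ok := a.pending[requestID]
	if !ok {
		return nil, errors.New("unknown or already used RequestId1")
	}
	defer delete(a.pending, requestID) // RequestId1 and PK2 are one-shot, whatever the outcome
	digest := sha256.Sum256([]byte(uk2))
	if err := rsa.VerifyPSS(pq.pk2, crypto.SHA256, digest[:], ed1, nil); err != nil {
		return nil, errors.New("ED1 was not produced with SK2")
	}
	if uk2 != pq.uk1 {
		return nil, errors.New("user identity tampered: UK2 differs from cached UK1")
	}
	token, err := randomID()
	if err != nil {
		return nil, err
	}
	a.Tokens[token] = pq.uk1 // cache Token -> UK1 (validity period T1 not modelled here)
	payload := token + "|" + strings.Join(a.perms[pq.uk1][pq.scope], ",")
	// ED2: Token plus authority data PD1, encrypted to PK2 so only the holder of SK2 can read it.
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pq.pk2, []byte(payload), nil)
}

// LoginNodeQuery is the login node's half of S5 and S6: prove UK1 with SK2, decrypt ED2 with SK2, destroy SK2.
func LoginNodeQuery(a *AuthorityNode, requestID, uk1 string, sk2 *rsa.PrivateKey) (string, []string, error) {
	digest := sha256.Sum256([]byte(uk1))
	ed1, err := rsa.SignPSS(rand.Reader, sk2, crypto.SHA256, digest[:], nil)
	if err != nil {
		return "", nil, err
	}
	ed2, err := a.Query(requestID, uk1, ed1)
	if err != nil {
		return "", nil, err
	}
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, sk2, ed2, nil)
	if err != nil {
		return "", nil, err
	}
	*sk2 = rsa.PrivateKey{} // best-effort destruction of the now invalid SK2
	parts := strings.SplitN(string(plain), "|", 2)
	var pd1 []string
	if parts[1] != "" {
		pd1 = strings.Split(parts[1], ",")
	}
	return parts[0], pd1, nil
}

func main() {
	// constructed sample: one user whose SCOPE authority data is two front-end items
	node := NewAuthorityNode(map[string]map[string][]string{"user-42": {"SCOPE": {"menu:orders", "btn:export"}}})
	rid, sk2, _ := node.PreQuery("user-42", "SCOPE")
	fmt.Println(LoginNodeQuery(node, rid, "user-42", sk2))
}
```

Two properties worth checking against the text: a second Query with the same RequestId1 is refused because the pending entry (and with it PK2) is gone, and a login node that signs a different identifier than the one pre-queried is rejected by the UK2/UK1 comparison even though its signature under SK2 is valid. RSA-OAEP with SHA-256 under a 2048-bit key carries at most 190 bytes, which is enough for this sample but a real PD1 array would need hybrid encryption.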
when the client needs to call a business service interface, it transmits the user identifier UK1 and the authorization Token;
the service system receives UK1 and the Token and first judges whether the requested program interface needs authentication; the judging method is that the program authority interceptor/code decides in the program according to the requested interface address. If authentication is not needed, the request is released directly without verifying the interface authority and the client calls the interface successfully; the client interacts not only with the service system but also with the authority node. If the interface needs authentication, the service system uses the authorization private key SK1 it holds to encrypt UK1, the Token, the authority range SCOPE2 (SCOPE2 identifies the interface type authority range) and the authority identification PEK1 (Permission Key 1) required by the interface, and transmits them to the corresponding authority node; the authority identifier PEK1 is preset by the system program interceptor at the coding stage, for example the authority required for deleting some information is deletexxx.
The authority node decrypts with the public key PK1, obtains the user identity UK1, the Token, SCOPE2 and the authority identifier PEK1 to be queried, and verifies whether the basic information authorization Token is legal; the verification method is to check whether the following conditions are met:
1. whether the Token exists on the authority node;
2. whether the user identity UK2 corresponding to the Token is consistent with UK1.
If the Token is illegal, an error is returned to the service system; if the Token is legal, an authority data query is carried out according to the transmitted user identity UK1, authority range SCOPE2 and authority PEK1; if corresponding data is found, the user is proved to have the authority and the authentication result returned to the service system is pass; if no corresponding data is found, the user is proved not to have the interface authority and the authentication result returned to the service system is fail. The authority data owned by the user is stored by the authority node in a storage medium such as a database; the authority data is generated by the service node, which calls the authority node to store it.
The service system receives the response and performs different business processing according to the authentication result. At this point authentication is complete.
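The interface-call path of S7 to S10 (the interceptor's decision whether an interface needs authentication, the S-A and S-B Token checks, the PEK1 lookup under SCOPE2, and the release or intercept decision), covering both the "Further, S8/S9" paragraphs of the disclosure and the description just above, as an added Go example that is not code from the patent. It assumes an in-memory Token cache on which the validity period T1 is also enforced, an injectable clock so expiry can be exercised, and leaves out the SK1/PK1 encryption of the request between service system and authority node; PermNode, ServiceSystem, the interface table and the user-42/tok-1 sample values are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// tokenRecord mirrors the authority node's cache of basic information authorization Tokens:
// each Token is bound to the UK1 it was issued for (the UK2 of S-B) and expires after T1.
type tokenRecord struct {
	uk1     string
	expires time.Time
}

// PermNode is a hypothetical authority node holding one shard of interface authority data.
type PermNode struct {
	tokens map[string]tokenRecord
	perms  map[string]map[string]map[string]bool // UK1 -> SCOPE2 -> PEK -> granted
	now    func() time.Time                      // injectable clock
}

func NewPermNode(perms map[string]map[string]map[string]bool, now func() time.Time) *PermNode {
	return &PermNode{tokens: map[string]tokenRecord{}, perms: perms, now: now}
}

// Issue caches a Token for uk1 with validity period t1 (what the authority node does in S5).
func (p *PermNode) Issue(token, uk1 string, t1 time.Duration) {
	p.tokens[token] = tokenRecord{uk1: uk1, expires: p.now().Add(t1)}
}

// Verify is S9: S-A the Token must exist on this node (and still be within T1), S-B the UK2 bound
// to it must equal the submitted UK1, and only then is PEK1 looked up under SCOPE2. An illegal
// Token is reported as an error so the service system can distinguish it from a plain "fail".
func (p *PermNode) Verify(uk1, token, scope2, pek1 string) (bool, error) {
	rec, ok := p.tokens[token]
	if !ok {
		return false, errors.New("illegal Token: not present on this authority node")
	}
	if !p.now().Before(rec.expires) {
		delete(p.tokens, token)
		return false, errors.New("illegal Token: validity period T1 elapsed")
	}
	if rec.uk1 != uk1 {
		return false, errors.New("illegal Token: bound UK2 differs from submitted UK1")
	}
	return p.perms[uk1][scope2][pek1], nil
}

// ServiceSystem models the business node's program interceptor: a table of interface
// address -> required PEK1; interfaces absent from the table need no authentication.
type ServiceSystem struct {
	required map[string]string
	node     *PermNode
}

// Call is S7, S8 and S10 together: decide whether the interface needs authentication,
// ask the authority node, then release or intercept.
func (s *ServiceSystem) Call(iface, uk1, token string) (string, error) {
	pek1, needsAuth := s.required[iface]
	if !needsAuth {
		return "released: " + iface, nil
	}
	pass, err := s.node.Verify(uk1, token, "SCOPE2", pek1)
	if err != nil {
		return "", fmt.Errorf("intercepted %s: %w", iface, err)
	}
	if !pass {
		return "", fmt.Errorf("intercepted %s: %s lacks %s", iface, uk1, pek1)
	}
	return "released: " + iface, nil
}

func main() {
	// constructed sample: user-42 may query orders but not delete them; /health needs no authentication
	node := NewPermNode(map[string]map[string]map[string]bool{
		"user-42": {"SCOPE2": {"queryOrder": true}},
	}, time.Now)
	node.Issue("tok-1", "user-42", time.Hour)
	svc := &ServiceSystem{required: map[string]string{"/order/query": "queryOrder", "/order/delete": "deleteOrder"}, node: node}
	for _, iface := range []string{"/health", "/order/query", "/order/delete"} {
		out, err := svc.Call(iface, "user-42", "tok-1")
		fmt.Println(out, err)
	}
}
```

Keeping the PEK1 table in the interceptor rather than in each handler is what lets the "needs authentication" decision be made from the interface address alone, as the text describes; the authority node never learns which interface was called, only which PEK1 it requires.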
While embodiments of the invention have been shown and described, it will be understood by those of ordinary skill in the art that: various changes, modifications, substitutions and alterations can be made to the embodiments without departing from the principles and spirit of the invention, the scope of which is defined by the claims and their equivalents.

Claims (10)

1. A method for realizing login authentication in decentralized mode in a distributed system is characterized by comprising the following steps:
S1, the client initiates a login authorization request to the login node, and the login node transmits the request to the service system;
S2, the service system acquires the authority node and sends a basic information pre-authorization request to the authority node;
S3, the authority node returns a basic information temporary authorization token to the service system;
S4, the service system returns a basic information temporary authorization token to the login node;
S5, the login node acquires the basic information authorization data from the authority node, and the authority node returns the basic information authorization data to the login node;
S6, the login node returns basic information authorization data and an authorization Token to the client;
S7, when the client calls the operation interface of the service system data, it transmits the Token, and the service system judges whether the interface needs authentication; if it needs authentication, the next step is executed; if authentication is not needed, the interface is called to return data;
S8, when the interface needs authentication, the service system sends an authorization verification request to the authority node according to the Token and the authority identification needed by the interface;
S9, the authority node checks the Token and the authority identification submitted by the service system by combining the user interface authority information stored by the node, and returns the check result;
S10, the service system releases or intercepts the interface according to the authority check result returned by the authority node.
2. The method according to claim 1, wherein the S1 comprises:
when a client user needs to log in, user identity information and a logged-in service system identifier BK1 are transmitted to a login node, the login node verifies the user information to confirm whether the user information is legal user information, if the user information is illegal, the user information is directly marked as an illegal request, and login is refused; if the user information is legal, the user information is recorded as the identifier UK1.
3. The method according to claim 1, wherein the S2 comprises:
the login node initiates an authority acquisition certificate generation request to the service system and transmits the user identifier UK1; the service system receives the request, initiates an authority information pre-query request to the corresponding authority node, and transmits the user identifier UK1 and the query type authority range SCOPE.
4. The method according to claim 1, wherein the S3 includes:
after receiving the pre-query request, the authority node generates a pre-query request identifier RequestId1 for it and a pair of temporary keys comprising a public key PK2 and a private key SK2; it returns the pre-query request identifier RequestId1 and the private key SK2 to the service system, and caches the correspondence among the query type authority range SCOPE, the key pair, the authority pre-query user identifier UK1 and RequestId1.
5. The method according to claim 1, wherein the S4 includes:
the service system receives the response and returns the private key SK2 to the login node, together with the authority node information corresponding to the service system and the pre-query request identifier RequestId1.
6. The method according to claim 1, wherein the S5 comprises:
the login node receives the private key SK2 and the corresponding authority node information, encrypts the user identifier UK1 with the private key SK2 to generate a ciphertext ED1, and initiates an authority information query request to the authority node, transmitting the ciphertext ED1 and the pre-query request identifier RequestId1;
after receiving the request, the authority node decrypts the ciphertext ED1 with the public key PK2 looked up by the authority pre-query request identifier RequestId1 to obtain the user identifier UK2 carried in the request, and at the same time obtains, according to the transmitted RequestId1, the user identifier UK1 stored on the node for that pre-query request; it judges whether UK2 is consistent with UK1: if not, the user identity information is identified as tampered, the request is marked as illegal, and error information is returned to the login node; if UK2 is consistent with UK1, the request is legal, the authority node queries the user authority information stored on the node according to the user identifier UK1 and the query type authority range SCOPE, generates a basic information authorization Token whose validity period is time T1, and caches the user information UK1 corresponding to the Token; the public key PK2 is used to encrypt the authority information and the basic information authorization Token to generate ciphertext data ED2, which is returned to the login node, and at the same time the pre-query request identifier RequestId1 and the public key PK2 are invalidated.
7. The method according to claim 1, wherein the S6 comprises:
the login node receives the returned ciphertext data ED2, decrypts ED2 with the private key SK2 it holds, obtains the authority information PD1 owned by the user and the basic information authorization Token, destroys the now-invalid private key SK2, and returns the user authority information and the basic information authorization Token to the client, completing user login and basic authority data acquisition.
8. The method according to claim 1, wherein said S8 comprises the following steps:
the service system uses the authorization private key SK1 held by the user to transmit, in encrypted form, UK1, the Token, the interface type authority range SCOPE2 and the authority identifier PEK1 required by the interface to the corresponding authority node.
9. The method according to claim 1, wherein said S9 comprises the following steps:
the authority node decrypts with the public key PK1, obtains the user identity UK1, the Token, SCOPE2 and the authority identifier PEK1 to be queried, and verifies whether the basic information authorization Token is legal;
if the Token is illegal, an error is returned to the service system; if the Token is legal, an authority data query is carried out according to the transmitted user identity UK1, interface type authority range SCOPE2 and authority identifier PEK1: if corresponding data is found, the user is proved to have the authority and the authentication result returned to the service system is pass; if no corresponding data is found, the user is proved not to have the interface authority and the authentication result returned to the service system is fail.
10. The method of claim 9, wherein the method of verifying comprises:
S-A, judging whether the Token exists on the authority node; if yes, executing the next step; if the Token does not exist on the authority node, the basic information authorization Token is illegal;
S-B, judging whether the user identity UK2 corresponding to the Token is consistent with UK1; if UK2 is consistent with UK1, the basic information authorization Token is legal; if UK2 is inconsistent with UK1, the basic information authorization Token is illegal.
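The authority-node behaviour of claims 4, 6, 9 and 10 (a one-shot RequestId1 bound to UK1 and SCOPE, a Token with validity T1 bound to UK1, and the S-A/S-B checks followed by the (UK1, SCOPE2, PEK1) lookup), as an added example that is not part of the patent. The temporary key pair PK2/SK2 and the ciphertexts ED1/ED2 are modelled with a per-request random key and an HMAC over the user identifier so the example runs on the standard library alone; the permission store, user names and scopes are constructed.

```python
import hashlib, hmac, secrets, time
from dataclasses import dataclass, field
from typing import Callable

# Constructed permission store: (user, scope, permission id). Labels map to the
# claims as user -> UK1, scope -> SCOPE / SCOPE2, permission id -> PEK1.
PERMISSIONS = {("alice", "basic", "profile:read"), ("alice", "orders", "orders:read")}
T1 = 300  # basic information Token validity in seconds (claim 6)

def login_node_proof(key: bytes, uk: str) -> bytes:
    """Login-node side of claim 6; stands in for the ED1 = Enc_SK2(UK1) step (assumption)."""
    return hmac.new(key, uk.encode(), hashlib.sha256).digest()

@dataclass
class AuthorityNode:
    clock: Callable[[], float] = time.time
    pending: dict = field(default_factory=dict)  # RequestId1 -> (UK1, SCOPE, key)
    tokens: dict = field(default_factory=dict)   # Token -> (UK1, expiry)

    def pre_query(self, uk1: str, scope: str):
        """Claim 4: mint RequestId1 and a temporary key bound to UK1 and SCOPE."""
        request_id, key = secrets.token_hex(8), secrets.token_bytes(32)
        self.pending[request_id] = (uk1, scope, key)
        return request_id, key  # key plays the role of SK2, relayed via the service system

    def query(self, request_id: str, uk2: str, proof: bytes):
        """Claim 6: one-shot RequestId1, proof must match the stored key, UK2 must equal UK1."""
        entry = self.pending.pop(request_id, None)  # invalidates RequestId1 either way
        if entry is None:
            return None
        uk1, scope, key = entry
        if not hmac.compare_digest(login_node_proof(key, uk2), proof) or uk2 != uk1:
            return None  # identity tampered -> illegal request
        token = secrets.token_urlsafe(24)
        self.tokens[token] = (uk1, self.clock() + T1)
        perms = sorted(p for u, s, p in PERMISSIONS if (u, s) == (uk1, scope))
        return token, perms  # PD1 and the Token (carried in ED2 in the claim)

    def verify(self, uk1: str, token: str, scope2: str, pek1: str) -> bool:
        """Claims 9-10: S-A Token known and unexpired, S-B bound to UK1, then permission lookup."""
        entry = self.tokens.get(token)
        if entry is None:
            return False  # S-A: Token not on this node
        bound_uk, expiry = entry
        if self.clock() > expiry:
            del self.tokens[token]  # T1 elapsed
            return False
        if bound_uk != uk1:
            return False  # S-B: UK2 != UK1
        return (uk1, scope2, pek1) in PERMISSIONS
```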
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210272137.7A CN114726590B (en) 2022-03-18 2022-03-18 Method for implementing login authentication by decentralization in distributed system

Publications (2)

Publication Number Publication Date
CN114726590A true CN114726590A (en) 2022-07-08
CN114726590B CN114726590B (en) 2024-05-17

Family

ID=82238334

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170293766A1 (en) * 2014-09-17 2017-10-12 Bundesdruckerei Gmbh Distributed data storage by means of authorisation token
CN108449364A (en) * 2018-05-08 2018-08-24 北京明朝万达科技股份有限公司 A kind of distributed identity authentication method and cloud certification node
CN110602088A (en) * 2019-09-11 2019-12-20 北京京东振世信息技术有限公司 Block chain-based right management method, block chain-based right management device, block chain-based right management equipment and block chain-based right management medium
CN111163109A (en) * 2020-02-04 2020-05-15 广州知弘科技有限公司 Block chain center-removing type node anti-counterfeiting method
CN111224784A (en) * 2019-11-27 2020-06-02 北京工业大学 Role separation distributed authentication and authorization method based on hardware trusted root
WO2021169112A1 (en) * 2020-02-28 2021-09-02 平安国际智慧城市科技股份有限公司 Shared permission-based service data processing method, apparatus and device, and medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant