CN115150831A - Processing method, device, server and medium for network access request - Google Patents


Info

Publication number: CN115150831A
Authority: CN (China)
Prior art keywords: account, network access, target account, server, target
Legal status: Pending (the legal status listed by Google is an assumption, not a legal conclusion)
Application number: CN202210689487.3A
Other languages: Chinese (zh)
Inventor: 刘成伟
Current assignee: Alibaba Cloud Computing Ltd (the listed assignees may be inaccurate)
Original assignee: Alibaba Cloud Computing Ltd
Events: application filed by Alibaba Cloud Computing Ltd; priority to CN202210689487.3A; publication of CN115150831A; legal status pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04W 12/069 Authentication using certificates or pre-shared keys
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/03 Protecting confidentiality, e.g. by encryption

Abstract

One or more embodiments of the present application provide a method, an apparatus, a server, and a medium for processing a network access request. The network access certificate carries an identity source identifier of the target account that is unique within the target application. After a network access request from the target account is received, and provided that the validity check of the network access certificate carried by the request passes, the identity source identifier is read from the certificate, the account state of the target account is obtained based on that identifier, and the network access request is processed based on the obtained account state. Network access control based on account state is thereby achieved.

Description

Processing method, device, server and medium for network access request
Technical Field
One or more embodiments of the present disclosure relate to the field of communications technologies, and in particular, to a method, an apparatus, a server, and a medium for processing a network access request.
Background
Most enterprise networks need to process massive network access requests every day, and manage access of various office terminals including personal computers, notebooks, mobile phones and the like. Network admission control is used as the first step of enterprise network security management and is an important link for constructing a more secure and stable enterprise network environment.
In the related art, network admission control mainly relies on the 802.1X protocol to restrict access of unauthorized users to the enterprise network. The 802.1X protocol authenticates users connecting to the enterprise network and sends network access credentials to authenticated users, so that those users can subsequently gain access to the enterprise network with the credentials.
The validity period of the access certificate issued in this process is generally several years. Even if the user's employment status changes (for example, the user leaves the organization, the account is frozen, or the user changes post), as long as the access certificate held by the user is still within its validity period, the user can still access the enterprise network with it, which poses a significant security risk to enterprise network management. Therefore, a method for processing network access requests is needed to implement network admission control for an enterprise network.
Disclosure of Invention
In view of this, one or more embodiments of the present disclosure provide a method, an apparatus, a server and a medium for processing a network access request.
To achieve the above object, one or more embodiments of the present disclosure provide the following technical solutions:
according to a first aspect of one or more embodiments of the present specification, a method for processing a network access request is provided, where the method is applied to a server, and the method includes:
responding to a received network access request of a target account, and verifying the validity of a network access certificate carried by the network access request;
under the condition that the validity check of the network access certificate passes, acquiring an identity source identifier of a target account which has uniqueness in a target application program from the network access certificate;
acquiring an account state of a target account based on the identity source identification;
and processing the network access request based on the account state.
In some embodiments, the identity source identifier is obtained by encrypting the account identifier of the target account together with the organization identifier of the organization to which the target account belongs under a preset key;
acquiring the account state of the target account based on the identity source identifier then includes:
decrypting the identity source identifier with the preset private key to obtain the account identifier of the target account and the organization identifier of the organization to which the target account belongs;
acquiring, based on the account identifier, the account state of the target account from the data storage location in the server that corresponds to the organization identifier; different organization identifiers correspond to different data storage locations in the server.
In some embodiments, processing the network access request based on the account state includes any one of:
responding to the network access request when the account state indicates that the target account is in a preset state;
refusing the network access request when the account state indicates that the target account is not in the preset state.
In some embodiments, in response to receiving a network access request of a target account, before checking validity of a network access certificate carried in the network access request, the method further includes:
receiving a login request of a target account, wherein the login request carries first account information;
checking the legality of the target account based on the first account information carried by the login request;
and allowing the target account to log in under the condition that the legality check of the target account passes.
In some embodiments, after allowing the target account to log in if the validity check of the target account passes, the method further includes:
under the condition that the target account is logged in for the first time, responding to a received certificate acquisition request of the target account, acquiring an identity source identifier based on second account information carried by the certificate acquisition request, and adding the identity source identifier to a network access certificate generated for the target account;
and sending the network access certificate to the terminal equipment corresponding to the target account.
In some embodiments, the second account information includes at least an account identifier of the target account and an organization identifier of the organization to which the target account belongs;
acquiring the identity source identifier based on the second account information carried by the certificate acquisition request includes:
encrypting, under the preset key, the account identifier and the organization identifier included in the second account information to obtain the identity source identifier.
In some embodiments, before obtaining the identity source identifier based on the second account information carried in the certificate acquisition request and adding it to the network access certificate generated for the target account, the method further includes:
verifying the second account information, and executing the steps of obtaining the identity source identifier and adding it to the network access certificate only when the second account information passes verification.
In some embodiments, the server includes a first server and at least one second server, where the first server is configured to provide a service for processing a network access request for the at least one second server, the second server is a background server corresponding to a target application used by an organization to which a target account belongs, and the second server is configured to store at least an identity source identifier and an account status of a registered account in the target application.
According to a second aspect of one or more embodiments of the present specification, there is provided an apparatus for processing a network entry request, which is applied to a server, the apparatus including:
the verification module is used for responding to the received network access request of the target account and verifying the validity of the network access certificate carried by the network access request;
the identification acquisition module is used for acquiring an identity source identification of a target account with uniqueness in a target application program from the network access certificate under the condition that the validity check of the network access certificate passes;
the state acquisition module is used for acquiring the account state of the target account based on the identity source identifier;
and the processing module is used for processing the network access request based on the account state.
In some embodiments, the identity source identifier is obtained by encrypting the account identifier of the target account together with the organization identifier of the organization to which the target account belongs under a preset key;
the state acquisition module, when acquiring the account state of the target account based on the identity source identifier, is configured to:
decrypt the identity source identifier with the preset private key to obtain the account identifier of the target account and the organization identifier of the organization to which the target account belongs;
acquire, based on the account identifier, the account state of the target account from the data storage location in the server that corresponds to the organization identifier; different organization identifiers correspond to different data storage locations in the server.
In some embodiments, the processing module, when processing the network access request based on the account state, is configured to perform any one of:
responding to the network access request when the account state indicates that the target account is in a preset state;
refusing the network access request when the account state indicates that the target account is not in the preset state.
In some embodiments, the apparatus further comprises:
the receiving module is used for receiving a login request of a target account, wherein the login request carries first account information;
the verification module is also used for verifying the legality of the target account number based on the first account number information carried by the login request;
and allowing the target account to log in under the condition that the legality check of the target account passes.
In some embodiments, the identifier obtaining module is further configured to, in response to receiving a certificate obtaining request of the target account when the target account is logged in for the first time, obtain the identity source identifier based on second account information carried in the certificate obtaining request;
the device also includes:
the adding module is used for adding the identity source identification into the network access certificate generated for the target account;
and the sending module is used for sending the network access certificate to the terminal equipment corresponding to the target account.
In some embodiments, the second account information includes at least an account identifier of the target account and an organization identifier of the organization to which the target account belongs;
the identifier obtaining module, when obtaining the identity source identifier based on the second account information carried in the certificate acquisition request, is configured to:
encrypt, under the preset key, the account identifier and the organization identifier included in the second account information to obtain the identity source identifier.
In some embodiments, the verification module is further configured to verify the second account information and, only when the second account information passes verification, to execute the step of obtaining the identity source identifier based on the second account information carried in the certificate acquisition request and adding it to the network access certificate generated for the target account.
In some embodiments, the server includes a first server and at least one second server, where the first server is configured to provide a service for processing a network access request for the at least one second server, the second server is a background server corresponding to a target application used by an organization to which a target account belongs, and the second server is configured to store at least an identity source identifier and an account status of a registered account in the target application.
According to a third aspect of one or more embodiments of the present specification, there is provided a server including:
a processor;
a memory for storing processor-executable instructions;
the processor executes the executable instructions to implement the operations of the method for processing a network access request provided by the first aspect or any of its embodiments.
According to a fourth aspect of one or more embodiments of the present specification, a computer-readable storage medium is provided, on which computer instructions are stored; when executed by a processor, the instructions implement the operations of the method for processing a network access request provided by the first aspect or any of its embodiments.
According to a fifth aspect of one or more embodiments of the present specification, a computer program product is provided, which includes a computer program; when executed by a processor, the program implements the operations of the method for processing a network access request provided by the first aspect or any of its embodiments.
The network access certificate carries an identity source identifier of the target account that is unique within the target application. After a network access request from the target account is received, and provided that the validity check of the network access certificate carried by the request passes, the identity source identifier is read from the certificate, the account state of the target account is obtained based on that identifier, and the network access request is processed based on the obtained account state. Network access control based on account state is thereby achieved.
Drawings
Fig. 1 is a schematic diagram of an implementation environment of a method for processing a network access request according to an exemplary embodiment.
Fig. 2 is a schematic diagram of an implementation environment of another processing method for a network access request according to an exemplary embodiment.
Fig. 3 is a flowchart illustrating a method for processing a network access request in accordance with an exemplary embodiment.
Fig. 4 is a flowchart illustrating a login process in an exemplary embodiment.
Fig. 5 is a flow chart of a login process provided by an exemplary embodiment.
Fig. 6 is a flow diagram illustrating an exemplary embodiment of issuing a network-entry certificate.
Fig. 7 is a flowchart illustrating a network-entry certificate issuance process in accordance with an exemplary embodiment.
Fig. 8 is a flowchart of a certificate issuance process provided by an exemplary embodiment.
Fig. 9 is a flow chart illustrating a network admission control process in accordance with an exemplary embodiment.
Fig. 10 is a flow chart illustrating a network admission control process in accordance with an exemplary embodiment.
Fig. 11 is a flowchart of a network admission control process provided by an example embodiment.
Fig. 12 is a flowchart illustrating a method for processing a network access request in accordance with an exemplary embodiment.
Fig. 13 is a block diagram of a device for processing a network entry request according to an exemplary embodiment.
Fig. 14 is a schematic block diagram of a server provided in an exemplary embodiment.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with one or more embodiments of the present specification. Rather, they are merely examples of apparatus and methods consistent with certain aspects of one or more embodiments of the specification, as detailed in the claims which follow.
It should be noted that: in other embodiments, the steps of the corresponding methods are not necessarily performed in the order shown and described herein. In some other embodiments, the methods may include more or fewer steps than those described herein. Moreover, a single step described in this specification may be broken down into multiple steps for description in other embodiments; multiple steps described in this specification may be combined into a single step in other embodiments.
First, some technical terms referred to in the present application are described:
Secure Access Service Edge (SASE): a framework of software and hardware tools, typically delivered as cloud services, that secures access to cloud and network resources by applications, services, users and machines.
Public Key Infrastructure (PKI): a collection of hardware, software, personnel, policies and procedures that implements the generation, management, storage, distribution and revocation of keys and certificates based on a public key cryptosystem.
Online Certificate Status Protocol (OCSP): a protocol for checking the validity of Secure Socket Layer (SSL) certificates, to ensure that an SSL certificate has not been revoked.
Digital certificate: an electronic file that uniquely identifies people and resources on the Internet; an SSL certificate is one type of digital certificate.
Extensible Authentication Protocol-Transport Layer Security (EAP-TLS): an authentication method within the EAP framework that mainly uses X.509 digital certificates for network access authentication.
Identity source: the upstream system that stores the core account information. For example, the target application used for office work may be office software such as instant messaging applications, Lightweight Directory Access Protocol (LDAP) or Active Directory (AD).
Identity source identifier: an encrypted string, formed from the enterprise identifier and the account identifier, that the SASE system stores in the network access certificate.
The application provides a processing method of a network access request, which is used for verifying the account state of an access network (such as an enterprise network), so that the network security can be improved. Referring to fig. 1, fig. 1 is a schematic diagram of an implementation environment of a processing method for a network access request according to an exemplary embodiment, and as shown in fig. 1, the implementation environment may include a terminal device 101, a network device 102, and a server 103.
The terminal device 101 may be a plurality of types of terminal devices, for example, the terminal device 101 may be a desktop computer, a notebook computer, a tablet computer, a smart phone, and the like, and the application does not limit the device type and the device number of the terminal device 101. The terminal device 101 may have an SASE client installed therein, so that a user can log in different types of office software through the SASE client, thereby implementing access to a network through a logged-in account.
The network device 102 may be an access controller (AC); optionally, the network device 102 may also be another type of network device, as long as it can provide network access for the terminal device.
The server 103 may be a server, multiple servers, a server cluster, a cloud computing platform, and the like, and the application does not limit the device type and the device number of the server 103. The server 103 may include multiple containers (or processing areas) for providing different types of services to users, for example, the server 103 may include two containers, one container may be used for providing the network access request processing service, and the other container may store the identity source identification and account status of the registered account in different target applications through different data storage locations. Optionally, the server may also provide more types of services for the user, which is not limited in this application.
The container for providing the network access request processing service may include a plurality of functional modules, and different functional modules may provide different types of services for the user, such as a certificate issuing service, an authentication service, and a network admission service, so that the container may provide the more comprehensive network access request processing service for the user through the services provided by the plurality of functional modules.
It should be noted that the terminal device 101 may communicate with the network device 102 in a wired or wireless connection manner, and the network device 102 may communicate with the server 103 in a wireless connection manner, so that the network admission process may be controlled based on the interaction among the terminal device 101, the network device 102, and the server 103 by using the processing method of the network admission request provided in the present application.
Fig. 1 is only an exemplary implementation environment of the present application; in other possible implementations, the processing method of the network access request provided by the present application may also be applied to other types of implementation environments. For example, the server may include a first server and at least one second server, as shown in fig. 2. Fig. 2 is a schematic diagram of an implementation environment of another processing method of a network access request provided by an exemplary embodiment; as shown in fig. 2, the implementation environment may include a terminal device 201, a network device 202, a first server 203, and a second server 204.
For the description of the terminal device 201 and the network device 202, reference may be made to the related contents in fig. 1, and details are not repeated here.
The first server 203 may be one server, multiple servers, a server cluster, a cloud computing platform, and the like, and the application does not limit the device type and the device number of the first server 203. The first server may be configured to provide the network access request processing service for at least one second server, and the first server may include a plurality of functional modules configured to provide different types of services for the user, such as a certificate issuing service, an authentication service, and a network admission service, so that the network access request processing service is provided through the services provided by the plurality of functional modules. Optionally, the first server may also provide more types of services for the user, which is not limited in this application.
The second server 204 may be one server, multiple servers, a server cluster, a cloud computing platform, and the like, and the application does not limit the device type and the device number of the second server 204. The second server 204 may be a background server corresponding to a target application used by the organization to which the target account belongs, and may correspond to different second servers according to different target applications to which the target account belongs (that is, office software to which the target account belongs), one target application may correspond to one second server, and different target applications may correspond to different second servers.
It should be noted that the terminal device 201 may communicate with the network device 202 through a wired or wireless connection manner, the network device 202 may communicate with the first server 203 through a wireless connection manner, and the first server 203 may communicate with the second server 204 through a wired or wireless connection manner, so that interaction among the terminal device 201, the network device 202, the first server 203, and the second server 204 may implement control over a network admission process through the processing method of a network access request provided in this application.
After the implementation environment of the present application is introduced, a detailed description is given below of a method for processing a network access request provided by the present application.
Referring to fig. 3, fig. 3 is a flowchart illustrating a method for processing a network access request according to an exemplary embodiment, where the method may be applied to a server, and as shown in fig. 3, the method may include the following steps:
step 301, in response to receiving a network access request of a target account, verifying validity of a network access certificate carried by the network access request.
Step 302, under the condition that the validity check of the network access certificate passes, acquiring an identity source identifier of the target account, which has uniqueness in the target application program, from the network access certificate.
And step 303, acquiring the account state of the target account based on the identity source identifier.
And step 304, processing the network access request based on the account state.
The network access certificate carries an identity source identifier of the target account that is unique within the target application. After a network access request from the target account is received, and provided that the validity check of the network access certificate carried by the request passes, the identity source identifier is read from the certificate, the account state of the target account is obtained based on that identifier, and the network access request is processed based on the obtained account state. Network access control based on account state is thereby achieved.
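The following is an added example, not code from the patent or from Alibaba Cloud, showing one way steps 301 to 304 and the identity source identifier embodiments could be realised with Go's standard crypto/x509 library: the server issues a long-lived client certificate whose private extension carries the RSA-OAEP encryption of the organization identifier and account identifier, and on each network access request it verifies the certificate, decrypts the identifier with its private key, looks the account up in the organization's own store and allows only the preset state. The extension OID, the organization and account values and the "active" state are constructed assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Private-arc OID for the identity source identifier extension (constructed; the patent names no OID).
var oidIdentitySource = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}
// Server holds the issuing CA, the key pair whose public half encrypts the identity source identifier
// (the "set key") and whose private half decrypts it, and one account-state store per organization.
type Server struct {
	caKey, idKey *rsa.PrivateKey
	caCert       *x509.Certificate
	Stores       map[string]map[string]string // orgID -> accountID -> account state
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func NewServer() *Server {
	s := &Server{Stores: map[string]map[string]string{}}
	s.caKey, s.idKey = must(rsa.GenerateKey(rand.Reader, 2048)), must(rsa.GenerateKey(rand.Reader, 2048))
	ca := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "SASE network access CA"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	s.caCert = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, ca, ca, &s.caKey.PublicKey, s.caKey))))
	return s
}

// IssueCertificate encrypts "orgID\x00accountID" into the identity source identifier and embeds it in a
// long-lived client certificate. The terminal's key pair is generated and discarded here for brevity.
func (s *Server) IssueCertificate(orgID, accountID string, validity time.Duration) ([]byte, error) {
	idSrc, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &s.idKey.PublicKey, []byte(orgID+"\x00"+accountID), nil)
	if err != nil {
		return nil, err
	}
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: accountID},
		NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().Add(validity),
		// The ciphertext travels as an OCTET STRING; asn1.Marshal of a []byte cannot fail.
		ExtraExtensions: []pkix.Extension{{Id: oidIdentitySource, Value: must(asn1.Marshal(idSrc))}},
	}
	termKey := must(rsa.GenerateKey(rand.Reader, 2048))
	return x509.CreateCertificate(rand.Reader, leaf, s.caCert, &termKey.PublicKey, s.caKey)
}
// HandleAccessRequest implements steps 301-304: verify the certificate (issuer chain and validity period),
// decrypt the identity source identifier, look the account up in its organization's store and decide. Only
// the preset state "active" is admitted, so a frozen or departed account is refused while its certificate is still valid.
func (s *Server) HandleAccessRequest(certDER []byte) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "deny", err
	}
	roots := x509.NewCertPool()
	roots.AddCert(s.caCert)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return "deny", fmt.Errorf("certificate validity check failed: %w", err)
	}
	var cipherText []byte
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidIdentitySource) {
			if _, err := asn1.Unmarshal(ext.Value, &cipherText); err != nil {
				return "deny", err
			}
		}
	}
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, s.idKey, cipherText, nil) // fails if absent or forged
	if err != nil {
		return "deny", fmt.Errorf("no usable identity source identifier: %w", err)
	}
	orgID, accountID, ok := strings.Cut(string(plain), "\x00")
	if !ok {
		return "deny", fmt.Errorf("malformed identity source identifier")
	}
	if state := s.Stores[orgID][accountID]; state != "active" {
		return "deny", fmt.Errorf("account %q of organization %q has state %q", accountID, orgID, state)
	}
	return "allow", nil
}

func main() {
	s := NewServer()
	s.Stores["acme"] = map[string]string{"alice": "active"}
	cert := must(s.IssueCertificate("acme", "alice", 3*365*24*time.Hour)) // multi-year validity, as in the background
	fmt.Println(s.HandleAccessRequest(cert))                              // allow
	s.Stores["acme"]["alice"] = "left" // the person leaves; the certificate itself is untouched and still valid
	fmt.Println(s.HandleAccessRequest(cert)) // deny
}
```

Because the store is consulted on every request, changing an account's state takes effect immediately, without revoking or reissuing the multi-year certificate.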
Having described the basic implementation of the present application, various alternative implementations of the present application are further described below.
In some embodiments, the target account may log in the target application (that is, the office software) through the SASE client in the terminal device, so that the SASE client initiates a network access request, so that the terminal device may send the network access request carrying the network access certificate to the server to implement network access. The server may respond to the received network access request of the target account by checking the validity of the network access certificate carried by the network access request through step 301.
In one possible implementation manner, before step 301, the server may implement login of the target account by the following processes:
Step 1: receiving a login request of the target account, where the login request carries first account information.
Optionally, the terminal device may display a login interface of the SASE client in the visual interface, the user may input the first account information in the login interface, and the terminal device acquires the first account information input by the user in response to an input operation of the user, so as to generate a login request based on the acquired first account information, and further send the generated login request to the server, so that the server may receive the login request carrying the first account information.
The first account information may include a target account and a password input by a user, and optionally, the first account information may further include other types of information.
Alternatively, when the terminal device sends the login request to the server, the login request may be sent to a network device (such as an access controller), and the network device sends the login request to the server, so that the server may receive the login request from the terminal device.
And secondly, checking the legality of the target account based on the first account information carried by the login request.
It should be noted that, first account information of a plurality of accounts may be stored in advance in the server, and based on this, after receiving the login request, the server may query the stored first account information to determine whether there is first account information that is consistent with the first account information carried in the login request in the stored first account information, so as to implement verification of the validity of the target account.
Taking the example that the first account information includes a target account and a password, the server may register a plurality of accounts in advance and store passwords of the plurality of accounts, after receiving the login request, the server may first query whether a target account exists in the registered accounts, and when a target account exists in the registered accounts, the server checks the password carried by the login request based on the stored password of the target account to check the validity of the target account.
And step three, allowing the target account to log in under the condition that the legality of the target account passes the verification.
In a possible implementation manner, when the first account information carried by the login request is consistent with any stored first account information, it can be determined that the validity check of the target account passes, so that the target account can be allowed to login.
Still taking the example that the first account information includes the target account and the password, when the target account exists in the registered accounts and the password of the stored target account is consistent with the password carried by the login request, it can be determined that the validity check of the target account passes, and thus the target account can be allowed to login.
In another possible implementation, the target account is refused login when the validity check of the target account fails.
It should be noted that the validity check of the target account fails when the first account information carried by the login request is inconsistent with the stored first account information. Taking the example that the first account information includes the target account and the password, the validity check of the target account fails when the target account in the first account information carried by the login request does not match any of the stored accounts, and/or the password in the first account information carried by the login request does not match the stored password of the target account.
By checking the legality of the target account, and allowing the target account to log in under the condition that the legality of the target account passes the checking, the network security can be ensured, and an illegal account is prevented from logging in the network.
For ease of understanding, the following describes a process for implementing login through interaction between a terminal device and a server, and referring to fig. 4, fig. 4 is a flowchart illustrating a login process according to an exemplary embodiment, which may include the following steps:
step 401, the terminal device responds to a login operation of a target account to generate a login request, wherein the login request carries first account information of the target account.
Step 402, the terminal device sends a login request to the server.
In step 403, the server receives a login request of the target account.
And step 404, the server checks the legality of the target account number based on the first account number information carried by the login request.
Step 405, the server allows the target account to log in under the condition that the validity check of the target account passes, and returns the identity source identifier of the target account to the terminal device.
It should be noted that the server may include a plurality of functional modules therein for providing different types of services, for example, the server may provide an authentication service and an information storage service for a user, so that the authentication service is used to check the validity of an account in a login process, and the information storage service is used to store an identity source identifier and an account state of a registered account in different target application programs. Referring to fig. 5, fig. 5 is a flowchart of a login process provided in an exemplary embodiment, and as shown in fig. 5, after a terminal device sends a login request to a server, the server may implement verification of account validity through an authentication service, and further return an identity source identifier of a target account to the terminal device.
The processes shown in fig. 4 and fig. 5 are only flow illustrations of a login process, and specific implementation manners of each step may refer to each embodiment, which is not described herein again.
It should be noted that, when the terminal device logs in a target account, the terminal device may implement network access through the logged-in target account.
In some embodiments, if the target account logs in on the terminal device for the first time, the target account may apply for issuing a network access certificate to the server through the terminal device, and then apply for network access based on the issued network access certificate. If the target account is not logged in for the first time on the terminal device, the target account can directly apply for network access based on the issued network access certificate.
The following describes the processing procedure in two cases of whether the target account is first logged in.
1. The target account is logged on the terminal equipment for the first time
If the target account logs in the terminal device for the first time, the terminal device may generate a certificate acquisition request based on second account information of the target account, so as to send the certificate acquisition request to the server, and the server may respond to the received certificate acquisition request of the target account, acquire an identity source identifier based on the second account information carried by the certificate acquisition request, add the identity source identifier to a network access certificate generated for the target account, and then send the network access certificate to the terminal device corresponding to the target account.
Optionally, the second account information may include an account identifier of the target account and an organization identifier of an organization to which the target account belongs (for example, an enterprise identifier of an enterprise to which the target account belongs), or the second account information may further include other types of information, and specific content included in the second account information is not limited in this application.
The account identifier of the target account may be acquired as follows: the terminal device may, in response to an input operation of the user, acquire the account input by the user and use it as the account identifier of the target account; or, the user may input an account name on a visual interface of the terminal device, the terminal device acquires the account name input by the user in response to the input operation and sends it to the server, and the server acquires the account identifier of the target account based on the received account name.
The organization identifier of the organization to which the target account belongs may be acquired as follows: the user may input the organization identifier of the organization (such as an enterprise, an institution, and the like) to which the user belongs on a visual interface of the terminal device, and the terminal device may, in response to the input operation, acquire the organization identifier input by the user and use it as the organization identifier of the organization to which the target account belongs; or, the user may input the organization name of the organization to which the user belongs on the visual interface, the terminal device acquires the organization name input by the user in response to the input operation and sends it to the server, and the server acquires the organization identifier of the organization to which the target account belongs based on the received organization name.
Taking the example that the second account information includes the account identifier of the target account and the organization identifier of the organization to which the target account belongs, when the server generates the network access certificate for the target account based on the second account information carried by the certificate acquisition request, the server may perform an encryption calculation on the account identifier and the organization identifier included in the second account information based on the set key to obtain the identity source identifier.
In a possible implementation, the account identifier and the organization identifier included in the second account information may be encrypted by a hash-based encryption algorithm based on the set key to obtain the identity source identifier. Optionally, other encryption algorithms may also be used for the encryption calculation, and the application does not limit which encryption algorithm is specifically used.
The set key may be a key obtained by an encryption calculation based on organization information (such as the organization identifier); optionally, the set key may also be obtained in other manners, and the specific manner of obtaining the set key is not limited in the present application.
The process of generating a network access certificate for a target account is shown in fig. 6, which is a flowchart of issuing a network access certificate according to an exemplary embodiment. After acquiring the account identifier and the organization identifier, the server first calculates the set key based on the organization identifier, then performs an encryption calculation on the organization identifier and the account identifier based on the set key, and uses the result of the encryption calculation as the identity source identifier of the target account. The identity source identifier is then added to the network access certificate, so as to obtain a network access certificate generated specifically for the target account.
The identity source identification of the target account is added to the network access certificate, so that the network access certificate not only comprises the basic information of the target account, but also comprises the identity source identification of the target account, and the identity source identification can be used in the subsequent account state verification process.
After the network access certificate is generated through the process, the generated network access certificate can be returned to the terminal device corresponding to the target account, and the terminal device can store the received network access certificate so that the target account can access the network subsequently based on the network access certificate.
For convenience of understanding, the following describes a process for issuing a network-access certificate through interaction between a terminal device and a server, and referring to fig. 7, fig. 7 is a flowchart illustrating a network-access certificate issuing process according to an exemplary embodiment, where the process may include the following steps:
step 701, the terminal device generates a certificate acquisition request based on the second account information of the target account, where the certificate acquisition request carries the second account information.
Step 702, the terminal device sends a certificate acquisition request to the server.
Step 703, the server acquires an identity source identifier based on the second account information carried in the certificate acquisition request, and adds the identity source identifier to the network access certificate generated for the target account.
Step 704, the server returns the network access certificate to the terminal device.
It should be noted that the server may include a plurality of functional modules therein for providing different types of services, for example, the server may provide a certificate issuing service for a user, so as to implement the issuing process of the network-access certificate through the certificate issuing service. Referring to fig. 8, fig. 8 is a flowchart of a certificate issuing process according to an exemplary embodiment, as shown in fig. 8, after a terminal device sends a certificate acquisition request carrying second account information to a server, the server may verify the second account information through a certificate issuing service, and then, when the second account information is verified, generate a network access certificate based on the second account information, and then return the network access certificate to the terminal device.
Fig. 7 and fig. 8 are only flow illustrations of a process of issuing a network access certificate, and specific implementation manners of each step may refer to each embodiment described above, which is not described herein again.
In more possible implementation manners, before generating a network access certificate for a target account based on second account information carried by the certificate acquisition request, the second account information may be verified, and when the second account information passes verification, the network access certificate may be generated for the target account based on the second account information carried by the certificate acquisition request.
For example, it may be checked whether the second account information meets a set format, and when the second account information meets the set format, it may be determined that the second account information passes the check. Taking the example that the second account information includes the account identifier and the organization identifier, it can be checked whether the account identifier and the organization identifier satisfy the set format, so as to check the second account information.
The second account information is verified, and the network access certificate is generated based on the second account information under the condition that the second account information is verified, so that the network security can be improved.
2. The target account is not logged in for the first time on the terminal equipment
It should be noted that, since the network access certificate is already generated for the target account when the target account logs in for the first time, when the target account logs in again, the network access can be directly realized based on the stored network access certificate without applying for signing and issuing the network access certificate again.
Optionally, the network access certificate involved in the foregoing process may be a digital certificate, for example an X.509 digital certificate, or the network access certificate may be of another type; the application does not limit the specific type of the network access certificate.
The following describes a procedure for implementing network access based on network access credentials.
It should be noted that the target account may trigger the network access request through the terminal device, so as to send the network access request to the server, and optionally, the terminal device may send the network access request to a network device (such as an access controller), and the network device may send the network access request to the server, so that the server may receive the network access request from the terminal device, and then perform processing based on a network access certificate carried by the network access request.
In some embodiments, for step 301, when the validity of the network access certificate carried in the network access request is verified in response to the network access request of the target account, it may be checked whether the network access certificate is within the validity period, or it may be determined whether the signature of the network access certificate meets the signature format of the issuing authority according to the signature format of the authority that issued the network access certificate, so as to implement checking of the validity of the network access certificate.
Taking the example that the validity of the network access certificate is checked by checking whether it is within the validity period, the validity check of the network access certificate can be determined to pass when the network access certificate is within the validity period. For another example, when the validity of the network access certificate is checked by determining, according to the signature format of the authority that issued the certificate, whether the signature of the network access certificate satisfies that signature format, the validity check can be determined to pass when the signature of the network access certificate satisfies the signature format of the issuing authority. The identity source identifier of the target account can then be obtained from the network access certificate in step 302.
When the server implements the above process, it may do so by using a container (or processing area) in the server that provides a processing service for network access requests. After acquiring the identity source identifier of the target account, the server may acquire the account state based on the acquired identity source identifier by using a container (or processing area) that provides a storage service for the identity source identifiers and account states of registered accounts in different target application programs. Since the identity source identifier is obtained by an encryption calculation, for step 303, acquiring the account state of the target account based on the identity source identifier may include the following steps:
Step 3031, decrypting the identity source identifier with a set private key to obtain the account identifier of the target account and the organization identifier of the organization to which the target account belongs.
Step 3032, based on the account identifier, obtaining the account state of the target account from the data storage location in the server corresponding to the organization identifier.
Different organization identifiers may correspond to different data storage locations in the server, so the data storage location storing the account identifier and account state of the target account can first be determined based on the organization identifier, and the account state of the target account is then obtained from the determined data storage location based on the account identifier.
After the account state of the target account is acquired, network access control can be realized based on the acquired account state. In some embodiments, for step 304, when processing the network access request based on the account status, any of the following cases may be included:
in a possible implementation manner, when the account status indicates that the target account is in the set status, the network access request is responded, that is, the network access request of the target account is accepted, and the target account is allowed to access the network, so that the target account can acquire data from the network.
In another possible implementation manner, the network access request is rejected under the condition that the account status indicates that the target account is in a non-set status.
The set state may be an on-duty state, and the non-set state may include an off-duty state, a shift state, and the like.
As shown in fig. 9, which is a flowchart of a network admission control process according to an exemplary embodiment, after receiving a network access request the server may first check the validity of the network access certificate, and may directly reject the network access request if the certificate is determined to be invalid. Only when the network access certificate is valid does the server continue to process the request: the server extracts the identity source identifier of the target account from the network access certificate and calculates the set key using the organization identifier, so that the identity source identifier can be decrypted based on the set key to obtain the organization identifier and the account identifier; it then determines the corresponding data storage location in the server according to the organization identifier, queries the account state in that data storage location according to the account identifier, and decides how to process the network access request according to the account state, that is, the network access request is accepted when the account state is the set state and rejected when the account state is the non-set state.
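The issuance flow of fig. 6 and the admission flow of fig. 9, written out as an added Python model that is not part of the patent. It assumes an HMAC-SHA256 keystream with an HMAC tag as the unspecified encryption algorithm, an HMAC by the issuing authority as the certificate signature, that the certificate's basic information carries the organization identifier in the clear so the server can derive the set key, and constructed keys, identifiers and account states.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample keys (not from the patent).
ISSUER_KEY = b"constructed-issuing-authority-key"   # signs network access certificates
ORG_MASTER_KEY = b"constructed-org-master-key"       # root from which each organization's "set key" is derived

ON_DUTY = "on_duty"   # the "set state"; any other value is a "non-set state"

# Constructed per-organization data storage locations: org id -> {account id -> account state}.
ACCOUNT_STORE = {
    "org-acme": {"alice": ON_DUTY, "bob": "off_duty"},
    "org-globex": {"alice": "shift"},
}


def set_key(org_id: str) -> bytes:
    """Calculate the 'set key' from the organization identifier (first step of fig. 6)."""
    return hmac.new(ORG_MASTER_KEY, org_id.encode(), hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 counter-mode keystream; stands in for the patent's unspecified cipher."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def make_identity_source_id(org_id: str, account_id: str) -> str:
    """Encrypt (org id, account id) under the set key; the result is the identity source identifier."""
    key = set_key(org_id)
    plaintext = json.dumps([org_id, account_id]).encode()
    # Deterministic nonce (synthetic IV): the same account always gets the same identifier,
    # while distinct plaintexts get distinct nonces, so the keystream is never reused.
    nonce = hmac.new(key, plaintext, hashlib.sha256).digest()[:12]
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return base64.urlsafe_b64encode(nonce + ct + tag).decode()


def decrypt_identity_source_id(identity_source_id: str, org_id: str):
    """Step 3031: recover (org id, account id), or None if the tag fails (wrong key or tampering)."""
    key = set_key(org_id)
    raw = base64.urlsafe_b64decode(identity_source_id)
    nonce, ct, tag = raw[:12], raw[12:-16], raw[-16:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16], tag):
        return None
    pt = bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))
    return tuple(json.loads(pt))


def issue_certificate(org_id: str, account_id: str, now: int, lifetime: int = 3600) -> dict:
    """Fig. 6/7: build and sign the network access certificate issued at first login."""
    body = {
        "subject": account_id,
        "org": org_id,   # assumption: the certificate's basic information names the organization
        "not_before": now,
        "not_after": now + lifetime,
        "identity_source_id": make_identity_source_id(org_id, account_id),
    }
    encoded = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "sig": hmac.new(ISSUER_KEY, encoded, hashlib.sha256).hexdigest()}


def certificate_is_valid(cert: dict, now: int) -> bool:
    """Step 301: issuing-authority signature check plus validity-period check."""
    encoded = json.dumps(cert["body"], sort_keys=True).encode()
    expected = hmac.new(ISSUER_KEY, encoded, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cert["sig"]):
        return False
    return cert["body"]["not_before"] <= now <= cert["body"]["not_after"]


def process_network_access_request(cert: dict, now: int) -> str:
    """Fig. 9: steps 301-304 for one network access request carrying `cert`."""
    if not certificate_is_valid(cert, now):
        return "reject: invalid certificate"
    body = cert["body"]
    recovered = decrypt_identity_source_id(body["identity_source_id"], body["org"])
    # Bind the decrypted identifier to the certificate subject, so an identifier cannot be
    # presented inside a certificate issued for another account or organization.
    if recovered != (body["org"], body["subject"]):
        return "reject: identity source identifier invalid or does not match certificate"
    org_id, account_id = recovered
    # Step 3032: the org identifier selects the storage location, the account identifier the record.
    state = ACCOUNT_STORE.get(org_id, {}).get(account_id)
    if state == ON_DUTY:
        return "accept"
    return f"reject: account state {state!r}"


def demo() -> list:
    """An account state change takes effect at once, with no reissue or revocation of the certificate."""
    now = 1_700_000_000
    cert = issue_certificate("org-acme", "alice", now)
    results = [process_network_access_request(cert, now)]             # on duty: accept
    ACCOUNT_STORE["org-acme"]["alice"] = "off_duty"                    # state changes, cert untouched
    results.append(process_network_access_request(cert, now))         # rejected despite valid cert
    ACCOUNT_STORE["org-acme"]["alice"] = ON_DUTY                       # restored: access resumes
    results.append(process_network_access_request(cert, now))
    results.append(process_network_access_request(cert, now + 7200))  # outside the validity period
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```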
For convenience of understanding, the following describes a network admission control process through interaction between a terminal device and a server, with reference to fig. 10, which is a flowchart illustrating a network admission control process according to an exemplary embodiment. The process may include the following steps:
step 1001, the terminal device sends a network access request to the server, and the network access request carries a network access certificate.
Step 1002, the server verifies the validity of the network access certificate carried by the network access request in response to receiving the network access request of the target account.
Step 1003, the server acquires an identity source identifier of the target account, which is unique within the target application program, from the network access certificate under the condition that the validity check of the network access certificate passes.
Step 1004, the server acquires the account state of the target account based on the identity source identifier.
Step 1005, the server processes the network access request based on the account state.
It should be noted that the server may include a plurality of functional modules therein for providing different types of services, for example, the server may provide a network admission service for a user, so as to implement control of network admission through the network admission service. Referring to fig. 11, fig. 11 is a flowchart of a network admission control process according to an exemplary embodiment, as shown in fig. 11, a terminal device may send a network access request to a server, the server checks validity of a certificate through a network admission service after receiving the network access request, and if the check is passed, queries an account status of a target account according to an identity source identifier of the target account, and determines a network access authentication result according to the queried account status, so as to approve or reject network access of the target account according to the network access authentication result.
Fig. 10 and fig. 11 are only flow illustrations of a network admission control process, and specific implementation manners of each step may refer to each of the above embodiments, which is not described herein again.
It should be noted that the network admission service may include a dynamic verification module, so that the network admission service dynamic verification process shown in fig. 11 may be implemented by the dynamic verification module.
By the above embodiments, even if the network access certificate is valid, the effect that the network cannot be accessed when the account status is not the set status can be achieved. Meanwhile, if the target account is restored to the set state, correspondingly, the account state of the identity source identifier of the target account in the target application program can be restored to the set state, and then the network can be accessed continuously subsequently without re-signing the network access certificate.
In addition, the scheme provided by the application can verify the account state of the target account in real time according to the identity source identifier when the target account is authenticated for network access, without using multi-factor authentication, and does not interfere with the user's use of the application, so the user experience is not degraded. Moreover, the scheme provided by the application does not need to build a complex PKI infrastructure, and the network admission service does not need to interface with an OCSP service (because the scheme does not need to check whether the certificate is revoked), thereby reducing the complexity of the system.
In another possible implementation, the server may include a first server and at least one second server, where the first server may be configured to provide a network access request processing service for the at least one second server, the second server may be a background server corresponding to a target application used by the organization to which the target account belongs, and the second server is configured to store at least the identity source identifier and account state of each registered account in the target application.
In this case, the processing method of the network access request provided by the present application may refer to fig. 12, and fig. 12 is a flowchart illustrating a processing method of a network access request according to an exemplary embodiment, where the method may be applied to a first server, as shown in fig. 12, and the method may include the following steps:
step 1201, responding to the received network access request of the target account, and verifying the validity of the network access certificate carried by the network access request.
Step 1202, under the condition that the validity check of the network access certificate passes, acquiring an identity source identifier of the target account, which is unique within the corresponding second server, from the network access certificate.
Step 1203, acquiring the account state of the target account from the second server based on the identity source identifier.
Step 1204, processing the network access request based on the account state.
By adopting the first server and the second server to realize different functions, data between the first server and the second server cannot be mixed, so that the data security can be improved.
Based on the embodiment shown in fig. 12, the process of logging in the target account and verifying the validity of the network access certificate and the related content may be executed by the first server, and for the description of the above content, reference may be made to the above embodiment, and details are not described here.
Under the condition that the validity check of the network access certificate passes, the first server may determine, according to the organization identifier of the organization to which the target account belongs, the target application program used by that organization, and further acquire the account state of the target account from the background server (that is, the second server) of the target application program, so that the subsequent process is executed based on the acquired account state. For the acquisition of the account state and the subsequent process, reference may be made to the above-described embodiments, which are not described herein again.
Corresponding to the embodiments of the method, the present specification also provides embodiments of the apparatus and the server applied thereto.
Referring to fig. 13, fig. 13 is a block diagram of an apparatus for processing a network entry request according to an exemplary embodiment, where the apparatus includes:
the verification module 1301 is configured to, in response to receiving a network access request of a target account, verify validity of a network access certificate carried in the network access request;
an identifier obtaining module 1302, configured to obtain, from the network access certificate, an identity source identifier of the target account that is unique within the target application program when the validity check of the network access certificate passes;
a state obtaining module 1303, configured to obtain an account state of the target account based on the identity source identifier;
the processing module 1304 is configured to process the network access request based on the account status.
In some embodiments, the identity source identifier is obtained by performing an encryption calculation on an account identifier of the target account and an organization identifier of the organization to which the target account belongs with a set key;
the status obtaining module 1303, when configured to obtain the account status of the target account based on the identity source identifier, is configured to:
decrypt the identity source identifier with a set private key to obtain the account identifier of the target account and the organization identifier of the organization to which the target account belongs;
acquire, based on the account identifier, the account state of the target account from the data storage location in the server corresponding to the organization identifier, where different organization identifiers correspond to different data storage locations in the server.
In some embodiments, the processing module 1304, when configured to process the network entry request based on the account status, is configured to any one of:
under the condition that the account status indicates that the target account is in a set state, responding to the network access request;
and refusing the network access request under the condition that the account status indicates that the target account is in a non-set state.
In some embodiments, the apparatus further comprises:
a receiving module, configured to receive a login request of the target account, where the login request carries first account information;
the verification module 1301 is further configured to verify the validity of the target account based on the first account information carried in the login request, and
the target account is allowed to log in when its validity check passes.
In some embodiments, the identifier obtaining module 1302 is further configured to, in response to receiving a certificate obtaining request of the target account when the target account logs in for the first time, obtain the identity source identifier based on second account information carried in the certificate obtaining request;
the apparatus further comprises:
an adding module, configured to add the identity source identifier to the network access certificate generated for the target account; and
a sending module, configured to send the network access certificate to the terminal device corresponding to the target account.
In some embodiments, the second account information includes at least the account identifier of the target account and the organization identifier of the organization to which the target account belongs;
the identifier obtaining module 1302, when obtaining the identity source identifier based on the second account information carried in the certificate obtaining request, is configured to:
perform, based on the preset key, an encryption calculation on the account identifier and the organization identifier included in the second account information to obtain the identity source identifier.
In some embodiments, the verification module 1301 is further configured to verify the second account information and, only when the second account information passes verification, to execute the steps of obtaining the identity source identifier based on the second account information carried in the certificate obtaining request and adding the identity source identifier to the network access certificate generated for the target account.
In some embodiments, the server includes a first server and at least one second server, where the first server is configured to provide a service for processing a network access request for the at least one second server, the second server is a background server corresponding to a target application used by an organization to which a target account belongs, and the second server is configured to store at least an identity source identifier and an account status of a registered account in the target application.
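The issuance and verification flow described by the modules above (and restated in claims 1 to 3 and 5 to 7 below) as a worked example. This is added code, not the patent's or Alibaba Cloud's own implementation. The patent does not name the cipher or the certificate format, so the block assumes an HMAC-SHA256 counter-mode encrypt-then-MAC construction under one server key (standing in for the "preset key" used to encrypt and the "preset private key" used to decrypt), a signed, time-limited dict as the network access certificate, and one dict per organization as the separate data storage locations; all keys, organizations and accounts are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed sample data: each organization's registered accounts live in a
# separate store, mirroring the per-organization storage locations in claim 2.
ACCOUNT_STORES = {
    "org-a": {"alice": "active", "bob": "disabled"},
    "org-b": {"alice": "active"},
}

# Constructed server key (assumption); production code would load it from a KMS.
SERVER_KEY = b"\x01" * 32


def _subkey(master: bytes, label: bytes) -> bytes:
    """Derive an independent subkey per purpose (encryption, MAC, certificate)."""
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stand-in for the cipher the patent leaves unspecified."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def make_identity_source_id(account_id: str, org_id: str, key: bytes = SERVER_KEY) -> str:
    """Claims 2 and 6: encrypt (account identifier, organization identifier) under the key."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    plaintext = json.dumps({"acct": account_id, "org": org_id}, separators=(",", ":")).encode()
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()  # encrypt-then-MAC
    return base64.urlsafe_b64encode(nonce + ciphertext + tag).decode()


def parse_identity_source_id(token: str, key: bytes = SERVER_KEY):
    """Verify the tag, then decrypt; returns (account_id, org_id), or None if forged or tampered."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < 16 + 32:
        return None
    nonce, ciphertext, tag = raw[:16], raw[16:-32], raw[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    fields = json.loads(plaintext)
    return fields["acct"], fields["org"]


def _cert_signature(body: dict, key: bytes) -> str:
    return hmac.new(_subkey(key, b"cert"), json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()


def issue_certificate(second_account_info: dict, now: float, ttl: float = 3600.0, key: bytes = SERVER_KEY):
    """Claims 5 to 7: verify the second account information, then embed the identity
    source identifier in a signed, time-limited network access certificate."""
    account_id = second_account_info.get("account_id")
    org_id = second_account_info.get("org_id")
    if account_id not in ACCOUNT_STORES.get(org_id, {}):
        return None  # verification of the second account information failed: no certificate
    body = {"identity_source_id": make_identity_source_id(account_id, org_id, key), "not_after": now + ttl}
    return {"body": body, "sig": _cert_signature(body, key)}


def certificate_is_valid(cert: dict, now: float, key: bytes = SERVER_KEY) -> bool:
    """Validity check of claim 1: signature intact and certificate not yet expired."""
    body = cert.get("body")
    if not isinstance(body, dict):
        return False
    return hmac.compare_digest(cert.get("sig", ""), _cert_signature(body, key)) and now <= body.get("not_after", 0)


def handle_network_access_request(request: dict, now: float, key: bytes = SERVER_KEY) -> str:
    """Claims 1 to 3: check the certificate, recover the identifiers, look the account up in
    its own organization's store, and respond only when the status is the set state ('active')."""
    cert = request.get("certificate")
    if not isinstance(cert, dict) or not certificate_is_valid(cert, now, key):
        return "reject"
    ids = parse_identity_source_id(cert["body"].get("identity_source_id", ""), key)
    if ids is None:
        return "reject"
    account_id, org_id = ids
    status = ACCOUNT_STORES.get(org_id, {}).get(account_id)
    return "accept" if status == "active" else "reject"


if __name__ == "__main__":
    now = 1_700_000_000.0
    cert = issue_certificate({"account_id": "alice", "org_id": "org-a"}, now)
    print(handle_network_access_request({"certificate": cert}, now))         # accept
    print(handle_network_access_request({"certificate": cert}, now + 7200))  # reject: expired
```

Two points the prose alone does not show: the same account identifier ("alice") exists in both organizations, and only the organization identifier recovered from the identifier decides which store is consulted, which is why the pair is encrypted together; and because the identifier is authenticated before decryption, a token altered in transit or produced under a different key yields None and the request is rejected rather than looked up.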
Since the apparatus embodiments substantially correspond to the method embodiments, reference may be made to the relevant portions of the description of the method embodiments. The apparatus embodiments described above are merely illustrative: the modules described as separate parts may or may not be physically separate, and the parts shown as modules may or may not be physical modules; they may be located in one place or distributed across a plurality of network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution in this specification. One of ordinary skill in the art can understand and implement it without inventive effort.
The present application further provides a server, and referring to fig. 14, fig. 14 is a schematic structural diagram of a server provided in an exemplary embodiment. Referring to FIG. 14, at the hardware level, the server includes a processor 1402, an internal bus 1404, a network interface 1406, a memory 1408, and a non-volatile storage 1410, although hardware required for other functions may also be included. One or more embodiments of the present description can be implemented in software, such as by processor 1402 reading corresponding computer programs from non-volatile storage 1410 into memory 1408 and then running. Of course, besides the software implementation, the one or more embodiments in this specification do not exclude other implementations, such as logic devices or combination of software and hardware, and so on, that is, the execution subject of the following processing flow is not limited to each logic unit, and may also be hardware or logic devices.
The present application further provides a computer program product, which includes a computer program, and when the computer program is executed by a processor, the computer program implements the processing method of the network access request provided in any embodiment of the present application.
The apparatuses or modules illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. A typical implementation device is a computer, which may take the form of a personal computer, laptop computer, cellular telephone, camera phone, smart phone, personal digital assistant, media player, navigation device, email messaging device, game console, tablet computer, wearable device, or a combination of any of these devices.
In a typical configuration, a computer includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, such as random access memory (RAM), and/or non-volatile memory such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both persistent and non-persistent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase-change random access memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic disk storage, quantum memory, graphene-based storage media or other magnetic storage devices, or any other non-transmission media that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory computer-readable media such as modulated data signals and carrier waves.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other identical elements in the process, method, article, or apparatus comprising the element.
The foregoing description has been directed to specific embodiments of this disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
The terminology used in the description of the one or more embodiments is for the purpose of describing the particular embodiments only and is not intended to be limiting of the description of the one or more embodiments. As used in one or more embodiments of the present specification and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in one or more embodiments of the present description to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of one or more embodiments herein. The word "if" as used herein may be interpreted as "at the time of ...", "when ...", or "in response to determining", depending on the context.
The above description is only for the purpose of illustrating the preferred embodiments of the one or more embodiments of the present disclosure, and is not intended to limit the scope of the one or more embodiments of the present disclosure, and any modifications, equivalent substitutions, improvements, etc. made within the spirit and principle of the one or more embodiments of the present disclosure should be included in the scope of the one or more embodiments of the present disclosure.

Claims (11)

1. A processing method of a network access request, applied to a server, the method comprising:
in response to receiving a network access request of a target account, verifying the validity of a network access certificate carried by the network access request;
when the validity check of the network access certificate passes, obtaining, from the network access certificate, an identity source identifier of the target account that is unique within a target application program;
obtaining the account status of the target account based on the identity source identifier; and
processing the network access request based on the account status.
2. The method according to claim 1, wherein the identity source identifier is obtained by performing an encryption calculation, using a preset key, on an account identifier of the target account and an organization identifier of an organization to which the target account belongs;
the obtaining of the account status of the target account based on the identity source identifier includes:
decrypting the identity source identifier using a preset private key to obtain the account identifier of the target account and the organization identifier of the organization to which the target account belongs; and
obtaining, based on the account identifier, the account status of the target account from the data storage location in the server that corresponds to the organization identifier, wherein different organization identifiers correspond to different data storage locations in the server.
3. The method according to claim 1, wherein the processing of the network access request based on the account status includes one of:
responding to the network access request when the account status indicates that the target account is in a set state; or
rejecting the network access request when the account status indicates that the target account is in a non-set state.
4. The method according to claim 1, wherein, before verifying the validity of the network access certificate carried by the network access request in response to receiving the network access request of the target account, the method further comprises:
receiving a login request of the target account, wherein the login request carries first account information;
verifying the validity of the target account based on the first account information carried by the login request; and
allowing the target account to log in when the validity check of the target account passes.
5. The method according to claim 4, wherein, after allowing the target account to log in when the validity check of the target account passes, the method further comprises:
when the target account logs in for the first time, in response to receiving a certificate obtaining request of the target account, obtaining the identity source identifier based on second account information carried by the certificate obtaining request, and adding the identity source identifier to a network access certificate generated for the target account; and
sending the network access certificate to the terminal device corresponding to the target account.
6. The method according to claim 5, wherein the second account information comprises at least an account identifier of the target account and an organization identifier of an organization to which the target account belongs;
the obtaining of the identity source identifier based on the second account information carried by the certificate obtaining request includes:
performing, based on a preset key, an encryption calculation on the account identifier and the organization identifier included in the second account information to obtain the identity source identifier.
7. The method according to claim 5, wherein, before obtaining the identity source identifier based on the second account information carried in the certificate obtaining request and adding the identity source identifier to the network access certificate generated for the target account, the method further comprises:
verifying the second account information, and executing the steps of obtaining the identity source identifier based on the second account information carried by the certificate obtaining request and adding the identity source identifier to the network access certificate generated for the target account only when the second account information passes verification.
8. The method according to claim 1, wherein the server comprises a first server and at least one second server, the first server is configured to provide the service of processing network access requests for the at least one second server, the second server is a backend server corresponding to a target application used by the organization to which the target account belongs, and the second server is configured to store at least the identity source identifier and the account status of each registered account in the target application.
9. An apparatus for processing a network access request, wherein the apparatus is applied to a server and comprises:
a verification module, configured to, in response to receiving a network access request of a target account, verify the validity of a network access certificate carried by the network access request;
an identifier obtaining module, configured to obtain, from the network access certificate, an identity source identifier of the target account that is unique within a target application program when the validity check of the network access certificate passes;
a status obtaining module, configured to obtain the account status of the target account based on the identity source identifier; and
a processing module, configured to process the network access request based on the account status.
10. A server, comprising:
a processor; and
a memory for storing processor-executable instructions;
wherein the processor executes the executable instructions to implement the processing method of a network access request according to any one of claims 1 to 8.
11. A computer-readable storage medium having stored thereon computer instructions which, when executed by a processor, implement the processing method of a network access request according to any one of claims 1 to 8.
CN202210689487.3A 2022-06-16 2022-06-16 Processing method, device, server and medium for network access request Pending CN115150831A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210689487.3A CN115150831A (en) 2022-06-16 2022-06-16 Processing method, device, server and medium for network access request


Publications (1)

Publication Number Publication Date
CN115150831A true CN115150831A (en) 2022-10-04

Family

ID=83407573


Country Status (1)

Country Link
CN (1) CN115150831A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination