CN116633674A - Single-packet authentication method and related device - Google Patents


Info

Publication number
CN116633674A
Authority
CN
China
Prior art keywords
authentication
zero
trust
authentication request
packet
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310786295.9A
Other languages
Chinese (zh)
Inventor
郭炳梁
殷伟
余敏文
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Shenxinfu Information Security Co ltd
Original Assignee
Shenzhen Shenxinfu Information Security Co ltd

Classifications

    • H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication)
    • H04L63/0823 Network architectures or network communication protocols for network security; authentication of entities using certificates
    • H04L63/0838 Network architectures or network communication protocols for network security; authentication of entities using passwords, using one-time passwords
    • H04L63/0861 Network architectures or network communication protocols for network security; authentication of entities using biometrical features, e.g. fingerprint, retina scan
    • H04L69/164 Network arrangements, protocols or services independent of the application payload; adaptation or special uses of the UDP protocol
    • H04L9/40 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols

Abstract

The embodiments of this application provide a single-packet authentication method and a related device, which place at least two authentication factors in a single-packet authorization (SPA) authentication request, so that the security of the single-packet authorization process is further improved while the authentication information is still carried in a single packet. The method of the embodiments comprises the following steps: receiving a single-packet authorization authentication request sent by a zero-trust client, where the request contains at least two types of authentication factor; performing a validity check and an authentication factor check on the request; and, if both the validity check and the authentication factor check pass, sending a server port and/or business service to the zero-trust client.

Description

Single-packet authentication method and related device
Technical Field
The present application relates to the field of network communications technologies, and in particular, to a method and an apparatus for single packet authentication.
Background
Software defined boundary (SDP, also known as software defined perimeter or "black cloud") is a computer security approach that evolved from work done by DISA under the Global Information Grid (GIG) network initiative around 2007; it was later adopted by the Cloud Security Alliance (CSA) and is used by its members.
SDP requires that endpoints be authenticated and authorized before they obtain network access to the protected servers; an encrypted connection is then created in real time between the requesting system and the application infrastructure. SDP hides key IT assets such as the user's data and infrastructure inside the user's own "black cloud", making them invisible from outside. To gain access to a hidden asset, however, a trusted connection between the endpoint and the server must first be established through SPA (single packet authorization).
SPA in the prior art performs single-packet authorization authentication with a single factor, and that single-factor scheme has the following main technical defect:
if the zero-trust server only verifies the zero-trust client's SPA knock key, then a user B who holds user A's SPA knock key can complete single-packet authorization with it and obtain access to the zero-trust server, so the security of single-factor authentication is reduced.
Disclosure of Invention
The embodiments of this application provide a single-packet authentication method and a related device, which place at least two authentication factors in a single-packet authorization authentication request, so that the security of the single-packet authorization process is further improved while the authentication information is still carried in a single packet.
The first aspect of the embodiment of the application provides a single-packet authentication method, which is applied to a zero-trust server, wherein the zero-trust server enables single-packet authorization authentication, and the method comprises the following steps:
receiving a single-package authorization authentication request sent by a zero-trust client, wherein the single-package authorization authentication request comprises at least two types of authentication factors;
carrying out validity check and authentication factor check on the single-packet authorization authentication request;
and if both the validity check and the authentication factor check pass, sending a server port and/or business service to the zero-trust client.
Preferably, the at least two authentication factors include:
at least two different kinds of authentication factors among authentication information of secret knowledge, physical medium authentication information and entity characteristic authentication information.
Preferably, the secret knowledge authentication information includes: a knock key identifier and knock key, a user name and login password, or a security question and answer;
the physical medium authentication information includes: certificate, UKEY or hardware OTP;
the entity characteristic authentication information comprises: a fingerprint, a face image or an iris image.
Preferably, if the at least two types of authentication factors are the knock key identifier and knock key together with a hardware OTP dynamic password, the single-packet authorization authentication request comprises the knock key identifier and the hardware OTP dynamic password encrypted with the knock key;
and checking the authentication factors of the single-packet authorization authentication request comprises the following steps:
determining the knock key corresponding to the knock key identifier according to the knock key identifier;
decrypting the encrypted hardware OTP dynamic password using the knock key;
checking whether the hardware OTP password in the single-packet authorization authentication request is consistent with the hardware OTP password held by the zero-trust server;
if they are consistent, the authentication factor check of the single-packet authorization authentication request passes;
if they are inconsistent, the authentication factor check of the single-packet authorization authentication request fails.
Preferably, the method further comprises:
receiving a user identity authentication request sent by the zero trust client through the server port;
checking the user identity according to the user identity authentication request;
and if the verification is passed, establishing the application layer connection with the zero trust client.
Preferably, the receiving the single-packet authorization authentication request sent by the zero-trust client according to the zero-trust access address includes:
and receiving a single-packet authorization authentication request sent by the zero-trust client according to the zero-trust access address through a UDP protocol.
Preferably, the verifying validity of the single-packet authorization authentication request includes:
and performing a replay check, a tamper (counterfeit) check and a device identification code check on the single-packet authorization authentication request.
A second aspect of the present application provides a zero-trust server, where the zero-trust server enables single-packet authorization authentication, and the zero-trust server includes:
a receiving unit, configured to receive a single-packet authorization authentication request sent by a zero-trust client, where the request includes at least two types of authentication factors;
a verification unit, configured to perform a validity check and an authentication factor check on the single-packet authorization authentication request;
and a sending unit, configured to send a server port and/or business service to the zero-trust client if both the validity check and the authentication factor check pass.
Preferably, the at least two authentication factors include:
at least two different kinds of authentication factors among authentication information of secret knowledge, physical medium authentication information and entity characteristic authentication information.
Preferably, the secret knowledge authentication information includes: a knock key identifier and knock key, a user name and login password, or a security question and answer;
the physical medium authentication information includes: certificate, UKEY or hardware OTP;
the entity characteristic authentication information comprises: a fingerprint, a face image or an iris image.
Preferably, if the at least two types of authentication factors are the knock key identifier and knock key together with a hardware OTP dynamic password, the single-packet authorization authentication request comprises the knock key identifier and the hardware OTP dynamic password encrypted with the knock key;
and the verification unit is specifically configured to:
determine the knock key corresponding to the knock key identifier according to the knock key identifier;
decrypt the encrypted hardware OTP dynamic password using the knock key;
check whether the hardware OTP password in the single-packet authorization authentication request is consistent with the hardware OTP password held by the zero-trust server;
if they are consistent, pass the authentication factor check of the single-packet authorization authentication request;
if they are inconsistent, fail the authentication factor check of the single-packet authorization authentication request.
Preferably, the receiving unit is further configured to:
receiving a user identity authentication request sent by the zero trust client through the server port;
the verification unit is further configured to:
checking the user identity according to the user identity authentication request;
and if the verification is passed, establishing the application layer connection with the zero trust client.
Preferably, the receiving unit is specifically configured to:
and receiving a single-packet authorization authentication request sent by the zero-trust client according to the zero-trust access address through a UDP protocol.
Preferably, the verification unit is specifically configured to:
and performing a replay check, a tamper (counterfeit) check and a device identification code check on the single-packet authorization authentication request.
A third aspect of the embodiments of the present application provides a computer apparatus, comprising a processor for implementing the method for single-packet authentication provided in the first aspect of the embodiments of the present application when executing a computer program stored on a memory.
A fourth aspect of the embodiments of the present application provides a computer-readable storage medium having stored thereon a computer program for implementing the method for single-packet authentication provided in the first aspect of the embodiments of the present application when the computer program is executed by a processor.
From the above technical solutions, the embodiment of the present application has the following advantages:
in the embodiment of the application, the authentication request of single-packet authorization between the zero-trust client and the zero-trust server comprises at least two types of authentication factors, so that the reliability of the authentication process is further improved on the basis of single-packet data transmission compared with the authentication of single factors in the prior art.
Drawings
FIG. 1 is a schematic diagram of an embodiment of a method for single packet authentication in an embodiment of the present application;
FIG. 2 is a refinement of step 102 of the embodiment of FIG. 1 according to the present application;
FIG. 3 is a schematic diagram of an embodiment of a zero trust server according to an embodiment of the present application.
Detailed Description
The embodiments of this application provide a single-packet authentication method and a related device, which place at least two authentication factors in a single-packet authorization authentication request, so that the security of the single-packet authorization process is further improved while the authentication information is still carried in a single packet.
In order that those skilled in the art will better understand the present application, a technical solution in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present application without making any inventive effort, shall fall within the scope of the present application.
The terms first, second, third, fourth and the like in the description and in the claims and in the above drawings are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments described herein may be implemented in other sequences than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
For convenience of understanding, the following terms in the embodiments of the present application will be described first:
1. Zero trust: a security concept of "never trust, always verify", developed into a security framework of "identity-centric, continuous trust evaluation and dynamic access control". Its mainstream technical realizations fall into three types: SDP (software defined boundary), IAM (unified identity management) and MSG (micro-isolation, i.e. micro-segmentation). "Zero trust" in the scheme of this application refers specifically to SDP-type products.
2. SDP software defined boundary: before a hidden asset can be accessed, a trusted connection must be established through SPA single-packet authorization, and access control over the user follows a least-privilege (minimum authorization) policy. It consists of three components: an SDP control center, a proxy gateway (these two hereinafter referred to together as the "server"), and an SDP connection initiator (hereinafter referred to as the "client").
3. SPA single-packet authorization: the client sends the server an authentication request in a single data packet carrying authentication information. Before the authentication passes, a TCP connection cannot be established (or only a restricted one can be), so the services provided by the server cannot be accessed; after the authentication passes, the client is allowed to establish connections to the services of the server.
4. SPA knock key: the authentication information used in the SPA single-packet authorization process.
5. Identity authentication: in general, confirming a user's identity in one or more ways. In the scheme of this application, identity authentication refers to the server-side authentication service that can only be accessed after SPA single-packet authorization has passed; that is, SPA single-packet authorization itself is not the identity authentication service referred to in this application.
Next, a description will be given of a single packet authentication method according to an embodiment of the present application, referring to fig. 1, and one embodiment of the single packet authentication method according to an embodiment of the present application includes:
101. receiving a single-package authorization authentication request sent by a zero-trust client, wherein the single-package authorization authentication request comprises at least two types of authentication factors;
the embodiment of the application is applied to the SPA single-packet authorization scene, wherein the zero-trust server in the embodiment of the application enables single-packet authorization authentication, namely before the zero-trust client and the zero-trust server establish the connection of an application layer, the zero-trust server is required to carry out single-packet authorization authentication on the zero-trust client, and only after the single-packet authorization authentication passes, the zero-trust client and the zero-trust server can be allowed to establish service connection (namely, the connection of the application layer).
In the prior art, when the zero-trust client sends a single-packet authorization authentication request to the zero-trust server, the zero-trust server only verifies the client's knock key, and once the knock verification passes it sends a server port and/or business service to the zero-trust client. As a result, a user B who intercepts user A's knock key can access the zero-trust server with A's key, which leads to data leakage.
In the embodiment of the application, in order to further improve the reliability of single-packet authorization authentication, when the zero-trust client in the embodiment of the application sends the single-packet authorization authentication request to the zero-trust server, the single-packet authorization authentication request comprises at least two types of authentication factors, so that the reliability of the authentication process is improved compared with the single-factor authentication in the prior art.
Specifically, at least two types of authentication factors in the embodiment of the present application include:
two authentication factors of different kinds in secret knowledge authentication information, physical medium authentication information and entity characteristic authentication information.
The authentication information of the secret knowledge comprises a knock key identification, a knock key, a user name, a login password or a security question and answer; the physical medium authentication information includes: certificate, UKEY or hardware OTP; the entity characteristic authentication information includes: a fingerprint, a face image or an iris image.
Therefore, the at least two different types of authentication factor in the single-packet authorization authentication request of this embodiment may be one secret-knowledge factor plus one physical-medium factor (for example, a knock key identifier and knock key, plus a certificate), one secret-knowledge factor plus one entity-characteristic factor (for example, a knock key identifier and knock key, plus a fingerprint), or one physical-medium factor plus one entity-characteristic factor (for example, a certificate plus a fingerprint).
Because the single-packet authentication request sent by the zero-trust client to the zero-trust server contains at least 2 types of authentication factors, compared with the single authentication factors in the prior art, the embodiment of the application improves the reliability and the security of the authentication process on the premise of ensuring single-packet information transmission.
102. Verifying the validity verification and the authentication factors of the single-packet authorization authentication request;
After the zero-trust server obtains the decrypted single-packet authorization authentication request, it checks the validity and the authentication factors of the request. If the checks pass, step 103 is executed; if they do not pass, the zero-trust server does not respond to the zero-trust client.
103. If both the validity check and the authentication factor check pass, sending a server port and/or business service to the zero-trust client.
And if the verification of the validity verification and the authentication factor of the zero-trust client is passed by the zero-trust server, the zero-trust server sends a server port and/or business service to the zero-trust client.
Furthermore, to keep the data transmission to a single packet, the zero-trust client and the zero-trust server communicate over the UDP protocol in the embodiment of this application. This ensures that only a single packet is used and no packet is returned during the transmission, which in turn protects the reliability of the communication process between the zero-trust client and the zero-trust server.
In the embodiment of the application, at least two types of authentication factors are set in the single-packet authorization authentication request between the zero-trust client and the zero-trust server, so that the reliability of the authentication process is further improved compared with the authentication of the single factor in the prior art.
Based on the embodiment of fig. 1, when the validity check on the single-packet authorization request is executed in step 102, the validity check includes, but is not limited to, a replay check, a tamper (falsification) check and a device identification check. The replay check verifies whether the single-packet authorization request is one that the zero-trust server has already received, so as to prevent a user B who has intercepted user A's knock key from sending that request to the zero-trust server; the tamper check verifies whether the single-packet authorization request has been modified; and the device identification check verifies whether the device identification exists in the zero-trust server, so as to determine whether the device identification is legitimate.
Further, based on the embodiment described in fig. 1, after the single-packet authorization authentication request is completed between the zero-trust client and the zero-trust server, in order to further improve the reliability of the communication process between the zero-trust client and the zero-trust server, the embodiment of the application may further perform identity authentication on the zero-trust client, so after the zero-trust server sends a server port and/or service to the zero-trust client, the zero-trust server receives the identity authentication request sent by the zero-trust client, and verifies the identity of the zero-trust client according to the identity authentication request, and if the verification passes, an application layer connection between the zero-trust client and the zero-trust server is established.
The identity authentication can be mobile-phone verification code authentication, e-mail verification code authentication, two-dimensional code (QR code) authentication, etc.; the form of authentication is not particularly limited. It should be noted, however, that because the zero-trust server and the zero-trust client need bidirectional communication during identity authentication, they communicate over the TCP protocol in that phase.
Based on the embodiment described in fig. 1, if at least two types of authentication factors in the single-packet authorization authentication request in step 101 are the knock key identifier and the knock key, and the hardware OTP dynamic password, the corresponding single-packet authorization authentication request includes the knock key identifier and the hardware OTP dynamic password encrypted by the knock key, and step 102 is described in detail below, please refer to fig. 2, and fig. 2 is a detailed step of step 102:
201. determining a knock key corresponding to the knock key identifier according to the knock key identifier;
specifically, after receiving the single packet authorization authentication request sent by the zero trust client, the zero trust server first obtains the knock key identifier (plaintext transmission) in the single packet authorization authentication request, then determines the knock key corresponding to the knock key identifier in the zero trust server or the database according to the knock key identifier, and executes step 202 by using the knock key.
202. Decrypting the encrypted hardware OTP dynamic password by using the knock key;
After the zero-trust server obtains the knock key corresponding to the knock key identifier, it decrypts the encrypted hardware OTP dynamic password with the knock key to obtain the plaintext hardware OTP dynamic password.
203. Checking whether the hardware OTP password in the single-packet authorization authentication request is consistent with the hardware OTP password of the zero trust server;
after the zero trust server obtains the hardware OTP dynamic password of the plaintext, the zero trust server matches the obtained hardware OTP dynamic password with the hardware OTP password pre-generated by the zero trust server and checks whether the obtained hardware OTP dynamic password is consistent with the hardware OTP password pre-generated by the zero trust server, if so, the step 204 is executed, and if not, the step 205 is executed.
204. If they are consistent, the authentication factor check of the single-packet authorization authentication request passes;
If the obtained hardware OTP dynamic password is consistent with the hardware OTP password pre-generated by the zero-trust server, the zero-trust server passes the authentication factor check of the zero-trust client's single-packet authorization authentication request.
205. If they are inconsistent, the authentication factor check of the single-packet authorization authentication request fails.
If the obtained hardware OTP dynamic password is inconsistent with the hardware OTP password pre-generated by the zero-trust server, the zero-trust server fails the authentication factor check of the zero-trust client's single-packet authorization authentication request.
In the embodiment of this application, the process by which the zero-trust server checks a single-packet authorization authentication request containing at least two authentication factors is described in detail, which improves the reliability of the checking process.
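The client-side knock packet and the server-side checks of steps 201 to 205, together with the replay, tamper and device identification checks of step 102, as an added example in Go that is not part of the patent and is not code from Shenzhen Shenxinfu. Everything beyond the patent's text is an assumption of this example: the datagram layout, AES-256-GCM as the "encryption by the knock key" (the patent names no cipher; the GCM tag also serves as the tamper check), the hardware OTP modelled as RFC 4226 HOTP over a 30-second counter, the names BuildSPAPacket, Server, Verify and HOTP, and the constructed key identifiers, device codes and seeds used in the tests.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Constructed datagram layout (an assumption of this example, not the patent's wire format):
//   [0:16]  knock key identifier (plaintext, step 201)   [16:32] device identification code
//   [32:40] client unix timestamp, big-endian            [40:52] nonce, reused as the GCM nonce
//   [52:]   AES-GCM ciphertext+tag of the OTP digits, with bytes [0:40] as additional data
const keyIDLen, devIDLen, nonceLen, headerLen = 16, 16, 12, 40

// Server holds the zero-trust server state used by steps 102 and 201-205.
type Server struct {
	Keys    map[string][]byte // knock key identifier -> AES-256 knock key
	Seeds   map[string][]byte // knock key identifier -> seed of the user's hardware OTP token (assumed model)
	Devices map[string]bool   // registered device identification codes
	seen    map[string]bool   // nonces already accepted (replay cache)
}

func NewServer(keys, seeds map[string][]byte, devices map[string]bool) *Server {
	return &Server{Keys: keys, Seeds: seeds, Devices: devices, seen: map[string]bool{}}
}

// HOTP is the RFC 4226 truncation over HMAC-SHA1; the hardware OTP is modelled here as HOTP
// driven by a 30 s time-step counter (an assumption; a real token's algorithm may differ).
func HOTP(secret []byte, counter uint64) string {
	var c [8]byte
	binary.BigEndian.PutUint64(c[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(c[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

func otpCounter(t time.Time) uint64 { return uint64(t.Unix() / 30) }
func unpad(b []byte) string         { return string(bytes.TrimRight(b, "\x00")) }
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// BuildSPAPacket is the client side: the OTP is encrypted under the knock key and the plaintext header is bound to it as GCM additional data.
func BuildSPAPacket(keyID, deviceID string, knockKey []byte, otp string, ts time.Time, nonce []byte) ([]byte, error) {
	gcm, err := gcmFor(knockKey)
	if err != nil || len(nonce) != nonceLen {
		return nil, errors.New("bad knock key or nonce length")
	}
	hdr := make([]byte, headerLen) // zero padding comes from make; copy truncates over-long ids
	copy(hdr, keyID)
	copy(hdr[keyIDLen:], deviceID)
	binary.BigEndian.PutUint64(hdr[keyIDLen+devIDLen:], uint64(ts.Unix()))
	pkt := append(append([]byte{}, hdr...), nonce...)
	return gcm.Seal(pkt, nonce, []byte(otp), hdr), nil
}

// Verify runs the validity checks (device id, replay, tamper) and then the factor check of steps 201-205; nil means every check passed.
func (s *Server) Verify(pkt []byte, now time.Time) error {
	if len(pkt) < headerLen+nonceLen+16 { // 16 bytes is the GCM tag
		return errors.New("malformed: datagram too short")
	}
	hdr, nonce, ct := pkt[:headerLen], pkt[headerLen:headerLen+nonceLen], pkt[headerLen+nonceLen:]
	keyID, ts := unpad(hdr[:keyIDLen]), time.Unix(int64(binary.BigEndian.Uint64(hdr[keyIDLen+devIDLen:])), 0)
	if !s.Devices[unpad(hdr[keyIDLen:keyIDLen+devIDLen])] { // device identification code check
		return errors.New("device check failed: unknown device id")
	}
	if d := now.Sub(ts); d > time.Minute || d < -time.Minute || s.seen[string(nonce)] { // replay check
		return errors.New("replay check failed: stale timestamp or reused nonce")
	}
	// Step 201: knock key lookup by plaintext identifier; an unknown id yields an empty key, which aes.NewCipher rejects.
	gcm, err := gcmFor(s.Keys[keyID])
	if err != nil {
		return errors.New("unknown knock key id")
	}
	// Step 202 plus the tamper (counterfeit) check: Open fails if the ciphertext or the bound header was changed.
	otp, err := gcm.Open(nil, nonce, ct, hdr)
	if err != nil {
		return errors.New("tamper check failed: GCM tag mismatch")
	}
	// Steps 203-205: constant-time comparison with the OTP the server expects for this time step.
	if subtle.ConstantTimeCompare(otp, []byte(HOTP(s.Seeds[keyID], otpCounter(ts)))) != 1 {
		return errors.New("factor check failed: OTP mismatch")
	}
	s.seen[string(nonce)] = true
	return nil
}
```

Verify returns a distinct error per failed check so that a reader can see which one fired; a deployed zero-trust server would only log that internally and send nothing back over UDP, as step 102 describes, since the only legitimate reply to a knock is opening the port or service. The nonce is recorded only after every check passes, the knock key identifier travels in plaintext exactly as step 201 states, and the OTP never appears on the wire outside the GCM envelope, so a captured packet reveals neither the knock key nor the one-time password.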
The method for single-packet authentication in the embodiment of the present application is described in detail above, and the following describes a zero-trust server in the embodiment of the present application, please refer to fig. 3, and one embodiment of the zero-trust server in the embodiment of the present application includes:
a receiving unit 301, configured to receive a single packet authorization authentication request sent by a zero trust client, where the single packet authorization authentication request includes at least two types of authentication factors;
a verification unit 302, configured to perform validity verification and authentication factor verification on the single packet authorization authentication request;
and a sending unit 303, configured to send a server port and/or business service to the zero-trust client if both the validity check and the authentication factor check pass.
Preferably, the at least two authentication factors include:
at least two different kinds of authentication factors among authentication information of secret knowledge, physical medium authentication information and entity characteristic authentication information.
Preferably, the secret knowledge authentication information includes: a knock key identifier and knock key, a user name and login password, or a security question and answer;
the physical medium authentication information includes: certificate, UKEY or hardware OTP;
the entity characteristic authentication information comprises: a fingerprint, a face image or an iris image.
Preferably, if the at least two types of authentication factors are the knock key identifier and knock key together with a hardware OTP dynamic password, the single-packet authorization authentication request comprises the knock key identifier and the hardware OTP dynamic password encrypted with the knock key;
and the verification unit 302 is specifically configured to:
determine the knock key corresponding to the knock key identifier according to the knock key identifier;
decrypt the encrypted hardware OTP dynamic password using the knock key;
check whether the hardware OTP password in the single-packet authorization authentication request is consistent with the hardware OTP password held by the zero-trust server;
if they are consistent, pass the authentication factor check of the single-packet authorization authentication request;
if they are inconsistent, fail the authentication factor check of the single-packet authorization authentication request.
Preferably, the receiving unit 301 is further configured to:
receive a user identity authentication request sent by the zero-trust client through the server port;
the verification unit 302 is further configured to:
check the user identity according to the user identity authentication request;
and if the check passes, establish an application layer connection with the zero-trust client.
Preferably, the receiving unit 301 is specifically configured to:
receive the single-packet authorization authentication request that the zero-trust client sends, according to the zero-trust access address, over UDP.
Preferably, the verification unit 302 is specifically configured to:
perform a replay check, a forgery check and a device identification code check on the single-packet authorization authentication request.
In the embodiment of the present application, the single-packet authorization authentication request received by the receiving unit 301 includes at least two types of authentication factors, so the reliability of the authentication process is further improved compared with the single-factor authentication of the prior art.
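As an added illustration (not code from the patent or the applicant), the checks assigned to the verification unit above, in Python: a constructed single-packet request carrying a knock key identifier and a knock-key-encrypted hardware OTP is run through a forgery check, a replay check, a device identification code check and the OTP comparison. The packet layout, the HMAC-derived keystream standing in for the product's cipher, the HOTP-style server-side OTP, and all keys and identifiers are assumptions.

```python
import hashlib
import hmac
import json
import os
import struct
import time

# Constructed server-side state (assumptions, not from the patent): knock keys indexed by
# their identifier, the OTP seed shared with each hardware token, and the device
# identification codes allowed to use each knock key.
KNOCK_KEYS = {"kid-01": b"constructed-knock-key-0123456789"}
OTP_SEEDS = {"kid-01": b"constructed-hardware-otp-seed"}
DEVICE_ALLOWLIST = {"kid-01": {"dev-7f3a"}}
REPLAY_WINDOW_SECONDS = 60
OTP_STEP_SECONDS = 30
SEEN_NONCES = set()


def hotp(seed, counter, digits=6):
    """RFC 4226 HOTP; the server's copy of the hardware OTP for a given time step."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def keystream_xor(key, nonce, data):
    """Assumption: an HMAC-SHA256 keystream stands in for the product's knock-key cipher."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def build_request(key_id, device_id, otp, now=None):
    """Client side: one UDP datagram holding the knock key id and the encrypted hardware OTP."""
    now = int(time.time()) if now is None else int(now)
    key = KNOCK_KEYS[key_id]
    nonce = os.urandom(12)
    body = {"kid": key_id, "dev": device_id, "ts": now, "nonce": nonce.hex(),
            "otp": keystream_xor(key, nonce, otp.encode()).hex()}
    raw = json.dumps(body, sort_keys=True).encode()
    # Integrity tag under the knock key; the server's forgery check verifies it.
    tag = hmac.new(key, raw, hashlib.sha256).hexdigest().encode()
    return raw + b"." + tag


def verify_request(datagram, now=None):
    """Server side: validity check (forgery, replay, device id), then the factor check."""
    now = int(time.time()) if now is None else int(now)
    raw, _, tag = datagram.rpartition(b".")
    try:
        body = json.loads(raw)
        key = KNOCK_KEYS[body["kid"]]  # knock key determined from its identifier
    except (ValueError, KeyError, TypeError):
        return False, "malformed packet or unknown knock key identifier"
    # Forgery check: the tag must verify under the knock key before anything else is trusted.
    expected_tag = hmac.new(key, raw, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected_tag, tag):
        return False, "forgery check failed"
    # Replay check: timestamp inside the window and nonce never seen before.
    if abs(now - body["ts"]) > REPLAY_WINDOW_SECONDS or body["nonce"] in SEEN_NONCES:
        return False, "replay check failed"
    SEEN_NONCES.add(body["nonce"])
    # Device identification code check.
    if body["dev"] not in DEVICE_ALLOWLIST.get(body["kid"], set()):
        return False, "device identification code check failed"
    # Authentication factor check: decrypt with the knock key, compare with the server's OTP.
    otp = keystream_xor(key, bytes.fromhex(body["nonce"]), bytes.fromhex(body["otp"]))
    if not hmac.compare_digest(otp, hotp(OTP_SEEDS[body["kid"]], now // OTP_STEP_SECONDS).encode()):
        return False, "authentication factor check failed"
    return True, "checks passed: server port may be opened for this client"


if __name__ == "__main__":
    now = int(time.time())
    token_otp = hotp(OTP_SEEDS["kid-01"], now // OTP_STEP_SECONDS)  # what the hardware token shows
    packet = build_request("kid-01", "dev-7f3a", token_otp, now)
    print(verify_request(packet, now))  # first use passes
    print(verify_request(packet, now))  # replay of the same datagram is rejected
```

A deployment would carry the datagram over the UDP socket bound to the zero-trust access address and keep the nonce cache bounded to the replay window.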
The zero-trust server in the embodiment of the present application is described above from the point of view of a modularized functional entity; the computer device in the embodiment of the present application is described below from the point of view of hardware processing:
the computer device is used to realize the functions of the zero-trust server, and one embodiment of the computer device comprises:
a processor and a memory;
the memory is used to store a computer program, and the processor is used to execute the computer program stored in the memory, so that the following steps are realized:
receiving a single-packet authorization authentication request sent by a zero-trust client, where the single-packet authorization authentication request comprises at least two types of authentication factors;
performing a validity check and an authentication factor check on the single-packet authorization authentication request;
and if both the validity check and the authentication factor check pass, sending a server port and/or a business service to the zero-trust server.
In some embodiments of the application, the at least two authentication factors include:
at least two different kinds of authentication factors among secret knowledge authentication information, physical medium authentication information and entity characteristic (biometric) authentication information.
In some embodiments of the application, the secret knowledge authentication information comprises a key identifier and key, a user name and login password, or a security question and answer;
the physical medium authentication information includes a certificate, a UKEY or a hardware OTP;
the entity characteristic authentication information includes a fingerprint, a face image or an iris image.
In some embodiments of the present application, if the at least two types of authentication factors include a knock key identifier and a hardware OTP dynamic password encrypted with the knock key, that is, the single-packet authorization authentication request comprises the knock key identifier and the hardware OTP dynamic password encrypted with the knock key,
the processor may implement the following steps:
determining the knock key corresponding to the knock key identifier;
decrypting the encrypted hardware OTP dynamic password with the knock key;
checking whether the hardware OTP password in the single-packet authorization authentication request is consistent with the hardware OTP password held by the zero-trust server;
if they are consistent, the authentication factor check of the single-packet authorization authentication request passes;
if they are inconsistent, the authentication factor check of the single-packet authorization authentication request does not pass.
In some embodiments of the application, the processor may implement the following steps:
receiving a user identity authentication request sent by the zero-trust client through the server port;
checking the user identity according to the user identity authentication request;
and if the check passes, establishing an application layer connection with the zero-trust client.
In some embodiments of the application, the processor may implement the following step:
receiving the single-packet authorization authentication request that the zero-trust client sends, according to the zero-trust access address, over UDP.
In some embodiments of the application, the processor may implement the following step:
performing a replay check, a forgery check and a device identification code check on the single-packet authorization authentication request.
It will be appreciated that when the processor in the above-described computer device executes the computer program, the functions of each unit in the corresponding apparatus embodiments may also be implemented, which are not described again here. The computer program may be divided into one or more modules/units, which are stored in the memory and executed by the processor to carry out the present application. The one or more modules/units may be a series of computer program instruction segments capable of performing specific functions, used to describe the execution of the computer program in the zero-trust server. For example, the computer program may be split into units in the zero-trust server that implement the specific functions described for the corresponding gateway device.
The computer device can be a desktop computer, a notebook computer, a palmtop computer, a cloud server or other computing equipment. The computer device may include, but is not limited to, a processor and a memory. It will be appreciated by those skilled in the art that the processor and memory are merely examples of the computer device and do not limit it; the computer device may include more or fewer components, may combine certain components, or may have different components, e.g., it may also include input and output devices, network access devices, buses, etc.
The processor may be a central processing unit (Central Processing Unit, CPU), but may also be another general-purpose processor, a digital signal processor (Digital Signal Processor, DSP), an application-specific integrated circuit (Application Specific Integrated Circuit, ASIC), a field-programmable gate array (Field-Programmable Gate Array, FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor. The processor is the control center of the computer device and connects the various parts of the whole computer device using various interfaces and lines.
The memory may be used to store the computer program and/or modules, and the processor implements the various functions of the computer device by running or executing the computer program and/or modules stored in the memory and invoking the data stored in the memory. The memory may mainly include a program storage area and a data storage area, where the program storage area may store an operating system, an application program required for at least one function, and the like, and the data storage area may store data created according to the use of the terminal, etc. In addition, the memory may include high-speed random access memory, and may also include non-volatile memory, such as a hard disk, internal memory, plug-in hard disk, smart media card (Smart Media Card, SMC), Secure Digital (SD) card, flash card (Flash Card), at least one magnetic disk storage device, flash memory device, or other volatile solid-state storage device.
The present application also provides a computer-readable storage medium for implementing the functions of the zero-trust server, on which a computer program is stored; when executed by a processor, the computer program can be used to perform the following steps:
receiving a single-packet authorization authentication request sent by a zero-trust client, where the single-packet authorization authentication request comprises at least two types of authentication factors;
performing a validity check and an authentication factor check on the single-packet authorization authentication request;
and if both the validity check and the authentication factor check pass, sending a server port and/or a business service to the zero-trust server.
In some embodiments of the application, the at least two authentication factors include:
at least two different kinds of authentication factors among secret knowledge authentication information, physical medium authentication information and entity characteristic (biometric) authentication information.
In some embodiments of the application, the secret knowledge authentication information comprises a key identifier and key, a user name and login password, or a security question and answer;
the physical medium authentication information includes a certificate, a UKEY or a hardware OTP;
the entity characteristic authentication information includes a fingerprint, a face image or an iris image.
In some embodiments of the present application, if the at least two types of authentication factors include a knock key identifier and a hardware OTP dynamic password encrypted with the knock key, that is, the single-packet authorization authentication request comprises the knock key identifier and the hardware OTP dynamic password encrypted with the knock key,
the computer program stored in the computer-readable storage medium, when executed by a processor, can implement the following steps:
determining the knock key corresponding to the knock key identifier;
decrypting the encrypted hardware OTP dynamic password with the knock key;
checking whether the hardware OTP password in the single-packet authorization authentication request is consistent with the hardware OTP password held by the zero-trust server;
if they are consistent, the authentication factor check of the single-packet authorization authentication request passes;
if they are inconsistent, the authentication factor check of the single-packet authorization authentication request does not pass.
In some embodiments of the present application, the computer program stored in the computer-readable storage medium, when executed by a processor, can implement the following steps:
receiving a user identity authentication request sent by the zero-trust client through the server port;
checking the user identity according to the user identity authentication request;
and if the check passes, establishing an application layer connection with the zero-trust client.
In some embodiments of the present application, the computer program stored in the computer-readable storage medium, when executed by a processor, can implement the following step:
receiving the single-packet authorization authentication request that the zero-trust client sends, according to the zero-trust access address, over UDP.
In some embodiments of the present application, the computer program stored in the computer-readable storage medium, when executed by a processor, can implement the following step:
performing a replay check, a forgery check and a device identification code check on the single-packet authorization authentication request.
It will be appreciated that the integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a corresponding computer-readable storage medium. Based on such understanding, the present application may implement all or part of the flows of the above-described embodiment methods by means of a computer program that instructs the relevant hardware, where the computer program may be stored in a computer-readable storage medium and, when executed by a processor, can implement the steps of each of the above-described method embodiments. The computer program comprises computer program code, which may be in source code form, object code form, an executable file or some intermediate form, etc. The computer-readable medium may include any entity or device capable of carrying the computer program code, a recording medium, a USB flash drive, a removable hard disk, a magnetic disk, an optical disk, a computer memory, a read-only memory (Read-Only Memory, ROM), a random access memory (Random Access Memory, RAM), an electrical carrier signal, a telecommunications signal, a software distribution medium, and so forth. It should be noted that the content contained in the computer-readable medium may be appropriately increased or decreased according to the requirements of legislation and patent practice in the jurisdiction; for example, in certain jurisdictions, according to legislation and patent practice, the computer-readable medium does not include electrical carrier signals and telecommunications signals.
It will be clear to those skilled in the art that, for convenience and brevity of description, the specific working procedures of the above-described systems, apparatuses and units may refer to the corresponding procedures in the foregoing method embodiments, which are not repeated here.
In the several embodiments provided in the present application, it should be understood that the disclosed systems, devices, and methods may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The above embodiments are only for illustrating the technical solution of the present application, and not for limiting the same; although the application has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present application.

Claims (10)

1. A method for single-packet authentication, applied to a zero-trust server on which single-packet authorization authentication is enabled, the method comprising:
receiving a single-packet authorization authentication request sent by a zero-trust client, wherein the single-packet authorization authentication request comprises at least two types of authentication factors;
performing a validity check and an authentication factor check on the single-packet authorization authentication request;
and if both the validity check and the authentication factor check pass, sending a server port and/or a business service to the zero-trust server.
2. The method of claim 1, wherein the at least two authentication factors comprise:
at least two different kinds of authentication factors among secret knowledge authentication information, physical medium authentication information and entity characteristic (biometric) authentication information.
3. The method of claim 2, wherein the secret knowledge authentication information comprises a key identifier and key, a user name and login password, or a security question and answer;
the physical medium authentication information comprises a certificate, a UKEY or a hardware OTP;
the entity characteristic authentication information comprises a fingerprint, a face image or an iris image.
4. The method according to claim 3, wherein if the at least two types of authentication factors include a knock key identifier and a hardware OTP dynamic password encrypted with the knock key, that is, the single-packet authorization authentication request comprises the knock key identifier and the hardware OTP dynamic password encrypted with the knock key,
performing the authentication factor check on the single-packet authorization authentication request comprises the following steps:
determining the knock key corresponding to the knock key identifier;
decrypting the encrypted hardware OTP dynamic password with the knock key;
if the decryption succeeds, checking whether the hardware OTP password in the single-packet authorization authentication request is consistent with the hardware OTP password held by the zero-trust server;
if they are consistent, the authentication factor check of the single-packet authorization authentication request passes;
if they are inconsistent, the authentication factor check of the single-packet authorization authentication request does not pass.
5. The method according to claim 1, wherein the method further comprises:
receiving a user identity authentication request sent by the zero-trust client through the server port;
checking the user identity according to the user identity authentication request;
and if the check passes, establishing an application layer connection with the zero-trust client.
6. The method of claim 1, wherein receiving the single-packet authorization authentication request sent by the zero-trust client according to the zero-trust access address comprises:
receiving the single-packet authorization authentication request that the zero-trust client sends, according to the zero-trust access address, over UDP.
7. The method of any of claims 1 to 6, wherein performing the validity check on the single-packet authorization authentication request comprises:
performing a replay check, a forgery check and a device identification code check on the single-packet authorization authentication request.
8. A zero-trust server on which single-packet authorization authentication is enabled, the zero-trust server comprising:
a receiving unit, configured to receive a single-packet authorization authentication request sent by a zero-trust client, wherein the single-packet authorization authentication request comprises at least two types of authentication factors;
a verification unit, configured to perform a validity check and an authentication factor check on the single-packet authorization authentication request;
and a sending unit, configured to send a server port and/or a business service to the zero-trust server if both the validity check and the authentication factor check pass.
9. A computer device comprising a processor, characterized in that the processor, when executing a computer program stored in a memory, is adapted to implement the method of single-packet authentication as claimed in any one of claims 1 to 7.
10. A computer-readable storage medium having stored thereon a computer program which, when executed by a processor, is adapted to carry out the method of single-packet authentication according to any one of claims 1 to 7.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310786295.9A CN116633674A (en) 2023-06-29 2023-06-29 Single-packet authentication method and related device

Publications (1)

Publication Number Publication Date
CN116633674A true CN116633674A (en) 2023-08-22

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination