CN116647413B - Application login method, device, computer equipment and storage medium - Google Patents


Info

Publication number: CN116647413B
Authority: CN (China)
Prior art keywords: security, target application, key, login, random code
Legal status: Active
Application number: CN202310921431.0A
Other languages: Chinese (zh)
Other versions: CN116647413A (en)
Inventors: 杨悦, 谢坚, 曾明, 刘先金, 曾强
Current assignee: Shenzhen Zhuyun Technology Co ltd
Original assignee: Shenzhen Zhuyun Technology Co ltd

Events:
Application filed by Shenzhen Zhuyun Technology Co ltd
Priority to CN202310921431.0A
Publication of CN116647413A
Application granted
Publication of CN116647413B
Legal status: Active

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L 9/40 Network security protocols
          • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
              • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
                • H04L 63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload, wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
            • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
              • H04L 63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
              • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
            • H04L 63/12 Applying verification of the received information
              • H04L 63/123 Applying verification of the received information to received data contents, e.g. message integrity
          • H04L 2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L 63/00
            • H04L 2463/082 Additional details relating to network architectures or network communication protocols for network security covered by H04L 63/00, applying multi-factor authentication

Abstract

The present application relates to an application login method, an apparatus, a computer device, a storage medium and a computer program product. The method comprises the following steps: a secure client receives a parameter to be verified sent by a target application, where the parameter to be verified comprises signature information and a first public key, the signature information is generated and sent after the target application, in response to a first start-up operation, signs a random code with a first private key, and the first private key and the first public key are a key pair stored in the application certificate of the target application. If the secure client verifies the signature information with the first public key, it generates a security ticket based on the random code and returns the security ticket to the target application; the target application then sends the security ticket and the random code to the IDP service and, once the IDP service has verified the security ticket against the random code, obtains the login credential sent by the IDP service and performs the login operation. With this method, automatic login to the application system can be achieved.

Description

Application login method, device, computer equipment and storage medium
Technical Field
The present application relates to the field of computer technology, and in particular, to an application login method, an application login device, a computer device, a storage medium, and a computer program product.
Background
With the development of information technology, daily work management has gradually moved to information systems and digital tools, and desktop C/S (Client-Server) application systems are widely used.
To protect data, most C/S application systems require users to enter an account number and a password as part of their daily use of a terminal device, and only allow normal use once authentication has passed. Faced with numerous application systems, a user therefore not only has to memorize a large number of account-and-password combinations, but also finds the C/S application systems cumbersome, time-consuming and inconvenient to use because login credentials have to be entered each time.
Disclosure of Invention
In view of the foregoing, it is desirable to provide an application login method, apparatus, computer device, computer-readable storage medium and computer program product that can log in to a C/S application system automatically.
In a first aspect, the present application provides an application login method, the method comprising:
a secure client receives a parameter to be verified sent by a target application, where the parameter to be verified comprises signature information and a first public key, the signature information is generated and sent after the target application, in response to a first start-up operation, signs a random code with a first private key, and the first private key and the first public key are a key pair stored in the application certificate of the target application;
if the signature information is verified with the first public key, the secure client generates a security ticket based on the random code and returns the security ticket to the target application, so that the target application sends the security ticket and the random code to the IDP service and, after the IDP service has verified the security ticket against the random code, obtains the login credential sent by the IDP service and performs the login operation.
In one embodiment, the secure client generating a security ticket based on the random code comprises:
the secure client encrypts the random code with a second public key to generate the security ticket;
after receiving the security ticket, the IDP service decrypts it with a second private key, and when the random code sent by the target application is verified to be consistent with the decrypted random code, the security ticket is confirmed to pass verification;
the second public key and the second private key are keys stored in the IDP service in advance, and the second public key is sent by the IDP service to the secure client during the secure client's own login process.
In one embodiment, the method further comprises:
the secure client receives a token sent by the IDP service in response to a passed authentication result;
the secure client encrypting the random code with the second public key to generate the security ticket comprises:
the secure client encrypts the random code and the token with the second public key to generate the security ticket;
after receiving the security ticket, the IDP service decrypts it with the second private key, and when the random code sent by the target application is verified to be consistent with the decrypted random code and the decrypted token is valid, the security ticket is determined to pass verification.
In one embodiment, the method further comprises:
the secure client, in response to a second start-up operation, generates key data and a message authentication code;
the secure client encrypting the random code with the second public key to generate the security ticket comprises:
the secure client encrypts the random code and the message authentication code with the second public key to generate the security ticket;
the target application, in response to the first start-up operation, requests the key data from the secure client and sends the key data together with the security ticket to the IDP service;
after receiving the security ticket, the IDP service decrypts it with the second private key; if the random code sent by the target application is verified to be consistent with the decrypted random code, a first message digest is generated from the decrypted message authentication code and the received key data; when the first message digest is verified to be consistent with the stored second message digest, the security ticket is determined to pass verification;
the second message digest is data generated by the secure client from the key data and the message authentication code and sent to the IDP service, via the target application, together with the security ticket.
In one embodiment, the method further comprises:
after the IDP service has verified the security ticket, it encrypts the user information with the decrypted key data to generate the login credential.
In one embodiment, the method further comprises:
the secure client receives the login credential sent by the target application;
the secure client decrypts the login credential with the key data to obtain the user information;
the secure client sends the user information to the target application, so that the target application performs the login operation according to the user information.
In one embodiment, the key data comprises at least one of a symmetric key and an asymmetric key, the asymmetric key comprising a third public key and a third private key;
the secure client decrypting the login credential with the key data to obtain the user information comprises:
if the key data is the symmetric key, the secure client decrypts the login credential with the symmetric key to obtain the user information;
if the key data is the asymmetric key, the secure client decrypts the login credential with the third private key to obtain the user information, the login credential having been generated by encrypting the user information with the third public key;
if the key data comprises both the asymmetric key and the symmetric key, the secure client first decrypts the login credential with the third private key and then decrypts the result with the symmetric key to obtain the user information, the login credential having been generated by encrypting the user information first with the symmetric key and then with the third public key.
In one embodiment, the method further comprises:
the IDP service hashes the user information to obtain a first hash digest and sends the first hash digest to the target application together with the login credential;
the target application hashes the user information sent by the secure client to obtain a second hash digest, and performs the login operation when the first hash digest and the second hash digest are consistent.
In a second aspect, the present application provides an application login device, the device comprising:
a receiving module for receiving a parameter to be verified sent by a target application, where the parameter to be verified comprises signature information and a first public key, the signature information is generated and sent after the target application, in response to a first start-up operation, signs a random code with a first private key, and the first private key and the first public key are a key pair stored in the application certificate of the target application;
a ticket generation module for generating a security ticket based on the random code if the signature information is verified with the first public key, and returning the security ticket to the target application, so that the target application sends the security ticket and the random code to the IDP service and, after the IDP service has verified the security ticket against the random code, obtains the login credential sent by the IDP service and performs the login operation.
In a third aspect, the present application provides an application login system, the system comprising:
a target application for, in response to a first start-up operation, signing a random code with a first private key to generate signature information and generating a parameter to be verified from the signature information and a first public key, where the first private key and the first public key are a key pair stored in the application certificate of the target application;
a secure client for receiving the parameter to be verified sent by the target application, generating a security ticket based on the random code if the signature information is verified with the first public key, and returning the security ticket to the target application;
an IDP service for receiving the security ticket and the random code sent by the target application and, after verifying the security ticket against the random code, sending a login credential to the target application so that the target application performs the login operation.
In a fourth aspect, the present application provides a computer device comprising a memory storing a computer program and a processor implementing the steps of the method according to any one of the embodiments of the first aspect when the computer program is executed by the processor.
In a fifth aspect, embodiments of the present application provide a computer-readable storage medium, on which a computer program is stored, which computer program, when being executed by a processor, carries out the steps of the method according to any of the embodiments of the first aspect.
In a sixth aspect, embodiments of the present application provide a computer program product comprising a computer program which, when executed by a processor, implements the steps of the method according to any of the embodiments of the first aspect.
In the application login method, apparatus, computer device, storage medium and computer program product described above, the target application, after responding to the first start-up operation, signs the random code with the first private key to generate signature information and sends a parameter to be verified, comprising the signature information and the first public key, to the secure client; the secure client verifies the signature information and returns a security ticket if verification passes. The target application sends the security ticket to the IDP service for verification, and when the IDP service verifies the security ticket it returns a login credential, so that the target application performs the login operation automatically. By merging the login process with security algorithms, a series of encryption and verification steps are carried out among the secure client, the target application and the IDP service; this replaces the traditional login mode of account number plus password, guarantees the authenticity, confidentiality and integrity of the application system login process, and achieves automatic login to the application system, making daily use smoother.
Drawings
FIG. 1 is a schematic diagram of a login interface according to the prior art;
FIG. 2 is an application environment diagram of an application login method in one embodiment;
FIG. 3 is a flow diagram of an application login method in one embodiment;
FIG. 4 is a schematic diagram of a login interface of a secure client in one embodiment;
FIG. 5 is a diagram of an interface for successful login of a secure client in one embodiment;
FIG. 6 is a diagram of an interface for secure client login failure in one embodiment;
FIG. 7 is a flowchart of another embodiment of a login method;
FIG. 8 is a block diagram of an application login device in one embodiment;
FIG. 9 is an internal structural diagram of a computer device in one embodiment.
Detailed Description
The present application will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present application more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application.
Abbreviations and key terms appearing in the examples of the present application are explained below:
C/S: client/Server, i.e., client/Server architecture, is a classical architecture of an application system, and is typically composed of a Server system and multiple clients. The server is mainly responsible for centralized data storage and provides a communication interface, the client provides a man-machine interaction interface, a user operates the client to connect with the server, and the client is used for performing operations such as adding, deleting, modifying and searching on the data stored in the server.
ERP: enterprise Resource Planning, enterprise resource planning.
OA: office Automation, office automation, is a new office mode formed by applying modern technologies such as computer, communication and the like to a traditional office mode.
UI: user Interface, user Interface.
IDP: identity Provider, the identity provider is responsible for uniformly storing user account numbers and passwords and providing uniform identity verification standards and interfaces for the third-party application system.
Secure client: software installed in an operating system that includes a special security procedure that provides an automated login process for C/S applications and ensures the data security, integrity and authenticity of the login process.
SDK: software Development Kit, a collection of software development tools, provides special capabilities for third party applications.
Token: an identity token is a legal proof obtained by a user through an identity verification process.
MD5: message-Digest Algorithm 5, message Digest Algorithm 5.
SHA1: secure Hash Algorithm 1, secure hash algorithm.
HMAC: hash-based Message Authentication Code, key dependent Hash operation message authentication code.
The prior art is described in more detail below:
In the prior art, people need to log in frequently to various desktop C/S application systems (hereinafter referred to as C/S applications) while using a computer, such as a financial system, an attendance system, an ERP system, an OA system or an instant messaging system. A user's login to a C/S application is generally based on a combination of an account number and a password; referring to FIG. 1, the login account number and login password are entered in the login interface of the C/S application and a login button is clicked to complete the login. As the number of enterprise application systems grows, the number of account-and-password combinations a user must memorize grows as well, adding an extra burden to already heavy work. For example, with the increased security awareness of enterprise information in recent years, passwords are generally required to contain a combination of upper- and lower-case letters, numbers and special symbols, and the passwords for different application systems may not be the same.
For the above problems, there are currently mainly the following solutions:
1. The account numbers and passwords of the various C/S applications are recorded on the computer hard disk (for example in a text file) or on paper. This is very dangerous, because once the file recording the passwords is lost, all C/S applications are exposed to risk.
2. A third-party automatic login plug-in is used: plug-in software is installed in the operating system to intercept the user's keyboard and mouse operations and so automate the login process of the C/S application. This requires first studying and debugging the login window of the C/S application in depth, then defining login rules for it and writing an automatic login script that intercepts and controls the login behaviour. The method is unstable, complex to configure and impractical. For example, a change in the position of the C/S application window, in the screen resolution or in the application version may cause the pre-written automatic login script to fail. Moreover, faced with a wide variety of C/S applications, an automatic login script alone can hardly adapt to the actual situation of each computer or reliably obtain the exact position of the currently active window, and the development languages, programming frameworks and UI interfaces used by the various C/S applications are completely different, so the approach is neither widely applicable nor easy to roll out.
In order to solve the above-mentioned problems, an embodiment of the present application provides an application login method, which can be applied to the application login system shown in FIG. 2, where the application login system includes a terminal 210 and a server 220. The terminal 210 communicates with the server 220 through a network. The terminal 210 may be, but is not limited to, a personal computer, a notebook computer, a smartphone, a tablet computer, an Internet of Things device or a portable wearable device; the Internet of Things device may be a smart speaker, smart television, smart air conditioner, smart vehicle device or the like, and the portable wearable device may be a smart watch, smart bracelet, headset or the like. The server 220 may be implemented as a stand-alone server or as a server cluster.
In the embodiment of the application, a secure client, a target application and an IDP service are installed in the application login system. The target application comprises an application client and an application server that operate in cooperation. The secure client is installed in the operating system of the terminal 210 and may run in response to the start-up of the terminal 210. The application client may be deployed in the terminal 210 as the program that provides local services to the user. The IDP service is deployed in the server 220 and transmits the data generated during login, such as the random code, key data and login credential.
In the embodiment of the application, the target application is an application that has not yet logged in successfully, so the interaction between the target application on one side and the secure client and the IDP service on the other can be carried out by the application client of the target application.
In the embodiment of the present application, the server 220 may be provided with a corresponding data storage system for storing the data to be processed. The data storage system may be integrated in the server or placed on a cloud or other network server.
In one embodiment, as shown in FIG. 3, an application login method is provided. It is described here as applied to the application login system of FIG. 2, and comprises the following steps:
Step S310: the secure client receives a parameter to be verified sent by the target application, where the parameter to be verified comprises signature information and a first public key, and the signature information is generated and sent after the target application, in response to the first start-up operation, signs the random code with the first private key.
At least one C/S application is installed in the terminal, and the target application can be any C/S application installed in the terminal. It will be appreciated that the target application requires a small amount of modification work, such as invoking an SDK or interface provided by the secure client to exchange data with the secure client and the IDP service. Once this modification is complete, the user no longer logs in through the target application's own login interface but uniformly through the login window provided by the secure client, so that by memorizing only the login information of the secure client, the user can log in automatically to multiple C/S applications.
The first private key and the first public key are a key pair in the application certificate of the target application and may be asymmetric keys. The application certificate is a certificate issued in advance by the IDP service for the target application; it identifies the target application, and an application program holding the application certificate is regarded as a trusted application program.
The parameter to be verified is the parameter that the secure client needs to verify, and it comprises the signature information and the first public key. The first public key may be carried in the application certificate and sent to the secure client, or may be sent to the secure client separately.
The first start-up operation instructs the target application to start, i.e. to change from the closed state to the open state, and may be triggered by a single click, a double click or the like.
Specifically, after the target application detects a first start-up operation triggered by the user, it generates a one-time random code, reads the application certificate issued in advance for it by the IDP service, obtains the first private key from the application certificate, signs the random code with the first private key and thereby generates the signature information. In one embodiment, the target application invokes a ticket replacement interface of the secure client and transmits to it a parameter to be verified comprising the signature information, the application certificate (with the first private key removed) and the random code, so that the secure client receives the parameter to be verified. In another embodiment, the target application invokes the ticket replacement interface of the secure client and transmits a parameter to be verified comprising the signature information, the first public key and the random code, so that the secure client receives the parameter to be verified.
It can be understood that the secure client in this embodiment is an application that has passed authentication and logged in successfully.
Step S320, the security client generates a security bill based on the random code under the condition that the signature information is verified by the first public key, returns the security bill to the target application, so that the target application sends the security bill and the random code to the IDP service, and after the IDP service verifies the security bill based on the random code, acquires login credentials sent by the IDP service, and executes login operation.
The login credentials include user information required to login to the target application, such as a login account and a login password.
Specifically, the secure client obtains the first public key from the parameter to be verified after receiving the parameter to be verified through the ticket replacement interface. And verifying the signature information by adopting the first public key, if the verification is successful, generating a security bill based on the random code, and returning the security bill to the target application through the bill replacement interface. If the verification fails, a prompt message of login failure can be returned to the target application. After receiving the security bill, the target application calls a bill verification interface of the IDP service and transmits the random code and the security bill to the IDP service. The IDP service decrypts the security ticket to obtain the random code. Comparing the random code obtained by decryption with the random code sent by the target application, and if the random code is consistent with the random code, sending a login credential to the target application so that the target application executes login operation based on the login credential; if the login information is inconsistent, a prompt message of login failure can be returned to the target application so as to prompt the user that the target application fails to automatically login.
In one embodiment, the secure client may encrypt the random code using a pre-deployed encryption algorithm to obtain the secure ticket. The encryption algorithm may employ any one of a symmetric encryption algorithm, an asymmetric encryption algorithm, a linear hash algorithm, and the like. It will be appreciated that IDP services have the ability to decrypt security tickets.
In the above application login method, after responding to the first start-up operation, the target application signs the random code with the first private key to generate signature information and sends the parameter to be verified, which includes the signature information and the first public key, to the secure client. The secure client verifies the signature information and returns a security ticket if the verification passes. The target application sends the security ticket to the IDP service for verification, and when the IDP service verifies the security ticket it returns a login credential, so that the target application performs the login operation automatically. By fusing the login process with security algorithms, a series of encryption and verification steps is carried out among the secure client, the target application and the IDP service; this replaces the traditional login mode that combines an account and a password, guarantees the authenticity, confidentiality and integrity of the application system login process, realizes automatic login of the application system, and thereby makes daily use smoother.
In one embodiment, generating the security ticket based on the random code by the secure client in step S320 includes: the secure client encrypts the random code with a second public key to generate the security ticket. In this embodiment, after receiving the security ticket, the IDP service decrypts it with the second private key and determines that the security ticket passes verification when the random code sent by the target application and the random code obtained by decryption are verified to be identical.
The second public key and the second private key are keys stored in advance in the IDP service; during the login process of the secure client, the secure client can call the public key acquisition interface of the IDP service to obtain the second public key of the IDP service. The second public key and the second private key may be an asymmetric key pair whose key data differs from that of the first public key and the first private key.
Specifically, after the secure client verifies the signature information, it encrypts the random code with the second public key obtained in advance from the IDP service to obtain the security ticket, and transmits the security ticket to the target application through the ticket replacement interface. After receiving the security ticket, the target application calls the ticket verification interface of the IDP service and transmits the random code and the security ticket to the IDP service. The IDP service decrypts the security ticket with its second private key to obtain a random code and compares it with the random code sent by the target application. If the two are consistent, the IDP service sends a login credential to the target application so that the target application performs the login operation based on the login credential; if they are inconsistent, a login failure prompt may be returned to the target application.
In this embodiment, the random code is encrypted with the key data of the IDP service to generate the security ticket, so that the IDP service can conveniently verify the security ticket, and the authenticity and accuracy of the data in the login process are ensured.
In one embodiment, a login mode of the secure client is described.
Specifically, when the secure client detects the second start-up operation, it may display a login interface and obtain a login account and a login password through that interface. Fig. 4 illustrates a schematic diagram of a login interface of the secure client. The secure client sends the obtained login account and login password to the IDP service so that the IDP service performs identity verification; if the verification passes, a token is returned to the secure client, and if the verification fails, a login failure notification may be returned to the secure client. The second start-up operation is used to instruct the secure client to start, switching it from the closed state to the open state, and may be realized through a single click operation, a double click operation, or the like.
In one embodiment, the secure client may start automatically with the operating system when the computer boots. After each start a login interface is displayed, so that the user enters a login account and a login password through the login interface for verification, which ensures the security of the secure client. Of course, the terminal may also store the login account and login password after the first successful login of the secure client and log in to the secure client automatically in subsequent use, further improving the convenience of application login.
In one embodiment, referring to fig. 5, if the authentication passes, the secure client displays a login success interface showing information such as the network name, login account, name and login time. Referring to fig. 6, if the authentication fails, the secure client displays a login failure interface showing information such as a cause analysis, so as to inform the user of the cause of the login failure, corrective actions, and the like.
In this embodiment, after the secure client verifies the signature information, it uses the second public key obtained in advance from the IDP service to encrypt the random code and the token, obtaining the security ticket, and transmits the security ticket to the target application through the ticket replacement interface. After receiving the security ticket, the target application calls the ticket verification interface of the IDP service and transmits the random code and the security ticket to the IDP service. The IDP service decrypts the security ticket with the second private key to obtain the random code and the token, verifies whether the decrypted random code matches the random code sent by the target application, and verifies whether the token is valid (for example, whether it has expired, been revoked, or exists at all). If the random codes are consistent and the token is valid, the security ticket is determined to pass verification and the login credentials are sent to the target application so that the target application performs the login operation based on them; if the random codes are inconsistent and/or the token is invalid, a login failure prompt may be returned to the target application.
In this embodiment, the secure client is used as an entry for automatic login, and by adding a token to the secure ticket, it is verified whether the token is valid, so that the login reliability of the secure client can be ensured, and further the reliability of automatic login of the target application is improved.
In one embodiment, the key data and the message authentication code are generated automatically after the secure client detects the second start-up operation. The key data may include at least one of a symmetric key and an asymmetric key. The message authentication code may be implemented based on a linear hashing algorithm and may be any one of MD5, SHA1 and HMAC.
In this embodiment, after detecting the first startup operation, the target application may call the key acquisition interface of the secure client to acquire and store the key data.
In this embodiment, the secure client may perform message authentication on the key data using the message authentication code, and generate and cache a second message digest according to the message authentication code and the key data.
In this embodiment, after the signature information sent by the target application passes verification, the secure client encrypts the random code and the message authentication code with the second public key obtained in advance from the IDP service to obtain the security ticket, and transmits the security ticket and the second message digest to the target application through the ticket replacement interface. After receiving them, the target application calls the ticket verification interface of the IDP service and transmits the random code, the pre-acquired key data, the security ticket and the second message digest to the IDP service. The IDP service decrypts the security ticket with the second private key to obtain the random code and the message authentication code, and verifies whether the decrypted random code is consistent with the random code sent by the target application. If they are consistent, it performs message authentication on the received key data with the decrypted message authentication code to obtain a first message digest and compares the first message digest with the second message digest. If the two are consistent, the security ticket is determined to pass verification and a login credential is sent to the target application so that the target application performs the login operation based on it; if they are inconsistent, a login failure prompt may be returned to the target application.
In this embodiment, the message authentication code is used to perform message authentication on the key data created by the secure client, so that illegal tampering of the key data can be avoided, and security of the login process is ensured.
In one embodiment, the IDP service may encrypt the user information with the key data after verifying that the security ticket passes, generating the login credentials. The user information may include, among other things, information indicative of the user identity of the target application (e.g., user name, email address, etc.) and a corresponding password.
In one embodiment, the target application may be an application with the ability to decrypt login credentials. After receiving the encrypted login credentials, the target application may decrypt the login credentials to obtain user information and perform a login operation using the user information.
In another embodiment, after receiving the encrypted login credentials, the target application may send them to the secure client; the secure client decrypts the login credentials with the stored key data to obtain the user information and sends the user information back to the target application, so that the target application performs the login operation according to the user information.
In this embodiment, the encryption processing is performed on the user information of the target application by using the key data, so that the integrity of the user information can be ensured, and the success rate of automatic login can be improved.
In one embodiment, the key data created by the secure client during the login process includes at least one of a symmetric key and an asymmetric key, the asymmetric key including a third public key and a third private key. The first public key and first private key, the second public key and second private key, and the third public key and third private key are three key pairs whose key data differ from one another. Wherein:
In the case that the key data is a symmetric key, the secure client decrypts the login credentials with the symmetric key to obtain the user information.
In the case that the key data is an asymmetric key, the secure client may transmit the third public key to the target application through the key acquisition interface. In this case, the key data transmitted to the IDP service by the target application through the ticket authentication interface is the third public key. And the IDP service adopts the received third public key to encrypt the user information, and a login credential is obtained. After the secure client obtains the login credentials, the secure client can decrypt the login credentials by using the third private key to obtain user information.
In the case that the asymmetric key and the symmetric key are included in the key data, in one embodiment, the secure client may transmit the third public key and the symmetric key to the target application through the key acquisition interface. In this case, the key data transmitted to the IDP service by the target application through the ticket authentication interface is the third public key and the symmetric key. In another embodiment, the secure client may transmit the third public key to the target application through the key acquisition interface, and the symmetric key is carried in the secure ticket. In this case, the key data transmitted to the IDP service by the target application through the ticket authentication interface is the third public key, and the symmetric key is obtained by decrypting the security ticket.
The IDP service encrypts the user information with the obtained symmetric key and then with the third public key, in that order, to obtain the login credential. After obtaining the login credential, the secure client first decrypts it with the third private key and then decrypts the result with the symmetric key to obtain the user information.
In this embodiment, the encryption processing is performed on the user information of the target application by using the key data, so that the integrity of the user information can be ensured, and the success rate of automatic login can be improved.
In one embodiment, after the IDP service verifies the security ticket, the IDP service may further perform a hash operation on the user information to obtain a first hash digest, and send the first hash digest to the target application along with the login credential.
After obtaining the user information, the target application also performs a hash operation on it to obtain a second hash digest, and compares the first hash digest with the second hash digest. If the two are consistent, the login operation is performed, the login succeeds and the automatic login process is complete; if they are inconsistent, the login fails.
In this embodiment, by performing hash operation on the user information by the IDP service and the target application, respectively, after the hash digest is verified, the login operation is performed, so that whether the user information is tampered can be detected, thereby ensuring the use security of the target application.
Fig. 7 illustrates a specific application login method, which may be implemented in the following steps S702 to S742.
In step S702, the secure client is started automatically along with the operating system of the terminal, so that the secure client detects the second start-up operation.
In step S704, the secure client creates an asymmetric key including a third public key R3 and a third private key P3.
In step S706, the secure client creates a symmetric key K1, for example: z% C F-JaNdRgUkXp.
In step S708, the secure client creates a message authentication code HMAC key H1, for example: @ NcRfUjX.
In step S710, the secure client invokes the key obtaining interface of the IDP service to obtain the second public key R2 of the IDP service.
In step S712, the secure client displays a login interface prompting the user to enter a login account and a login password.
In step S714, the secure client obtains the login account and the login password in the login interface in response to the trigger operation of the login button, and sends the login account and the login password to the IDP service.
In step S716, the IDP service performs authentication, and returns the Token after the authentication is passed, so that the secure client caches the Token.
In step S718, the target application detects the first start operation. The target application is a C/S application.
In step S720, the target application generates a one-time random code RC.
For example: the one-time random code RC may be 05b3c897-701d-4fc6-9258-ece99b543c26.
In step S722, the target application reads the application certificate, and extracts the first public key R1 and the first private key P1 from the application certificate.
In step S724, the target application signs the random code RC using the first private key P1, and obtains signature information S1.
In one example, the signature information may be:
FX+jr0dXG9xZhIn181gu2CHH/9md7ju/HfxjSowsCzhz28PUFCtAb1bgGm81scliyju2uGsUh9u+iRzh/h0XCv1/Ybg16k/5+epiFixWM+g5hyf9FwEr0nicUs6HC2dxSCgOmlaGniaydPekPiNU60Dhi/R38Mfak51mczjlhn0PWA9N1Z50mAoLkd03L71Z/sIL1Do2cZrN6CaVouZWrBdODMWEYIxE+Ndc1XMwlgkHzK+eWPMSgYzmyj0cxdukalZaB80N9aBffAiug4hhwmeyFKEt8CR5YNFkSfSLhk7xqrw6Nv7BVDIyfUACQzLVYRBaA5g0g==
In step S726, the target application calls the key acquisition interface of the secure client to obtain the third public key R3 created by the secure client. Meanwhile, the secure client computes an HMAC value over the message authentication code H1 and the third public key R3 with the HMAC algorithm, obtaining the second message digest M2, which it caches. The HMAC algorithm formula is as follows:
HMAC = HASH(H1 + R3)
In step S728, the target application calls the ticket replacement interface of the secure client to transmit the random code RC, the signature information S1 and the application certificate (without the first private key P1) to the secure client.
In step S730, after receiving the request, the secure client executes the following steps to generate a security ticket and returns the security ticket T1 and the second message digest M2 to the target application:
(1) Verifying whether the application certificate is valid, e.g., verifying whether the application certificate is complete, within a validity period, etc. If the verification is successful, the first public key R1 is extracted from the application certificate. If the verification fails, the target application login fails.
(2) The signature information S1 is verified using the first public key R1. If the verification is successful, executing the step (3), and if the verification is failed, the login of the target application is failed.
(3) The security ticket T1 is generated by encrypting the combination of the Token, the random code RC, the system time D1, the symmetric key K1 and the message authentication code H1 with the second public key R2. The generation algorithm of the security ticket T1 is as follows:
T1 = R2(Token + RC + D1 + K1 + H1)
Continuing with the above example, security ticket T1 may be:
j23n4byX82GMx9EUjM9SoI7NxjmiThg7wuRQ8vjmhtBVuz+euoM0XrDHnmSFTo/gqI3DfovLcXA/CE4KliwVKsoWxbXtKcV+F2s/PT8DIEuF0sJ18QD0mewwwg+clVxBGpt9b9w5X+imh1fxglUdZGHAYgATxgUCxBD1w4hzhj0=
Further, the secure client may also call the IDP service to verify the Token and generate the security ticket T1 only after that verification succeeds; if the verification fails, a new Token may be obtained from the IDP service.
In step S732, the target application invokes the ticket authentication interface of the IDP service, and sends the security ticket T1, the random code RC, the third public key R3, and the second message digest M2 to the IDP service.
In step S734, after the IDP service receives the request, it performs the following verification:
(1) Decrypting the security ticket T1 with the second private key P2 (which forms an asymmetric key pair with the second public key R2) to obtain the Token, the random code RC, the system time D1, the symmetric key K1 and the message authentication code H1;
(2) Verifying whether the decrypted random code RC is consistent with the random code RC transmitted through the interface parameters, and if so, continuing the step (3);
(3) It is verified whether the difference between the system time D1 and the current time is within a certain range (e.g., ±5 minutes) to prevent replay attacks. If the difference between the system time D1 and the current time is within a specific range, continuing the step (4);
(4) Verifying whether the Token is valid, and if so, continuing (5);
(5) Recalculating the HMAC value over the message authentication code H1 and the third public key R3 with the HMAC algorithm, denoted the first message digest M1, and comparing the first message digest M1 with the second message digest M2; if the two are consistent, the security ticket is determined to pass verification.
It can be understood that if any one of the steps (1) - (5) is verified to be failed, the login of the target application fails.
(6) After the security ticket T1 is successfully verified, the user information U1 is encrypted by using the symmetric key K1 and is marked as EU1; then, EU1 is encrypted using the third public key R3, denoted EU2, as login credentials.
(7) And simultaneously, carrying out hash operation on the user information U1 to obtain a first hash digest C1. The login credentials EU2 and the first hash digest C1 are returned to the target application.
In step S736, the target application invokes the user information decryption interface of the secure client to transmit the login credentials EU2 to the secure client.
Step S738, after receiving the request, the secure client decrypts the login credential EU2 by using the third private key P3 to obtain EU1; then, the EU1 is decrypted using the symmetric key K1 to obtain the plaintext user information U1, and the user information U1 is returned to the target application.
In step S740, the target application performs the hash operation on the user information U1 again to obtain a second hash digest C2 and compares the first hash digest C1 with the second hash digest C2. If they are consistent, the process continues to step S742; if they are inconsistent, the user information is considered to have been illegally tampered with and the login fails.
In step S742, the target application creates a user session according to the user information U1, and completes the automatic login process.
In this embodiment, a series of special combinations of encryption algorithm, HASH algorithm, signature algorithm and verification flow replace the conventional C/S application login mode of account number and password combination, so as to ensure the authenticity, confidentiality and integrity of the C/S application login process, and realize the automated login of the C/S application.
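The steps S704 to S734 above, covering the second-public-key, token and message-authentication-code ticket embodiments described earlier, as an added worked example in Go that is not part of the patent or any implementation of it. It assumes RSA-2048 with PKCS#1 v1.5 for the signature S1, RSA-OAEP for the ticket T1, HMAC-SHA256 for M1/M2, a fixed-size binary layout for the ticket fields and a 16-byte Token; none of these choices is specified by the patent.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"fmt"
	"time"
)

// Plaintext of T1 = R2(Token + RC + D1 + K1 + H1). Fixed-size fields (104 bytes) keep it
// inside one RSA-2048 OAEP/SHA-256 block, whose plaintext limit is 190 bytes. (Assumed layout.)
type Ticket struct {
	Token, RC [16]byte
	D1        int64 // Unix seconds: the system time the IDP checks in step (3)
	K1, H1    [32]byte
}

// Step S730: the secure client checks S1 with R1 and, only then, seals the ticket under R2.
func MakeTicket(r1, r2 *rsa.PublicKey, rc [16]byte, s1 []byte, t Ticket, now time.Time) ([]byte, error) {
	h := sha256.Sum256(rc[:])
	if err := rsa.VerifyPKCS1v15(r1, crypto.SHA256, h[:], s1); err != nil {
		return nil, fmt.Errorf("signature S1 rejected: %w", err)
	}
	t.RC, t.D1 = rc, now.Unix()
	var buf bytes.Buffer
	binary.Write(&buf, binary.BigEndian, t) // fixed-size struct, so Write cannot fail
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, r2, buf.Bytes(), nil)
}

// Step S734 (1)-(5): the IDP opens T1 with P2 and runs the five checks in the patent's order.
// rc, r3 and m2 are the interface parameters the target application sends in step S732.
func VerifyTicket(p2 *rsa.PrivateKey, t1 []byte, rc [16]byte, r3, m2 []byte,
	tokenValid func([16]byte) bool, now time.Time) (t Ticket, err error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, p2, t1, nil) // (1)
	if err != nil {
		return t, err
	}
	if err = binary.Read(bytes.NewReader(pt), binary.BigEndian, &t); err != nil {
		return t, err
	}
	m1 := hmac.New(sha256.New, t.H1[:]) // M1 = HMAC(H1, R3), compared with the cached M2 in (5)
	m1.Write(r3)
	switch {
	case t.RC != rc: // (2) RC inside the ticket must equal the RC passed as a parameter
		err = fmt.Errorf("random code mismatch")
	case now.Unix()-t.D1 > 300 || t.D1-now.Unix() > 300: // (3) +/-5 minute replay window
		err = fmt.Errorf("ticket outside replay window")
	case !tokenValid(t.Token): // (4) token must still be known and valid at the IDP
		err = fmt.Errorf("token invalid")
	case !hmac.Equal(m1.Sum(nil), m2): // (5) detects key data R3 altered in transit
		err = fmt.Errorf("key data R3 does not match digest M2")
	}
	return t, err
}

// RunFlow plays steps S704-S734 with freshly generated keys and returns the ticket the IDP
// accepted. idpClock is the IDP's clock: skew it by more than 5 minutes and check (3)
// rejects the ticket as a replay. tamperR3 flips one bit of R3 on the wire so that (5) fires.
func RunFlow(idpClock time.Time, tamperR3 bool) (Ticket, error) {
	key := func() *rsa.PrivateKey {
		k, _ := rsa.GenerateKey(rand.Reader, 2048)
		return k
	}
	p1, p2, p3 := key(), key(), key() // application certificate key, IDP key, secure client key
	var t Ticket
	var rc [16]byte
	for _, b := range [][]byte{t.Token[:], t.K1[:], t.H1[:], rc[:]} { // S716, S706, S708, S720
		rand.Read(b)
	}
	r3, _ := x509.MarshalPKIXPublicKey(&p3.PublicKey) // S726: R3 handed to the target application
	m2 := hmac.New(sha256.New, t.H1[:])               // ... while the secure client caches M2
	m2.Write(r3)
	h := sha256.Sum256(rc[:])
	s1, _ := rsa.SignPKCS1v15(rand.Reader, p1, crypto.SHA256, h[:]) // S724: S1 = P1(RC)
	t1, err := MakeTicket(&p1.PublicKey, &p2.PublicKey, rc, s1, t, time.Now())
	if err != nil {
		return t, err
	}
	if tamperR3 {
		r3[len(r3)-1] ^= 1
	}
	tok := t.Token // the IDP's token store: exactly one token is valid in this run
	return VerifyTicket(p2, t1, rc, r3, m2.Sum(nil), func(x [16]byte) bool { return x == tok }, idpClock)
}

func main() {
	if _, err := RunFlow(time.Now(), false); err != nil {
		panic(err)
	}
	_, err := RunFlow(time.Now().Add(10*time.Minute), false)
	fmt.Println("replayed ticket rejected:", err)
}
```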
It should be understood that, although the steps in the flowcharts related to the embodiments described above are shown sequentially as indicated by the arrows, these steps are not necessarily performed in the order indicated by the arrows. Unless explicitly stated herein, the steps are not strictly limited to that order of execution and may be executed in other orders. Moreover, at least some of the steps in the flowcharts described in the above embodiments may include a plurality of steps or stages, which are not necessarily performed at the same time but may be performed at different times, and the order of these steps or stages is not necessarily sequential: they may be performed in turn or alternately with at least some of the other steps or stages.
Based on the same inventive concept, the embodiment of the application also provides an application login device for realizing the above related application login method. The implementation of the solution provided by the device is similar to the implementation described in the above method, so the specific limitation in the embodiment of one or more application login devices provided below may refer to the limitation of the application login method described above, and will not be repeated here.
In one embodiment, as shown in fig. 8, there is provided an application login apparatus 800 including: a receiving module 802 and a ticket generating module 804, wherein:
the receiving module 802 is configured to receive a parameter to be verified sent by a target application, where the parameter to be verified includes signature information and a first public key, the signature information is generated and sent after the target application responds to a first start operation by performing signature processing on a random code using a first private key, and the first private key and the first public key are a pair of keys stored in an application certificate of the target application;
the ticket generating module 804 is configured to generate a security ticket based on the random code when the signature information is verified by using the first public key, and return the security ticket to the target application, so that the target application sends the security ticket and the random code to the IDP service, and after the IDP service verifies the security ticket based on the random code, obtain a login credential sent by the IDP service, and perform a login operation.
In one embodiment, the ticket generating module 804 is configured to encrypt the random code with a second public key to generate the security ticket, so that after receiving the security ticket the IDP service decrypts it with a second private key and determines that the security ticket passes verification when the random code sent by the target application and the random code obtained by decryption are verified to be consistent; the second public key and the second private key are keys stored in advance in the IDP service, and the second public key is sent to the secure client by the IDP service during the login process of the secure client.
In one embodiment, the receiving module 802 is further configured to receive a token sent by the IDP service in response to a result of passing the authentication; in this embodiment, the ticket generating module 804 is further configured to encrypt the random code and the token with the second public key to generate the security ticket, so that after receiving the security ticket the IDP service decrypts it with the second private key and determines that the security ticket passes verification when the random code sent by the target application and the random code obtained by decryption are verified to be consistent and the token obtained by decryption is valid.
In one embodiment, the apparatus 800 further comprises a key creation module for generating key data and a message authentication code in response to a second start-up operation; in this embodiment, the ticket generating module 804 is further configured to encrypt the random code and the message authentication code with the second public key to generate the security ticket.
In this embodiment, the target application is configured to request, in response to a first start operation, key data from the secure client, and send the key data and the security ticket to the IDP service together;
the IDP service is used to decrypt the security ticket with the second private key after receiving it; when the random code sent by the target application and the decrypted random code are consistent, to generate a first message digest from the decrypted message authentication code and the received key data; and when the first message digest is verified to be consistent with the stored second message digest, to determine that the security ticket passes verification;
the second message digest is data which is generated by the secure client according to the key data and the message authentication code and is sent to the IDP service along with the security ticket through the target application.
In one embodiment, the IDP service is configured to encrypt user information using key data after the authentication security ticket passes to generate login credentials.
In one embodiment, the receiving module 802 is further configured to receive login credentials sent by the target application. The apparatus 800 further comprises: the decryption module is used for decrypting the login credentials by adopting the key data to obtain user information; and the sending module is used for sending the user information to the target application so that the target application can execute login operation according to the user information.
In one embodiment, the key data comprises at least one of a symmetric key and an asymmetric key, the asymmetric key comprising a third public key and a third private key; the decryption module is used to decrypt the login credentials with the symmetric key to obtain the user information when the key data is the symmetric key; when the key data is an asymmetric key, the secure client decrypts the login credentials with the third private key to obtain the user information, the login credentials having been generated by encrypting the user information with the third public key; when the key data comprises both an asymmetric key and a symmetric key, the secure client first decrypts the login credentials with the third private key and then decrypts the result with the symmetric key to obtain the user information, the login credentials having been generated by encrypting the user information with the symmetric key and then with the third public key, in that order.
In one embodiment, the IDP service is configured to perform a hash operation on the user information to obtain a first hash digest, and send the first hash digest to the target application along with the login credentials;
the target application is used to perform a hash operation on the user information sent by the secure client to obtain a second hash digest, and to perform the login operation when the first hash digest is determined to be consistent with the second hash digest.
The modules in the application login device may be implemented in whole or in part by software, hardware, or a combination thereof. The above modules may be embedded in hardware or may be independent of a processor in the computer device, or may be stored in software in a memory in the computer device, so that the processor may call and execute operations corresponding to the above modules.
In one embodiment, a computer device is provided, which may be a terminal or a server. Taking the terminal as an example, the internal structure of the terminal can be shown in fig. 9. The computer device includes a processor, a memory, a communication interface, a display screen, and an input device connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The communication interface of the computer device is used for carrying out wired or wireless communication with an external terminal, and the wireless mode can be realized through WIFI, a mobile cellular network, NFC (near field communication) or other technologies. The computer program, when executed by a processor, implements an application login method. The display screen of the computer equipment can be a liquid crystal display screen or an electronic ink display screen, and the input device of the computer equipment can be a touch layer covered on the display screen, can also be keys, a track ball or a touch pad arranged on the shell of the computer equipment, and can also be an external keyboard, a touch pad or a mouse and the like.
It will be appreciated by persons skilled in the art that the architecture shown in fig. 9 is merely a block diagram of some of the architecture relevant to the present inventive arrangements and is not limiting as to the computer device to which the present inventive arrangements are applicable, and that a particular computer device may include more or fewer components than shown, or may combine some of the components, or have a different arrangement of components.
In an embodiment, a computer device is provided, comprising a memory and a processor, the memory storing a computer program, the processor implementing the steps of any of the embodiments described above when the computer program is executed.
In one embodiment, a computer readable storage medium is provided, having a computer program stored thereon, which when executed by a processor, implements the steps of any of the embodiments described above.
In an embodiment, a computer program product is provided, comprising a computer program which, when executed by a processor, implements the steps of any of the embodiments described above.
The user information (including but not limited to user equipment information, user personal information, etc.) and the data (including but not limited to data for analysis, stored data, presented data, etc.) related to the present application are information and data authorized by the user or sufficiently authorized by each party.
Those skilled in the art will appreciate that implementing all or part of the above described methods may be accomplished by way of a computer program stored on a non-transitory computer readable storage medium, which when executed, may comprise the steps of the embodiments of the methods described above. Any reference to memory, database, or other medium used in embodiments provided herein may include at least one of non-volatile and volatile memory. The non-volatile memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high-density embedded non-volatile memory, resistive random access memory (ReRAM), magnetoresistive random access memory (MRAM), ferroelectric random access memory (FRAM), phase change memory (PCM), graphene memory, and the like. Volatile memory can include random access memory (RAM) or external cache memory, and the like. By way of illustration, and not limitation, RAM can take a variety of forms, such as static random access memory (SRAM) or dynamic random access memory (DRAM), and the like. The databases referred to in the embodiments provided herein may include at least one of a relational database and a non-relational database. The non-relational database may include, but is not limited to, a blockchain-based distributed database, and the like. The processor referred to in the embodiments provided in the present application may be a general-purpose processor, a central processing unit, a graphics processor, a digital signal processor, a programmable logic unit, a data processing logic unit based on quantum computing, or the like, but is not limited thereto.
The technical features of the above embodiments may be arbitrarily combined, and all possible combinations of the technical features in the above embodiments are not described for brevity of description, however, as long as there is no contradiction between the combinations of the technical features, they should be considered as the scope of the description.
The foregoing examples illustrate only a few embodiments of the application and are described in detail herein without thereby limiting the scope of the application. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the application, which are all within the scope of the application. Accordingly, the scope of the application should be assessed as that of the appended claims.

Claims (9)

1. An application login method, the method comprising:
a secure client receiving a parameter to be verified sent by a target application, wherein the parameter to be verified comprises signature information and a first public key, the signature information is generated and sent by the target application after it responds to a first start operation and signs a random code with a first private key, and the first private key and the first public key are a pair of keys stored in an application certificate of the target application;
the secure client generating a security ticket based on the random code when the signature information is verified using the first public key, and returning the security ticket to the target application, so that the target application sends the security ticket and the random code to an IDP service and, after the IDP service verifies the security ticket based on the random code, obtains login credentials sent by the IDP service and performs a login operation;
wherein the secure client generating the security ticket based on the random code comprises:
the secure client encrypting the random code with a second public key to generate the security ticket;
after receiving the security ticket, the IDP service decrypting the security ticket with a second private key, and confirming that the security ticket is verified when the random code sent by the target application is verified to be consistent with the random code obtained by decryption;
wherein the second public key and the second private key are keys pre-stored in the IDP service, the second public key being sent by the IDP service to the secure client during the login procedure of the secure client;
the method further comprising:
the secure client generating key data and a message authentication code in response to a second start operation;
wherein the secure client encrypting the random code with the second public key to generate the security ticket comprises:
the secure client encrypting the random code and the message authentication code with the second public key to generate the security ticket;
the target application, in response to the first start operation, requesting the key data from the secure client and sending the key data and the security ticket to the IDP service;
after receiving the security ticket, the IDP service decrypting the security ticket with the second private key; when the random code sent by the target application is verified to be consistent with the decrypted random code, generating a first message digest from the decrypted message authentication code and the received key data; and determining that the security ticket is verified when the first message digest is verified to be consistent with a stored second message digest;
wherein the second message digest is data generated by the secure client from the key data and the message authentication code and sent to the IDP service, together with the security ticket, via the target application.
2. The method according to claim 1, wherein the method further comprises:
after the IDP service verifies the security ticket, encrypting the user information with the key data to generate the login credential.
3. The method according to claim 2, wherein the method further comprises:
the secure client receiving the login credential sent by the target application;
the secure client decrypting the login credential with the key data to obtain the user information; and
the secure client sending the user information to the target application, so that the target application performs the login operation according to the user information.
4. The method according to claim 3, wherein the key data comprises at least one of a symmetric key and an asymmetric key, the asymmetric key comprising a third public key and a third private key;
wherein the secure client decrypting the login credential with the key data to obtain the user information comprises:
when the key data is the symmetric key, the secure client decrypting the login credential with the symmetric key to obtain the user information;
when the key data is the asymmetric key, the secure client decrypting the login credential with the third private key to obtain the user information, wherein the login credential is generated by encrypting the user information with the third public key; and
when the key data comprises both the asymmetric key and the symmetric key, the secure client performing a first decryption of the login credential with the third private key and a second decryption of the once-decrypted login credential with the symmetric key to obtain the user information, wherein the login credential is generated by encrypting the user information with the symmetric key and then with the third public key, in that order.
5. The method according to claim 3, characterized in that the method further comprises:
the IDP service performing a hash operation on the user information to obtain a first hash digest, and sending the first hash digest to the target application together with the login credential; and
the target application performing a hash operation on the user information sent by the secure client to obtain a second hash digest, and performing the login operation when the first hash digest and the second hash digest are consistent.
6. An application login device, the device comprising:
a receiving module, configured to receive a parameter to be verified sent by a target application, wherein the parameter to be verified comprises signature information and a first public key, the signature information is generated and sent by the target application after it responds to a first start operation and signs a random code with a first private key, and the first private key and the first public key are a pair of keys stored in an application certificate of the target application;
a ticket generation module, configured to generate a security ticket based on the random code when the signature information is verified using the first public key, and to return the security ticket to the target application, so that the target application sends the security ticket and the random code to an IDP service and, after the IDP service verifies the security ticket based on the random code, obtains login credentials sent by the IDP service and performs a login operation;
wherein the ticket generation module is further configured to encrypt the random code with a second public key to generate the security ticket, so that after receiving the security ticket the IDP service decrypts it with a second private key and confirms that the security ticket is verified when the random code sent by the target application is verified to be consistent with the random code obtained by decryption; wherein the second public key and the second private key are keys pre-stored in the IDP service, the second public key being sent by the IDP service to the secure client during the login procedure of the secure client;
wherein the application login device further comprises a key creation module configured to generate key data and a message authentication code in response to a second start operation; the ticket generation module is further configured to encrypt the random code and the message authentication code with the second public key to generate the security ticket; the target application is configured to request the key data from the secure client in response to the first start operation and to send the key data and the security ticket to the IDP service; and the IDP service is configured to decrypt the security ticket with the second private key after receiving it, to generate a first message digest from the decrypted message authentication code and the received key data when the random code sent by the target application is verified to be consistent with the decrypted random code, and to determine that the security ticket is verified when the first message digest is verified to be consistent with a stored second message digest;
wherein the second message digest is data generated by the secure client from the key data and the message authentication code and sent to the IDP service, together with the security ticket, via the target application.
7. An application login system, the system comprising:
a target application, configured to sign a random code with a first private key in response to a first start operation to generate signature information, and to generate a parameter to be verified from the signature information and a first public key, wherein the first private key and the first public key are a pair of keys stored in an application certificate of the target application;
a secure client, configured to receive the parameter to be verified sent by the target application, to generate a security ticket based on the random code when the signature information is verified using the first public key, and to return the security ticket to the target application; and
an IDP service, configured to receive the security ticket and the random code sent by the target application, and to send a login credential to the target application after the security ticket is verified based on the random code, so that the target application performs a login operation;
wherein the secure client is further configured to encrypt the random code with a second public key to generate the security ticket;
the IDP service is further configured to decrypt the security ticket with a second private key after receiving it, and to determine that the security ticket is verified when the random code sent by the target application is verified to be consistent with the random code obtained by decryption; wherein the second public key and the second private key are keys pre-stored in the IDP service, the second public key being sent by the IDP service to the secure client during the login procedure of the secure client;
the secure client is further configured to generate key data and a message authentication code in response to a second start operation, and encrypting the random code with the second public key to generate the security ticket comprises the secure client encrypting the random code and the message authentication code with the second public key to generate the security ticket;
the target application is further configured to request the key data from the secure client in response to the first start operation, and to send the key data and the security ticket to the IDP service;
the IDP service is further configured to decrypt the security ticket with the second private key after receiving it, to generate a first message digest from the decrypted message authentication code and the received key data when the random code sent by the target application is verified to be consistent with the decrypted random code, and to determine that the security ticket is verified when the first message digest is verified to be consistent with a stored second message digest; and
the second message digest is data generated by the secure client from the key data and the message authentication code and sent to the IDP service, together with the security ticket, via the target application.
8. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the steps of the method of any one of claims 1 to 5 when the computer program is executed.
9. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1 to 5.
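The ticket path of claim 1, as an added Go example that is not code from the patent or its assignee: the target application signs the random code, the secure client checks the signature and seals the random code and message authentication code under the IDP's second public key alongside a digest over the key data, and the IDP service decrypts, compares the random code and recomputes the digest. Assumed, because the patent does not fix them: ECDSA P-256 for the application certificate key pair, RSA-OAEP for the second key pair, HMAC-SHA256 for the message digest, and the constructed runFlow driver with its tamper switch.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// appSign: the target application signs the random code with the first private key of its application certificate (ECDSA P-256 assumed).
func appSign(firstPriv *ecdsa.PrivateKey, code []byte) ([]byte, error) {
	h := sha256.Sum256(code)
	return ecdsa.SignASN1(rand.Reader, firstPriv, h[:])
}

// keyedDigest models the message digest over the key data, keyed with the message authentication code (HMAC-SHA256 assumed).
func keyedDigest(mac, keyData []byte) []byte {
	d := hmac.New(sha256.New, mac)
	d.Write(keyData)
	return d.Sum(nil)
}

// clientIssueTicket: the secure client verifies the signature with the first public key, then returns
// the security ticket (code||mac sealed under the IDP's second public key) and the second message digest.
func clientIssueTicket(firstPub *ecdsa.PublicKey, secondPub *rsa.PublicKey,
	code, sig, keyData, mac []byte) (ticket, digest []byte, err error) {
	h := sha256.Sum256(code)
	if !ecdsa.VerifyASN1(firstPub, h[:], sig) {
		return nil, nil, errors.New("signature over random code does not verify")
	}
	plain := append(append([]byte{}, code...), mac...)
	ticket, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, secondPub, plain, nil)
	if err != nil { return nil, nil, err }
	return ticket, keyedDigest(mac, keyData), nil
}

// idpVerifyTicket: the IDP service decrypts with the second private key, checks the received random code
// against the decrypted one, then rebuilds the first message digest from the decrypted mac and the
// received key data and compares it with the stored second digest (constant-time comparisons).
func idpVerifyTicket(secondPriv *rsa.PrivateKey, ticket, digest, code, keyData []byte) error {
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, secondPriv, ticket, nil)
	if err != nil { return err }
	if len(plain) <= len(code) || !hmac.Equal(plain[:len(code)], code) {
		return errors.New("random code mismatch")
	}
	if !hmac.Equal(keyedDigest(plain[len(code):], keyData), digest) {
		return errors.New("message digest mismatch: key data or mac altered in transit")
	}
	return nil
}

// runFlow runs one exchange with fresh keys; tamper names the value forwarded altered: "", "sig", "code" or "keydata".
func runFlow(tamper string) error {
	firstPriv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	secondPriv, _ := rsa.GenerateKey(rand.Reader, 2048)
	code, keyData, mac := make([]byte, 16), make([]byte, 32), make([]byte, 32)
	rand.Read(code); rand.Read(keyData); rand.Read(mac) // key data and mac: created by the secure client at its start
	sig, err := appSign(firstPriv, code); if err != nil { return err }
	if tamper == "sig" { sig[len(sig)-1] ^= 1 }
	ticket, digest, err := clientIssueTicket(&firstPriv.PublicKey, &secondPriv.PublicKey, code, sig, keyData, mac)
	if err != nil { return err }
	fwdCode, fwdKey := append([]byte{}, code...), append([]byte{}, keyData...)
	if tamper == "code" { fwdCode[0] ^= 1 }
	if tamper == "keydata" { fwdKey[0] ^= 1 }
	return idpVerifyTicket(secondPriv, ticket, digest, fwdCode, fwdKey)
}

func main() {
	fmt.Println(runFlow(""), runFlow("sig"), runFlow("code"), runFlow("keydata"))
}
```

The digest binds the key data to a secret only the secure client and the IDP (via the sealed ticket) hold, so key data substituted by whatever relays it is detected at the IDP rather than silently accepted.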

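The credential path of claims 2 to 5 in the both-keys case of claim 4, as an added Go example that is not the patent's or its assignee's code: the IDP encrypts the user information with the symmetric key and then with the third public key, the secure client decrypts in the reverse order, and the target application compares its own hash of the returned user information with the first hash digest before logging in. Assumed, because the patent does not fix them: AES-256-GCM for the symmetric key, RSA-OAEP for the third key pair, SHA-256 for the hash digest, and the constructed sampleUserInfo record.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// sampleUserInfo is a constructed user record standing in for the IDP's user information.
const sampleUserInfo = `{"uid":"u-1001","name":"constructed sample"}`

// Symmetric layer: AES-256-GCM with a random 12-byte nonce prepended (this example's choice).
func gcm(key []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(blk)
}
func symSeal(key, msg []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil { return nil, err }
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, msg, nil), nil
}
func symOpen(key, box []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil || len(box) < g.NonceSize() { return nil, errors.New("bad key or credential") }
	return g.Open(nil, box[:g.NonceSize()], box[g.NonceSize():], nil)
}

// idpIssueCredential: once the ticket has verified, the IDP service encrypts the user information with
// the symmetric key and then the third public key (claim 4) and returns the first hash digest of claim 5.
func idpIssueCredential(sym []byte, thirdPub *rsa.PublicKey, userInfo []byte) (cred, firstHash []byte, err error) {
	inner, err := symSeal(sym, userInfo)
	if err != nil { return nil, nil, err }
	cred, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, thirdPub, inner, nil)
	if err != nil { return nil, nil, err }
	h := sha256.Sum256(userInfo)
	return cred, h[:], nil
}

// clientOpenCredential: the secure client peels the layers in reverse order, third private key first, then the symmetric key.
func clientOpenCredential(sym []byte, thirdPriv *rsa.PrivateKey, cred []byte) ([]byte, error) {
	inner, err := rsa.DecryptOAEP(sha256.New(), nil, thirdPriv, cred, nil)
	if err != nil { return nil, err }
	return symOpen(sym, inner)
}

// appAcceptLogin: the target application hashes the returned user information and logs in only if it matches the first hash digest.
func appAcceptLogin(info, firstHash []byte) bool {
	h := sha256.Sum256(info)
	return bytes.Equal(h[:], firstHash)
}

// roundTrip runs the credential path with fresh key data and returns the recovered user information plus the first hash digest.
func roundTrip() (info, firstHash []byte, err error) {
	sym := make([]byte, 32); rand.Read(sym) // symmetric key data created by the secure client
	thirdPriv, err := rsa.GenerateKey(rand.Reader, 2048) // third key pair created by the secure client
	if err != nil { return nil, nil, err }
	cred, firstHash, err := idpIssueCredential(sym, &thirdPriv.PublicKey, []byte(sampleUserInfo))
	if err != nil { return nil, nil, err }
	info, err = clientOpenCredential(sym, thirdPriv, cred)
	return info, firstHash, err
}

func main() {
	info, firstHash, err := roundTrip()
	fmt.Printf("user=%s accepted=%v err=%v\n", info, appAcceptLogin(info, firstHash), err)
}
```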
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310921431.0A CN116647413B (en) 2023-07-26 2023-07-26 Application login method, device, computer equipment and storage medium

Publications (2)

Publication Number Publication Date
CN116647413A CN116647413A (en) 2023-08-25
CN116647413B true CN116647413B (en) 2023-10-13

Family

ID=87640381

Country Status (1)

Country Link
CN (1) CN116647413B (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2011031272A1 (en) * 2009-09-14 2011-03-17 Interdigital Patent Holdings, Inc. Method and apparatus for trusted authentication and logon
CN103685282A (en) * 2013-12-18 2014-03-26 飞天诚信科技股份有限公司 Identity authentication method based on single sign on
CN111901346A (en) * 2020-07-29 2020-11-06 北京奇艺世纪科技有限公司 Identity authentication system
CN112491881A (en) * 2020-11-26 2021-03-12 中国人寿保险股份有限公司 Cross-platform single sign-on method, system, electronic equipment and storage medium
CN112613010A (en) * 2020-12-28 2021-04-06 北京世纪互联宽带数据中心有限公司 Authentication service method, device, server and authentication service system
CN113935008A (en) * 2021-12-15 2022-01-14 深圳竹云科技有限公司 User authentication method, device, electronic equipment and computer readable storage medium
CN116049802A (en) * 2023-03-31 2023-05-02 深圳竹云科技股份有限公司 Application single sign-on method, system, computer equipment and storage medium
CN116204857A (en) * 2021-11-30 2023-06-02 腾讯科技(深圳)有限公司 Service processing method, device, equipment and computer readable storage medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Design and implementation of a ticket-based single sign-on protocol; 李凡; 王流一; 计算机工程与科学 (Computer Engineering and Science), No. 02, pp. 41-44 *

Also Published As

Publication number Publication date
CN116647413A (en) 2023-08-25

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant