CN116886352A - Authentication and authorization method and system for digital intelligent products - Google Patents

Authentication and authorization method and system for digital intelligent products

Info

Publication number
CN116886352A
Authority
CN
China
Prior art keywords
login
client
authentication
authorization
ciphertext
Prior art date
Legal status
Pending
Application number
CN202310798236.3A
Other languages
Chinese (zh)
Inventor
王艳杰
施捷
何传鑫
夏耀杰
孙增福
Current Assignee
Shanghai Rongheyuan Energy Storage Co ltd
Original Assignee
Shanghai Rongheyuan Energy Storage Co ltd
Priority date
Filing date
Publication date
Events
Application filed by Shanghai Rongheyuan Energy Storage Co ltd
Priority to CN202310798236.3A
Publication of CN116886352A
Status: Pending

Classifications

    • G PHYSICS
        • G06 COMPUTING; CALCULATING OR COUNTING
            • G06F ELECTRIC DIGITAL DATA PROCESSING
                • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
                        • G06F21/45 Structures or tools for the administration of authentication
                            • G06F21/46 by designing passwords or checking the strength of passwords
    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
                    • H04L9/32 including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
                        • H04L9/321 involving a third party or a trusted authority
                            • H04L9/3213 using tickets or tokens, e.g. Kerberos
                        • H04L9/3236 using cryptographic hash functions
                        • H04L9/3263 involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
                    • H04L9/40 Network security protocols
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/08 for authentication of entities
                        • H04L63/0823 using certificates
                        • H04L63/0876 based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
                • H04L67/00 Network arrangements or protocols for supporting network services or applications
                    • H04L67/01 Protocols
                        • H04L67/08 Protocols specially adapted for terminal emulation, e.g. Telnet

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Power Engineering (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses an authentication and authorization method and system for digital intelligent products. It relates to the technical field of authentication and authorization and aims to solve the problem that the prior art protects login rights and service-call rights poorly. The technical key points of the invention include: the client sends a login request carrying encrypted login parameters; the server checks whether the client is authorized, queries the corresponding key stored in a database according to the encrypted login parameters supplied by the client, and verifies the login parameters to determine whether the client has login rights within the validity period; after the client's login request passes verification, the server side authenticates and authorizes the inter-service requests made for the client's operation request. The invention improves the security of user privacy information and secures request calls between services.

Description

Authentication and authorization method and system for digital intelligent products
Technical Field
The invention relates to the technical field of authentication and authorization, in particular to a digital intelligent product authentication and authorization method and a digital intelligent product authentication and authorization system.
Background
With the development of internet applications, application systems are increasingly deployed on servers in different regions; the systems are geographically independent but connected over a network. As the scale keeps growing, the burden on administrators grows with it. In the common approach to application-system login and authentication, each system has its own authentication module and permission data, so that when there are many systems each one must authenticate the user separately. This leads to frequent login operations, is inconvenient for users, and makes multi-system login inefficient. At the same time, personnel information cannot be shared because the data is heterogeneous, and every change to user information has to be maintained synchronously across multiple systems, which greatly increases maintenance cost.
Trust is a very important dimension of security. In a micro-service architecture, when a micro-service receives a message it needs to determine whether the message is spoofed, which is the authentication problem of micro-services; in addition, a micro-service may need to exchange data with a third-party service, which raises the question of authorization for user resources. Because communication between micro-services is very frequent, inter-service authentication mechanisms are an active direction of industry research.
In software systems based on a micro-service architecture, interactions between services are very frequent, which introduces more security risks. If only the security of data communication is considered, and not the legitimacy of service calls within the system, then once a service is deployed to a server any user can copy and invoke it without limit, so that the company's core product is exploited without restriction and resources leak.
Disclosure of Invention
Accordingly, the present invention is directed to a method and system for authenticating and authorizing a digital product in an effort to solve or at least alleviate at least one of the above-identified problems.
According to an aspect of the present invention, there is provided a digital intelligent product authentication and authorization method, the method comprising the steps of:
the client sends a login request, wherein the login request carries encrypted login parameters;
the server checks whether the client is authorized or not, and queries a corresponding key stored in a database according to the encrypted login parameter input by the client, and verifies the login parameter to determine whether the client has login rights in the validity period;
after the client login request passes verification, the server side performs authentication and authorization on the operation request of the client, wherein the operation request carries a target service name, a target function name, a corresponding identity token and an access token, the identity token represents the identity information of the client, and the access token contains the maximum access authority of the call request and a certificate for verification.
Further, the encrypted login parameters comprise the MAC address of the client server and an authorization code. The authorization code is obtained as follows: the enterprise basic-information parameter package is encrypted to obtain an encrypted character string; the encrypted character string is concatenated with the enterprise identifier, and the result is hashed with MD5 (described in the original as MD5 encryption) to obtain the authorization code.
Further, the encrypted login parameters comprise an encrypted user account and password. The encryption mode is as follows: the user password is protected by salting it with a random number (a salted hash). The processing steps are: generate a random character string of fixed length, the salt value (Salt); concatenate the user password and the salt according to a first combination rule (Rule1) into a new string String1; process String1 with a hash function to obtain the first ciphertext Cipher1; concatenate Salt and Cipher1 according to a second combination rule (Rule2) to obtain a new ciphertext string CiphStr; and store CiphStr together with the corresponding account in the user account table in the database.
Further, when the encrypted login parameters are the encrypted user account and password, the server-side process of verifying the login parameters comprises: when the user enters an account and password for login verification, first take the ciphertext string CiphStr corresponding to the account out of the database and split it in reverse according to Rule2 to obtain the ciphertext Cipher1 and the salt value Salt; combine the user password and Salt according to Rule1 into a new string String2; process String2 with the same hash function to obtain Cipher2; compare Cipher1 with Cipher2, and if they are identical the user's login is verified as successful.
Further, the server-side process of authenticating and authorizing requests between services comprises: verifying the access token with the public key (the token's certificate is produced with the API gateway's private key, so the public key checks its correctness); after the access token is verified, looking up the corresponding permission in the permission database according to the target service name and target function name; if the permission value found is not greater than the maximum access permission in the access token, looking up the IP address of the target service by its service name, sending a new request to that address to invoke the function of the corresponding service, and sending the identity token and access token along with it; otherwise, the access is illegal.
According to another aspect of the present invention, there is provided a digital intelligent product authentication and authorization system, the system including a client and a server, the server including an authentication module and an authentication and authorization center;
the client is used for sending a login request, wherein the login request carries encrypted login parameters;
the authentication module is used for checking whether the client is authorized or not, inquiring a corresponding key stored in a database according to the encrypted login parameter input by the client, and verifying the login parameter to determine whether the client has login rights in the validity period or not;
the authentication and authorization center is used, after the client's login request has passed verification, to authenticate and authorize the inter-service requests made for the client's operation request, wherein the operation request carries a target service name, a target function name, a corresponding identity token and an access token; the identity token represents the identity information of the client, and the access token contains the maximum access permission of the call request and a certificate for verification.
Further, the encrypted login parameters comprise the MAC address of the client server and an authorization code. The authorization code is obtained as follows: the enterprise basic-information parameter package is encrypted to obtain an encrypted character string; the encrypted character string is concatenated with the enterprise identifier, and the result is hashed with MD5 (described in the original as MD5 encryption) to obtain the authorization code.
Further, the encrypted login parameters comprise an encrypted user account and password. The encryption mode is as follows: the user password is protected by salting it with a random number (a salted hash). The processing steps are: generate a random character string of fixed length, the salt value (Salt); concatenate the user password and the salt according to a first combination rule (Rule1) into a new string String1; process String1 with a hash function to obtain the first ciphertext Cipher1; concatenate Salt and Cipher1 according to a second combination rule (Rule2) to obtain a new ciphertext string CiphStr; and store CiphStr together with the corresponding account in the user account table in the database.
Further, when the encrypted login parameters are the encrypted user account and password, the server-side process of verifying the login parameters comprises: when the user enters an account and password for login verification, first take the ciphertext string CiphStr corresponding to the account out of the database and split it in reverse according to Rule2 to obtain the ciphertext Cipher1 and the salt value Salt; combine the user password and Salt according to Rule1 into a new string String2; process String2 with the same hash function to obtain Cipher2; compare Cipher1 with Cipher2, and if they are identical the user's login is verified as successful.
Further, the authentication and authorization center authenticates and authorizes requests between services as follows: it verifies the access token with the public key (the token's certificate is produced with the API gateway's private key, so the public key checks its correctness); after the access token is verified, it looks up the corresponding permission in the permission database according to the target service name and target function name; if the permission value found is not greater than the maximum access permission in the access token, it looks up the IP address of the target service by its service name, sends a new request to that address to invoke the function of the corresponding service, and sends the identity token and access token along with it; otherwise, the access is illegal.
The beneficial technical effects of the invention are as follows:
the invention provides an authentication and authorization method and system for digital intelligent products. The authentication and authorization process comprises: the client sends a login request; the authentication module obtains the MAC address and authorization code of the client server, encrypts them and sends the encrypted login request to the authentication center to request authentication information; on receiving the request, the authentication center queries the database and returns the agreed content; the authentication module judges from the returned content whether the client is authorized; if it is not, the MAC address is displayed and the user is prompted to contact the administrator to carry out the authorization operation; if it is authorized, the module further checks whether the authorization code has expired and, if so, prompts the administrator to re-authorize; if it has not expired, the login page is shown and the user can log in to the system. Furthermore, the user password is protected by salting it with a random number, which improves its security, and the two distinct string combination rules further increase the effort an attacker needs to brute-force the password, so the security of user privacy information is improved. Further, calls between services do not designate a specific IP address; instead the concrete address is looked up by service name and the request is then forwarded. The concepts of an identity token and an access token are introduced at the same time to verify the identity and permissions of the requester, so that the security of request calls between services is ensured.
Drawings
The above, as well as additional purposes, features, and advantages of exemplary embodiments of the present invention will become readily apparent from the following detailed description when read in conjunction with the accompanying drawings. Several embodiments of the present invention are illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings and in which:
FIG. 1 is a flow chart of a method for authenticating and authorizing a digital intelligent product according to an embodiment of the present invention;
FIG. 2 is a sequence diagram of an authentication and authorization method for a digital intelligent product according to another embodiment of the present invention;
FIG. 3 is a schematic diagram of an authentication procedure in an embodiment of the present invention;
FIG. 4 is a schematic diagram of an authorization process in an embodiment of the invention;
FIG. 5 is a schematic structural diagram of the authentication and authorization system for intelligent products according to an embodiment of the invention.
Detailed Description
The principles and spirit of the present invention will be described below with reference to several exemplary embodiments. It should be understood that these embodiments are presented merely to enable those skilled in the art to better understand and practice the invention and are not intended to limit the scope of the invention in any way. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
Those skilled in the art will appreciate that embodiments of the invention may be implemented as a system, apparatus, device, method, or computer program product. Accordingly, the present disclosure may be embodied in the following forms, namely: complete hardware, complete software (including firmware, resident software, micro-code, etc.), or a combination of hardware and software. In this document, it should be understood that any number of elements in the drawings is for illustration and not limitation, and that any naming is used only for distinction and not for any limitation.
The embodiment of the invention provides a digital intelligent product authentication and authorization method, as shown in fig. 1, which comprises the following steps:
the client sends a login request, wherein the login request carries encrypted login parameters;
the server checks whether the client is authorized or not, and queries a corresponding key stored in a database according to the encrypted login parameter input by the client, and verifies the login parameter to determine whether the client has login rights in the validity period;
after the client login request passes verification, the server side performs authentication and authorization on the operation request of the client, wherein the operation request carries a target service name, a target function name, a corresponding identity token and an access token, the identity token represents the identity information of the client, and the access token contains the maximum access authority of the call request and a certificate for verification.
In this embodiment, preferably, the encrypted login parameters include the MAC address of the client server and an authorization code. The authorization code is obtained as follows: the enterprise basic-information parameter package is encrypted to obtain an encrypted character string; the encrypted character string is concatenated with the enterprise identifier, and the result is hashed with MD5 (described in the original as MD5 encryption) to obtain the authorization code.
In this embodiment, preferably, the user sends an HTTP request through the client, and after load balancing the application receives the request. An authentication layer in the application then verifies the identity of the request and approves its permissions, which generally requires interaction with a back-end database; once identity and permissions are verified, the system dispatches the request to the corresponding business-logic layer, and after the related function has been executed the result is returned to the client. In the micro-service architecture, all external user requests pass through the API gateway, which then issues requests to the corresponding micro-services. The API gateway is a server and the only entry point into the system; it is responsible for routing, composing and protocol-converting service requests. When a user logs in to the system, the API gateway must verify the legitimacy of the login identity: the system extracts the user account and password from the login request and matches them against the account and password records in the database.
The embodiment of the invention provides a method of protecting the user password by salting it with a random number, which improves the security of the user password. The steps are: generate a random character string of fixed length, the salt value (Salt); concatenate the user password and the salt according to a first combination rule (Rule1) into a new string String1; process String1 with a hash function to obtain the first ciphertext Cipher1; concatenate Salt and Cipher1 according to a second combination rule (Rule2) to obtain a new ciphertext string CiphStr; and store CiphStr together with the corresponding account in the user account table in the database.
The process by which the API gateway verifies the user's identity comprises: when the user enters an account and password for login verification, the system first takes the ciphertext string CiphStr corresponding to the account out of the database and splits it in reverse according to Rule2 into the ciphertext Cipher1 and the salt value Salt; the user password and Salt are then combined according to Rule1 into a new string String2; String2 is processed with the same hash function to obtain Cipher2; finally Cipher1 and Cipher2 are compared, and if they are identical the user's login is verified as successful. Random salting gives every user's password a different salt value, and the two distinct combination rules further increase the effort an attacker needs for brute-force cracking.
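The register-and-verify procedure above (and the matching claims earlier on this page) as an added worked example. This is editor-written Go, not code from the patent or its assignee. The patent fixes neither the hash function nor the two combination rules, so the following are assumptions made here: SHA-256 as the hash, a 16-byte salt, Rule1 = password followed by salt, and Rule2 = salt, a "$" separator, then Cipher1.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// saltLen is the fixed salt length in bytes (the patent only says "fixed length"; 16 is an assumption).
const saltLen = 16

// rule1 is the first combination rule, used to build String1 at registration and String2 at login.
// The patent does not state the rule; "password followed by salt" is an assumption.
func rule1(password, salt string) string { return password + salt }

// rule2 is the second combination rule that joins Salt and Cipher1 into the stored CiphStr.
// A separator is used so the server can split the string again (the patent's "reverse splitting").
func rule2(salt, cipher1 string) string { return salt + "$" + cipher1 }

// splitRule2 reverses rule2: CiphStr -> (Salt, Cipher1).
func splitRule2(ciphStr string) (salt, cipher1 string, err error) {
	i := strings.IndexByte(ciphStr, '$')
	if i < 0 {
		return "", "", errors.New("stored ciphertext string is malformed")
	}
	return ciphStr[:i], ciphStr[i+1:], nil
}

// hashString is the hash function applied to a combined string.
// The patent names no particular hash; SHA-256 is an assumption.
func hashString(s string) string {
	sum := sha256.Sum256([]byte(s))
	return hex.EncodeToString(sum[:])
}

// newSalt draws the fixed-length random salt from the OS CSPRNG (never math/rand for this).
func newSalt() (string, error) {
	b := make([]byte, saltLen)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil // hex output can never contain the '$' separator
}

// Register is the storage side: String1 = Rule1(password, Salt), Cipher1 = H(String1),
// CiphStr = Rule2(Salt, Cipher1). CiphStr is what goes into the user account table.
func Register(password string) (string, error) {
	salt, err := newSalt()
	if err != nil {
		return "", err
	}
	return registerWithSalt(password, salt), nil
}

// registerWithSalt is Register with a caller-supplied salt (deterministic, for testing).
func registerWithSalt(password, salt string) string {
	return rule2(salt, hashString(rule1(password, salt)))
}

// Verify is the login side: split CiphStr by Rule2, rebuild String2 = Rule1(password, Salt),
// Cipher2 = H(String2), then compare Cipher1 and Cipher2. The comparison is constant-time,
// which the patent does not require but which avoids leaking the digest byte by byte.
func Verify(ciphStr, password string) bool {
	salt, cipher1, err := splitRule2(ciphStr)
	if err != nil {
		return false
	}
	cipher2 := hashString(rule1(password, salt))
	return subtle.ConstantTimeCompare([]byte(cipher1), []byte(cipher2)) == 1
}

func main() {
	stored, err := Register("correct horse battery staple")
	if err != nil {
		panic(err)
	}
	fmt.Println("user table entry:", stored)
	fmt.Println("right password accepted:", Verify(stored, "correct horse battery staple"))
	fmt.Println("wrong password accepted:", Verify(stored, "Tr0ub4dor&3"))
}
```

Two points a practitioner would add to the patent's description. The combination rules are part of the code, not secrets: whoever obtains the user table also obtains the rules, so they add no brute-force cost beyond the salt itself; the per-user salt is what defeats precomputed tables, and the remaining cost should come from a deliberately slow password hash (bcrypt, scrypt or Argon2id from golang.org/x/crypto) in place of the single SHA-256 call in hashString. And the final comparison is made in constant time rather than with ==, so a mismatch is not reported faster for digests that differ in an early byte.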
The access-control flow when an external user request invokes a micro-service in the system is as follows: client requests may originate from mobile devices, browsers or internet-of-things devices, and after load balancing all of them must pass through the API gateway; the API gateway then looks up the corresponding key stored in the database according to the account entered on the user's front-end page, and verifies the password entered by the user using the random-salting scheme. If verification succeeds, the user is logged in and the API gateway calls the corresponding micro-service; if it fails, the user is returned to the login page.
In this embodiment, preferably, the server-side process of authenticating and authorizing requests between services comprises: verifying the identity token and its validity period; verifying the access token with the public key; after the access token is verified, looking up the corresponding permission in the permission database according to the target service name and target function name; if the permission value found is not greater than the maximum access permission in the access token, looking up the IP address of the target service by its service name, sending a new request to that address to invoke the function of the corresponding service, and sending the identity token and access token along with it; otherwise, the access is illegal.
In a micro-service architecture, many functions are implemented through calls between multiple micro-services. Each service needs to authenticate and authorize the source of a request, because once a micro-service is compromised by an attacker, all communication data in the system can be intercepted and the system can even be brought down. However, checking the user account and password on every call costs the software system time and introduces noticeable delay across the whole system. Therefore, for authentication control between services, the embodiment of the invention introduces the concepts of an identity token and an access token: the identity token represents the identity information of the current user but has a validity limit and is valid only for a limited time; the access token contains the maximum access permission of the call request and a certificate for verification. After each user sends a call request, the API gateway generates the corresponding identity token and access token.
After the user's login request has passed authentication at the API gateway, the gateway forwards the user's operation request to the authentication and authorization center together with the corresponding identity token and access token. The authentication and authorization center is a unified authentication center responsible for authenticating and authorizing requests between all services. The operation request carries parameters including the target service name and the target function name. On receiving the request, the center first verifies the identity token and its validity period; after the identity is verified, it verifies the certificate of the access token: the certificate is produced with the private key of the API gateway, and the center uses the corresponding public key to verify the correctness of the access token. Once the access token is verified, the center looks up the corresponding permission in the permission database according to the target service name and target function name. If the permission value found is not greater than the maximum access permission in the access token, the center looks up the IP address of the target service by its service name, sends a new request to that address to invoke the function of the corresponding micro-service, and sends the identity token and access token along with it. Otherwise, the access is illegal.
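The gateway-to-centre exchange described above (and in the corresponding claims earlier on the page), as an added Go example; this is editor-written code, not the patent's or the assignee's. The patent does not say what the certificate is or how it is encoded, so here it is an RSA-PSS signature by the API gateway over the token's subject and maximum permission; the permission table and the service registry are in-memory maps standing in for the permission database and service discovery; and the check that both tokens name the same subject is an addition the patent does not mention.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"time"
)

// IdentityToken represents the caller's identity and is valid only until Expires.
type IdentityToken struct {
	Subject string
	Expires time.Time
}

// AccessToken carries the maximum permission of the call plus a certificate: the API gateway's
// RSA-PSS signature over (Subject, MaxPermission), checked by the centre with the gateway public key.
type AccessToken struct {
	Subject       string
	MaxPermission int
	Certificate   string // base64-encoded signature
}

func (a AccessToken) digest() []byte {
	d := sha256.Sum256([]byte(fmt.Sprintf("%s|%d", a.Subject, a.MaxPermission)))
	return d[:]
}

// Gateway is the API gateway, the only holder of the signing key.
type Gateway struct{ Key *rsa.PrivateKey }

func NewGateway() (*Gateway, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Gateway{Key: k}, nil
}

// Issue mints both tokens once the login request has passed the gateway's authentication.
func (g *Gateway) Issue(subject string, maxPerm int, ttl time.Duration, now time.Time) (IdentityToken, AccessToken, error) {
	at := AccessToken{Subject: subject, MaxPermission: maxPerm}
	sig, err := rsa.SignPSS(rand.Reader, g.Key, crypto.SHA256, at.digest(), nil)
	if err != nil {
		return IdentityToken{}, AccessToken{}, err
	}
	at.Certificate = base64.StdEncoding.EncodeToString(sig)
	return IdentityToken{Subject: subject, Expires: now.Add(ttl)}, at, nil
}

// AuthCenter is the unified authentication and authorization centre.
type AuthCenter struct {
	GatewayPub *rsa.PublicKey
	Perms      map[string]int    // required permission per "service/function"
	Registry   map[string]string // service name -> address, resolved per call instead of a fixed IP
}

var (
	ErrIdentityExpired = errors.New("identity token expired")
	ErrSubjectMismatch = errors.New("identity and access token belong to different subjects")
	ErrBadCertificate  = errors.New("access token certificate does not verify")
	ErrIllegalAccess   = errors.New("illegal access: target unknown or required permission exceeds token maximum")
)

// Authorize runs the centre's checks in the patent's order and returns the address to forward to.
func (c *AuthCenter) Authorize(id IdentityToken, at AccessToken, service, function string, now time.Time) (string, error) {
	if !now.Before(id.Expires) {
		return "", ErrIdentityExpired
	}
	if id.Subject != at.Subject { // not in the patent: binds the two tokens to one caller
		return "", ErrSubjectMismatch
	}
	sig, err := base64.StdEncoding.DecodeString(at.Certificate)
	if err != nil || rsa.VerifyPSS(c.GatewayPub, crypto.SHA256, at.digest(), sig, nil) != nil {
		return "", ErrBadCertificate
	}
	required, known := c.Perms[service+"/"+function]
	addr, registered := c.Registry[service]
	if !known || !registered || required > at.MaxPermission {
		return "", ErrIllegalAccess // unknown targets are denied, never default-allowed
	}
	return addr, nil
}

func main() {
	gw, err := NewGateway()
	if err != nil {
		panic(err)
	}
	centre := &AuthCenter{GatewayPub: &gw.Key.PublicKey, Registry: map[string]string{"billing": "10.0.3.17:8443"},
		Perms: map[string]int{"billing/readInvoice": 1, "billing/refund": 3}}
	id, at, _ := gw.Issue("client-42", 2, 10*time.Minute, time.Now())
	fmt.Println(centre.Authorize(id, at, "billing", "readInvoice", time.Now())) // 10.0.3.17:8443 <nil>
	at.MaxPermission = 9 // the caller tampers with its own token
	fmt.Println(centre.Authorize(id, at, "billing", "refund", time.Now())) // "" plus ErrBadCertificate
}
```

The tampered call in main is the case the certificate exists for: the client can read MaxPermission but cannot raise it, because any change invalidates the gateway's signature. Two further choices worth noting: an unknown service or function is treated as illegal access rather than default-allowed, and the identity token's expiry is checked before any public-key operation, so expired tokens are cheap to reject.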
Another embodiment of the present invention proposes an authentication and authorization method for digital intelligent products; the entire authentication and authorization flow is shown in fig. 2. First, the PC end sends a request, which is intercepted by the authentication module. The authentication module obtains the MAC address of the client server and the parameters agreed in advance, encrypts them, and sends an authentication request to the authentication center. On receiving the request, the authentication center queries the database and returns the agreed content. The authentication module decides from the returned content whether the client is authorized: if it is not, the MAC address is shown in a pop-up and the user is prompted to contact the administrator to carry out authorization; if it is, the module further checks whether the authorization code has expired, and if so prompts that the administrator must re-authorize; if the code has not expired, the user proceeds to the login page and can log in to the system.
When a user applies for authorization, the user fills in basic information: the MAC address of the client server, the enterprise identifier, the enterprise name, the project name, basic information about the enterprise user, the necessary information about the power station (PCS device codes, the SN code of the battery stack, and the SN code of each cluster in the stack), the authorization start time and the authorization duration (in days), and then submits the authorization application. On receiving the information to be audited, the authorization reviewer checks the basic information filled in by the applicant: if information is wrong or missing, the application is returned for correction; if the review fails, the application is rejected outright; if the review passes, the reviewer enters the authorization center to perform the authorization operation, and once authorization is complete an authorization code is returned to the applicant. The authorization code is derived from the structure of the power station, the SN codes of the station equipment and other basic information. The specific parameters are: the basic parameters of the power station (project name, PCS, stack, cluster); the enterprise name, the user name and the contact details of the enterprise principal; and the MAC address of the client server. This information is packed into a JSON object, the object is AES-encrypted to obtain an encrypted string (reversible), the enterprise identifier is appended to the encrypted string, and the result is hashed with MD5 to obtain the authorization code (irreversible).
The authentication flow is shown in fig. 3. First, the PC side sends a request; the authentication module intercepts it and checks whether the client is authorized. For an unauthorized client, the module pops up the client's MAC address and prompts the user to contact the administrator to perform authorization. For an authorized client, it checks whether the authorization code is within its validity period: if so, it jumps to the login page; if the authorization has expired, it prompts that re-authorization is needed.
The authorization flow is shown in fig. 4. First, a client submits an authorization application; the approver then reviews it and either rejects it outright, returns it so that the information can be corrected, or, if it passes, enters the authorization center to complete the authorization operation. After authorization is finished, the authorization code is returned to the applicant.
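The authorization-code derivation and the authentication module's check from the flows above, as an added example rather than the patent's own code: the JSON object is AES-CBC encrypted (the reversible step), the enterprise identifier is appended and the MD5 digest taken (the irreversible step), and the authentication module compares the code presented for a MAC address with the stored record and its validity period. The field names, CBC mode with a random IV, base64 for the encrypted string, the in-memory store and the sample values in the test are assumptions for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"time"
)

// StationInfo is the JSON object packed before encryption; field names are assumed.
type StationInfo struct {
	Project   string   `json:"project"`
	PCS       []string `json:"pcs"`
	StackSN   string   `json:"stack"`
	Clusters  []string `json:"clusters"`
	Company   string   `json:"enterprise"`
	ClientMAC string   `json:"mac"`
}

// EncryptInfo: JSON -> AES-CBC with a random IV -> base64, the reversible encrypted string.
func EncryptInfo(key []byte, info StationInfo) (string, error) {
	plain, err := json.Marshal(info)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	n := aes.BlockSize - len(plain)%aes.BlockSize // PKCS#7 padding
	padded := append(plain, bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, aes.BlockSize+len(padded)) // IV is carried as the first block
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil {
		return "", err
	}
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	return base64.StdEncoding.EncodeToString(out), nil
}

// DecryptInfo reverses EncryptInfo, so the stored string yields the application data again.
func DecryptInfo(key []byte, enc string) (StationInfo, error) {
	var info StationInfo
	data, err := base64.StdEncoding.DecodeString(enc)
	if err != nil {
		return info, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return info, err
	}
	if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return info, errors.New("ciphertext length invalid")
	}
	body := data[aes.BlockSize:]
	cipher.NewCBCDecrypter(block, data[:aes.BlockSize]).CryptBlocks(body, body)
	n := int(body[len(body)-1])
	if n == 0 || n > aes.BlockSize {
		return info, errors.New("bad padding")
	}
	return info, json.Unmarshal(body[:len(body)-n], &info)
}

// AuthorizationCode appends the enterprise identifier to the encrypted string
// and takes the MD5 digest: the irreversible code handed to the applicant.
func AuthorizationCode(encrypted, enterpriseID string) string {
	sum := md5.Sum([]byte(encrypted + enterpriseID))
	return hex.EncodeToString(sum[:])
}

// Authorization is the record the authorization center keeps per client MAC.
type Authorization struct {
	Code  string
	Start time.Time
	Days  int // authorization duration, in days
}

type Status int
const (
	Unauthorized Status = iota // unknown MAC or wrong code: show the MAC, contact the administrator
	Expired                    // outside the validity period: the administrator must re-authorize
	LoginAllowed               // jump to the login page
)

// CheckClient is the authentication module's decision on an intercepted request.
func CheckClient(store map[string]Authorization, mac, code string, now time.Time) Status {
	a, ok := store[mac]
	if !ok || subtle.ConstantTimeCompare([]byte(a.Code), []byte(code)) != 1 {
		return Unauthorized
	}
	if now.Before(a.Start) || !now.Before(a.Start.AddDate(0, 0, a.Days)) {
		return Expired
	}
	return LoginAllowed
}
```

Because the code is an MD5 digest, nothing can be recovered from it, and with a random IV the encrypted string differs on every run, so the center must keep the code (or the encrypted string) it issued and compare against that, which is what CheckClient does; the comparison is constant-time so that a caller cannot learn the stored code byte by byte from response timing. MD5 is not collision-resistant, so the code's unforgeability rests on the secrecy of the AES key and of the stored record, not on the hash; SHA-256 or an HMAC in the same position would remove that dependency.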
The invention further provides an authentication and authorization system for digital intelligent products, comprising a client and a server, wherein the server comprises an authentication module and an authentication and authorization center; wherein:
the client is used for sending a login request, the login request carrying encrypted login parameters;
the authentication module is used for checking whether the client is authorized, querying the corresponding key stored in the database according to the encrypted login parameters input by the client, and verifying the login parameters to determine whether the client has login rights within the validity period;
the authentication and authorization center is used for authenticating and authorizing the requests between services for the client's operation request after the client's login request has passed verification, wherein the operation request carries a target service name, a target function name, a corresponding identity token and an access token; the identity token represents the identity information of the client, and the access token contains the maximum access authority of the call request and a credential used to verify it.
According to the embodiment of the present invention, as shown in fig. 5, the whole hierarchy is divided into authentication and authorization: the left side is the authentication function, the right side is the authorization function, and the two interact through the authentication and authorization center. The authentication function comprises a PC monitoring interface, an authentication module and an authentication center; the authorization function comprises authorization application, an authorization center and authorization approval.
The authentication module judges whether the current client is authorized; an authorized client proceeds to the system login page, otherwise an authorization prompt pops up. The authentication center manages the existing clients that have already completed authentication. The authorization center performs the authorization operation for new clients and returns the corresponding authorization code.
The system further comprises an authorization approval module for auditing the content and authenticity of a submitted authorization application.
In this embodiment, preferably, the encrypted login parameters include the MAC address of the client server and the authorization code. The authorization code is obtained as follows: the package of enterprise basic information parameters is encrypted to obtain an encrypted string; the encrypted string and the enterprise identifier are concatenated and hashed with MD5 to obtain the authorization code.
In this embodiment, preferably, the encrypted login parameters include an encrypted user account and password. The encryption method is as follows: the user password is processed by adding a random number as salt. The process of salting the user password with the random number comprises the following steps: generating a random string of fixed length, namely the salt value; concatenating the user password and the random string into a new string String1 according to a first combination rule; processing String1 with a hash function to obtain a first ciphertext Cipher1; concatenating the salt value and the ciphertext Cipher1 according to a second combination rule to obtain a new ciphertext string; and storing the new ciphertext string and the corresponding account in the user account table of the database.
In this embodiment, preferably, when the encrypted login parameters are an encrypted user account and password, the process by which the server verifies the login parameters comprises: when the user enters an account and password for login verification, first retrieving from the database the ciphertext string corresponding to the account and splitting it in reverse according to the second combination rule to obtain the ciphertext Cipher1 and the salt value; forming a new string String2 from the user password and the salt value according to the first combination rule; processing String2 with the same hash function to obtain a ciphertext Cipher2; and comparing the ciphertext Cipher1 with the ciphertext Cipher2; if they are identical, the user login is verified as successful.
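The salting and verification steps above, as an added example and not the patent's code: SHA-256 stands in for the unspecified hash function, the first combination rule is taken to be password followed by salt, the second to be salt, a "$" separator and the hex digest, and the user account table is a map; these choices and the sample credentials are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

const saltLen = 16 // bytes of random salt; the text only says "fixed length"

// firstRule is the first combination rule: password followed by the salt.
func firstRule(password, salt string) string { return password + salt }

// secondRule joins the salt and Cipher1 into the stored ciphertext string; hex
// never contains "$", so the split in Verify is unambiguous.
func secondRule(salt, cipher1 string) string { return salt + "$" + cipher1 }

// hashFn is the hash function applied to String1 and String2 (SHA-256 assumed).
func hashFn(s string) string {
	sum := sha256.Sum256([]byte(s))
	return hex.EncodeToString(sum[:])
}

// Register produces the ciphertext string stored in the user account table.
func Register(password string) (string, error) {
	raw := make([]byte, saltLen)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	salt := hex.EncodeToString(raw)
	cipher1 := hashFn(firstRule(password, salt)) // String1 -> Cipher1
	return secondRule(salt, cipher1), nil
}

var ErrBadRecord = errors.New("stored ciphertext string has an unexpected shape")

// Verify reverses the second rule, recomputes Cipher2 from String2 and compares it with Cipher1.
func Verify(stored, password string) (bool, error) {
	parts := strings.SplitN(stored, "$", 2)
	if len(parts) != 2 || len(parts[0]) != 2*saltLen {
		return false, ErrBadRecord
	}
	cipher2 := hashFn(firstRule(password, parts[0]))
	return subtle.ConstantTimeCompare([]byte(parts[1]), []byte(cipher2)) == 1, nil
}

func main() {
	users := map[string]string{} // stands in for the user account table
	stored, err := Register("S3cret-pass")
	if err != nil {
		panic(err)
	}
	users["operator-7"] = stored
	fmt.Println("stored:", stored)
	ok, _ := Verify(users["operator-7"], "S3cret-pass")
	fmt.Println("correct password:", ok)
	ok, _ = Verify(users["operator-7"], "wrong")
	fmt.Println("wrong password:", ok)
}
```

The shape is exactly what the text describes: a per-user random salt defeats precomputed tables, the salt is stored in the clear next to the digest, and verification is a recomputation plus a comparison (constant-time here, so the comparison itself does not leak). A single SHA-256 pass is fast enough that an attacker who obtains the table can still test a very large number of guesses per second, so in production the hash function slot is filled with a deliberately slow, memory-hard function such as bcrypt, scrypt or Argon2; the salt and the two combination rules stay as above.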
In this embodiment, preferably, the authentication and authorization center's authentication and authorization of requests between services comprises: verifying the correctness of the access token by checking its credential with the public key; after the access token is verified, looking up the corresponding authority in the authority database according to the target service name and the target function name; if the authority value returned by the query is not greater than the maximum access authority in the access token, looking up the IP address of the target service by the target service name, sending a new request to that address to invoke the function of the corresponding service, and passing the identity token and the access token along with it; otherwise, the access is illegal.
The functions of the authentication and authorization system for digital intelligent products according to the embodiment of the present invention are described by the foregoing authentication and authorization method for digital intelligent products, so the details of this embodiment are not repeated here; reference is made to the method embodiments above.
Although the operations of the method of the present invention are depicted in the drawings in a particular order, this does not require or suggest that the operations must be performed in that particular order, or that all of the illustrated operations must be performed, to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps may be combined into one step, and/or one step may be decomposed into multiple steps.
While the spirit and principles of the present invention have been described with reference to several particular embodiments, it is to be understood that the invention is not limited to the disclosed embodiments, and that the division into aspects is only for convenience of description and does not imply that features of the various aspects cannot be used in combination. The invention is intended to cover the various modifications and equivalent arrangements included within the spirit and scope of the appended claims.

Claims (10)

1. An authentication and authorization method for a digital intelligent product, characterized by comprising the following steps:
the client sends a login request, wherein the login request carries encrypted login parameters;
the server checks whether the client is authorized or not, and queries a corresponding key stored in a database according to the encrypted login parameter input by the client, and verifies the login parameter to determine whether the client has login rights in the validity period;
after the client login request passes verification, the server side performs authentication and authorization on the operation request of the client, wherein the operation request carries a target service name, a target function name, a corresponding identity token and an access token, the identity token represents the identity information of the client, and the access token contains the maximum access authority of the call request and a certificate for verification.
2. The authentication and authorization method for a digital intelligent product according to claim 1, wherein the encrypted login parameters include a MAC address and an authorization code of a client server; the authorization code is obtained by the following steps: encrypting the enterprise basic information parameter package to obtain an encrypted character string; and splicing the encrypted character string and the enterprise identifier, and performing MD5 encryption to obtain an authorization code.
3. The authentication and authorization method for a digital intelligent product according to claim 1, wherein the encrypted login parameters include an encrypted user account and password; the encryption method is as follows: the user password is processed by adding a random number as salt; the process of salting the user password with the random number comprises the following steps: generating a random string of fixed length, namely the salt value; concatenating the user password and the random string into a new string String1 according to a first combination rule; processing String1 with a hash function to obtain a first ciphertext Cipher1; and concatenating the salt value and the ciphertext Cipher1 according to a second combination rule to obtain a new ciphertext string, and storing the new ciphertext string and the corresponding account in a user account table in a database.
4. The authentication and authorization method for a digital intelligent product according to claim 3, wherein when the encrypted login parameters are an encrypted user account and password, the process by which the server verifies the login parameters comprises: when a user enters an account and password for login verification, first retrieving the ciphertext string corresponding to the account from the database and splitting it in reverse according to the second combination rule to obtain the ciphertext Cipher1 and the salt value; forming a new string String2 from the user password and the salt value according to the first combination rule; processing String2 with the same hash function to obtain a ciphertext Cipher2; and comparing the ciphertext Cipher1 with the ciphertext Cipher2, and if they are identical, verifying that the user login is successful.
5. The authentication and authorization method for a digital intelligent product according to claim 1, wherein the process of authenticating and authorizing the request between services by the server side comprises: decrypting and verifying the correctness of the access token by using the public key; after verifying that the access token is correct, searching corresponding authorities in the authority database according to the target service name and the target function name, if the authority value obtained by inquiry is not greater than the maximum access authority in the access token, inquiring the IP address of the target service according to the target service name, sending a new request to the target address so as to call the function of the corresponding service, and sending the identity token and the access token together; otherwise, illegal access is indicated.
6. An authentication and authorization system for a digital intelligent product, characterized by comprising a client and a server, wherein the server comprises an authentication module and an authentication and authorization center;
the client is used for sending a login request, wherein the login request carries encrypted login parameters;
the authentication module is used for checking whether the client is authorized or not, inquiring a corresponding key stored in a database according to the encrypted login parameter input by the client, and verifying the login parameter to determine whether the client has login rights in the validity period or not;
the authentication and authorization center is used for carrying out authentication and authorization on the request among the services for the operation request of the client after the login request of the client passes the verification, wherein the operation request carries a target service name, a target function name, a corresponding identity token and an access token, the identity token represents the identity information of the client, and the access token contains the maximum access authority of the call request and a certificate for verification.
7. The authentication and authorization system for a digital intelligent product according to claim 6, wherein the encrypted login parameters include a MAC address and an authorization code of the client server; the authorization code is obtained by the following steps: encrypting the enterprise basic information parameter package to obtain an encrypted character string; and splicing the encrypted character string and the enterprise identifier, and performing MD5 encryption to obtain an authorization code.
8. The authentication and authorization system for a digital intelligent product according to claim 6, wherein the encrypted login parameters include an encrypted user account and password; the encryption method is as follows: the user password is processed by adding a random number as salt; the process of salting the user password with the random number comprises the following steps: generating a random string of fixed length, namely the salt value; concatenating the user password and the random string into a new string String1 according to a first combination rule; processing String1 with a hash function to obtain a first ciphertext Cipher1; and concatenating the salt value and the ciphertext Cipher1 according to a second combination rule to obtain a new ciphertext string, and storing the new ciphertext string and the corresponding account in a user account table in a database.
9. The authentication and authorization system for a digital intelligent product according to claim 8, wherein when the encrypted login parameters are an encrypted user account and password, the process by which the server verifies the login parameters comprises: when a user enters an account and password for login verification, first retrieving the ciphertext string corresponding to the account from the database and splitting it in reverse according to the second combination rule to obtain the ciphertext Cipher1 and the salt value; forming a new string String2 from the user password and the salt value according to the first combination rule; processing String2 with the same hash function to obtain a ciphertext Cipher2; and comparing the ciphertext Cipher1 with the ciphertext Cipher2, and if they are identical, verifying that the user login is successful.
10. The authentication and authorization system for digital intelligent products according to claim 6, wherein the authentication and authorization center performs authentication and authorization on the request between services, comprising: decrypting and verifying the correctness of the access token by using the public key; after verifying that the access token is correct, searching corresponding authorities in the authority database according to the target service name and the target function name, if the authority value obtained by inquiry is not greater than the maximum access authority in the access token, inquiring the IP address of the target service according to the target service name, sending a new request to the target address so as to call the function of the corresponding service, and sending the identity token and the access token together; otherwise, illegal access is indicated.
CN202310798236.3A 2023-06-30 2023-06-30 Authentication and authorization method and system for digital intelligent products Pending CN116886352A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310798236.3A CN116886352A (en) 2023-06-30 2023-06-30 Authentication and authorization method and system for digital intelligent products

Publications (1)

Publication Number Publication Date
CN116886352A true CN116886352A (en) 2023-10-13

Family

ID=88267283

Country Status (1)

Country Link
CN (1) CN116886352A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination