CN117544361A - Access control method, system, device and medium based on password - Google Patents

Info

Publication number: CN117544361A
Authority: CN (China)
Prior art keywords: access, machine, password, key, interviewee
Legal status: Pending
Application number: CN202311510041.0A
Other languages: Chinese (zh)
Inventors: 周轩宇, 侯晓东
Current assignee: China Telecom Corp Ltd
Original assignee: China Telecom Corp Ltd
Application filed by China Telecom Corp Ltd

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • H04L63/123Applying verification of the received information received data contents, e.g. message integrity
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40Network security protocols

Abstract

The application discloses a password-based access control method, system, device and storage medium. The method comprises the following steps: acquiring an access request of an access machine and receiving a password of the access machine, where the password comprises an access machine account number, an access machine IP, an access password, an access word corresponding to the access mode of the access machine, and the access time of the access request; determining a first access control strategy corresponding to the access machine from a preset access control strategy list according to the access machine account number and the access password; performing an integrity check on the first access control strategy according to the access machine account number, IP, access password, access word and access time, and determining the target control strategy that allows the access of the access machine; and running the target control strategy and accepting the access of the access machine. The method can simplify the access control process, improve the applicability of access control and reduce the resource consumption of the access process. The method and device can be widely applied in the technical field of equipment access.

Description

Access control method, system, device and medium based on password
Technical Field
The application relates to the technical field of equipment access, in particular to a password-based access control method, a password-based access control system, a password-based access control device and a password-based access control storage medium.
Background
In the related technology, traditional unified authentication adopts credential-based access control, and the credential authentication process is completed in a central authentication module. However, in online services that require extremely high reliability, once the central authentication module fails or the network fails, the identity authentication of the access machine cannot be completed and the service is interrupted. Accordingly, there still exists a technical problem in the related art that needs to be solved.
Disclosure of Invention
The object of the present application is to solve at least one of the technical problems existing in the prior art to a certain extent.
Therefore, an object of the embodiments of the present application is to provide a method, a system, an apparatus, and a storage medium for access control based on a password, where the method, the system, the apparatus, and the storage medium can simplify the access control process, improve the applicability of the access control, and reduce the resource consumption in the access process.
In order to achieve the technical purpose, the technical scheme adopted by the embodiment of the application comprises the following steps: a password-based access control method, comprising: acquiring an access request of an access machine and receiving a password of the access machine; the password comprises an access machine account number, an access machine IP, an access password, an access word corresponding to an access mode of the access machine and access time of the access request; determining a first access control strategy corresponding to the access machine from a preset access control strategy list according to the account number of the access machine and the access password; according to the account number of the access machine, the IP of the access machine, the access password, the access word and the access time, carrying out integrity check on the first access control strategy, and determining a target control strategy allowing the access of the access machine; and operating the target control strategy and accepting the access of the access machine.
In addition, the method for controlling access based on the password according to the above embodiment of the present invention may have the following additional technical features:
Further, in this embodiment of the present application, the first access control policy includes an app value, an access machine login count, an access machine maximum login count, a policy creation time, an access machine login IP range, an access machine login time domain, and a random number stored in the access machine, and the step of performing the integrity check on the first access control policy according to the access machine account number, the access machine IP, the access password, the access word and the access time, and determining a target control policy that allows the access machine to access, specifically includes: calculating the first hash value according to the access machine account number, the access password, the app value, the access machine maximum login count, the policy creation time, the access machine login IP range, the access machine login time domain and the random number; and taking as the target control policy the first access control policy for which the first hash value equals the preset hash value, the access machine IP lies in the access machine login IP range, the time difference between the access time and the preset time lies in the access machine login time domain, the access machine login count is greater than 0, and the access word equals the app value.
Further, in this embodiment of the present application, the step of calculating the first hash value according to the access machine account number, the access password, the app value, the access machine maximum login count, the policy creation time, the access machine login IP range, the access machine login time domain and the random number specifically includes: performing a hash operation on the account name, the access password, the app value, the access machine maximum login count, the policy creation time, the access machine login IP range, the access machine login time domain and the random number, and determining the first hash value; the formula corresponding to the hash operation is as follows:
V_hash = SM3(U, PWD, APP, MCNT, ST, SIP, T, R)
where V_hash is the first hash value, U is the account number, PWD is the access password, APP is the app value, MCNT is the maximum login count of the access machine, ST is the policy creation time, SIP is the access machine login IP range, T is the access machine login time domain, R is the random number, and SM3() is the hash operation.
Further, in the embodiment of the present application, the access password is obtained by the following steps: acquiring an access machine PIN code, an access machine key, identity information of the accessed machine, a random number randomly generated by the accessed machine and an account number of the accessed machine; determining an accessed machine key according to the access machine key and the accessed machine identity information; determining a first key for generating the access password according to the accessed machine key and the access machine PIN code; and determining the access password according to the first key, the random number and the accessed machine account number.
Further, in this embodiment of the present application, the access control policy includes a preset access account number, a random number and a pass value, and the step of determining, according to the access machine account number and the access password, a first access control policy corresponding to the access machine from a preset access control policy list specifically includes: determining a pass hash value according to the random number and the access password; and determining, as a first access control policy, each access control policy in the access control policy list whose preset access account number is the same as the account name and whose pass value is the same as the pass hash value.
Further, in this embodiment of the present application, the step of determining the accessed machine key according to the access machine key and the accessed machine identity information specifically includes: determining the accessed machine key according to the access machine key, the accessed machine identity information and a key derivation algorithm, where the expression of the accessed machine key is as follows:
HK = KDF(MK, DID)
where HK is the accessed machine key, KDF() is the key derivation algorithm, MK is the access machine key, and DID is the accessed machine identity information.
Further, in this embodiment of the present application, the step of determining, according to the accessed machine key and the access machine PIN code, a first key for generating the access password specifically includes: determining the first key according to the access machine PIN code, the accessed machine key and a key derivation function; the expression of the first key is:
HPWD = PBKDF(HK, PIN)
where HPWD is the first key used to generate the access password, HK is the accessed machine key, PIN is the access machine PIN code, and PBKDF() is the key derivation function.
In another aspect, an embodiment of the present application further provides a password-based access control system, including:
the access unit is used for acquiring the access request of the access machine and receiving the password of the access machine; the password comprises an access machine account number, an access machine IP, an access password, an access word corresponding to an access mode of the access machine and access time of the access request;
the first processing unit is used for determining a first access control strategy corresponding to the access machine from a preset access control strategy list according to the account number of the access machine and the access password;
the second processing unit is used for carrying out integrity check on the first access control strategy according to the access machine account number, the access machine IP, the access password, the access word and the access time, and determining a target control strategy which allows the access of the access machine;
And the control unit is used for running the target control strategy and accepting the access of the access machine.
On the other hand, the application also provides an access control device based on the password, which comprises:
at least one processor;
at least one memory for storing at least one program;
the at least one program, when executed by the at least one processor, causes the at least one processor to implement a password-based access control method as previously described.
Further, the present application provides a computer readable storage medium having stored therein processor executable instructions which when executed by a processor are for performing a password-based access control method as described above.
The advantages and benefits of the present application will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of the present application.
The method and the device can acquire the access request of the access machine and receive the password of the access machine, where the password comprises an access machine account number, an access machine IP, an access password, an access word corresponding to the access mode of the access machine and the access time of the access request; determine a first access control strategy corresponding to the access machine from a preset access control strategy list according to the access machine account number and the access password; perform an integrity check on the first access control strategy according to the access machine account number, IP, access password, access word and access time, and determine the target control strategy that allows the access of the access machine; and run the target control strategy and accept the access of the access machine. The method and the device adopt offline, password-based access control, so that the credential authentication and access control process can be completed offline in the accessed machine without depending on a network or a central authentication module. The access control method and device can simplify the access control process, improve the applicability of access control and reduce the resource consumption of the access process.
Drawings
FIG. 1 is a schematic diagram showing steps of a password-based access control method according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of steps for determining a target control policy for allowing an access by an access machine according to an access machine account number, an access machine IP, an access password, an access word, and an access time, by performing integrity check on a first access control policy according to an embodiment of the present invention;
FIG. 3 is a schematic diagram illustrating steps for obtaining an access password in one embodiment of the present invention;
FIG. 4 is a schematic diagram illustrating steps for determining a first access control policy corresponding to an access machine from a preset access control policy list according to an account number and an access password of the access machine in an embodiment of the present invention;
FIG. 5 is a schematic diagram of an apparatus for performing a control method according to an embodiment of the present invention;
FIG. 6 is a flow chart of a method for password-based access control in an embodiment of the invention;
FIG. 7 is a schematic flow chart of access machine key derivation in an embodiment of the invention;
FIG. 8 is a flow chart of authentication of an accessing machine in an embodiment of the invention;
FIG. 9 is a schematic diagram of a password-based access control system according to an embodiment of the present invention;
Fig. 10 is a schematic structural diagram of a password-based access control device according to an embodiment of the present invention.
Detailed Description
The principles and processes of the password-based access control method, system, apparatus and storage medium in the embodiments of the present invention are described in detail below with reference to the accompanying drawings.
In the related art, when accessing a machine or device that can provide a resource and accept the access, control of the authority of the machine opening the access currently depends mainly on control of the access channel, for example restricting illegal access and intrusion through firewall policies. Channel-based access control mechanisms, however, are very easy to bypass, and once a principal has entered the intranet it can move laterally.
Traditional unified authentication schemes employ credential-based access control, and the credential authentication process can be accomplished in a central authentication module. However, in the online service with extremely high reliability, once the central authentication module of the machine receiving the access fails or the network fails, the identity authentication of the machine cannot be completed, thus resulting in service interruption. There is still a need to solve the problems in the related art.
In view of the foregoing drawbacks of the prior art, referring to fig. 1, fig. 1 is a schematic step diagram of a method for controlling access based on a password according to an embodiment of the present application. In fig. 1, the password-based access control method may include, but is not limited to, step S101 to step S103.
S101, acquiring an access request of an access machine and receiving a password of the access machine; the password comprises an access machine account number, an access machine IP, an access password, an access word corresponding to an access mode of the access machine and access time of the access request.
It will be appreciated that during access control, the accessing machine needs to send an access request and a password to the accessed machine. The password can carry at least the access machine account number, the access machine IP, the access password, the access word corresponding to the access mode of the access machine and the access time corresponding to the access request. The access word may be a character string representing an access mode, and the accessed machine may determine, after receiving the access word, whether the access mode of the access machine is remote access, local access, or any other existing access mode.
In some possible embodiments of the application, the accessed machine can establish a wired or wireless connection with the access machine. After the connection is established, the access request of the access machine can be received, together with the password of the access machine, which includes the access machine account number, the access machine IP, the access password, the access word corresponding to the access mode of the access machine and the access time of the access request.
It should be noted that the above wired connection manner may include a connection between the mobile device and the processing module, a connection between the processing module and the hardware device, and wired connections between the processing module and other devices known now or developed in the future; the wireless connection may include, but is not limited to, 3G/4G/5G, WiFi, Bluetooth, WiMAX, ZigBee, UWB (Ultra Wide Band) and other now known or later developed wireless connections. The accessed machine may be a centralized workstation, server or mainframe computing device located in a network environment; it may be used to manage tasks, communicate instructions and provide specific services to other network computers (clients). The accessed machine can also be any virtual machine that accepts access. The accessing machine is the initiator of the access, and may be any physical or virtual device that initiates the access.
S102, determining a first access control strategy corresponding to the access machine from a preset access control strategy list according to the account number and the access password of the access machine.
It will be appreciated that the access control policy list may be preset in the database of the accessed machine. The list may contain a plurality of mutually different access control policies, each including an access machine account number, an access password and other information. Two access control policies may share the same access machine account number and access password but differ in other information, or share the same access machine account number but differ in the access password and other information. The first access control policy may be an access control policy in the list whose access machine account number and access password are the same as those presented by the access machine.
In some embodiments of the present application, the accessed machine may parse or extract the access machine account number and the access password from the received password, and may obtain, from the preset control policy list, one or more first access control policies whose access machine account number and access password are the same as those received.
S103, carrying out integrity check on the first access control strategy according to the account number of the access machine, the IP of the access machine, the access password, the access word and the access time, and determining a target control strategy which allows the access of the access machine.
It will be appreciated that the target control policy may be a control policy that allows access by the access machine. The information of a control policy that allows the access machine to access must be complete, so an integrity check is made for each first access control policy.
In some possible embodiments of the present application, the accessed machine may perform the integrity check on the first access control policy according to the access machine account number, the access machine IP, the access password, the access word and the access time, judging whether each first access control policy has this information, and finally determine the control policy comprising the access machine account number, the access machine IP, the access password, the access word and the access time as the target control policy for allowing the access machine to access.
S104, running the target control strategy and accepting the access of the access machine.
In some possible embodiments of the present application, the accessed machine may run the target control policy and then accept the access of the access machine.
In summary, the embodiment uses a password comprising the access machine account number, the access machine IP, the access password, the access word corresponding to the access mode of the access machine and the access time of the access request to perform offline access control, obtaining the access control policy corresponding to the access machine; the accessed machine then runs that access control policy, so that the credential authentication and access control process can be completed offline in the accessed machine without depending on a network or a central authentication module. The access control method and device can simplify the access control process, improve the applicability of access control and reduce the resource consumption of the access process.
Further, the first access control policy includes an app value, an access machine login count, an access machine maximum login count, a policy creation time, an access machine login IP range, an access machine login time domain and a random number stored in the access machine. Referring to fig. 2, fig. 2 is a schematic diagram of the steps for determining a target control policy that allows access by the access machine, by performing an integrity check on the first access control policy according to the access machine account number, the access machine IP, the access password, the access word and the access time. This step may include, but is not limited to, step S201 to step S202 in fig. 2.
S201, calculating a first hash value according to an account number of the accessing machine, an access password, an app value, the maximum login times of the accessing machine, policy creation time, an IP range of login of the accessing machine, a time domain of login of the accessing machine and a random number.
S202, taking as the target control policy the first access control policy for which the first hash value equals the preset hash value, the access machine IP lies in the access machine login IP range, the time difference between the access time and the preset time lies in the access machine login time domain, the access machine login count is greater than 0, and the access word equals the app value.
It is understood that the first hash value may be a hash value calculated from the access machine account number, the access password, the app value, the access machine maximum login count, the policy creation time, the access machine login IP range, the access machine login time domain and the random number, and the preset hash value may be preconfigured on the accessed machine. The access machine login IP range may be an IP range formed by recording a plurality of consecutive access machine login IPs, the access machine login time domain may be a corresponding time range, and the random number may be a random number extracted from a database by the access machine at the time of access.
In some possible embodiments of the present application, the accessed machine may calculate the first hash value based on the access machine account number, the access password, the app value, the access machine maximum login count, the policy creation time, the access machine login IP range, the access machine login time domain and the random number. It then determines, as the target control policy, the first access control policy for which the first hash value equals the preset hash value, the access machine IP lies in the access machine login IP range, the time difference between the access time and the preset time lies in the access machine login time domain, the access machine login count is greater than 0, and the access word equals the app value.
Further, calculating the first hash value according to the accessor account number, the access password, the app value, the accessor maximum login number, the policy creation time, the accessor login IP range, the accessor login time domain, and the random number may include step S301.
S301, performing a hash operation on the account name, the access password, the app value, the access machine maximum login count, the policy creation time, the access machine login IP range, the access machine login time domain and the random number, and determining the first hash value; the hash operation corresponds to the formula:
V_hash = SM3(U, PWD, APP, MCNT, ST, SIP, T, R)
where V_hash is the first hash value, U is the account name provided by the access machine, PWD is the access password, APP is the app value, MCNT is the maximum login count of the access machine, ST is the policy creation time, SIP is the access machine login IP range, T is the access machine login time domain, R is the random number, and SM3() is the hash operation.
In some possible embodiments of the present application, an algorithm corresponding to SM3() may be preconfigured on the accessed machine, and after the accessed machine receives data such as the account name, the access password, the app value, the access machine maximum login count, the policy creation time, the access machine login IP range, the access machine login time domain and the random number, it may input the data into the preconfigured SM3() algorithm to obtain a hash value. The hash value may be used to verify a control policy corresponding to the access machine.
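As an added worked example (not code from the patent or from China Telecom), the following Python computes the first hash value of step S301 and applies the five target-policy conditions of step S202. SM3 is written out so the block runs on stock Python. The field serialization (length-prefixed concatenation), the use of the policy creation time as the "preset time", the CIDR form of the login IP range, and every sample value are assumptions: the page lists the inputs to SM3 but not how they are encoded.

```python
import hmac
import ipaddress
import struct
from dataclasses import dataclass

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    n %= 32
    return ((x << n) | (x >> (32 - n))) & MASK


def sm3(msg: bytes) -> bytes:
    """SM3 hash (GB/T 32905-2016), written out so the example runs on stock Python."""
    bit_len = len(msg) * 8
    # Padding: 0x80, zero bytes up to 56 mod 64, then the 64-bit big-endian bit length.
    msg += b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack(">Q", bit_len)
    v = [0x7380166F, 0x4914B2B9, 0x172442D7, 0xDA8A0600,
         0xA96F30BC, 0x163138AA, 0xE38DEE4D, 0xB0FB0E4E]
    for off in range(0, len(msg), 64):
        w = list(struct.unpack(">16I", msg[off:off + 64]))
        for j in range(16, 68):  # message expansion W[16..67]
            x = w[j - 16] ^ w[j - 9] ^ _rotl(w[j - 3], 15)
            w.append(x ^ _rotl(x, 15) ^ _rotl(x, 23) ^ _rotl(w[j - 13], 7) ^ w[j - 6])
        w1 = [w[j] ^ w[j + 4] for j in range(64)]  # W'[0..63]
        a, b, c, d, e, f, g, h = v
        for j in range(64):
            t = 0x79CC4519 if j < 16 else 0x7A879D8A
            ss1 = _rotl((_rotl(a, 12) + e + _rotl(t, j)) & MASK, 7)
            ss2 = ss1 ^ _rotl(a, 12)
            if j < 16:
                ff, gg = a ^ b ^ c, e ^ f ^ g
            else:
                ff, gg = (a & b) | (a & c) | (b & c), (e & f) | (~e & g)
            tt1 = (ff + d + ss2 + w1[j]) & MASK
            tt2 = (gg + h + ss1 + w[j]) & MASK
            d, c, b, a = c, _rotl(b, 9), a, tt1
            h, g, f, e = g, _rotl(f, 19), e, tt2 ^ _rotl(tt2, 9) ^ _rotl(tt2, 17)
        v = [x ^ y for x, y in zip(v, (a, b, c, d, e, f, g, h))]
    return struct.pack(">8I", *v)


@dataclass
class AccessPolicy:
    app: str              # APP value: the access word this policy is valid for
    logins_left: int      # access machine login count; must stay above 0
    max_logins: int       # MCNT, maximum login count
    created_at: int       # ST, policy creation time (Unix seconds); used as the "preset time"
    ip_range: str         # SIP, access machine login IP range as a CIDR block (assumption)
    time_window: int      # T, access machine login time domain, seconds after created_at
    nonce: bytes          # R, random number stored with the policy
    expected_hash: bytes = b""  # preset hash value fixed when the policy is created


def policy_hash(account: str, pwd: bytes, p: AccessPolicy) -> bytes:
    """V_hash = SM3(U, PWD, APP, MCNT, ST, SIP, T, R). Length-prefixing each field is an
    assumption: the page lists the inputs but not their serialization, and without
    delimiters two different field sets could serialize to the same byte string."""
    fields = [account.encode(), pwd, p.app.encode(), str(p.max_logins).encode(),
              str(p.created_at).encode(), p.ip_range.encode(),
              str(p.time_window).encode(), p.nonce]
    return sm3(b"".join(struct.pack(">H", len(f)) + f for f in fields))


def is_target_policy(p, account, pwd, client_ip, access_word, access_time) -> bool:
    """Step S202: every condition must hold before the policy is run (S104)."""
    return (hmac.compare_digest(policy_hash(account, pwd, p), p.expected_hash)
            and ipaddress.ip_address(client_ip) in ipaddress.ip_network(p.ip_range)
            and 0 <= access_time - p.created_at <= p.time_window
            and p.logins_left > 0
            and access_word == p.app)


def demo() -> dict:
    """Constructed sample: one provisioned policy checked against several requests."""
    account, pwd = "ops-admin", b"access-password-from-step-S404"   # constructed
    pol = AccessPolicy("remote", 3, 3, 1_700_000_000, "10.8.0.0/24", 86_400, b"\x01" * 16)
    pol.expected_hash = policy_hash(account, pwd, pol)   # stored at provisioning time
    now = 1_700_003_600
    ok = lambda ip, word, t: is_target_policy(pol, account, pwd, ip, word, t)
    results = {
        "valid": ok("10.8.0.17", "remote", now),
        "ip_outside_range": ok("10.9.0.17", "remote", now),
        "wrong_access_word": ok("10.8.0.17", "local", now),
        "window_expired": ok("10.8.0.17", "remote", now + 90_000),
    }
    pol.max_logins = 99   # tampering with a hashed field breaks the integrity check
    results["tampered_policy"] = ok("10.8.0.17", "remote", now)
    return results
```

The point of binding MCNT, SIP, T and R into the hash is visible in the last case of `demo()`: an attacker who can edit the stored policy (raising the login ceiling, widening the IP range) cannot do so without also knowing the access password, because the preset hash no longer matches. The comparison uses `hmac.compare_digest` so that the check does not leak how many leading bytes of the hash were right.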
Further, referring to fig. 3, fig. 3 is a schematic diagram illustrating steps for obtaining an access password in an embodiment of the present application. In fig. 3, this step may include, but is not limited to, step S401-step S404.
S401, acquiring an access machine PIN code, an access machine key, identity information of an accessed machine, a random number randomly generated by the accessed machine and an account number of the accessed machine;
S402, determining an accessed machine key according to the access machine key and the accessed machine identity information;
S403, determining a first key for generating the access password according to the accessed machine key and the access machine PIN code;
S404, determining the access password according to the first key, the random number and the accessed machine account number.
It can be understood that the identity information of the accessed machine can be the ID of the accessed machine; the PIN code is the identification number corresponding to the access machine and can be configured by a user. The first key may be an intermediate key parameter that is used in subsequent hash operations.
In some possible embodiments of the present application, the processor may establish a connection with the interviewee and the interviewee; and then acquiring an access machine PIN code, an access machine key, identity information of the access machine, a random number randomly generated by the access machine and an access machine account number from the access machine and the access machine through data transmission. The processor may then determine the interviewee key based on the interviewee key and the interviewee body information. The processor may then determine a first key for generating an access password based on the obtained interviewee key and the interviewee PIN code. And then processing the random number generated randomly according to the first secret key, the accessed machine and the accessed machine account number, and finally determining an access password.
It should be noted that the processor may be disposed in the interviewee, or in a third device different from the interviewee and the interviewee. When the processor is arranged in the interviewee, the interviewee can firstly send an access password to the interviewee before the interviewee accesses the interviewee, and then send the access password to the interviewee in the form of a password when the interview accesses the interviewee. When the processor is located within the accessing machine, the accessing machine may send the access machine directly to the accessed machine in the form of a password. When the processor is arranged in the third device, the third device can firstly send the access password to the accessing machine before the accessing machine accesses the third device, and then send the access password to the accessed machine in the form of a password when the accessing machine accesses the third device.
Further, the access control policy may include a preset access account number, a random number, and a pass value. Referring to fig. 4, fig. 4 is a schematic diagram illustrating steps of determining a first access control policy corresponding to an access machine from a preset access control policy list according to an account number and an access password of the access machine in an embodiment of the present application. In fig. 4, this step may include, but is not limited to, step S501-step S502.
S501, determining a pass hash value according to the random number and the access password;
S502, determining, in the access control policy list, the access control policy whose preset access account number is the same as the account name and whose pass value is the same as the pass hash value as the first access control policy.
It will be appreciated that the random number may be a random number corresponding to the control policy, and the access password may be extracted from a password sent by the access machine.
In some possible embodiments of the present application, the accessed machine may obtain the pass hash value according to the following formula:
PWDhash=SM3(PWD,R)
wherein PWDhash is the pass hash value, PWD is the access password, R is the random number, and SM3 is the hash algorithm. After the pass hash value is obtained, the accessed machine can determine, as the first access control policy, the policy in the access control policy list whose pass value equals the pass hash value and whose preset access account number equals the account name; that is, the policy matching both the account number and the access password of the access machine.
Further, the step of determining the accessed machine key according to the access machine key and the accessed machine identity information may include, but is not limited to, step S601.
S601, determining the accessed machine key according to the access machine key, the accessed machine identity information and a key derivation algorithm, wherein the expression of the accessed machine key is as follows:
HK=KDF(MK,DID)
Where HK is the accessed machine key, KDF() is the key derivation algorithm, MK is the access machine key, and DID is the accessed machine identity information.
In some possible embodiments of the present application, the key derivation algorithm may be preconfigured on the access machine; after the access machine obtains the access machine key and the accessed machine identity information, the accessed machine key may be calculated with the configured key derivation algorithm.
Further, determining the first key for generating the access password from the accessed machine key and the access machine PIN code may include, but is not limited to, step S701.
S701, determining the first key according to the access machine PIN code, the accessed machine key and a key derivation function, wherein the expression of the first key is as follows:
HPWD=PBKDF(HK,PIN)
wherein HPWD is the first key for generating the access password, HK is the accessed machine key, PIN is the access machine PIN code, and PBKDF() is the key derivation function.
In some possible embodiments of the present application, the key derivation function may be preconfigured on the access machine; after the access machine obtains the access machine PIN code and the accessed machine key, the first key may be calculated with the configured key derivation function.
The following describes the specific implementation principle of the present application with reference to the drawings:
In this embodiment, the devices executing the control method may include a subject, an object and a subject server. The access machine is the host, i.e. the subject, and the accessed machine is the object. Referring to fig. 5, the subject may generate the password with which it accesses the object, using a key derivation algorithm and a hash algorithm based on the subject key and the unique identification of the object. When the subject accesses the object it must provide the correct credentials, which may include an account number and a password. The object accepts the subject's request and provides it with the corresponding access resources. The access control policy may define the constraints under which the subject may access the object, and the password that identifies the subject. The access control policy is stored in the /etc/acl.json database on the object side. When the subject accesses the object, the access control policy enforcer denies or allows the access according to the content defined by the policy. The identity authentication module authenticates the identity of the subject based on the password in the access control policy. The secure storage module may be used to store the subject key and the access control policy; the policy manager may be configured to manage the object access control policy, calculate the password for accessing the object from the subject key, and store the password in the subject.
Referring to fig. 6, the access control method may include steps 1 to 5.
Step 1, generating the password of the object, so that the object can identify the subject according to the password.
Step 2, generating an access control policy carrying the object password, so that the object can perform access control on the subject based on the password.
Step 3, the subject accesses the object and provides the password required for access.
Step 4, the identity authentication module deployed at the object side verifies the password provided by the subject by comparing it with the password configured at the object side; if they are consistent, verification passes, otherwise verification fails and the subject's access is refused.
Step 5, after identity authentication is completed, the object checks the conditions of the subject's access against the access control policy; if the conditions are met the access is allowed, otherwise it is refused.
Further, referring to fig. 7 and 8, in step 1, in order to avoid the subject being unable to log in after forgetting its password, the user needs to set a PIN code for the subject, and the PIN code is not stored in the subject server. The subject then generates a subject key (MK, i.e. a set of 4 32-bit vectors) using a random function; both the object key and the password are derived from the subject key by a key derivation algorithm. The object key (HK) is obtained by applying the key derivation algorithm (KDF) to the subject key (MK) and the object ID (DID), calculated as follows:
HK=KDF(MK,DID)
The subject may calculate the key (HPWD) used to generate the object password from the object key (HK), using a password-based key derivation function (PBKDF) with the PIN as the password:
HPWD=PBKDF(HK,PIN)
The subject generates a random number (R) for the object and, using the key HPWD, produces the password (PWD) for accessing the object by hashing HPWD together with the account name (U) of the object and the random number R, as follows:
PWD=Password(SM3(HPWD,U,R))
where Password() converts the intermediate value produced by the SM3 algorithm into the password PWD with which the subject accesses the object. The password must satisfy the following conditions: its length is at least 8; it contains all three of letters, digits and special characters; it is not a keyboard sequence; and it is not the same as the account name.
After the above process is completed, when the user subsequently needs to change the object password, only the random number (R, also a set of 4 32-bit vectors) needs to be replaced. If the password is forgotten, the subject can recover the object password by re-running the corresponding algorithm, as long as the correct PIN code can be provided.
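The derivation chain of steps S401 to S404 and of step 1 above (HK = KDF(MK, DID), HPWD = PBKDF(HK, PIN), PWD = Password(SM3(HPWD, U, R))), as an added Python example; it is not code from the patent or from any China Telecom implementation. The patent names SM3, a KDF, a PBKDF and a Password() conversion but does not fix their internals, so the choices here are assumptions: SM3 is taken from hashlib where the OpenSSL build provides it and otherwise replaced by SHA-256, the KDF is a hash of the subject key and object ID, the PBKDF is PBKDF2-HMAC-SHA256 with HK as salt, hash inputs are length-prefixed, and Password() is a deterministic mapping of the digest onto printable characters that re-hashes until the four stated constraints (length of at least 8; letters, digits and special characters present; no keyboard run; not equal to the account name) hold. All sample inputs are constructed.

```python
import hashlib
import string


def sm3_or_fallback(data: bytes) -> bytes:
    # Stand-in for SM3: hashlib exposes it only when the underlying OpenSSL
    # build has it, so fall back to SHA-256 (assumption; the patent uses SM3).
    try:
        return hashlib.new("sm3", data).digest()
    except ValueError:
        return hashlib.sha256(data).digest()


def H(*parts: bytes) -> bytes:
    # Length-prefix every input so SM3(a, b) cannot be confused with a different
    # split of the same concatenation (assumption; the patent does not say how
    # the inputs are joined).
    data = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return sm3_or_fallback(data)


def KDF(mk: bytes, did: bytes) -> bytes:
    """HK = KDF(MK, DID): object key derived from the subject key and the object ID."""
    return H(b"object-key", mk, did)


def PBKDF(hk: bytes, pin: bytes, iterations: int = 100_000) -> bytes:
    """HPWD = PBKDF(HK, PIN): the PIN is the password, HK acts as the salt (assumption)."""
    return hashlib.pbkdf2_hmac("sha256", pin, hk, iterations, dklen=32)


SPECIALS = "!@#$%^&*_-+="
ALPHABET = string.ascii_letters + string.digits + SPECIALS
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def has_keyboard_run(pw: str, run: int = 3) -> bool:
    """True if pw contains `run` consecutive keys of one keyboard row, in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            seq = row[i:i + run]
            if seq in low or seq[::-1] in low:
                return True
    return False


def password_ok(pw: str, account: str) -> bool:
    """The four constraints the patent places on PWD."""
    return (
        len(pw) >= 8
        and any(c.isalpha() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(c in SPECIALS for c in pw)
        and not has_keyboard_run(pw)
        and pw != account
    )


def Password(digest: bytes, account: str, length: int = 12) -> str:
    """Map the hash output to a password satisfying password_ok; re-hash on a miss."""
    counter = 0
    material = digest
    while True:
        # Modulo mapping is slightly biased; acceptable here because the
        # password's strength rests on the secrecy of HPWD, not on this step.
        chars = [ALPHABET[b % len(ALPHABET)] for b in material[:length]]
        # Guarantee one character of each required class.
        chars[0] = string.ascii_letters[material[-1] % 52]
        chars[1] = string.digits[material[-2] % 10]
        chars[2] = SPECIALS[material[-3] % len(SPECIALS)]
        pw = "".join(chars)
        if password_ok(pw, account):
            return pw
        counter += 1
        material = H(digest, counter.to_bytes(4, "big"))


def derive_access_password(mk: bytes, did: bytes, pin: bytes, account: str, r: bytes) -> str:
    """Steps S402 to S404 / step 1: HK -> HPWD -> PWD = Password(SM3(HPWD, U, R))."""
    hk = KDF(mk, did)
    hpwd = PBKDF(hk, pin)
    return Password(H(hpwd, account.encode(), r), account)


if __name__ == "__main__":
    # Constructed sample inputs (not from the patent).
    mk = bytes.fromhex("00112233445566778899aabbccddeeff")   # subject key MK, 128 bits
    did = b"object-0001"                                     # object ID DID
    pin = b"4711"                                            # user-chosen PIN
    r = bytes.fromhex("ffeeddccbbaa99887766554433221100")    # random number R
    print(derive_access_password(mk, did, pin, "root", r))
```

Because every step is deterministic, the same MK, DID, PIN, U and R always reproduce the same PWD, which is what lets the subject recover a forgotten object password from the PIN, and replacing only R rotates the password without touching the keys.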
Step 2 may specifically include:
The subject generates the access control policy carrying the object password. The policy is configured in JSON form; its general form is as follows, and it covers the object password information:
[
  {
    "USER": "root",
    "password": "F6C53C6CC53BBBA5A670912B622E67B91C253BA5960720",
    "app": "su, sshd, sudo, ftp, logic",
    "count": "5",
    "maxcount": "5",
    "statetime": "3232261377",
    "srclip": "3232261377-3232261631",
    "time": "1692761815-1692761815",
    "validate": "6254A8550CEFBEF6D.",
    "random": "8247C7150CEFB6D7B960720"
  }
]
In the above information, the preset access machine (USER) account indicates which account the access control policy belongs to. password is the SM3 hash value of the password for that account. app restricts the manner in which the subject may access the object. maxcount is the maximum number of times the subject is allowed to access the object. count is the number of times the subject may still access the object; initially count = maxcount, count is decremented by 1 on each access by the subject, and once count = 0 the object refuses further access that reuses the account. statetime is the policy creation or modification date. srclip is the source IP range from which the subject may access the object. time is the time period during which the subject may access the object. random is the random number used when storing the password. validate is the check value of the policy, calculated as follows:
Vhash=SM3(U,PWD,APP,MCNT,ST,SIP,T,R)
Where Vhash is the first hash value, also the policy check value, U is the account name, PWD is the access password, APP is the app value, MCNT is the maximum number of access machine logins, ST is the policy creation time, SIP is the access machine login IP range, T is the access machine login time domain, R is the random number, and SM3() is the hash operation.
When the subject accesses the object, the object prompts the subject to provide the credentials required for identity authentication, including an account name (the preset access machine (USER) account name) and a password (PWD).
Step 3 may specifically include:
Before the object performs identity authentication of the subject, it looks up, in the access control policy list stored at the object side, an access control policy whose preset access machine (USER) account number matches the account name provided by the subject.
If the object side does not store the access control policy, the object automatically downloads its access control policy from the subject server and stores it. If the subject server does not respond to the download request, the subject's identity authentication is considered failed and the object refuses the subject's access. To protect the downloaded data, the transmission uses symmetric encryption, as follows:
ACLenc=ENC_SM4_CBC(acl.json,PWD,IV)
where acl.json is the access control policy file, PWD is the password the subject needs to access the object (which the subject server can obtain according to step 1), IV is the encryption initialization vector, ENC_SM4_CBC() is the encryption operation, and ACLenc is the ciphertext.
After receiving the ciphertext ACLenc and IV, the object decrypts the policy with the password (PWD) provided by the subject and stores it in the database; acl.json is obtained as follows:
acl.json=DEC_SM4_CBC(ACLenc,PWD,IV)
Where DEC_SM4_CBC() is the decryption operation.
If the object finds an access control policy whose preset access machine (USER) account number matches the account name, it uses the policy's statetime to calculate whether the policy is older than 90 days; if so, it automatically downloads the policy from the subject server and updates its local access control policy. If the subject server does not respond to the download request, the access control policy is still considered successfully updated, which facilitates subsequent offline identity authentication.
If the object does not find an access control policy whose preset access machine (USER) account number matches the account name, the subject's identity authentication is considered failed, and the object refuses the subject's access.
If the object finds an access control policy whose preset access machine (USER) account number matches the account name, then to compare the subject's password the object extracts the value of the random field (R for short) from the policy and hashes it together with the password (PWD) provided by the subject to obtain PWDhash, which is then compared with the value of the password field in the policy. The calculation is as follows:
PWDhash=SM3(PWD,R)
If PWDhash matches the value of the password field in the access control policy, the subject's identity authentication passes; otherwise it fails and the object refuses the subject's access.
Step 4 may specifically include:
After the subject's identity is authenticated, access control is also applied to the subject. The object first finds, in the access control policy list stored at the object side, the policy whose preset USER account number matches the account name provided by the subject. The object then performs an integrity check on the policy using the password provided by the subject, to prevent the policy from having been maliciously modified. The check is as follows:
Vhash=SM3(U,PWD,APP,MCNT,ST,SIP,T,R)
where U is the account name provided by the subject; PWD is the password provided by the subject; APP is the app value in the policy, indicating the manner in which the subject is allowed to log in; MCNT is the maxcount threshold in the policy, the number of allowed subject logins; ST is the statetime in the policy, the policy creation time; SIP is the srclip field in the policy, indicating from which IPs the subject is allowed to log in; T is the time threshold in the policy, the period during which the subject is allowed to log in; and R is the random number in the policy.
When Vhash is consistent with the validate value preset in the policy, the policy has not been tampered with. The object then obtains the source IP of the subject's access, the current time and similar information, and compares them with the corresponding fields in the policy. To judge whether the source IP of the access lies within the srclip range of the policy, the IP address is converted to a number: for example, 255.255.255.255 is the 32-bit binary value 11111111111111111111111111111111, i.e. decimal 4294967295; with this conversion it can be determined whether the IP lies within the IP segment. Next the object judges whether the current time is within the time range of the policy, by converting the current time to a timestamp counted from 1 January 1970; with this it can be determined whether the current access time is within the allowed window. Next it judges whether the subject's access mode to the object is within the app values of the policy. Then it judges whether count in the policy is > 0. When all the policy conditions are met, the object allows the subject's access. Otherwise the subject's current login violates the object's access control policy, and the object refuses the access.
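The object-side checks of steps 3 and 4 above, together with the PWDhash formula of steps S501 and S502 and the policy check value Vhash: an added Python example, not code from the patent or from the project it describes. Assumptions: SM3 is taken from hashlib with a SHA-256 fallback, hash inputs are length-prefixed, a policy is a dict using the JSON field names of step 2, srclip and time ranges are "lo-hi" integer strings as in the sample policy, and the sample policy, password, random value and timestamps are constructed. The SM4-CBC download of acl.json from the subject server is not shown.

```python
import hashlib
import hmac
import ipaddress
import json

DAY = 86_400
POLICY_MAX_AGE = 90 * DAY   # the 90-day refresh threshold of step 3


def sm3_or_fallback(data: bytes) -> bytes:
    # SM3 where the OpenSSL build provides it, else SHA-256 (assumption).
    try:
        return hashlib.new("sm3", data).digest()
    except ValueError:
        return hashlib.sha256(data).digest()


def field_hash(*fields: str) -> str:
    # Length-prefixed fields (assumption; the patent does not fix the encoding).
    data = b"".join(len(f.encode()).to_bytes(2, "big") + f.encode() for f in fields)
    return sm3_or_fallback(data).hex().upper()


def pwd_hash(pwd: str, r: str) -> str:
    """PWDhash = SM3(PWD, R): what the password field of the policy stores."""
    return field_hash(pwd, r)


def check_value(u: str, pwd: str, pol: dict) -> str:
    """Vhash = SM3(U, PWD, APP, MCNT, ST, SIP, T, R): the validate field."""
    return field_hash(u, pwd, pol["app"], pol["maxcount"], pol["statetime"],
                      pol["srclip"], pol["time"], pol["random"])


def ip_to_int(ip: str) -> int:
    """Dotted-quad to the integer form used by srclip (255.255.255.255 -> 4294967295)."""
    return int(ipaddress.IPv4Address(ip))


def in_range(value: int, rng: str) -> bool:
    lo, hi = (int(x) for x in rng.split("-"))
    return lo <= value <= hi


def make_policy(u, pwd, app, maxcount, statetime, srclip, time_range, r) -> dict:
    """Subject-side step 2: one acl.json entry with password and validate filled in."""
    pol = {"USER": u, "app": app, "count": str(maxcount), "maxcount": str(maxcount),
           "statetime": str(statetime), "srclip": srclip, "time": time_range, "random": r}
    pol["password"] = pwd_hash(pwd, r)
    pol["validate"] = check_value(u, pwd, pol)
    return pol


def needs_refresh(pol: dict, now: int) -> bool:
    """Step 3: a policy older than 90 days is re-downloaded from the subject server."""
    return now - int(pol["statetime"]) > POLICY_MAX_AGE


def authorize(policies: list, u: str, pwd: str, src_ip: str, app: str, now: int):
    """Object-side steps 3 and 4. Returns (allowed, reason); decrements count on success."""
    pol = next((p for p in policies if p["USER"] == u), None)
    if pol is None:
        return False, "no policy for account"
    # Step 3: identity authentication against the stored SM3(PWD, R).
    if not hmac.compare_digest(pwd_hash(pwd, pol["random"]), pol["password"]):
        return False, "authentication failed"
    # Step 4: integrity check of the policy, then the constraint fields in order.
    if not hmac.compare_digest(check_value(u, pwd, pol), pol["validate"]):
        return False, "policy tampered"
    if not in_range(ip_to_int(src_ip), pol["srclip"]):
        return False, "source IP not allowed"
    if not in_range(now, pol["time"]):
        return False, "outside allowed time"
    if app not in [a.strip() for a in pol["app"].split(",")]:
        return False, "access mode not allowed"
    if int(pol["count"]) <= 0:
        return False, "login count exhausted"
    pol["count"] = str(int(pol["count"]) - 1)
    return True, "allowed"


SAMPLE_PWD = "Kq7#mZp2!vR9"   # constructed; in the patent PWD comes from step 1
NOW = 1_692_800_000            # constructed "current time"


def build_sample_policies() -> list:
    """Constructed acl.json contents using the page's field names."""
    return [make_policy(
        u="root", pwd=SAMPLE_PWD, app="su, sshd, sudo",
        maxcount=2, statetime=NOW - 5 * DAY,
        srclip=f"{ip_to_int('192.168.101.1')}-{ip_to_int('192.168.101.255')}",
        time_range=f"{NOW - DAY}-{NOW + DAY}",
        r="A1B2C3D4E5F60718",   # constructed random value
    )]


if __name__ == "__main__":
    acl = build_sample_policies()
    print(json.dumps(acl, indent=2))
    print(authorize(acl, "root", SAMPLE_PWD, "192.168.101.20", "sshd", NOW))
```

Both comparisons use hmac.compare_digest rather than ==, so the check does not leak how many leading characters of a hash matched. Note that count is decremented locally and is not one of the Vhash inputs, which is why the decrement does not invalidate validate; it also means the remaining-login counter is protected only by the object's storage, not by the check value.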
In summary, the password-based access control method of the present application has the following advantages:
The method and the device can overcome the shortcomings of the conventional channel-based access control mechanism in terms of bypass prevention, reliability, security, flexibility and the like. The present application can also provide fine-grained, reliable and highly secure access control for access processes that incorporate the subject's password as the subject accesses the object. The method and the device can improve the reliability and flexibility of access control, and achieve cost reduction and efficiency gains when managing the subject.
In addition, referring to fig. 9, corresponding to the method of fig. 1, a password-based access control system is also provided in an embodiment of the present application. The system may include: an acquisition unit 1001, a first processing unit 1002, a second processing unit 1003, and a control unit 1004. Wherein the obtaining unit 1001 may be configured to obtain an access request of an access machine and receive a password of the access machine; the password comprises an access machine account number, an access machine IP, an access password, an access word corresponding to an access mode of the access machine and access time of the access request. The first processing unit 1002 may be configured to determine, according to an account number and an access password of the access machine, a first access control policy corresponding to the access machine from a preset access control policy list. The second processing unit 1003 may be configured to perform integrity check on the first access control policy according to the account number of the accessing machine, the IP of the accessing machine, the access password, the access word, and the access time, and determine a target control policy that allows the accessing machine to access. The control unit 1004 may be configured to run a target control policy and accept access from an accessing machine.
The acquiring unit may be any integrated circuit unit or a micro processor unit obtained by integrating a chip with a processing function and its peripheral circuit by the existing integration technology. The first processing unit and the second processing unit may be any integrated circuit module or a micro processor module obtained by integrating a chip with a processing function and a peripheral circuit thereof in the prior art. And the first processing unit and the second processing unit may further comprise one or more memories. One or more memories may be used to store the specific algorithms used for the compression adjustment process in this application.
In some embodiments of the present application, the obtaining unit 1001 may be provided in the same gateway or a device with a processor as the processing unit 1002. The obtaining unit 1001 may obtain an access request of the access machine through a chip inside the own processor and receive a password of the access machine; the password comprises an access machine account number, an access machine IP, an access password, an access word corresponding to an access mode of the access machine and access time of the access request. The first processing unit 1002 may receive the access machine account number and the access password, and determine a first access control policy corresponding to the access machine from a preset access control policy list. The second processing unit 1003 may receive the accessor account number, the accessor IP, the access password, the access word, and the access time, perform integrity check on the first access control policy, and determine a target control policy that allows the accessor to access; finally, the control unit 1004 runs the target control policy and accepts the access of the accessor. The acquisition unit 1001 may be any unit connected to a gateway or a processor inside a device. The acquisition unit 1001 may transmit the acquired data to the processor of the processing unit 1002 through a wired or wireless connection with the processor. The processor of the processing unit 1002 may perform data processing through an internal chip, to finally obtain a search result. The specific device connection manner and device arrangement of the acquisition unit 1001 and the first processing unit 1002, and the first processing unit 1002 and the second processing unit 1003 are not limited.
It should be noted that, the contents of the above-mentioned embodiment of the access control method based on the password are all applicable to the embodiment of the access control system based on the password, and the functions of the embodiment of the access control system based on the password are the same as those of the embodiment of the access control method based on the password, and the advantages achieved by the embodiment of the access control method based on the password are the same as those achieved by the embodiment of the access control method based on the password.
Corresponding to the method of fig. 1, the embodiment of the present application further provides a password-based access control device, with reference to fig. 10, including:
at least one processor 1011;
at least one memory 1012 for storing at least one program;
the at least one program, when executed by the at least one processor, causes the at least one processor to implement the password-based access control method.
The content in the method embodiment is applicable to the embodiment of the device, and the functions specifically realized by the embodiment of the device are the same as those of the method embodiment, and the obtained beneficial effects are the same as those of the method embodiment.
Corresponding to the method of fig. 1, the present embodiment also provides a computer readable storage medium having stored therein processor executable instructions which, when executed by a processor, are for performing the password-based access control method.
The contents of the above-mentioned access control method embodiment based on the password are all applicable to the present storage medium embodiment, and the functions implemented by the present storage medium embodiment are the same as those of the above-mentioned access control method embodiment based on the password, and the advantages achieved by the present storage medium embodiment are the same as those achieved by the above-mentioned access control method embodiment based on the password.
In some alternative embodiments, the functions/acts noted in the block diagrams may occur out of the order noted in the operational illustrations. For example, two blocks shown in succession may in fact be executed substantially concurrently or the blocks may sometimes be executed in the reverse order, depending upon the functionality/acts involved. Furthermore, the embodiments presented and described in the flowcharts of this application are provided by way of example in order to provide a more thorough understanding of the technology. The disclosed methods are not limited to the operations and logic flows presented herein. Alternative embodiments are contemplated in which the order of various operations is changed, and in which sub-operations described as part of a larger operation are performed independently.
Furthermore, while the present application is described in the context of functional modules, it should be appreciated that, unless otherwise indicated, one or more of the functions and/or features may be integrated in a single physical device and/or software module or one or more of the functions and/or features may be implemented in separate physical devices or software modules. It will also be appreciated that a detailed discussion of the actual implementation of each module is not necessary to an understanding of the present application. Rather, the actual implementation of the various functional modules in the apparatus disclosed herein will be apparent to those skilled in the art from consideration of their attributes, functions and internal relationships. Thus, those of ordinary skill in the art will be able to implement the present application as set forth in the claims without undue experimentation. It is also to be understood that the specific concepts disclosed are merely illustrative and are not intended to be limiting upon the scope of the application, which is to be defined by the appended claims and their full scope of equivalents.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution, in the form of a software product stored in a storage medium, including several programs for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
Logic and/or steps represented in the flowcharts or otherwise described herein, e.g., a ordered listing of executable programs for implementing logical functions, can be embodied in any computer-readable medium for use by or in connection with a program execution system, apparatus, or device, such as a computer-based system, processor-containing system, or other system that can fetch the programs from the program execution system, apparatus, or device and execute the programs. For the purposes of this description, a "computer-readable medium" can be any means that can contain, store, communicate, propagate, or transport the program for use by or in connection with the program execution system, apparatus, or device.
More specific examples (a non-exhaustive list) of the computer-readable medium would include the following: an electrical connection (electronic device) having one or more wires, a portable computer diskette (magnetic device), a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and a portable compact disc read-only memory (CDROM). In addition, the computer readable medium may even be paper or other suitable medium on which the program is printed, as the program may be electronically captured, via, for instance, optical scanning of the paper or other medium, then compiled, interpreted or otherwise processed in a suitable manner, if necessary, and then stored in a computer memory.
It is to be understood that portions of the present application may be implemented in hardware, software, firmware, or a combination thereof. In the above embodiments, the various steps or methods may be implemented in software or firmware stored in a memory and executed by a suitable program execution system. For example, if implemented in hardware, as in another embodiment, may be implemented using any one or combination of the following techniques, as is well known in the art: discrete logic circuits having logic gates for implementing logic functions on data signals, application specific integrated circuits having suitable combinational logic gates, programmable Gate Arrays (PGAs), field Programmable Gate Arrays (FPGAs), and the like.
In the foregoing description of the present specification, descriptions of the terms "one embodiment/example", "another embodiment/example", "certain embodiments/examples", and the like, are intended to mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present application. In this specification, schematic representations of the above terms do not necessarily refer to the same embodiments or examples. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
While embodiments of the present application have been shown and described, it will be understood by those of ordinary skill in the art that: many changes, modifications, substitutions and variations may be made to the embodiments without departing from the principles and spirit of the application, the scope of which is defined by the claims and their equivalents.
While the preferred embodiment of the present invention has been described in detail, the present invention is not limited to the embodiments described above, and various equivalent modifications and substitutions can be made by those skilled in the art without departing from the spirit of the present invention, and these equivalent modifications and substitutions are intended to be included in the scope of the present invention as defined in the appended claims.

Claims (10)

1. A password-based access control method, comprising the steps of:
acquiring an access request of an access machine and receiving a password of the access machine, the password comprising an access machine account number, an access machine IP, an access password, an access word corresponding to the access mode of the access machine, and the access time of the access request;
determining a first access control policy corresponding to the access machine from a preset access control policy list according to the access machine account number and the access password;
performing an integrity check on the first access control policy according to the access machine account number, the access machine IP, the access password, the access word and the access time, and determining a target control policy that allows access by the access machine;
and running the target control policy and accepting the access of the access machine.
2. The password-based access control method as claimed in claim 1, wherein the first access control policy includes an app value, a number of access machine logins, a maximum number of access machine logins, a policy creation time, an access machine login IP range, an access machine login time domain, and a random number stored in the access machine, and the step of performing an integrity check on the first access control policy according to the access machine account number, the access machine IP, the access password, the access word and the access time, and determining a target control policy that allows access by the access machine, specifically includes:
calculating a first hash value according to the access machine account number, the access password, the app value, the maximum number of access machine logins, the policy creation time, the access machine login IP range, the access machine login time domain and the random number;
and taking, as the target control policy, the first access control policy whose app value is the same as the access word, whose first hash value is the same as a preset hash value, for which the access machine IP lies within the access machine login IP range, for which the time difference between the access time and a preset time lies within the access machine login time domain, and for which the number of access machine logins is greater than 0.
3. The method according to claim 2, wherein the step of calculating the first hash value according to the access machine account number, the access password, the app value, the maximum number of access machine logins, the policy creation time, the access machine login IP range, the access machine login time domain and the random number comprises:
performing a hash operation on the account name, the access password, the app value, the maximum number of access machine logins, the policy creation time, the access machine login IP range, the access machine login time domain and the random number, and determining the first hash value; the formula corresponding to the hash operation is as follows:
Vhash = SM3(U, PWD, APP, MCNT, ST, SIP, T, R)
where Vhash is the first hash value, U is the access machine account number, PWD is the access password, APP is the app value, MCNT is the maximum number of access machine logins, ST is the policy creation time, SIP is the access machine login IP range, T is the access machine login time domain, R is the random number, and SM3() is the hash operation.
4. The password-based access control method as claimed in claim 1, wherein the access password is obtained by:
acquiring an access machine PIN code, an access machine key, identity information of the accessed machine, a random number randomly generated by the accessed machine, and an account number of the accessed machine;
determining an accessed machine key according to the access machine key and the accessed machine identity information;
determining a first key for generating the access password according to the accessed machine key and the access machine PIN code;
and determining the access password according to the first key, the random number and the accessed machine account number.
5. The password-based access control method as claimed in claim 1, wherein each access control policy includes a preset access account number, a random number and a pass value, and the step of determining a first access control policy corresponding to the access machine from a preset access control policy list according to the access machine account number and the access password specifically includes:
determining a pass hash value according to the random number and the access password;
and determining, as the first access control policy, the access control policy in the access control policy list whose preset access account number is the same as the account name and whose pass value is the same as the pass hash value.
6. The access control method according to claim 4, wherein the step of determining the accessed machine key according to the access machine key and the accessed machine identity information comprises:
determining the accessed machine key according to the access machine key, the accessed machine identity information and a key derivation algorithm, wherein the expression of the accessed machine key is as follows:
HK = KDF(MK, DID)
where HK is the accessed machine key, KDF() is the key derivation algorithm, MK is the access machine key, and DID is the accessed machine identity information.
7. The password-based access control method as claimed in claim 4, wherein the step of determining the first key for generating the access password according to the accessed machine key and the access machine PIN code comprises:
determining the first key according to the access machine PIN code, the accessed machine key and a key derivation function; the expression of the first key is:
HPWD = PBKDF(HK, PIN)
where HPWD is the first key used to generate the access password, HK is the accessed machine key, PIN is the access machine PIN code, and PBKDF() is the key derivation function.
8. A password-based access control system, comprising:
an access unit for acquiring the access request of an access machine and receiving the password of the access machine, the password comprising an access machine account number, an access machine IP, an access password, an access word corresponding to the access mode of the access machine, and the access time of the access request;
a first processing unit for determining a first access control policy corresponding to the access machine from a preset access control policy list according to the access machine account number and the access password;
a second processing unit for performing an integrity check on the first access control policy according to the access machine account number, the access machine IP, the access password, the access word and the access time, and determining a target control policy that allows access by the access machine;
and a control unit for running the target control policy and accepting the access of the access machine.
9. A password-based access control device, comprising:
at least one processor;
at least one memory for storing at least one program;
the at least one program, when executed by the at least one processor, causes the at least one processor to implement a password-based access control method as recited in any of claims 1-7.
10. A computer readable storage medium having stored therein processor executable instructions which, when executed by a processor, are for performing a password-based access control method as recited in any of claims 1-7.
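The claimed flow end to end, as an added example that is not the patent's or the applicant's code: the key chain of claims 4, 6 and 7 (HK from the access machine key and the accessed machine identity, HPWD from HK and the PIN, the access password from HPWD, R and the account), the policy lookup of claim 5, and the integrity check of claims 2 and 3 with its IP-range, time-window and login-count conditions. Every concrete choice is an assumption: HMAC-SHA256 stands in for KDF(), PBKDF2-HMAC-SHA256 for PBKDF(), SHA-256 for SM3() (not guaranteed in hashlib), HMAC for the combination claim 4 leaves unspecified, one account string serves as both account numbers, the "preset time" is taken to be the policy creation time, and all keys and values are constructed.

```python
# Added example, not the patent's code. Stand-ins (all assumptions): HMAC-SHA256 for
# KDF(), PBKDF2-HMAC-SHA256 for PBKDF(), SHA-256 for SM3(), HMAC for claim 4's combination.
import hashlib, hmac, ipaddress
from dataclasses import dataclass

def kdf(mk: bytes, did: bytes) -> bytes:          # HK = KDF(MK, DID), claim 6
    return hmac.new(mk, did, hashlib.sha256).digest()

def pbkdf(hk: bytes, pin: str) -> bytes:          # HPWD = PBKDF(HK, PIN), claim 7
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), hk, 100_000)

def access_password(hpwd: bytes, r: bytes, account: str) -> str:   # PWD, claim 4
    return hmac.new(hpwd, r + account.encode(), hashlib.sha256).hexdigest()

def pass_hash(r: bytes, pwd: str) -> str:         # pass value, claim 5
    return hashlib.sha256(r + pwd.encode()).hexdigest()

def vhash(u, pwd, app, mcnt, st, sip, t, r) -> str:   # Vhash = SM3(U,PWD,APP,MCNT,ST,SIP,T,R), claim 3
    h = hashlib.sha256()
    for field in (u, pwd, app, str(mcnt), str(st), sip, str(t), r.hex()):
        h.update(field.encode() + b"\x00")        # delimiter keeps field boundaries unambiguous
    return h.hexdigest()

@dataclass
class Policy:   # one entry of the preset policy list, fields named in claim 2
    account: str; app: str; logins: int; max_logins: int; created: int
    ip_range: str; time_window: int; r: bytes; pass_value: str; vhash_value: str

def select_policy(policies, account: str, pwd: str):   # claim 5: account + recomputed pass hash
    return next((p for p in policies if p.account == account
                 and hmac.compare_digest(p.pass_value, pass_hash(p.r, pwd))), None)

def check_policy(p, account, ip, pwd, word, now) -> bool:   # claims 2-3: integrity and conditions
    if p is None or p.app != word or p.logins <= 0:
        return False
    expected = vhash(account, pwd, p.app, p.max_logins, p.created, p.ip_range, p.time_window, p.r)
    return (hmac.compare_digest(expected, p.vhash_value)     # stored preset hash must match
            and ipaddress.ip_address(ip) in ipaddress.ip_network(p.ip_range)
            and 0 <= now - p.created <= p.time_window)       # assumes "preset time" = creation time

def demo():   # constructed scenario: host provisions a policy, access machine presents PWD
    mk, did, r = b"constructed-access-machine-key", b"host-42", bytes(range(16))
    pwd = access_password(pbkdf(kdf(mk, did), "1234"), r, "ops")
    p = Policy("ops", "ssh", 3, 5, 1_700_000_000, "10.0.0.0/24", 3600, r, pass_hash(r, pwd), "")
    p.vhash_value = vhash("ops", pwd, "ssh", 5, p.created, p.ip_range, 3600, r)
    chosen = select_policy([p], "ops", pwd)
    return (check_policy(chosen, "ops", "10.0.0.7", pwd, "ssh", p.created + 60),    # True
            check_policy(chosen, "ops", "192.0.2.9", pwd, "ssh", p.created + 60),   # False: IP
            check_policy(chosen, "ops", "10.0.0.7", pwd, "ssh", p.created + 7200))  # False: time
```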

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311510041.0A CN117544361A (en) 2023-11-13 2023-11-13 Access control method, system, device and medium based on password


Publications (1)

Publication Number Publication Date
CN117544361A true CN117544361A (en) 2024-02-09

Family

ID=89795162



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination