CN101754215A - Authentication method and system - Google Patents


Info

Publication number: CN101754215A
Other versions: CN101754215B (granted publication)
Authority: CN (China)
Prior art keywords: identifier, authentication, session, server, access request
Legal status: granted; expired (fee related)
Application number: CN200810217773A
Original language: Chinese (zh)
Inventors: 程卫明, 韩卫正
Original assignee: Huawei Technologies Co Ltd
Current assignee (as listed): Li Yuanyuan

Landscapes

  • Mobile Radio Communication Systems (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses an authentication method comprising the following steps: receiving an access request sent by a terminal device, the access request carrying an authentication identifier generated from a session identifier and the device identifier of the terminal device; parsing the access request to obtain the authentication identifier; and authenticating the terminal device using the authentication identifier. The invention further discloses an authentication system, a server, and a method and a device for requesting authentication. The method improves the security and reliability of server-side authentication of terminal devices.

Description

Authentication method and system
Technical Field
The present invention relates to the field of communications, and in particular, to an authentication method and system.
Background
Mobile terminals, including wireless terminals, WiFi terminals and wirelessly connected digital photo frames (DPFs), are becoming increasingly common; their capabilities keep improving and their demand for access to network resources keeps growing. For network resource providers, authenticating mobile terminals so that only authorized access is served is becoming correspondingly important.
In the prior art, the server stores the device serial numbers of all legitimately authorized mobile terminals; a terminal carries its serial number when it accesses network resources, and the resource server authenticates the terminal by checking that serial number against the stored list.
Under this scheme the serial number travels as-is, so a third party who intercepts it from a legitimately authorized terminal can present it to the resource server, pass authentication, and access network resources without authorization. Server-side authentication is therefore neither reliable nor secure, and network resources intended for the legitimately authorized terminal can be consumed by others.
Disclosure of Invention
In view of this, embodiments of the invention aim to prevent an unauthorized mobile terminal from passing the resource server's authentication with intercepted authentication information, and so to solve the problem of poor security and low reliability in the server's authentication of terminal devices.
An embodiment of the invention provides an authentication method comprising the following steps:
receiving an access request sent by a terminal device, the access request carrying an authentication identifier generated from a session identifier and the device identifier of the terminal device; parsing the access request to obtain the authentication identifier; and authenticating the terminal device using the authentication identifier.
An embodiment of the invention also provides an authentication system comprising an authentication server and a terminal device. The terminal device sends an access request to the authentication server, the access request carrying an authentication identifier that the terminal device generated from a session identifier and its own device identifier;
the authentication server receives the access request sent by the terminal device, parses it to obtain the authentication identifier, and authenticates the terminal device using the authentication identifier.
An embodiment of the invention further provides an authentication server comprising:
a receiving module, configured to receive an access request sent by a terminal device, the access request carrying an authentication identifier generated from a session identifier and the device identifier of the terminal device; a parsing module, configured to parse the received access request to obtain the authentication identifier; and an authentication processing module, configured to authenticate the terminal device using the authentication identifier.
An embodiment of the invention also provides an authentication request method comprising the following steps:
obtaining a session identifier, and generating an authentication identifier from the session identifier and a device identifier;
and carrying the authentication identifier in an access request sent to a server to request authentication.
An embodiment of the invention further provides a terminal device comprising:
an acquisition module, configured to obtain a session identifier; a generation module, configured to generate an authentication identifier from the session identifier and the device identifier by means of an algorithm; and a sending module, configured to send an access request carrying the authentication identifier to the server.
The server receives an access request carrying an authentication identifier, which the terminal device generated from a session identifier and its own device identifier, and completes authentication of the access request using the authentication identifier parsed from it. Because the authentication identifier is derived from a session identifier as well as the device identifier, an authentication identifier intercepted by a party that is not legitimately authorized cannot be used to pass the resource server's authentication and gain access to network resources, and the security of the server's authentication of the mobile terminal is improved.
Drawings
Fig. 1 is a flowchart of an embodiment of an authentication method of the present invention.
Fig. 2 is a flowchart of another embodiment of the authentication method of the present invention.
Fig. 3 is a flowchart of another embodiment of the authentication method of the present invention.
Fig. 4 is a flowchart of another embodiment of the authentication method of the present invention.
Fig. 5 is a schematic structural diagram of an authentication system according to an embodiment of the present invention.
Fig. 6 is a schematic structural diagram of an authentication server according to an embodiment of the present invention.
Fig. 7 is a schematic structural diagram of another embodiment of the authentication server of the present invention.
Fig. 8 is a flowchart of an authentication request method according to an embodiment of the present invention.
Fig. 9 is a schematic structural diagram of an embodiment of a terminal device of the present invention.
Detailed Description
With the spread of networks, mobile terminal devices, including wireless terminals, Wireless Fidelity (WiFi) terminals and wirelessly connected digital photo frames (DPFs), access network resources more and more. For a network resource provider, authenticating a mobile terminal device so that authorized access can be granted and services provided to the terminal's user is a pressing problem.
An embodiment of the present invention provides an authentication method, please refer to fig. 1 in combination, including:
step 101, receiving an access request sent by a terminal device, wherein the access request includes an authentication identifier generated according to a session identifier and a device identifier of the terminal device.
The terminal device generates an authentication identifier from the session identifier and its own device identifier using an algorithm, and carries the authentication identifier in the access request it sends.
Optionally, the algorithm used by the terminal device to generate the authentication identifier may be a one-way (irreversible) algorithm; this applies to the other embodiments as well. Specifically, the authentication identifier (Auth_ID) may be generated with the Message-Digest Algorithm 5 (MD5) one-way hash (the original text calls it "irreversible encryption", but MD5 is a hash function, not an encryption algorithm) according to the formula
Auth_ID = Base64(MD5(Session_ID + "!@#$" + Device_ID)),
where + denotes string concatenation.
Here "!@#$" is a fixed separator string that may be set arbitrarily. The original describes it as increasing the complexity of the authentication identifier; note that it is a public constant that keeps the two fields distinct, not a secret, so it adds no secrecy to the identifier.
Optionally, the Base64 transformation converts the binary digest into printable characters for convenient transmission.
Step 102, resolving the access request to obtain the authentication identifier.
And the resource server receives an access request sent by the terminal equipment, and analyzes the access request to obtain an authentication identifier carried in the access request.
Step 103 authenticates the terminal device using the authentication identifier.
The resource server generates an authorization identifier from the session identifier and the device identifier using the same algorithm the terminal device used to generate the authentication identifier: if the terminal device used a one-way algorithm, the resource server uses the same one-way algorithm, and if the terminal device used MD5, the resource server uses MD5 as well.
The server then compares this authorization identifier with the authentication identifier parsed from the access request and completes authentication of the terminal device according to the result: a match passes, a mismatch is refused.
Referring to fig. 2 in combination, an embodiment of the present invention provides an authentication method, including:
step 201, receiving an access request carrying an authentication identifier sent by a terminal device.
The server receives an access request carrying an authentication identifier, which the terminal device generated, using an algorithm, from the session identifier it received and its own device identifier.
Optionally, the algorithm used by the terminal device may be a one-way algorithm. The access request the terminal device sends to the resource server carries the authentication identifier.
Step 202, parsing the received access request to obtain an authentication identifier.
And the resource server receives the access request sent by the terminal equipment, and analyzes the access request to obtain the authentication identifier carried in the access request.
And step 203, finishing the authentication of the terminal equipment by using the analyzed authentication identifier.
Referring to fig. 3, an embodiment of the present invention provides an authentication method, which specifically includes:
in step 301, a session identifier is generated.
The resource server generates a session identifier, which may be randomly generated by the resource server.
Optionally, the session identifier may also be included in a message sent by the resource server to the terminal device.
Step 302, a session identifier is sent to a terminal device.
The resource server sends the session identifier to the terminal device.
Optionally, the resource server may carry the session identifier in a message and send the message to the terminal device.
Step 303, receiving an access request carrying an authentication identifier sent by a terminal device.
And the terminal equipment receives the session identifier sent by the resource server, and generates an authentication identifier by adopting an algorithm according to the session identifier and the equipment identifier of the terminal equipment.
Optionally, the terminal device receives a message carrying the session identifier sent by the resource server, analyzes the message to obtain the session identifier, and generates the authentication identifier by using an algorithm according to the analyzed session identifier and the device identifier of the terminal device itself. And the terminal equipment sends the access request carrying the authentication identifier to the resource server for authentication. And the resource server receives the access request carrying the authentication identifier.
Step 304, the received access request is analyzed to obtain the authentication identifier.
And the resource server analyzes the received access request to obtain an authentication identifier.
Step 305, read the session identifier and the device identifier.
The resource server reads the generated session identifier and the stored device identifier.
At step 306, an algorithm is used to generate the authorization identifier.
And the resource server generates the authorization identifier by adopting an algorithm according to the read session identifier and the device identifier. The algorithm is the same as that used by the terminal device to generate the authentication identifier.
Alternatively, the algorithm used for generating the authorization identifier may also use the same irreversible algorithm as that used for generating the authentication identifier by the terminal device.
Steps 305 to 306 and step 304 may not be in a sequential order, and steps 305 to 306 may be before or after step 304, or may be performed simultaneously.
Step 307, comparing the parsed authentication identifier with the authorization identifier.
And 308, finishing the authentication of the terminal equipment according to the comparison result.
If the authorization identifier matches the authentication identifier, the access request is legitimate authorized access and authentication passes; otherwise the access request is not authorized and authentication is refused.
Step 309, feeding back the authentication result to the terminal device.
And if the resource server passes the authentication of the access request, feeding back information of successful authentication to the terminal equipment. Otherwise, feeding back the information of authentication failure to the terminal equipment.
Referring to fig. 4, an embodiment of the present invention provides an authentication method. The embodiment of the invention takes a DPF terminal with a built-in SIM card and adopts a General Packet Radio Service (GPRS) mode to access network resources as an example.
The resource server stores the device identifier (Device_ID) of the DPF terminal device. The device identifier may be the terminal's serial number or device identification number, or even a device model code; this applies to the other embodiments as well. The user must enter the device identifier when registering or provisioning the network service, and the resource server stores the identifier entered at that time.
In step 401, the resource server generates a Session identifier (Session _ ID).
Before the DPF terminal device triggers access to the resource server or the resource server actively requires the DPF terminal device to access the resource server, the resource server generates a session identifier.
Alternatively, the session identifier may be randomly generated by the resource server.
The resource server sends 402 the session identifier to the DPF terminal device.
Optionally, the resource server sends the generated session identifier to the DPF terminal device in a message.
In step 403, the DPF terminal device generates an authentication identifier (Auth _ ID) based on the received session identifier.
The DPF terminal receives the session identifier sent by the resource server and generates an authentication identifier (Auth_ID) from the session identifier and its own device identifier using a hash algorithm.
Optionally, the algorithm is a one-way hash such as MD5, with the formula Auth_ID = Base64(MD5(Session_ID + "!@#$" + Device_ID)).
Here "!@#$" is a fixed separator string that may be set arbitrarily; the original describes it as increasing the complexity of the authentication identifier, but it is a public constant, not a secret.
Optionally, Base64 converts the binary digest into printable characters for convenient transmission.
In step 404, the DPF terminal device sends an access request to the resource server.
The DPF terminal device sends an access request to the resource server, and the access request carries the authentication identifier generated by the DPF terminal device.
In step 405, the resource server authenticates the access request.
The resource server parses the access request to obtain the authentication identifier it carries, and generates an authorization identifier from the session identifier it generated and the stored device identifier, using the same algorithm with which the DPF terminal device generated the authentication identifier. Parsing the authentication identifier out of the request and generating the authorization identifier need not happen in any particular order and may even run concurrently. The resource server then compares the generated authorization identifier with the authentication identifier carried in the access request. If they match, the access request is legitimate authorized access and authentication passes; otherwise the access request is not authorized and the DPF terminal device's access is refused.
Optionally, the method may further include the step of feeding back the authentication result to the authorized terminal.
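The full challenge-response exchange of Figs. 3 and 4, together with the terminal-side method of Fig. 8, written out as an added Python example. This is the editor's illustration, not code from the patent or from Huawei; it applies the patent's formula literally. Assumptions the patent does not state: the server remembers which registered device each Session_ID was issued to, the access request echoes the Session_ID alongside Auth_ID so the server can look up the outstanding challenge, and each Session_ID is accepted at most once. The serial numbers are constructed sample values.

```python
"""Challenge-response exchange of CN101754215A, reconstructed as an example.

Auth_ID = Base64(MD5(Session_ID + "!@#$" + Device_ID)), recomputed by the server
from the stored Device_ID and compared with the value carried in the access request.
"""
import base64
import hashlib
import hmac
import secrets

# Fixed separator from the patent's formula. It is public and adds no secrecy;
# it only keeps the two fields from running into each other.
SEPARATOR = "!@#$"


def compute_auth_id(session_id: str, device_id: str) -> str:
    """Auth_ID exactly as the patent states it: Base64 of the 16-byte MD5 digest
    of Session_ID || "!@#$" || Device_ID. MD5 is a one-way hash, not encryption."""
    material = (session_id + SEPARATOR + device_id).encode("utf-8")
    return base64.b64encode(hashlib.md5(material).digest()).decode("ascii")


class TerminalDevice:
    """Terminal side (patent Fig. 8): holds its Device_ID and derives Auth_ID
    from the Session_ID it receives."""

    def __init__(self, device_id: str):
        self.device_id = device_id

    def build_access_request(self, session_id: str) -> dict:
        # Assumption not stated in the patent: the access request echoes Session_ID
        # so the server can find the outstanding challenge it answers.
        return {"session_id": session_id,
                "auth_id": compute_auth_id(session_id, self.device_id)}


class ResourceServer:
    """Server side (patent Figs. 3 and 4): issues a random Session_ID, later recomputes
    the 'authorization identifier' from the stored Device_ID and compares."""

    def __init__(self, registered_device_ids):
        # Device_IDs recorded when the user registered or provisioned the service.
        self._registered = set(registered_device_ids)
        # Assumption: each Session_ID is bound to the device it was issued to
        # and is accepted at most once.
        self._outstanding = {}  # session_id -> device_id

    def issue_session_id(self, device_id: str) -> str:
        """Steps 401-402: generate a random Session_ID and hand it to the terminal."""
        if device_id not in self._registered:
            raise KeyError("device not registered")
        session_id = secrets.token_hex(16)  # 128 bits from the OS CSPRNG
        self._outstanding[session_id] = device_id
        return session_id

    def authenticate(self, access_request: dict) -> bool:
        """Step 405: parse Auth_ID from the request, recompute, compare, retire the challenge."""
        session_id = str(access_request.get("session_id", ""))
        auth_id = str(access_request.get("auth_id", ""))
        # pop() retires the challenge: a second request with the same Session_ID is
        # refused, which is what makes a captured Auth_ID useless for replay.
        device_id = self._outstanding.pop(session_id, None)
        if device_id is None:
            return False
        authorization_id = compute_auth_id(session_id, device_id)
        # Constant-time comparison so response timing does not leak how much of
        # a guessed Auth_ID was correct.
        return hmac.compare_digest(authorization_id.encode("utf-8"), auth_id.encode("utf-8"))


def run_exchange(server: ResourceServer, device: TerminalDevice) -> bool:
    """One full round: challenge, response, verdict."""
    session_id = server.issue_session_id(device.device_id)
    return server.authenticate(device.build_access_request(session_id))


def replay_outcome(server: ResourceServer, device: TerminalDevice) -> tuple:
    """An eavesdropper captures a valid access request and resends it.
    Returns (verdict for the original, verdict for the replay)."""
    session_id = server.issue_session_id(device.device_id)
    captured = device.build_access_request(session_id)
    return server.authenticate(captured), server.authenticate(dict(captured))


def impostor_outcome(server: ResourceServer, legitimate_id: str, guessed_id: str) -> bool:
    """A party that sees the challenge but does not know the real Device_ID
    cannot produce a matching Auth_ID."""
    session_id = server.issue_session_id(legitimate_id)
    impostor = TerminalDevice(guessed_id)
    return server.authenticate(impostor.build_access_request(session_id))


if __name__ == "__main__":
    srv = ResourceServer(["DPF-SN-0001"])  # constructed sample serial number
    dpf = TerminalDevice("DPF-SN-0001")
    print("legitimate device:", run_exchange(srv, dpf))                       # True
    print("original, replay:", replay_outcome(srv, dpf))                      # (True, False)
    print("impostor:", impostor_outcome(srv, "DPF-SN-0001", "DPF-SN-0002"))  # False
```

Two points the patent leaves implicit. Replay resistance comes from the Session_ID being random and single-use (the pop() in authenticate), not from MD5 being one-way; if the same Session_ID were ever accepted twice, a captured Auth_ID would pass again. And in this construction Device_ID plays the role of a shared secret: anyone who observes a (Session_ID, Auth_ID) pair can test candidate device identifiers offline against a fast hash like MD5, so the scheme is only as strong as the device identifier is unguessable. A keyed MAC (HMAC) over the Session_ID with a per-device key would be the modern replacement for this unkeyed hash of a concatenation.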
On the one hand, because the authentication identifier is derived from the session identifier and the device identifier rather than being the device identifier itself, a third party that intercepts it obtains nothing it can reuse, which improves the security of server-side authentication. The server recomputes the same value (the authorization identifier) with the same algorithm from the session identifier it generated and the stored device identifier, and authentication is decided by comparing the two. Because the session identifier is randomly generated and the authentication identifier depends on it, an intercepted authentication identifier is valid only for the session it was computed for, which further improves security.
On the other hand, because the legitimately authorized terminal device and the resource server use the same algorithm to generate the authentication identifier and the authorization identifier, the two values agree for a legitimate device, which improves the reliability of the server's authentication. And because that algorithm is one-way, an intercepted authentication identifier does not reveal the device identifier: once the session in which it was issued has completed, a third party presenting the intercepted value is rejected. This improves the security of resource server authentication.
Referring to fig. 5 in combination, an embodiment of the present invention provides an authentication system, including: the authentication server 501 may be configured to authenticate the terminal device 502. The authentication server 501 may be a resource server or an independent authentication device.
The authentication server 501 is configured to send a session identifier to the terminal device 502, where the session identifier may be carried in a message sent by the authentication server 501 to the terminal device; after the terminal device 502 receives the session identifier or the message carrying the session identifier sent by the authentication server 501, if the received session identifier is the session identifier, an authentication identifier is generated by using an algorithm according to the received session identifier and the device identifier of the terminal device 502; if the received message carries the session identifier, the message is firstly analyzed to obtain the session identifier, and then the authentication identifier is generated by the session identifier and the equipment identifier by adopting an algorithm. The algorithm employed may be an irreversible algorithm such as the MD5 algorithm mentioned above. After generating the authentication identifier, the terminal device 502 sends the authentication identifier to the authentication server 501 with the access request.
The authentication server 501 receives the access request carrying the authentication identifier from the terminal device 502 and parses it to obtain the authentication identifier. It then generates an authorization identifier from the session identifier it generated itself and the stored device identifier, using the same algorithm the terminal device 502 used; for example, if the terminal device 502 uses MD5, the authentication server 501 also uses MD5, with the formula Auth_ID = Base64(MD5(Session_ID + "!@#$" + Device_ID)).
Here "!@#$" is a fixed separator string that may be set arbitrarily; it is a public constant rather than a secret.
Optionally, Base64 converts the binary digest into printable characters for convenient transmission.
The authentication server 501 compares the authorization identifier with the authentication identifier and completes authentication of the access request according to the result: if they match, the access request is legitimate authorized access and authentication passes; otherwise the request is not authorized and authentication is refused.
Alternatively, the session identifier generated by the authentication server 501 may be randomly generated.
Optionally, the server is further configured to feed back the authentication result to the terminal device 502. If the authentication is passed, a message of successful authentication is fed back to the terminal device 502; otherwise, a message of authentication failure is fed back to the terminal device 502, and the terminal device 502 is prompted to reapply for authentication.
Referring to fig. 6, an embodiment of the present invention provides an authentication server 501, where the authentication server 501 may be a resource server or an independent authentication device. This feature may be applicable to other embodiments of the present invention. The embodiment of the invention takes a resource server as an example, and specifically comprises the following steps: a receiving module 601, a parsing module 602, and an authentication processing module 603.
The receiving module 601 is configured to receive an access request sent by a terminal device, where the access request carries an authentication identifier generated by the terminal device according to a session identifier and a device identifier of the terminal device by using an algorithm.
Before the terminal equipment triggers to access the resource server or the resource server actively requires the terminal equipment to access the resource server, the resource server generates a session identifier.
Alternatively, the session identifier may be randomly generated by the resource server.
The parsing module 602 is configured to parse the access request received by the receiving module 601 to obtain the authentication identifier.
An authentication processing module 603, configured to complete authentication on the access request according to the authentication identifier obtained by parsing in the parsing module 602.
The authentication processing module 603 generates an authorization identifier from the session identifier and the device identifier using an algorithm, which is the same algorithm the terminal device used to generate the authentication identifier and may be a one-way hash such as MD5, with the formula Auth_ID = Base64(MD5(Session_ID + "!@#$" + Device_ID)). Here "!@#$" is a fixed separator string that may be set arbitrarily (a public constant, not a secret), and Base64 converts the binary digest into printable characters for convenient transmission.
The authentication processing module 603 compares the authentication identifier parsed by the parsing module 602 with the generated authorization identifier and completes authentication of the terminal device according to the result. If they match, the access request is legitimate authorized access, authentication passes, and the terminal device is a legitimately authorized device; otherwise the request is not authorized and the terminal device's access is refused.
The specific structure of each module of the authentication server shown in fig. 6 can refer to the embodiment shown in fig. 7.
Referring to fig. 7 in combination, an embodiment of the present invention provides an authentication server 501, which includes a sending module 701, a generating module 702, a receiving module 703, an analyzing module 704, a storing module 705, an authentication processing module 706, and a feedback module 707. Authentication processing module 706 includes generating unit 7061, comparing unit 7062, and result unit 7063. The sending module 701, the generating module 702, the saving module 705 and the feedback module 707 are optional.
Optionally, the server further comprises a generating module 702 for generating the session identifier.
Optionally, the generating module may further generate a message carrying the session identifier. The session identifier may be randomly generated by the generation module 702.
Optionally, the server further includes a sending module 701, configured to send the session identifier generated by the generating module 702 to the terminal device.
Optionally, the sending module 701 is configured to send, to the terminal device, the message carrying the session identifier generated by the generating module 702. Wherein the session identifier may be randomly generated by the generation module 702.
A receiving module 703 is configured to receive an access request sent by the terminal device. The access request carries an authentication identifier that the terminal device generated, using an algorithm, from the session identifier it received from the sending module 701 and its own device identifier.
The parsing module 704 is configured to parse the access request received by the receiving module 703 to obtain the authentication identifier.
Optionally, the server further includes a saving module 705, configured to save the device identifier of the terminal device.
The server further includes an authentication processing module 706 configured to complete authentication of the terminal device according to the authentication identifier obtained by the parsing module 704.
Optionally, the server further includes a feedback module 707, configured to feed back the authentication result of the processing module 706 to the terminal device. If the authentication result is that the access request successfully passes the authentication, feeding back information of successful authentication to the terminal equipment; otherwise, the information of authentication failure is fed back to the terminal equipment, and the terminal equipment is prompted to reapply authentication.
The authentication processing module 706 includes:
the generating unit 7061 is configured to generate the authorization identifier by using an algorithm according to the session identifier and the device identifier stored in the storage module 705. The algorithm can be the same algorithm used for generating the authentication identifier with the terminal equipment; the algorithm employed may be an irreversible algorithm. Specifically, the authentication identifier (Auth _ ID) may be generated by using a Message-Digest Algorithm (MD 5) irreversible encryption Algorithm, and the specific formula may be: auth _ ID ═ Base64(MD5(Session _ ID + "| @ # $" + Device _ ID)). Wherein, optionally, "! @ # $ "is a characteristic string that can also be arbitrarily set, increasing the complexity of the authentication identifier. Optionally, the role of the Base64 transformation is to convert binary numbers into visible character strings, making transmission more convenient.
A comparing unit 7062 is configured to compare the authentication identifier obtained by the parsing module 704 with the authorization identifier generated by the generating unit 7061.
A result unit 7063 is configured to complete authentication of the terminal device according to the comparison result of the comparing unit 7062. If the authorization identifier is consistent with the authentication identifier, the access request is legitimate authorized access, the authentication passes, and the terminal device is a legitimately authorized device; otherwise, the access request is unauthorized access, the authentication fails, and the terminal device's access is refused.
Referring also to Fig. 8, an embodiment of the present invention provides an authentication request method, including:
Step 801: obtain a session identifier and generate an authentication identifier from the session identifier and a device identifier.
The terminal equipment receives the session identifier sent by the server, or receives and analyzes the message carrying the session identifier sent by the server to obtain the session identifier. Optionally, the session identifier is randomly generated by the server.
And generating an authentication identifier according to the acquired session identifier and the device identifier of the terminal device, wherein the device identifier can be a device serial number of the terminal device, or a device identification number, or even a device type number code. The device identifier is an inherent unique identifier of the terminal device.
Optionally, the authentication identifier is generated by an algorithm according to the session identifier and the device identifier. The algorithm employed may be an irreversible (one-way) algorithm. Specifically, the MD5 message-digest algorithm may be used to generate the authentication identifier (Auth_ID), and the specific formula may be: Auth_ID = Base64(MD5(Session_ID + "!@#$" + Device_ID)). Optionally, "!@#$" is a characteristic string that can be set arbitrarily, increasing the complexity of the authentication identifier. Optionally, the role of the Base64 transformation is to convert the binary digest into a visible character string, making transmission more convenient.
Step 802, the authentication identifier is carried in the access request, and the access request is sent to the server to request authentication.
And sending the access request carrying the authentication identifier to a server to request for authenticating the terminal equipment.
Referring also to Fig. 9, an embodiment of the present invention provides a terminal device 502, specifically a mobile terminal device. The terminal device 502 may be a wireless terminal device, a WiFi terminal device, a wireless access DPF, or another mobile terminal device, and specifically includes:
an obtaining module 901, configured to obtain a session identifier sent by a server.
Optionally, the obtaining module 901 may be configured to receive a message sent by the server and carrying the session identifier, and analyze the message to obtain the session identifier.
A generating module 902 is configured to generate an authentication identifier according to the session identifier acquired by the obtaining module 901 and the device identifier of the terminal device 502 itself. The authentication identifier is generated by an algorithm from the session identifier and the device identifier. Optionally, the algorithm is an irreversible (one-way) algorithm, for example the MD5 message-digest algorithm. The specific formula may be: Auth_ID = Base64(MD5(Session_ID + "!@#$" + Device_ID)). Optionally, "!@#$" is a characteristic string that can be set arbitrarily, increasing the complexity of the authentication identifier. Optionally, the role of the Base64 transformation is to convert the binary digest into a visible character string, making transmission more convenient.
A sending module 903, configured to send the access request carrying the authentication identifier to a server, requesting authentication.
In the implementation of the invention, the mobile terminal device uses an algorithm to generate an authentication identifier from the session identifier received from the server and its own device identifier, and requests authentication with an access request carrying that authentication identifier. The authentication information is difficult for an illegitimate terminal device to counterfeit, so authentication security is improved. No manual input is needed anywhere in the authentication request process, which is a great convenience for a mobile terminal user accessing a network. At the same time, because the mobile terminal device applies for authentication automatically, authentication failures caused by manual input errors are avoided, and authentication is smoother and quicker.
In the foregoing embodiment of the present invention, on the one hand, at the mobile terminal device end, the access request sent by the mobile terminal device carries an authentication identifier generated by an algorithm from the session identifier generated by the server and the device identifier of the mobile terminal device itself, so the authentication information in the access request is difficult to forge even if it is intercepted. In addition, because the mobile terminal device's own device identifier is used, and that identifier is unique, the device identifier is difficult for another party to counterfeit, which gives the authentication its security. Because the authentication identifier is generated by an algorithm, the difficulty of counterfeiting it is increased further.
On the other hand, at the server side, the randomly generated session identifier sent by the server gives the authentication identifier of the mobile terminal device randomness; meanwhile, the server uses the same algorithm as the mobile terminal device to generate an authorization identifier from the session identifier and the stored device identifier, and since the authorization identifier is compared with the authentication identifier during authentication, the use of the same algorithm on both sides makes the authentication reliable. In addition, because the authentication identifier may be generated by an irreversible algorithm, another party who intercepts it in transit cannot recover the device identifier from it. And because the legitimately authorized terminal device has already accessed the server with that identifier, that authentication is complete and the identifier is used only once; the mobile terminal device uses a new authentication identifier, derived from a new session identifier, for its next access, so the other party cannot access the server by replaying the intercepted authentication identifier. The use of an irreversible algorithm thus improves the security of the authentication.
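The following is an added worked example, not code from the patent, showing the whole exchange that the server modules 701 to 707, the Fig. 8 procedure (steps 801 and 802) and the terminal modules 901 to 903 describe: the server issues a random Session_ID, the terminal computes Auth_ID = Base64(MD5(Session_ID + "!@#$" + Device_ID)), and the server recomputes the authorization identifier from its saved Device_ID and compares. It also exercises the replay argument above by treating each session identifier as valid for one access only. The device serial numbers, the session store, the choice of 16 random bytes for the session identifier, and carrying Session_ID inside the access request so the server can look the session up are all assumptions of this example. A caveat a practitioner would want stated plainly: in this construction the device identifier is the only secret, MD5 is used as a one-way digest rather than as encryption, and a keyed MAC (HMAC) over the session identifier with a per-device secret key is the standard way to build the same check.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets

# The page's example "characteristic string"; any fixed string agreed by both sides works.
CHARACTERISTIC_STRING = "!@#$"


def make_auth_id(session_id: str, device_id: str, tag: str = CHARACTERISTIC_STRING) -> str:
    """Auth_ID = Base64(MD5(Session_ID + tag + Device_ID)), the page's formula.

    The terminal's generating module 902 and the server's generating unit 7061
    run this same function; MD5 is used here as a one-way digest, not as encryption.
    """
    digest = hashlib.md5((session_id + tag + device_id).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


class Terminal:
    """Terminal side of Fig. 8 (obtaining module 901, generating module 902, sending module 903)."""

    def __init__(self, device_id: str) -> None:
        self.device_id = device_id  # inherent identifier, e.g. a serial number (constructed here)

    def build_access_request(self, session_id: str) -> dict:
        # Step 801: derive Auth_ID from the received Session_ID and the own Device_ID.
        # Step 802: carry it in the access request. Carrying Session_ID alongside so the
        # server can look the session up is an assumption of this example.
        return {"session_id": session_id, "auth_id": make_auth_id(session_id, self.device_id)}


class AuthServer:
    """Server side: module 701 (session generation), 705 (saved device identifiers)
    and 706 (generating, comparing and result units)."""

    def __init__(self, registered_device_ids: set[str]) -> None:
        self._devices = set(registered_device_ids)   # saving module 705
        self._pending: dict[str, str] = {}           # session_id -> device_id it was issued to

    def issue_session(self, device_id: str) -> str:
        """Module 701: a randomly generated session identifier (16 random bytes, hex; assumed)."""
        session_id = secrets.token_hex(16)
        self._pending[session_id] = device_id
        return session_id

    def authenticate(self, access_request: dict) -> bool:
        """Modules 703/704 parse the request; units 7061-7063 recompute, compare and decide."""
        session_id = access_request.get("session_id")
        auth_id = access_request.get("auth_id")
        if not isinstance(session_id, str) or not isinstance(auth_id, str):
            return False
        # A session identifier is consumed by its first use, so a replayed access
        # request (same Session_ID, same Auth_ID) is refused.
        device_id = self._pending.pop(session_id, None)
        if device_id is None or device_id not in self._devices:
            return False
        expected = make_auth_id(session_id, device_id)   # the authorization identifier
        # Comparing unit 7062: constant-time comparison avoids leaking matching prefixes.
        return hmac.compare_digest(expected.encode("ascii"), auth_id.encode("utf-8"))


def run_exchange() -> dict:
    """Full exchange on constructed data: legitimate access, a replay, and a forgery."""
    server = AuthServer({"SN-2008-1201-0001"})   # constructed device serial number
    terminal = Terminal("SN-2008-1201-0001")

    session_id = server.issue_session(terminal.device_id)
    request = terminal.build_access_request(session_id)
    first = server.authenticate(request)          # legitimate: passes

    replay = server.authenticate(request)         # the same intercepted request again: refused

    # An impostor obtains a fresh session but does not know the device identifier.
    impostor = Terminal("SN-0000-0000-0000")
    session_id2 = server.issue_session(terminal.device_id)
    forged = server.authenticate(impostor.build_access_request(session_id2))   # refused

    return {"first": first, "replay": replay, "forged": forged}


if __name__ == "__main__":
    print(run_exchange())
```

Run the file directly to see the three outcomes; the one-shot session store is what turns the "authentication is carried out once" argument above into an enforced property rather than an assumption about the terminal's behaviour.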
As will be apparent to those skilled in the art from this disclosure, all or part of the steps of the above method may also be implemented by program instructions executed on hardware, and the program may be stored in a computer-readable storage medium such as a ROM, a RAM, or an optical disk.
In summary, the above description is only a preferred embodiment of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (27)

1. A method of authentication, the method comprising:
receiving an access request sent by terminal equipment, wherein the access request comprises an authentication identifier generated according to a session identifier and an equipment identifier of the terminal equipment;
analyzing the access request to obtain the authentication identifier;
and authenticating the terminal equipment by utilizing the authentication identifier.
2. The method of claim 1, wherein the method further comprises:
transmitting the randomly generated session identifier to the terminal device.
3. The method of claim 2, wherein the sending the randomly generated session identifier comprises:
sending a randomly generated session identifier in a message manner; or,
the randomly generated session identifier is transmitted with the access server.
4. The method according to any of claims 1 to 3, wherein the authentication identifier generated from the session identifier and the terminal device identifier is specifically:
an authentication identifier is algorithmically generated from the session identifier and the device identifier.
5. The method of claim 4, wherein the algorithm employed may be an irreversible algorithm.
6. The method according to claim 5, wherein the irreversible algorithm may specifically be the MD5 message-digest algorithm, and the specific formula for generating the authentication identifier by applying the algorithm to the session identifier and the device identifier may be: Auth_ID = MD5(Session_ID + Device_ID), where "Auth_ID" is the authentication identifier, "Session_ID" is the session identifier, and "Device_ID" is the device identifier; the Auth_ID is generated from the Session_ID and the Device_ID by the MD5 algorithm.
7. The method of claim 6, wherein the formula may add a characteristic string, specifically: Auth_ID = MD5(Session_ID + "!@#$" + Device_ID), where "!@#$" is the characteristic string.
8. The method of claim 6, wherein the formula may further use a coding scheme, specifically: Auth_ID = Base64(MD5(Session_ID + Device_ID)), where "Base64" is used to convert the binary result of the formula into a visible string.
9. The method of any of claims 5 to 8, further comprising:
generating an authorization identifier using the algorithm based on the session identifier and the device identifier.
10. The method according to claim 9, wherein said authenticating the terminal device with the authentication identifier is in particular:
and comparing the authentication identifier with the authorization identifier, and finishing the authentication of the terminal equipment according to the comparison result.
11. An authentication system, characterized in that the system comprises:
the authentication server can be used for authenticating terminal equipment, the terminal equipment is used for sending an access request to the authentication server, and the access request comprises an authentication identifier generated by the terminal equipment according to a session identifier and an equipment identifier of the terminal equipment;
and the authentication server is used for receiving the access request sent by the terminal equipment, analyzing the access request to obtain the authentication identifier, and authenticating the terminal equipment by using the authentication identifier.
12. The system of claim 11, wherein the server is configured to receive the access request sent by the terminal device, parse the access request to obtain the authentication identifier, and authenticate the terminal device using the authentication identifier specifically includes:
the server is used for sending the randomly generated session identifier to the terminal device and receiving an access request sent by the terminal device, wherein the access request comprises an authentication identifier generated by the terminal device according to the session identifier and the device identifier; and the server generates an authorization identifier by adopting the algorithm according to the session identifier and the device identifier, compares the authorization identifier with the authentication identifier obtained by analyzing the access request, and completes authentication of the terminal device according to the comparison result.
13. An authentication server, characterized in that the server comprises:
a receiving module, configured to receive an access request sent by a terminal device, where the access request includes an authentication identifier generated according to a session identifier and a device identifier of the terminal device;
the analysis module is used for analyzing the received access request to obtain the authentication identifier;
and the authentication processing module is used for authenticating the terminal equipment by utilizing the authentication identifier.
14. The server of claim 13, wherein the server further comprises:
a generation module for generating a session identifier;
and the sending module is used for sending the session identifier generated by the generating module to the terminal equipment.
15. The server according to claim 13 or 14, wherein the authentication processing module includes:
a generation unit, configured to generate an authorization identifier according to the session identifier and the device identifier generated by the generation module;
a comparing unit for comparing the authorization identifier with the authentication identifier;
and the result unit completes the authentication of the access request according to the comparison result of the comparison unit.
16. The server according to claim 15, wherein the generating unit is configured to generate an authorization identifier according to the session identifier and the device identifier acquired by the acquiring unit, specifically:
the generation unit is used for generating an authorization identifier according to the session identifier and the device identifier acquired by the acquisition unit by adopting the same algorithm as the authentication identifier generated by the terminal device.
17. The server of claim 16, wherein the server further comprises:
a storage module, configured to store the device identifier of the terminal device.
18. The server of claim 17, wherein the server further comprises:
and the feedback module is used for feeding back the authentication result of the authentication module to the terminal equipment.
19. A method of authentication request, the method comprising:
acquiring a session identifier, and generating an authentication identifier according to the session identifier and a device identifier;
and carrying the authentication identifier in an access request, and sending the access request to a server to request authentication.
20. The method according to claim 19, wherein said obtaining a session identifier is specifically: acquiring a session identifier generated by the server; or,
and receiving the message carrying the session identifier sent by the server, and analyzing the message to obtain the session identifier.
21. The method according to claim 19 or 20, wherein the generating an authentication identifier from the session identifier and the device identifier is specifically:
and generating an authentication identifier by adopting an algorithm according to the session identifier and the equipment identifier.
22. The method according to claim 21, wherein the algorithm used may be an irreversible algorithm, and wherein the algorithm used to generate the authentication identifier from the session identifier and the device identifier specifically comprises: and generating an authentication identifier by adopting an irreversible algorithm according to the session identifier and the equipment identifier.
23. The method according to claim 22, wherein the irreversible algorithm is specifically the MD5 message-digest algorithm, and the formula is: Auth_ID = MD5(Session_ID + Device_ID), where "Auth_ID" is the authentication identifier, "Session_ID" is the session identifier, and "Device_ID" is the device identifier; the Auth_ID is generated from the Session_ID and the Device_ID by the MD5 algorithm.
24. The method of claim 23, wherein the formula can add a characteristic string, specifically: Auth_ID = Base64(MD5(Session_ID + "!@#$" + Device_ID)), where "!@#$" is the characteristic string.
25. The method of claim 23, wherein the formula may further use a coding scheme, specifically: Auth_ID = Base64(MD5(Session_ID + Device_ID)), where "Base64" is used to convert the binary result of the formula into a visible string.
26. A terminal device, characterized in that the device comprises:
an acquisition module for acquiring a session identifier;
the generation module is used for generating an authentication identifier by adopting an algorithm according to the session identifier and the equipment identifier;
and the sending module is used for sending an authentication access request to the server, wherein the authentication access request carries the authentication identifier.
27. The device of claim 26, wherein the generation module is to generate an authentication identifier using an irreversible algorithm based on the session identifier and a device identifier.
CN200810217773XA 2008-12-01 2008-12-01 Authentication method and system Expired - Fee Related CN101754215B (en)


Publications (2)

Publication Number Publication Date
CN101754215A true CN101754215A (en) 2010-06-23
CN101754215B CN101754215B (en) 2012-08-08



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right. Effective date of registration: 20170815. Patentee before: Huawei Technologies Co., Ltd., Bantian HUAWEI headquarters office building, Longgang District, Shenzhen, Guangdong 518129. Patentee after: The International Intellectual Property Trading Center Co. Ltd., building No. 5 2-I, Hengqin financial industry service base, Zhuhai, Guangdong 519031.
TR01 Transfer of patent right. Effective date of registration: 20180125. Patentee before: The International Intellectual Property Trading Center Co. Ltd., building No. 5 2-I, Hengqin financial industry service base, Zhuhai, Guangdong 519031. Patentee after: Li Yuanyuan, Room 302, room 5, No. 2, torch South Street, Zhuozhou, Hebei.
CF01 Termination of patent right due to non-payment of annual fee. Granted publication date: 20120808. Termination date: 20171201.