Detailed Description
With the popularization of networks, mobile terminal devices, including wireless terminals, Wireless Fidelity (WIFI) terminals and wirelessly accessed Digital Photo Frames (DPF), access network resources more and more often. For a network resource provider, how to authenticate a mobile terminal device, and thereby grant authorized access and provide services to the mobile terminal user, is an urgent problem to be solved.
An embodiment of the present invention provides an authentication method; referring to fig. 1, it includes:
Step 101, receiving an access request sent by a terminal device, wherein the access request includes an authentication identifier generated according to a session identifier and a device identifier of the terminal device.
The terminal device generates the authentication identifier by applying an algorithm to the session identifier and its own device identifier, and carries the authentication identifier in the access request it sends.
Optionally, the algorithm used by the terminal device to generate the authentication identifier may be an irreversible algorithm (a one-way digest); this feature is applicable to the other embodiments of the present invention as well. Specifically, the authentication identifier (Auth_ID) may be generated with the Message-Digest Algorithm 5 (MD5) irreversible algorithm, and the specific formula may be: Auth_ID = Base64(MD5(Session_ID + "!@#$" + Device_ID)).
Here "!@#$" is a characteristic string that may be set arbitrarily; it increases the complexity of the authentication identifier.
Optionally, the Base64 transformation converts the binary digest into a visible character string, which makes transmission more convenient.
Step 102, resolving the access request to obtain the authentication identifier.
The resource server receives the access request sent by the terminal device and parses it to obtain the authentication identifier carried in the access request.
Step 103 authenticates the terminal device using the authentication identifier.
The resource server generates an authorization identifier from the session identifier and the device identifier using the same algorithm the terminal device used to generate the authentication identifier. If the terminal device used an irreversible algorithm, the resource server uses the same irreversible algorithm; if the terminal device used the irreversible algorithm MD5, the resource server side also uses MD5.
The resource server then compares the authorization identifier with the authentication identifier obtained by parsing the access request, and completes the authentication of the terminal device according to the comparison result.
Referring to fig. 2 in combination, an embodiment of the present invention provides an authentication method, including:
Step 201, receiving an access request carrying an authentication identifier sent by a terminal device.
An access request sent by the terminal device and carrying an authentication identifier is received, where the terminal device generated the authentication identifier by applying an algorithm to the session identifier it received and its own device identifier.
Optionally, the algorithm used by the terminal device to generate the authentication identifier may be an irreversible algorithm, and the access request sent by the terminal device to the resource server carries the authentication identifier.
Step 202, parsing the received access request to obtain an authentication identifier.
The resource server receives the access request sent by the terminal device and parses it to obtain the authentication identifier carried in the access request.
Step 203, completing the authentication of the terminal device using the parsed authentication identifier.
Referring to fig. 3, an embodiment of the present invention provides an authentication method, which specifically includes:
in step 301, a session identifier is generated.
The resource server generates a session identifier, which may be randomly generated by the resource server.
Optionally, the session identifier may also be included in a message sent by the resource server to the terminal device.
Step 302, a session identifier is sent to a terminal device.
The resource server sends the session identifier to the terminal device.
Optionally, the resource server may carry the session identifier in a message and send the message to the terminal device.
Step 303, receiving an access request carrying an authentication identifier sent by a terminal device.
The terminal device receives the session identifier sent by the resource server and generates an authentication identifier by applying an algorithm to the session identifier and its own device identifier.
Optionally, the terminal device receives a message carrying the session identifier from the resource server, parses the message to obtain the session identifier, and generates the authentication identifier by applying an algorithm to the parsed session identifier and its own device identifier. The terminal device then sends the access request carrying the authentication identifier to the resource server for authentication, and the resource server receives it.
Step 304, the received access request is analyzed to obtain the authentication identifier.
The resource server parses the received access request to obtain the authentication identifier.
Step 305, read the session identifier and the device identifier.
The resource server reads the generated session identifier and the stored device identifier.
At step 306, an algorithm is used to generate the authorization identifier.
The resource server generates the authorization identifier by applying an algorithm to the session identifier and device identifier it has read. The algorithm is the same as the one used by the terminal device to generate the authentication identifier.
Alternatively, the algorithm used for generating the authorization identifier may also use the same irreversible algorithm as that used for generating the authentication identifier by the terminal device.
Steps 305 to 306 and step 304 may not be in a sequential order, and steps 305 to 306 may be before or after step 304, or may be performed simultaneously.
Step 307, comparing the parsed authentication identifier with the authorization identifier.
Step 308, completing the authentication of the terminal device according to the comparison result.
If the comparison shows that the authorization identifier is consistent with the authentication identifier, the access request is a legally authorized access and the authentication passes; otherwise the access request is an unauthorized access and authentication is refused.
Step 309, feeding back the authentication result to the terminal device.
If the resource server passes the authentication of the access request, it feeds back information of successful authentication to the terminal device; otherwise, it feeds back information of authentication failure to the terminal device.
Referring to fig. 4, an embodiment of the present invention provides an authentication method. The embodiment of the invention takes a DPF terminal with a built-in SIM card and adopts a General Packet Radio Service (GPRS) mode to access network resources as an example.
The resource server stores the device identifier (Device_ID) of the DPF terminal device. The device identifier may be the device serial number or device identification number of the terminal device, or even a device type number code; this applies to the other embodiments of the present invention as well. The user is required to enter the device identifier when registering for or provisioning the network service, and the resource server stores the device identifier entered at that time.
In step 401, the resource server generates a session identifier (Session_ID).
Before the DPF terminal device triggers access to the resource server or the resource server actively requires the DPF terminal device to access the resource server, the resource server generates a session identifier.
Alternatively, the session identifier may be randomly generated by the resource server.
The resource server sends 402 the session identifier to the DPF terminal device.
Alternatively, the resource server may carry the generated session identifier in a message and send that message to the DPF terminal device.
In step 403, the DPF terminal device generates an authentication identifier (Auth_ID) based on the received session identifier.
The DPF terminal device receives the session identifier sent by the resource server and generates the authentication identifier (Auth_ID) by applying an encryption algorithm to the session identifier and its own device identifier.
Alternatively, the encryption algorithm may be an irreversible algorithm. The MD5 irreversible algorithm may be used to generate the authentication identifier (Auth_ID), and the specific formula may be: Auth_ID = Base64(MD5(Session_ID + "!@#$" + Device_ID)).
Here "!@#$" is a characteristic string that may be set arbitrarily; it increases the complexity of the authentication identifier.
Optionally, the Base64 transformation converts the binary digest into a visible character string, which makes transmission more convenient.
In step 404, the DPF terminal device sends an access request to the resource server.
The DPF terminal device sends an access request to the resource server, and the access request carries the authentication identifier generated by the DPF terminal device.
In step 405, the resource server authenticates the access request.
The resource server parses the access request to obtain the authentication identifier it carries. Using the same encryption algorithm as the DPF terminal device used to generate the authentication identifier, the resource server generates an authorization identifier from the session identifier it generated and the stored device identifier. In this embodiment, parsing the access request to obtain the authentication identifier and generating the authorization identifier need not occur in a fixed order and may even be carried out simultaneously. The resource server then compares the generated authorization identifier with the authentication identifier carried in the access request. If the comparison shows that the authorization identifier is consistent with the authentication identifier, the access request is a legally authorized access and the authentication passes; otherwise the access request is an unauthorized access, and the DPF terminal device is refused access by the authentication.
Optionally, the method may further include the step of feeding back the authentication result to the authorized terminal.
On one hand, because the authentication identifier is generated from the session identifier and the device identifier, it is difficult for other parties to intercept, which improves the security of server-side authentication. At the same time, the network server applies the same algorithm to the session identifier and the stored device identifier to produce the authorization identifier, and the authentication of the authentication information is completed by comparing the authorization identifier with the authentication identifier. Furthermore, because the session identifier is randomly generated and the authentication identifier is derived from that random session identifier together with the device identifier, the authentication identifier is still harder for other parties to intercept, which further improves the security of server-side authentication.
On the other hand, the algorithm a legally authorized terminal device uses to generate the authentication identifier is the same as the one the resource server uses to generate the authorization identifier, which improves the reliability of the resource server's authentication. Moreover, because the legally authorized terminal device and the resource server use the same irreversible algorithm, the authentication is complete once it has passed a single time: another party that intercepts the authentication identifier of the legally authorized terminal device and presents it to request access is rejected. This improves the security of resource-server-side authentication.
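The complete exchange described in steps 301 to 309 and in the DPF embodiment of steps 401 to 405, as added example code that is not part of the patent's own text. Because the page specifies no message format, the challenge "SESSION_ID=<hex>" and the access request "SESSION_ID=<hex>;AUTH_ID=<base64>" are constructed here, and the access request echoes the session identifier so the server can look up which registered device the challenge was issued to; the class and function names are likewise assumed. The server discards each session identifier after one use, which is what makes a replayed access request fail: the irreversibility of the digest keeps the device identifier from being recovered from an intercepted Auth_ID, but it is the single-use random session identifier that defeats reuse. The comparison in step 307 is done in constant time, and MD5 is kept only to match the page's formula; a current design would use SHA-256 or an HMAC in its place.

```python
"""Challenge-response device authentication from the embodiments above.

Assumed wire formats (constructed for this example, not from the page):
  challenge:      "SESSION_ID=<hex>"
  access request: "SESSION_ID=<hex>;AUTH_ID=<base64>"
"""
import base64
import hashlib
import hmac
import secrets

# The "characteristic string" of the formula; arbitrary, but shared by both sides.
FEATURE_STRING = "!@#$"


def derive_auth_id(session_id: str, device_id: str, feature: str = FEATURE_STRING) -> str:
    """Auth_ID = Base64(MD5(Session_ID + feature + Device_ID)), as in the page's formula."""
    digest = hashlib.md5((session_id + feature + device_id).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


class Terminal:
    """Terminal device side (steps 403-404): holds only its own device identifier."""

    def __init__(self, device_id: str):
        self.device_id = device_id

    def build_access_request(self, challenge: str) -> str:
        # Parse the message carrying the session identifier (constructed format).
        key, _, session_id = challenge.partition("=")
        if key != "SESSION_ID" or not session_id:
            raise ValueError("malformed challenge")
        auth_id = derive_auth_id(session_id, self.device_id)
        # Carry Auth_ID in the access request; the session id is echoed for lookup.
        return f"SESSION_ID={session_id};AUTH_ID={auth_id}"


class ResourceServer:
    """Resource server side (steps 301-309)."""

    def __init__(self):
        self.registered = set()  # device identifiers stored at provisioning time
        self.pending = {}        # session_id -> device_id the challenge was issued to

    def register_device(self, device_id: str) -> None:
        self.registered.add(device_id)

    def issue_challenge(self, device_id: str) -> str:
        # Steps 301-302: random session identifier, sent to the terminal.
        if device_id not in self.registered:
            raise KeyError("unknown device")
        session_id = secrets.token_hex(16)
        self.pending[session_id] = device_id
        return f"SESSION_ID={session_id}"

    @staticmethod
    def _parse_access_request(request: str) -> dict:
        # Step 304: split the access request into its fields.
        fields = {}
        for part in request.split(";"):
            key, sep, value = part.partition("=")
            if not sep:
                raise ValueError("malformed access request")
            fields[key] = value
        return fields

    def authenticate(self, request: str) -> str:
        """Steps 304-309: returns the feedback message sent to the terminal."""
        try:
            fields = self._parse_access_request(request)
            session_id, auth_id = fields["SESSION_ID"], fields["AUTH_ID"]
        except (ValueError, KeyError):
            return "authentication failed"
        # Step 305: read the session identifier and the stored device identifier.
        # pop() makes the session single-use, so a replayed request is refused.
        device_id = self.pending.pop(session_id, None)
        if device_id is None:
            return "authentication failed"
        # Step 306: same algorithm as the terminal yields the authorization identifier.
        authorization_id = derive_auth_id(session_id, device_id)
        # Steps 307-308: constant-time comparison so timing does not leak the match.
        if hmac.compare_digest(authorization_id, auth_id):
            return "authentication succeeded"
        return "authentication failed"


if __name__ == "__main__":
    server = ResourceServer()
    server.register_device("DPF-0001")          # constructed device identifier
    challenge = server.issue_challenge("DPF-0001")
    request = Terminal("DPF-0001").build_access_request(challenge)
    print(request, "->", server.authenticate(request))   # legitimate terminal passes
    print("replay ->", server.authenticate(request))     # same request again is refused
```

Running the block shows the legitimate terminal being accepted, then the identical access request being refused once its session identifier has been consumed; a terminal holding a different device identifier than the one stored for the challenge is refused in the same way, since its Auth_ID cannot match the server's authorization identifier.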
Referring to fig. 5 in combination, an embodiment of the present invention provides an authentication system, including: the authentication server 501 may be configured to authenticate the terminal device 502. The authentication server 501 may be a resource server or an independent authentication device.
The authentication server 501 is configured to send a session identifier to the terminal device 502, where the session identifier may be carried in a message sent by the authentication server 501 to the terminal device. After the terminal device 502 receives the session identifier, or the message carrying it, from the authentication server 501: if what it received is the session identifier itself, it generates an authentication identifier by applying an algorithm to the received session identifier and its own device identifier; if what it received is a message carrying the session identifier, it first parses the message to obtain the session identifier and then generates the authentication identifier from the session identifier and the device identifier with the algorithm. The algorithm employed may be an irreversible algorithm such as the MD5 algorithm mentioned above. After generating the authentication identifier, the terminal device 502 sends it to the authentication server 501 in the access request.
The authentication server 501 is configured to receive an access request carrying an authentication identifier sent by the terminal device 502, and to parse the received access request to obtain the authentication identifier. The authentication server 501 generates an authorization identifier from the session identifier it generated and the stored device identifier, using the same algorithm the terminal device 502 used to generate the authentication identifier; for example, if the terminal device 502 uses the MD5 algorithm, the authentication server 501 also uses the MD5 algorithm, and the specific formula may be: Auth_ID = Base64(MD5(Session_ID + "!@#$" + Device_ID)).
Here "!@#$" is a characteristic string that may be set arbitrarily; it increases the complexity of the authentication identifier.
Optionally, the Base64 transformation converts the binary digest into a visible character string, which makes transmission more convenient.
The authentication server 501 is configured to compare the authorization identifier with the authentication identifier and to complete the authentication of the access request according to the comparison result. If the comparison shows that the authorization identifier is consistent with the authentication identifier, the access request is a legally authorized access and the authentication passes; otherwise the access request is an unauthorized access and is refused by the authentication.
Alternatively, the session identifier generated by the authentication server 501 may be randomly generated.
Optionally, the server is further configured to feed back the authentication result to the terminal device 502. If the authentication is passed, a message of successful authentication is fed back to the terminal device 502; otherwise, a message of authentication failure is fed back to the terminal device 502, and the terminal device 502 is prompted to reapply for authentication.
Referring to fig. 6, an embodiment of the present invention provides an authentication server 501, where the authentication server 501 may be a resource server or an independent authentication device; this feature is applicable to the other embodiments of the present invention as well. This embodiment takes a resource server as an example, which specifically comprises the following modules: a receiving module 601, a parsing module 602, and an authentication processing module 603.
The receiving module 601 is configured to receive an access request sent by a terminal device, where the access request carries an authentication identifier generated by the terminal device according to a session identifier and a device identifier of the terminal device by using an algorithm.
Before the terminal equipment triggers to access the resource server or the resource server actively requires the terminal equipment to access the resource server, the resource server generates a session identifier.
Alternatively, the session identifier may be randomly generated by the resource server.
The parsing module 602 is configured to parse the access request received by the receiving module 601 to obtain the authentication identifier.
An authentication processing module 603, configured to complete authentication on the access request according to the authentication identifier obtained by parsing in the parsing module 602.
The authentication processing module 603 generates an authorization identifier by applying an algorithm to the session identifier and the device identifier. The algorithm may be the same algorithm the terminal device used to generate the authentication identifier, and it may be an irreversible algorithm. The MD5 irreversible algorithm may be used to generate the authentication identifier (Auth_ID), and the specific formula may be: Auth_ID = Base64(MD5(Session_ID + "!@#$" + Device_ID)). Here "!@#$" is a characteristic string that may be set arbitrarily; it increases the complexity of the authentication identifier. Optionally, the Base64 transformation converts the binary digest into a visible character string, which makes transmission more convenient.
The authentication processing module 603 compares the authentication identifier obtained by the parsing module 602 with the generated authorization identifier and completes the authentication of the terminal device according to the comparison result. If the comparison shows that the authorization identifier is consistent with the authentication identifier, the access request is a legally authorized access, the authentication passes, and the terminal device is a legally authorized device; otherwise the access request is an unauthorized access, and the terminal device is refused access by the authentication.
The specific structure of each module of the authentication server shown in fig. 6 can refer to the embodiment shown in fig. 7.
Referring to fig. 7 in combination, an embodiment of the present invention provides an authentication server 501, which includes a sending module 701, a generating module 702, a receiving module 703, an analyzing module 704, a storing module 705, an authentication processing module 706, and a feedback module 707. Authentication processing module 706 includes generating unit 7061, comparing unit 7062, and result unit 7063. The sending module 701, the generating module 702, the saving module 705 and the feedback module 707 are optional.
Optionally, the server further comprises a generating module 702 for generating the session identifier.
Optionally, the generating module may further generate a message carrying the session identifier. The session identifier may be randomly generated by the generation module 702.
Optionally, the server further includes a sending module 701, configured to send the session identifier generated by the generating module 702 to the terminal device.
Optionally, the sending module 701 is configured to send, to the terminal device, the message carrying the session identifier generated by the generating module 702. Wherein the session identifier may be randomly generated by the generation module 702.
A receiving module 703 is configured to receive an access request sent by a terminal device. The access request carries an authentication identifier that the terminal device generated, using an algorithm, from the session identifier it received from the sending module 701 and its own device identifier.
The parsing module 704 is configured to parse the access request received by the receiving module 703 to obtain the authentication identifier.
Optionally, the server further includes a saving module 705, configured to save the device identifier of the terminal device.
The server further includes an authentication processing module 706 configured to complete the authentication of the terminal device according to the authentication identifier obtained by the parsing module 704.
Optionally, the server further includes a feedback module 707, configured to feed back the authentication result of the authentication processing module 706 to the terminal device. If the authentication result is that the access request has passed the authentication, information of successful authentication is fed back to the terminal device; otherwise, information of authentication failure is fed back to the terminal device, and the terminal device is prompted to reapply for authentication.
The authentication processing module 706 includes:
The generating unit 7061 is configured to generate the authorization identifier by applying an algorithm to the session identifier and the device identifier stored in the saving module 705. The algorithm may be the same algorithm the terminal device used to generate the authentication identifier, and it may be an irreversible algorithm. Specifically, the authentication identifier (Auth_ID) may be generated with the Message-Digest Algorithm 5 (MD5) irreversible algorithm, and the specific formula may be: Auth_ID = Base64(MD5(Session_ID + "!@#$" + Device_ID)). Here "!@#$" is a characteristic string that may be set arbitrarily; it increases the complexity of the authentication identifier. Optionally, the Base64 transformation converts the binary digest into a visible character string, which makes transmission more convenient.
The comparing unit 7062 is configured to compare the authentication identifier obtained by the parsing module 704 with the authorization identifier generated by the generating unit 7061.
The result unit 7063 is configured to complete the authentication of the terminal device according to the comparison result of the comparing unit 7062. If the comparison shows that the authorization identifier is consistent with the authentication identifier, the access request is a legally authorized access, the authentication passes, and the terminal device is a legally authorized device; otherwise the access request is an unauthorized access, and the terminal device is refused access by the authentication.
Referring to fig. 8 in combination, an embodiment of the present invention provides an authentication request method, including:
Step 801, obtaining a session identifier and generating an authentication identifier from the session identifier and a device identifier.
The terminal device receives the session identifier sent by the server, or receives the message carrying the session identifier sent by the server and parses it to obtain the session identifier. Optionally, the session identifier is randomly generated by the server.
The terminal device generates an authentication identifier from the obtained session identifier and its own device identifier, where the device identifier may be the device serial number or device identification number of the terminal device, or even a device type number code. The device identifier is an inherent unique identifier of the terminal device.
Optionally, the authentication identifier is generated by applying an algorithm to the session identifier and the device identifier. The algorithm employed may be an irreversible algorithm. Specifically, the MD5 irreversible algorithm may be used to generate the authentication identifier (Auth_ID), and the specific formula may be: Auth_ID = Base64(MD5(Session_ID + "!@#$" + Device_ID)). Here "!@#$" is a characteristic string that may be set arbitrarily; it increases the complexity of the authentication identifier. Optionally, the Base64 transformation converts the binary digest into a visible character string, which makes transmission more convenient.
Step 802, the authentication identifier is carried in the access request, and the access request is sent to the server to request authentication.
The terminal device sends the access request carrying the authentication identifier to the server to request authentication of the terminal device.
Referring to fig. 9 in combination, an embodiment of the present invention provides a terminal device 502, specifically a mobile terminal device, where the terminal device 502 may be a wireless terminal device, a WIFI terminal device, a wirelessly accessed DPF, or another mobile terminal device, and the terminal device 502 specifically includes:
an obtaining module 901, configured to obtain a session identifier sent by a server.
Optionally, the obtaining module 901 may be configured to receive a message sent by the server and carrying the session identifier, and analyze the message to obtain the session identifier.
A generating module 902, configured to generate an authentication identifier from the session identifier acquired by the obtaining module 901 and the device identifier of the terminal device 502 itself. The authentication identifier is generated by applying an algorithm to the session identifier and the device identifier. Optionally, the algorithm is an irreversible algorithm, for example the irreversible algorithm MD5. The specific formula may be: Auth_ID = Base64(MD5(Session_ID + "!@#$" + Device_ID)). Here "!@#$" is a characteristic string that may be set arbitrarily; it increases the complexity of the authentication identifier. Optionally, the Base64 transformation converts the binary digest into a visible character string, which makes transmission more convenient.
A sending module 903, configured to send the access request carrying the authentication identifier to a server, requesting authentication.
In the implementation of the invention, the mobile terminal device applies an algorithm to the session identifier generated by the server it receives from and its own device identifier to generate an authentication identifier, and requests authentication with an access request carrying that authentication identifier. The authentication information is difficult for an illegitimate terminal device to counterfeit, which improves the security of the authentication. No manual input is needed anywhere in the authentication request process, which is a great convenience for a mobile terminal user accessing the network. At the same time, because the mobile terminal device applies for authentication automatically, authentication failures caused by errors in manual input are avoided, and the authentication is smoother and quicker.
In the foregoing embodiments of the present invention, on one hand, at the mobile terminal device end, the authentication information carried in the access request sent by the mobile terminal device is an authentication identifier generated by applying an algorithm to the session identifier generated by the server and the device identifier of the mobile terminal device itself. Because the authentication identifier is generated in this way, the authentication information in the access request is difficult to intercept. In addition, because the mobile terminal device's own device identifier is used and that identifier is unique, it is difficult for other parties to counterfeit, so the authentication is secure. Because the authentication identifier is generated with an algorithm, the difficulty of counterfeiting it is further increased.
On the other hand, at the server side, the randomly generated session identifier sent by the server gives the authentication identifier on the mobile terminal device side randomness; at the same time, the server applies the same algorithm as the mobile terminal device to the session identifier and the stored device identifier to generate the authorization identifier, and since the authentication compares the authorization identifier with an authentication identifier produced by the same algorithm, the authentication is reliable. In addition, because the authentication identifier can be generated with an irreversible algorithm, even if it is intercepted by another party in transit, the legally authorized terminal device has already accessed the server and the authentication is finished at that point: authentication is performed once, the mobile terminal device uses a new authentication identifier for its next access, and the other party cannot access the server with the intercepted authentication identifier because that authentication has already been completed. The use of an irreversible algorithm thus improves the security of the authentication.
As will be apparent to those skilled in the art from this disclosure, all or part of the steps of the above method can also be implemented by hardware associated with program instructions, and the program can be stored in a computer-readable storage medium, such as: ROM, RAM, or optical disks, etc.
In summary, the above description is only a preferred embodiment of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.