CN103139191A - Network authentication method and network authentication equipment - Google Patents

Network authentication method and network authentication equipment

Publication number: CN103139191A
Authority: CN (China)
Application number: CN 201110400985
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 尹剑峰
Current Assignee: Beijing Oak Pacific Interactive Technology Development Co Ltd
Original Assignee: Beijing Oak Pacific Interactive Technology Development Co Ltd
Prior art keywords: server, client, secret keys, network, data block
Application filed by Beijing Oak Pacific Interactive Technology Development Co Ltd
Priority to CN 201110400985
Publication of CN103139191A
Landscapes:
  • Storage Device Security (AREA)

Abstract

The invention relates to a network authentication method and network authentication equipment. In the described embodiments, network authentication no longer depends entirely on a secure connection between a server and a client, but is ensured by information hiding of a secret key. A convention about information hiding can be determined in advance between the server and the client. According to that convention, the server encodes and embeds the secret key into a data block that serves as a carrier, and then sends the data block to the client. The client extracts the secret key according to the convention and generates authentication information. With these embodiments, the network authentication process is safe and reliable. The invention provides, in detail, a method and a device for each of the two sides, server and client.

Description

Method and apparatus for network authentication
Technical field
Embodiments of the present invention relate generally to the field of information security and, more specifically, to a method and apparatus for network authentication.
Background art
In network services and operations, it is usually necessary to verify the identity of a client device (hereafter "client") or of its user, in order to confirm its legitimacy and/or validity. For example, in the network services offered by many websites, the network service provider provides the service only to legitimately registered clients, for example clients developed and issued by that service provider itself.
In the prior art, network authentication is usually based on a key. A typical operation is as follows: when a client requests a server to authenticate it, the client establishes a secure network connection, for example an encrypted connection, with the server. Then, in response to the client's request, the server sends a key (normally a secret key) to the client. The client uses this key to generate verification information, for example a hash value associated with the key, and returns the generated verification information to the server over the secure connection. After the server receives the verification information, it checks whether that information is legitimate.
The reason a secure connection is used between server and client is to prevent the key generated by the server and/or the verification information (for example, the hash value) generated by the client from being stolen over that connection. Once the key and the verification information have been stolen by an illegitimate third party, that party may be able to deduce, by reverse engineering, the mechanism by which the verification information is generated and the key itself, and then use that mechanism and key to produce verification information that appears legitimate. In this way an originally illegitimate client or its user can pass the server's verification, causing losses to the network service provider.
However, a secure connection is not always reliable. A third party can often steal the key and the verification information by attacking the secure connection. Moreover, although advanced verification-information generation techniques such as the MD5 hash have been developed and used in practice, the risk of their being cracked remains, and similar situations have occurred several times in practice. To prevent or mitigate this, it has been proposed to encrypt the key and the data exchanged between server and client one or more times. Yet, as those skilled in the art understand, any encryption algorithm carries a risk of being decrypted, and that risk grows with the length of time the algorithm has been in use. Establishing a secure connection and repeatedly encrypting and decrypting keys/data also adds extra cost.
Therefore, network authentication that relies entirely on the secure connection between server and client and/or on the technique used to generate the authentication information is insufficient. A safer and more reliable network authentication technique is needed in the art.
Summary of the invention
In view of the problems existing in the art, the present invention proposes a novel method and apparatus for network authentication.
In one aspect of the invention, a method for performing authentication at the client side is provided. The method comprises: receiving a data block from a server over a network connection; parsing the received data block based on an agreement about information hiding between the client and the server, so as to extract a secret key encoded into the data block by the server; generating authentication information based at least on the secret key; and sending the authentication information to the server over the network connection, for the server to perform the authentication.
In another aspect of the invention, a method for performing authentication at the server side is provided. The method comprises: encoding the secret key to be used in the authentication into a data block, based on an agreement about information hiding between the server and the client; sending the data block to the client over a network connection; and receiving authentication information from the client over the network connection in order to perform the authentication, wherein the authentication information is generated by the client based at least on the secret key.
In a further aspect of the invention, an apparatus for performing authentication at the client side is provided. The apparatus comprises: receiving means configured to receive a data block from a server over a network connection; parsing means configured to parse the received data block based on an agreement about information hiding between the client and the server, so as to extract the secret key encoded into the data block by the server; generating means configured to generate authentication information based at least on the secret key; and sending means configured to send the authentication information to the server over the network connection, for the server to perform the authentication.
In yet another aspect of the invention, an apparatus for performing authentication at the server side is provided. The apparatus comprises: encoding means configured to encode the secret key to be used in the authentication into a data block, based on an agreement about information hiding between the server and the client; sending means configured to send the data block to the client over a network connection; and receiving means configured to receive authentication information from the client over the network connection in order to perform the authentication, wherein the authentication information is generated by the client based at least on the secret key.
As will be understood from the detailed description below, according to embodiments of the present invention network authentication no longer depends entirely on a secure network connection between server and client, but is ensured by information hiding of the secret key. In particular, an agreement about information hiding can be determined in advance between the server and the client. According to this agreement, the server can encode and embed the secret key into an unstructured data block such as plain text, multimedia (image, audio, video) or rich media (for example, Flash), and then send that data block as the carrier. The client extracts the secret key according to the agreement and generates the authentication information.
In this way, even if a third party intercepts the data block, it cannot obtain the secret key for illegitimate authentication, because it cannot obtain the information-hiding agreement between server and client. The authentication process in the network can thus be safer and more reliable.
Brief description of the drawings
The above and other objects, features and advantages of embodiments of the present invention will become easier to understand by reading the following detailed description with reference to the accompanying drawings. In the drawings, some embodiments of the invention are shown in an exemplary and non-limiting manner, wherein:
Fig. 1 shows a schematic diagram of a network environment 100 based on a client-server (C/S) architecture according to an exemplary embodiment;
Fig. 2 shows a flowchart of a method 200 for performing authentication at the client side according to an exemplary embodiment;
Fig. 3 shows a flowchart of a method 300 for performing authentication at the server side according to an exemplary embodiment;
Fig. 4 shows a block diagram of an apparatus 400 for performing authentication at the client side according to an exemplary embodiment;
Fig. 5 shows a block diagram of an apparatus 500 for performing authentication at the server side according to an exemplary embodiment;
Fig. 6 shows a swimlane diagram 600 of the interaction between server and client according to an exemplary embodiment; and
Fig. 7 shows a block diagram of a computer system 700 suitable for practicing embodiments of the present invention.
In all drawings, identical or corresponding reference numerals denote identical or corresponding parts.
Detailed description of embodiments
The principles and spirit of the present invention are described below with reference to several illustrative embodiments and the accompanying drawings. It should be understood that these embodiments are provided only so that those skilled in the art can better understand and then implement the invention, and not to limit the scope of the invention in any way.
Referring first to Fig. 1, it shows a schematic diagram of a network environment 100 based on a client-server (C/S) architecture according to an exemplary embodiment. As shown in Fig. 1, clients 102-1 to 102-N can be connected to a server or server group 106 through a network 104.
Clients 102-1 to 102-N may comprise mobile terminals such as personal digital assistants (PDAs), cell phones, smart phones and laptop computers, and may also be conventional desktop computing devices such as personal computers (PCs). It should be understood that these are only some possible examples and are not intended to limit the scope of the invention. In fact, clients 102-1 to 102-N can be any device with information processing and network communication capability, whether known now or developed in the future.
The network, or network connection, 104 shown in Fig. 1 can comprise any wired network, wireless network or combination thereof, known now or developed in the future, including but not limited to at least one of: a cellular telephone network, Ethernet, a wireless local area network (WLAN) based on IEEE 802.11, 802.16, 802.20 etc., and/or a Worldwide Interoperability for Microwave Access (WiMAX) network. In addition, the network 106 can be a public network (such as the Internet), a private network (such as an intranet) or a combination thereof. Under a layered network communication architecture, the transport layer of the network 106 can operate according to the Transmission Control Protocol (TCP), the Real-time Transport Protocol (RTP) or other transport logic. The network layer can route information based on Internet Protocol version 4 (IPv4) or version 6 (IPv6) or other network layer protocols. The data link layer can comprise wired or wireless links, such as Asynchronous Transfer Mode (ATM), Fiber Distributed Data Interface (FDDI), or other data link layers over optical fibre, coaxial cable, twisted pair or other physical layers.
Server 106 can be any suitable machine operable to communicate with clients 102 over the network connection 104 and thereby provide them with various services. In particular, as mentioned above, in many service and application environments the server 106 needs to verify the identity of a client 102 or of its user.
Referring now to Fig. 2, it shows a flowchart of a method 200 for performing authentication at the client side according to an exemplary embodiment. It should be understood that the steps of the method 200 shown in Fig. 2 are for illustration only; method 200 may comprise additional and/or alternative steps. According to embodiments of the present invention, method 200 can be performed at the client (for example, the client 102 shown in Fig. 1).
After method 200 begins, at step S202 the client receives a data block from the server over a network connection. According to embodiments of the present invention, the network connection between client and server can be any suitable connection. In particular, at step S202 a secure network connection (for example, an encrypted connection) can be established between server and client as in the prior art. Alternatively, according to embodiments of the present invention, the network connection between server and client can be an unencrypted connection. This is because, as described below, network authentication will no longer depend merely on the security of the connection: even if a third party obtains the information transmitted over this network connection, it cannot achieve illegitimate verification. In this way, the process of establishing and configuring an encrypted connection between server and client can be dispensed with, reducing cost and overhead.
According to embodiments of the present invention, the data block received at step S202 can be any suitable data block. For example, the data block can be a complete file, or a fragment or part of a file. In particular, the data block received at step S202 can be an unstructured data block; in other words, it is not structured data such as a message with a specific field structure. This is more conducive to hiding the secret key in the data block, so that the key is not easily cracked by an illegitimate third party. As examples, the data block can comprise text data, multimedia data (for example, images, audio, video, etc.), rich media data and any other suitable data.
In addition, what is received at step S202 can be a single data block or a plurality of data blocks. In the latter case, a plurality of secret keys can be encoded in different data blocks; or a single secret key can be divided by the server into a plurality of parts, with one or more such parts contained in each data block, as will also be described below.
Next, method 200 proceeds to step S204, where the client parses the received data block based on the agreement about information hiding between it and the server, so as to extract the secret key encoded into the data block by the server.
According to embodiments of the present invention, the server no longer sends the secret key to the client over a separate network session, but encodes the secret key into the data block that it sends to the client. In particular, as mentioned above, this data block can be an unstructured data block, in which case the secret key can be encoded as a part of that data block.
For example, the data block sent from the server to the client can be an image or a specific part of an image. As is known in the art, an image file can tolerate a certain degree of content modification. For example, some content at the end of an image file can be replaced without significantly affecting the appearance of the image. As another example, the change in appearance caused by altering the RGB colour components, grey values and/or transparency values of a few pixels is hard to notice, or even negligible. Thus one or more parts of the image file can be selected, and the information originally contained in those parts replaced with information representing the secret key. The secret key can be encoded in a plurality of parts of the data block, and those parts can be non-contiguous.
Note that an image is only one possible example of a data block. Data blocks of any other suitable type can be used with the present invention; for example, the secret key can be inserted into a specific part of a video file, etc. The scope of the present invention is not limited in this regard.
It should be understood that, according to embodiments of the present invention, which part of the data block is modified and how it is modified are predetermined by server and client. In other words, there is an agreement about information hiding between server and client. In operation, the server modifies the content of the data block according to this agreement. Likewise, the client can parse the specific part of the data block according to the agreement between the two, thereby extracting and recovering the secret key.
The agreement about information hiding between server and client can be predetermined or can change dynamically. In particular, the agreement can be transmitted between server and client by information technology means (for example, over a network). Alternatively or additionally, the agreement can be shared by means of traditional communication media (for example, telephone, fax, etc.), and can even be conveyed manually. The scope of the present invention is not limited in this regard. According to some embodiments of the present invention, the agreement about information hiding between server and client can be changed and updated dynamically.
Method 200 then proceeds to step S206, where the client generates authentication information based at least on the secret key extracted at step S204. This can be achieved using any suitable technical means known now or developed in the future. For example, the secret key can be used as an argument in calculating a hash value that serves as the verification information, etc.
"At least" here means that the client can also combine the secret key received from the server with other information and/or parameters, further improving the safety and reliability of authentication. As an example, in some embodiments of the present invention, in addition to the secret key there can also be a public key shared between client and server. In that case, at step S206 the authentication information can be generated based on both the secret key and the public key. For example, denoting the public key as K1 and the secret key parsed at step S204 as K2, the MD5 hash of K1 and K2 together, MD5(K1+K2), can be calculated as the verification information.
Note that the hash value used above is only an example. Given the secret key (and optionally the public key), those skilled in the art can use any suitable technical means to produce the corresponding information and use it as the authentication information.
After generating the authentication information, at step S208 method 200 sends the generated authentication information to the server over the network connection between client and server, for the server to perform the authentication. As mentioned above, according to some embodiments of the present invention, the authentication information can be sent from client to server over an unencrypted network connection. Thus the overhead and cost associated with establishing a secure (encrypted) network connection can be saved.
Method 200 ends after step S208 is completed.
The authentication method performed at the client side according to embodiments of the present invention has been described above with reference to Fig. 2. Referring now to Fig. 3, it shows a flowchart of a method 300 for performing authentication at the server side according to an exemplary embodiment.
It should be understood that the steps of the method 300 shown in Fig. 3 are for illustration only; method 300 may comprise additional and/or alternative steps. According to embodiments of the present invention, method 300 can be performed at the server side (for example, the server 106 shown in Fig. 1).
After method 300 begins, at step S302 the server encodes the secret key to be used in the authentication into a data block, based on the agreement about information hiding between it and the client.
According to embodiments of the present invention, the secret key can be generated by the server or received by the server from an external source. For example, dedicated equipment can be provided to generate such secret keys. Alternatively, the generation of the key can also involve manual intervention by a user. Any key generation technique known now or developed in the future can be used with embodiments of the present invention, and the scope of the invention is not limited in this regard.
Also at step S302, the server can encode one or more secret keys into one or more data blocks. The correspondence between secret keys and data blocks can be arbitrary, as long as it satisfies the information-hiding agreement between server and client.
As mentioned above, at step S302 the data block operated on by the server can be an unstructured data block, in which case the secret key can be encoded as a part of that data block. For example, some part of an image file or other multimedia file (for example, the grey values or colour values of some pixels) can be modified so as to contain information representing the secret key. Note that an image is only one possible example of a data block; data blocks of any other suitable type can be used with the present invention, including but not limited to text, images, audio or video, etc.
In fact, the operation performed by the server at step S302 can be regarded as a kind of content hiding or steganography operation. The data block operated on (for example, a text or multimedia file) is the carrier of the information hiding, and the information to be hidden (that is, the secret key) is encoded or embedded in this carrier. Those skilled in the art will understand that embedding the secret key in the carrier data block by means of information hiding techniques not only ensures the concealment and integrity of the secret key, but also ensures that the change to the carrier file is not noticed by people or machines. Thus, even if an illegitimate third party intercepts the data block serving as carrier, as long as it does not know the information-hiding agreement between server and client it cannot obtain the secret key encoded or embedded in the data block, and therefore cannot pose a threat to the verification process. Any information hiding algorithm or scheme known now or developed in the future can be used with embodiments of the present invention; the scope of the invention is not limited in this regard.
Method 300 then proceeds to step S304, where the server sends the data block to the client over a network connection. At this point, the secret key to be used in the verification process is encoded in the data block. In some embodiments of the present invention, the network connection between server and client can be encrypted or unencrypted.
Next, at step S306, the server receives authentication information from the client over the network connection in order to perform the authentication. This authentication information is generated by the client based at least on the secret key encoded in the data block.
According to embodiments of the present invention, the authentication information can be generated by the client from the secret key alone. Alternatively, the generation of the authentication information can also take other factors/parameters into account. For example, in some embodiments, the authentication information can be generated based on the secret key and a public key shared between server and client. In that case, the server's authentication comprises generating the authentication information based on the secret key and the public key and authenticating accordingly. In particular, in some embodiments, the authentication information is a hash value generated based on the secret key and the public key. In this case, the server can verify the hash value so generated, to confirm whether it was generated by a legitimate client.
It should be understood that the verification process mentioned above is only an example; any other suitable authentication scheme can be used with embodiments of the present invention. In fact, the core idea of the present invention is to improve the safety and reliability of network authentication by means of information hiding techniques; the specific authentication method is not the concern of the present invention. Therefore, according to embodiments of the present invention, the authentication action can be completed by method 300. Alternatively, the actual authentication action can also be completed by other processes and/or equipment at the server side that are independent of method 300.
Method 300 ends after step S306 is completed.
Referring now to Fig. 4, it shows a block diagram of an apparatus 400 for performing authentication at the client side according to an exemplary embodiment. As shown, the apparatus 400 for performing authentication at the client side comprises: receiving means 402, configured to receive a data block from a server over a network connection; parsing means 404, configured to parse the received data block based on the agreement about information hiding between the client and the server, so as to extract the secret key encoded into the data block by the server; generating means 406, configured to generate authentication information based at least on the secret key; and sending means 408, configured to send the authentication information to the server over the network connection, for the server to perform the authentication.
According to optional embodiments of the present invention, receiving means 402 comprises first receiving means configured to receive an unstructured data block from the server over the network connection. In that case, parsing means 404 comprises first parsing means configured to parse, from the unstructured data block, the secret key encoded as a part of that unstructured data block. According to optional embodiments of the present invention, the unstructured data block is selected from: text data, multimedia data, or rich media data.
According to optional embodiments of the present invention, generating means 406 comprises first generating means configured to generate the authentication information based on the secret key and a public key shared by the client and the server. According to optional embodiments of the present invention, the first generating means comprises means configured to calculate a hash value of the secret key and the public key to serve as the authentication information.
According to optional embodiments of the present invention, the network connection between server and client is an unencrypted connection.
Referring now to Fig. 5, it shows a block diagram of an apparatus 500 for performing authentication at the server side according to an exemplary embodiment. As shown, apparatus 500 comprises: encoding means 502, configured to encode the secret key to be used in the authentication into a data block, based on the agreement about information hiding between the server and the client; sending means 504, configured to send the data block to the client over a network connection; and receiving means 506, configured to receive authentication information from the client over the network connection in order to perform the authentication, wherein the authentication information is generated by the client based at least on the secret key.
According to optional embodiments of the present invention, encoding means 502 comprises first encoding means configured to encode the secret key into an unstructured data block as a part of that unstructured data block. According to optional embodiments of the present invention, the unstructured data block is selected from: text data, multimedia data, or rich media data.
According to optional embodiments of the present invention, apparatus 500 further comprises authenticating means (not shown) configured to generate the authentication information based on the secret key and a public key shared by the client and the server, and to authenticate accordingly. According to optional embodiments of the present invention, the authenticating means comprises first authenticating means configured to authenticate based on a hash value calculated from the secret key and the public key.
According to optional embodiments of the present invention, the network connection between server and client is an unencrypted connection.
Note that, for clarity, the optional means and the sub-means contained in each means are not shown in Figs. 4 and 5. It should be understood, however, that each means recited for apparatus 400 and 500 corresponds to a step of the methods 200 and 300 described above with reference to Figs. 2 and 3. The operations and features described above for methods 200 and 300 therefore apply equally to apparatus 400 and 500 and the means they contain, and are not repeated here.
It should also be understood that apparatus 400 and 500 can be implemented in a variety of ways. For example, in some embodiments, apparatus 400 and 500 can be implemented using software and/or firmware. Alternatively or additionally, apparatus 400 and 500 can be partially or fully implemented in hardware; for example, as an integrated circuit (IC) chip or an application-specific integrated circuit (ASIC). Apparatus 400 and 500 can also be implemented as a system on a chip (SoC). Other ways known now or developed in the future are also feasible, and the scope of the present invention is not limited in this regard.
Referring now to Fig. 6, it shows a swimlane diagram of the interaction between the server and the client according to an exemplary embodiment. As shown in Fig. 6 and described above, the server encodes (in other words, embeds) the secret key to be used in the authentication process into a data block serving as a carrier, based on the agreement about information hiding between it and the client. The server then sends this data block to the client. In particular, according to embodiments of the invention, the data block may even be transmitted over an ordinary, unencrypted network connection.
At the client side, in response to receiving the data block from the server, the client parses the data block according to the information hiding agreement and extracts the secret key from it. Next, the client generates authentication information, for example a hash value, from the secret key and optionally other information (for example, the key shared by the server and the client). The client then sends the generated authentication information to the server. As with the transmission of the data block, the authentication information need not be sent over an encrypted connection. The server then performs the corresponding verification on the received authentication information.
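The exchange of Figs. 5 and 6 above, worked through as an added example (this is not code from the patent or its applicant). The information hiding agreement, the cover text, the shared key and the session bookkeeping are all assumptions made for the example: the carrier is a multi-line plain-text block, each line carries one key bit in its trailing whitespace (a space for 0, a tab for 1), the hash over the secret key and the shared key is an HMAC-SHA256, and the server issues a fresh secret key per session and accepts it once. Both sides' messages, a replay attempt and an interception by a party that does not know the agreement are shown.

```python
"""Added example of the server/client exchange in Fig. 6; not the patent's own code.

Assumed information hiding agreement (not specified by the patent): the data block is a
multi-line text; line i ends with a single space (bit 0) or a single tab (bit 1), and the
secret key is the bit string read top to bottom, most significant bit first.
"""
import hashlib
import hmac
import secrets

KEY_LEN = 16                     # secret key length in bytes (assumption)
BIT_MARKS = {0: " ", 1: "\t"}    # trailing whitespace per line encodes one key bit
# The patent's "public key shared by client and server" is a pre-shared symmetric key.
SHARED_KEY = b"pre-shared-key-known-to-both-sides"   # constructed for the example

# Constructed cover text: an innocuous notice with enough lines to carry KEY_LEN*8 bits.
COVER_LINES = [f"Terms of service, section {i + 1}: the service is provided as is."
               for i in range(KEY_LEN * 8)]


def key_to_bits(key):
    return [(b >> (7 - i)) & 1 for b in key for i in range(8)]


def bits_to_key(bits):
    return bytes(int("".join(str(b) for b in bits[i:i + 8]), 2)
                 for i in range(0, len(bits), 8))


def embed_key(cover_lines, key):
    """Server side (encoding device 502): hide the key in the text block per the agreement."""
    bits = key_to_bits(key)
    if len(cover_lines) < len(bits):
        raise ValueError("cover text too short for the key")
    out = []
    for i, line in enumerate(cover_lines):
        mark = BIT_MARKS[bits[i]] if i < len(bits) else ""
        out.append(line.rstrip() + mark)
    return "\n".join(out)


def extract_key(block, n_bytes=KEY_LEN):
    """Client side (parsing device): read the hidden bits back out of the block."""
    bits = []
    for line in block.split("\n")[: n_bytes * 8]:
        if line.endswith("\t"):
            bits.append(1)
        elif line.endswith(" "):
            bits.append(0)
        else:
            raise ValueError("line carries no hidden bit under this agreement")
    return bits_to_key(bits)


def auth_info(secret_key):
    """The 'hash of the secret key and the shared key'; HMAC-SHA256 keyed with the shared key."""
    return hmac.new(SHARED_KEY, secret_key, hashlib.sha256).digest()


class Server:
    def __init__(self):
        self.pending = {}   # session id -> secret key issued for that session

    def issue_block(self):
        sid = secrets.token_hex(4)
        key = secrets.token_bytes(KEY_LEN)      # fresh secret key per authentication
        self.pending[sid] = key
        return sid, embed_key(COVER_LINES, key)

    def verify(self, sid, received):
        key = self.pending.pop(sid, None)       # one-shot: a key authenticates at most once
        if key is None:
            return False
        return hmac.compare_digest(auth_info(key), received)


class Client:
    def respond(self, block):
        return auth_info(extract_key(block))


def run_exchange():
    """Honest run: server sends block, client answers, server verifies. Returns True."""
    server, client = Server(), Client()
    sid, block = server.issue_block()
    return server.verify(sid, client.respond(block))


def run_replay():
    """A captured answer replayed against a later session fails: that session has a new key."""
    server, client = Server(), Client()
    sid1, block1 = server.issue_block()
    captured = client.respond(block1)
    assert server.verify(sid1, captured)
    sid2, _ = server.issue_block()
    return server.verify(sid2, captured)


def run_eavesdropper():
    """A third party that captured the block (and even holds the shared key) but does not know
    the hiding agreement guesses another convention (first byte of each line) and is rejected."""
    server = Server()
    sid, block = server.issue_block()
    guessed = bytes(ord(line[0]) for line in block.split("\n")[:KEY_LEN])
    return server.verify(sid, auth_info(guessed))
```

Two design choices in the example are worth noting, since the patent text leaves them open. The hiding convention and the shared key together form the secret: anyone who learns both can answer a challenge, so the convention must be treated as key material rather than as an obscure format. And issuing a fresh secret key per session and discarding it after one verification is what makes a captured authentication information useless for replay over the unencrypted connection; a fixed secret key reused across sessions would not give that property.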
Fig. 7 shows a schematic block diagram of a computer system suitable for practicing embodiments of the invention. For example, the computer system shown in Fig. 7 may be used to implement the server and/or the client described above. As shown, computer system 700 comprises: a central processing unit (CPU) 701, random access memory (RAM) 702, read-only memory (ROM) 703, a system bus 704, a hard disk controller 705, a keyboard controller 706, a serial interface controller 707, a parallel interface controller 708, a display controller 709, a hard disk 710, a keyboard 711, a serial peripheral 712, a parallel peripheral 713 and a display 714. Among these devices, CPU 701, RAM 702, ROM 703, hard disk controller 705, keyboard controller 706, serial interface controller 707, parallel interface controller 708 and display controller 709 are coupled to system bus 704. Hard disk 710 is coupled to hard disk controller 705, keyboard 711 to keyboard controller 706, serial peripheral 712 to serial interface controller 707, parallel peripheral 713 to parallel interface controller 708, and display 714 to display controller 709. It should be understood that the block diagram of Fig. 7 is shown for purposes of example only and does not limit the scope of the invention. In some cases, devices may be added or removed as the situation requires.
As mentioned above, apparatus 400 and 500 may be implemented purely in hardware, such as a chip, ASIC or SoC, and such hardware may be integrated into computer system 700. In addition, embodiments of the invention may also be realized in the form of a computer program. For example, methods 200 and 300 described with reference to Figs. 2 and 3 may be realized by a computer program. The computer program may be stored in, for example, RAM 702 or ROM 703 shown in Fig. 7, hard disk 710 and/or any suitable storage medium, or downloaded to computer system 700 from a suitable location over a network. The computer program may comprise computer code portions containing program instructions executable by a suitable processing device (for example, CPU 701 shown in Fig. 7). The program instructions may comprise at least instructions for carrying out the steps of methods 200 and 300.
The spirit and principles of the invention have been explained above in conjunction with several embodiments. According to embodiments of the invention, network authentication no longer relies entirely on a secure network connection between the server and the client, but is ensured by hiding the secret key. Specifically, an agreement about information hiding can be determined in advance between the server and the client. According to this agreement, the server can encode or embed the secret key into an unstructured data block such as plain text, multimedia (image, audio, video) or rich media (Flash), and then send the data block as a carrier. The client extracts the secret key according to the agreement and generates the authentication information. In this way, even if a third party intercepts the data block, it cannot obtain the secret key and authenticate illegitimately, because it cannot obtain the information hiding agreement between the server and the client. Thus the authentication process in the network can be made safer and more reliable.
It should be noted that embodiments of the invention may be realized in hardware, in software, or in a combination of the two. The hardware part may be implemented with dedicated logic; the software part may be stored in memory and executed by a suitable instruction execution system, for example a microprocessor or specially designed hardware. Those skilled in the art will appreciate that the apparatus and methods described above may be implemented with computer-executable instructions and/or embodied in processor control code, which may be provided, for example, on a carrier medium such as a magnetic disk, CD or DVD-ROM, in programmable memory such as read-only memory (firmware), or on a data carrier such as an optical or electronic signal carrier. The apparatus of the invention and its modules may be implemented as hardware circuitry such as a very large scale integrated circuit (VLSI) or gate array, semiconductors such as logic chips or transistors, or programmable hardware devices such as field programmable gate arrays or programmable logic devices; as software executed by various types of processors; or as a combination of such hardware circuitry and software, for example firmware.
The communication networks mentioned in the specification may comprise various networks, including but not limited to local area networks (LAN), wide area networks (WAN), networks based on the IP protocol (for example, the Internet) and ad hoc networks (for example, ad hoc peer-to-peer networks).
It should be noted that although several devices or sub-devices of the apparatus are mentioned in the detailed description above, this division is not mandatory. In fact, according to embodiments of the invention, the features and functions of two or more devices described above may be embodied in a single device. Conversely, the features and functions of one device described above may be further divided so as to be embodied in multiple devices.
Furthermore, although the operations of the method of the invention are depicted in the drawings in a particular order, this does not require or imply that the operations must be performed in that particular order, or that all of the operations shown must be performed to achieve the desired result. On the contrary, the steps depicted in the flowcharts may be performed in a different order. Additionally or alternatively, some steps may be omitted, multiple steps may be merged into one step, and/or one step may be split into multiple steps.
Although the invention has been described with reference to several embodiments, it should be understood that the invention is not limited to the disclosed embodiments. The invention is intended to cover the various modifications and equivalent arrangements included within the spirit and scope of the appended claims. The scope of the claims is to be accorded the broadest interpretation so as to encompass all such modifications and equivalent structures and functions.

Claims (24)

1. A method for performing authentication at a client side, comprising:
receiving a data block from a server over a network connection;
parsing the received data block based on an agreement about information hiding between the client and the server, so as to extract a secret key encoded in the data block by the server;
generating authentication information based at least on the secret key; and
sending the authentication information to the server over the network connection, for the server to perform the authentication.
2. The method according to claim 1, wherein the data block is an unstructured data block, and the secret key is encoded as a part of the unstructured data block.
3. The method according to claim 2, wherein the unstructured data block is selected from: text data, multimedia data, or rich media data.
4. The method according to claim 1, wherein generating authentication information based at least on the secret key comprises:
generating the authentication information based on the secret key and a key shared by the client and the server.
5. The method according to claim 4, wherein generating the authentication information based on the secret key and the key shared by the client and the server comprises: computing a hash value of the secret key and the shared key as the authentication information.
6. The method according to claim 1, wherein the network connection is an unencrypted connection.
7. A method for performing authentication at a server side, comprising:
encoding a secret key to be used in the authentication into a data block, based on an agreement about information hiding between the server and a client;
sending the data block to the client over a network connection; and
receiving authentication information from the client over the network connection in order to perform the authentication, wherein the authentication information is generated by the client based at least on the secret key.
8. The method according to claim 7, wherein the data block is an unstructured data block, and wherein encoding the secret key to be used in the authentication into the data block comprises encoding the secret key as a part of the unstructured data block.
9. The method according to claim 8, wherein the unstructured data block is selected from: text data, multimedia data, or rich media data.
10. The method according to claim 7, further comprising:
authenticating the authentication information generated based on the secret key and a key shared by the client and the server.
11. The method according to claim 10, wherein authenticating the authentication information generated based on the secret key and the key shared by the client and the server comprises: authenticating a hash value computed from the secret key and the shared key.
12. The method according to claim 7, wherein the network connection is an unencrypted connection.
13. An apparatus for performing authentication at a client side, comprising:
a receiving device configured to receive a data block from a server over a network connection;
a parsing device configured to parse the received data block based on an agreement about information hiding between the client and the server, so as to extract a secret key encoded in the data block by the server;
a generating device configured to generate authentication information based at least on the secret key; and
a sending device configured to send the authentication information to the server over the network connection, for the server to perform the authentication.
14. The apparatus according to claim 13, wherein
the receiving device comprises a first receiving device configured to receive an unstructured data block from the server over the network connection, and
the parsing device comprises a first parsing device configured to parse, from the unstructured data block, the secret key encoded as a part of the unstructured data block.
15. The apparatus according to claim 14, wherein the unstructured data block is selected from: text data, multimedia data, or rich media data.
16. The apparatus according to claim 13, wherein the generating device comprises:
a first generating device configured to generate the authentication information based on the secret key and a key shared by the client and the server.
17. The apparatus according to claim 16, wherein the first generating device comprises a device configured to compute a hash value of the secret key and the shared key as the authentication information.
18. The apparatus according to claim 13, wherein the network connection is an unencrypted connection.
19. An apparatus for performing authentication at a server side, comprising:
an encoding device configured to encode a secret key to be used in the authentication into a data block, based on an agreement about information hiding between the server and a client;
a sending device configured to send the data block to the client over a network connection; and
a receiving device configured to receive authentication information from the client over the network connection in order to perform the authentication, wherein the authentication information is generated by the client based at least on the secret key.
20. The apparatus according to claim 19, wherein the encoding device comprises a first encoding device configured to encode the secret key into an unstructured data block as a part of the unstructured data block.
21. The apparatus according to claim 20, wherein the unstructured data block is selected from: text data, multimedia data, or rich media data.
22. The apparatus according to claim 19, further comprising:
an authenticating device configured to authenticate the authentication information generated based on the secret key and a key shared by the client and the server.
23. The apparatus according to claim 22, wherein the authenticating device comprises a first authenticating device configured to authenticate a hash value computed from the secret key and the shared key.
24. The apparatus according to claim 19, wherein the network connection is an unencrypted connection.
CN 201110400985 2011-11-25 2011-11-25 Network authentication method and network authentication equipment Pending CN103139191A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 201110400985 CN103139191A (en) 2011-11-25 2011-11-25 Network authentication method and network authentication equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 201110400985 CN103139191A (en) 2011-11-25 2011-11-25 Network authentication method and network authentication equipment

Publications (1)

Publication Number Publication Date
CN103139191A true CN103139191A (en) 2013-06-05

Family

ID=48498501

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 201110400985 Pending CN103139191A (en) 2011-11-25 2011-11-25 Network authentication method and network authentication equipment

Country Status (1)

Country Link
CN (1) CN103139191A (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105592450A (en) * 2014-10-21 2016-05-18 中兴通讯股份有限公司 Password generation method, password generation device and password generation system
CN105846994A (en) * 2016-03-24 2016-08-10 深圳大学 Physical layer steganography method and physical layer steganography system
WO2017161616A1 (en) * 2016-03-24 2017-09-28 深圳大学 Physical layer steganography method and system
CN105846994B (en) * 2016-03-24 2018-11-27 深圳大学 A kind of physical layer steganography method and system
CN108512830A (en) * 2018-02-26 2018-09-07 平安普惠企业管理有限公司 Information cipher processing method, device, computer equipment and storage medium
CN109409099A (en) * 2018-09-03 2019-03-01 中国平安人寿保险股份有限公司 Cookie data processing method, device, computer equipment and storage medium

Similar Documents

Publication Publication Date Title
CN110177354B (en) Wireless control method and system for vehicle
CN109863770B (en) Configurator key package for device provisioning protocol
US20140181929A1 (en) Method and apparatus for user authentication
US11736304B2 (en) Secure authentication of remote equipment
EP3602991A1 (en) Mechanism for achieving mutual identity verification via one-way application-device channels
US9614827B2 (en) Secure user presence detection and authentication
CN105282168B (en) Data interactive method and device based on CHAP agreement
US20100293376A1 (en) Method for authenticating a clent mobile terminal with a remote server
CN113268715A (en) Software encryption method, device, equipment and storage medium
US20080072297A1 (en) Method for protecting software based on network
CN109949461B (en) Unlocking method and device
US8397281B2 (en) Service assisted secret provisioning
US9137224B2 (en) System and method for secure remote access
CN104751538A (en) Implementation method for opening access controller, and access control system
WO2019161285A1 (en) Devices and systems for industrial internet of things security
Xu et al. Authentication‐Based Vehicle‐to‐Vehicle Secure Communication for VANETs
JP2017525236A (en) Ensuring communication safety with enhanced media platform
US20110010544A1 (en) Process distribution system, authentication server, distribution server, and process distribution method
TWI556618B (en) Network Group Authentication System and Method
WO2015100418A2 (en) Method for associating an image-forming device, a mobile device, and a user
CN103139191A (en) Network authentication method and network authentication equipment
KR102321405B1 (en) System and method for providing security service using blockchain and biometric information
CN112737780B (en) Electronic tag ownership transfer method
CN115801287A (en) Signature authentication method and device
KR102053993B1 (en) Method for Authenticating by using Certificate

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20130605
