CN104158816A - Authentication method and device as well as server - Google Patents

Authentication method and device as well as server Download PDF

Info

Publication number
CN104158816A
CN104158816A CN 201410421329 CN201410421329A CN104158816A CN 104158816 A CN104158816 A CN 104158816A CN 201410421329 CN201410421329 CN 201410421329 CN 201410421329 A CN201410421329 A CN 201410421329A CN 104158816 A CN104158816 A CN 104158816A
Authority
CN
China
Prior art keywords
message
server
digital signature
authentication
ip
Prior art date
Application number
CN 201410421329
Other languages
Chinese (zh)
Inventor
姜妮
张宇
赵志军
Original Assignee
中国科学院声学研究所
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 中国科学院声学研究所 filed Critical 中国科学院声学研究所
Priority to CN 201410421329 priority Critical patent/CN104158816A/en
Publication of CN104158816A publication Critical patent/CN104158816A/en

Links

Abstract

The invention relates to an authentication method and device as well as a server. The method comprises the following steps that: a server receives a command sent by a message releasing end, wherein the command is used for instructing the server to generate a key pair in order that the message releasing end generates a digital signature according to a private key in the key pair; the sever receives a first message sent by the message releasing end, wherein the first message comprises a public key in the key pair, the digital signature, a message and a message releasing end IP (Internet Protocol); the server matches the message releasing end IP with a preset white list according to the message releasing end IP; and after successful matching, the server verifies the message according to the public key and the digital signature, and pushes the message after successful verification.

Description

认证方法、装置和服务器 Authentication method, apparatus and server

技术领域 FIELD

[0001] 本发明涉及通信技术领域,尤其涉及消息推送系统的认证方法、装置和服务器。 [0001] The present invention relates to communications technologies, and in particular relates to a method of the authentication message push system, and the server apparatus.

背景技术 Background technique

[0002] 随着物联网技术的发展,人们更加迫切希望能够随时随地地从互联网获取信息和服务。 [0002] With the development of networking technology, people are more eager to anytime, anywhere access to information and services from the Internet. 然而越来越多的内容正不断地充斥着网络,人们已经很难通过简单的主动搜索来发现自己所感兴趣的资源。 However, more and more content is constantly filled with the network, it has been difficult to find the resources they are interested in a simple active search. 为了保证这些信息能够及时有效的被用户看到,相比于传统的拉取方式,消息推送方式更满足实际应用中的需要。 In order to ensure timely and effective information can be seen by the user, compared to conventional pull mode, push mode message satisfies more needs of practical application. 对于分布式的消息推送系统应用来说,发布或者订阅的消息是否能够安全及时的到达,对通信双方都具有非常重要的作用。 For the message push system applications for distributed, published or subscribed message is safe and timely arrival of the communicating parties have a very important role. 消息推送系统需要保证消息的完整性和可靠性,确保消息在传输过程中不丢失、不重复、不篡改。 Push message system needs to ensure the integrity and reliability of the message, to ensure that messages are not lost during transmission, and is not repeated tampering.

[0003] 然而,在现有的消息推送系统的设计中,由于计算机软件的非法复制,通信的泄密,数据安全受到威胁,但缺乏安全认证机制,造成了消息推送系统中的安全漏洞。 [0003] However, in the design of an existing message push system, due to the illegal copying of computer software, leaks communications, data security is threatened, but the lack of security authentication mechanism, resulting in a security loophole message push system.

发明内容 SUMMARY

[0004] 本发明的目的是保证消息推送系统的安全性,避免个别用户非法连接侵入破坏数据,影响网络安全。 [0004] The object of the present invention is to guarantee the security of message push system to avoid damage to individual users of illegal intrusion data connection, compromising network security.

[0005] 第一方面,本发明实施例提供了一种认证方法,所述方法包括: [0005] In a first aspect, the present invention provides a method of authentication, said method comprising:

[0006] 服务器接收消息发布端发送的指令,所述指令用于指示所述服务器生成密钥对, 以使所述消息发布端根据所述密钥对中的私钥生成数字签名; [0006] The server receives the message sent by issuing instructions, the instructions for the indication of the server generates the key, so that the end of the message publisher private key pair generated in accordance with a digital signature;

[0007] 所述服务器接收消息发布端发送的第一消息,所述第一消息包括所述密钥对中的公钥、数字签名、报文和消息发布端IP ; [0007] The server receives the release message sent by a first message, the first message comprising the public key pair, a digital signature, the message and the IP message publishing side;

[0008] 所述服务器根据所述消息发布端IP,将所述消息发布端IP与本地预设的白名单进行匹配; [0008] The message server according to the IP publishing side, the end of the preset IP and local whitelist of the release message matching;

[0009] 当匹配成功后,所述服务器根据所述公钥和数字签名,对所述报文进行验证,当验证成功后,对所述报文进行推送。 [0009] When the matching is successful, the server according to the public key and digital signature authentication of the packet, when the authentication is successful, the packet push.

[0010] 优选地,所述服务器根据所述公钥和数字签名,对所述报文进行验证具体包括: [0010] Preferably, the server according to the public key and digital signature, the authentication packet comprises:

[0011] 所述服务器采用哈希算法获取所述报文的报文摘要; [0011] The server uses a hashing algorithm to obtain a message digest of the message;

[0012] 所述服务器采用公钥对所述报文的数字签名进行解密,获取到解密报文摘要; [0012] The server uses the public key digital signature of the message is decrypted, to obtain decrypted message digest;

[0013] 当所述报文摘要和所述解密报文摘要相同时,验证成功。 [0013] When the decrypted message digest and the message digest is the same, the verification succeeds.

[0014] 优选地,所述哈希算法具体为MD2、MD4、MD5或SHA-1中的任意一种。 [0014] Preferably, the hashing algorithm is specifically MD2, either MD4, MD5 or SHA-1 is.

[0015] 优选地,所述服务器是MQTT代理服务器。 [0015] Preferably the server is a proxy server MQTT.

[0016] 第二方面,本发明实施例提供了一种认证装置,所述装置包括:第一接收单元,第二接收单元,第一匹配单元,第二匹配单元; [0016] a second aspect, the present invention provides an authentication apparatus, the apparatus comprising: a first receiving unit, a second receiving unit, a first matching unit, a second matching unit;

[0017] 所述第一接收单元,用于服务器接收消息发布端发送的指令,所述指令用于指示所述服务器生成密钥对,以使所述消息发布端根据所述密钥对中的私钥生成数字签名; [0017] The first receiving means for receiving a message distribution server sends instructions, the instructions for instructing said server to generate a key pair, so that the end of message distribution according to the key pair private key to generate a digital signature;

[0018] 所述第二接收单元,用于接收消息发布端发送的第一消息,所述第一消息包括所述密钥对中的公钥、数字签名、报文和消息发布端IP ; [0018] The second receiving means for receiving a release message sent by a first message, the first message comprising the public key pair, a digital signature, the message and the IP message publishing side;

[0019] 所述第一匹配单元,用于根据所述消息发布端IP,将所述消息发布端IP与本地预设的白名单进行匹配; [0019] The first matching unit, according to the Post IP terminal, the IP message and the publishing side local whitelist preset matching;

[0020] 所述第二匹配单元,用于根据所述公钥和数字签名,对所述报文进行验证,当验证成功后,对所述报文进行推送。 [0020] The second matching unit, according to the public key and the digital signature to authenticate the message, when the authentication is successful, the packet push.

[0021] 优选地,所述第二匹配单元具体用于: [0021] Preferably, the second matching unit is configured to:

[0022] 所述服务器采用哈希算法获取所述报文的报文摘要; [0022] The server uses a hashing algorithm to obtain a message digest of the message;

[0023] 所述服务器采用公钥对所述报文的数字签名进行解密,获取到解密报文摘要; [0023] The server uses the public key digital signature of the message is decrypted, to obtain decrypted message digest;

[0024] 当所述报文摘要和所述解密报文摘要相同时,验证成功。 [0024] When the decrypted message digest and the message digest is the same, the verification succeeds.

[0025] 优选地,所述哈希算法具体为MD2、MD4、MD5或SHA-1中的任意一种。 [0025] Preferably, the hashing algorithm is specifically MD2, either MD4, MD5 or SHA-1 is.

[0026] 优选地,所述服务器是MQTT代理服务器。 [0026] Preferably the server is a proxy server MQTT.

[0027] 第三方面,本发明实施例提供了一种服务器,所述服务器包括: [0027] a third aspect, embodiments of the present invention there is provided a server, the server comprising:

[0028] 接收器,接收消息发布端发送的指令,所述指令用于指示处理器生成密钥对,以使所述消息发布端根据所述密钥对中的私钥生成数字签名; [0028] The receiver receives a message sent by issuing instructions, the instructions for instructing the processor to generate a key pair, so that the end of the message publisher private key pair generated in accordance with a digital signature;

[0029] 所述接收器还用于,接收消息发布端发送的第一消息,所述第一消息包括所述密钥对中的公钥、数字签名、报文和消息发布端IP ; [0029] The receiver is further for receiving a first message sent by release message, the first message comprising the public key pair, a digital signature, the message and the IP message publishing side;

[0030] 处理器,根据所述消息发布端IP,将所述消息发布端IP与存储器中预设的白名单进行匹配; [0030] processor, based on the publishing side IP message, the IP terminal in a predetermined memory whitelist of the release message matching;

[0031] 所述处理器还用于,当匹配成功后,根据所述公钥和数字签名,对所述报文进行验证。 [0031] The processor is further configured, when the matching is successful, according to the public key and the digital signature to authenticate the message.

[0032] 发送器,当验证成功后,对所述报文进行推送。 [0032] The transmitter, when the authentication is successful, the packet push.

[0033] 优选地,所述处理器具体用于: [0033] Preferably, the processor is configured to:

[0034] 所述处理器采用哈希算法获取所述报文的报文摘要; [0034] The processor uses the hashing algorithm to obtain a message digest of the message;

[0035] 所述处理器采用公钥对所述报文的数字签名进行解密,获取到解密报文摘要; [0035] The processor uses a public key digital signature of the message is decrypted, to obtain decrypted message digest;

[0036] 当所述报文摘要和所述解密报文摘要相同时,验证成功。 [0036] When the decrypted message digest and the message digest is the same, the verification succeeds.

[0037] 通过应用本发明实施例提供的认证方法、装置和服务器,当匹配成功后,所述服务器根据公钥和数字签名,对报文进行验证,当成功后,将报文推送给消息订阅端,保证了消息发布端到消息订阅端的报文的安全性,完整性,可靠性和不可抵赖性,避免了报文在传输过程中遭到篡改或非法攻击,满足了企业级应用的安全需求,部署简单,节约成本,可扩展性强,同样能够应用到其它系统中。 [0037] authentication method, apparatus and a server provided by the embodiment of the present invention is applied, when the matching succeeds, the server according to the public key and digital signature authentication of the packet, when successful, the packet will be pushed to subscribe message end to ensure that the security needs of end news release security news Subscribe to the end of the message, integrity, non-repudiation and reliability, to avoid the message has been tampered with during transmission or illegal attack, to meet the enterprise application simple deployment, cost, scalable, can likewise be applied to other systems.

附图说明 BRIEF DESCRIPTION

[0038] 图1为本发明实施例一提供的基于MQTT发布/订阅机制消息推送系统架构图; [0038] FIG. 1 Push message-based system architecture diagram MQTT publish / subscribe according to a first embodiment of the present invention;

[0039] 图2为本发明实施例一提供的认证方法流程图; [0039] FIG. 2 authentication method according to a first embodiment of the present invention, a flow chart;

[0040] 图3为本发明实施例一提供的基于主题的发布/订阅机制; [0040] FIG. 3 topic-based publish / subscribe mechanism according to a first embodiment of the present invention;

[0041] 图4为本发明实施例二提供的认证装置示意图; [0041] Fig 4 a schematic view of the authentication apparatus according to a second embodiment of the present invention;

[0042] 图5为本发明实施例三提供的服务器示意图。 [0042] FIG. 5 is a schematic of a server according to a third embodiment of the present invention.

具体实施方式 Detailed ways

[0043] 为使本发明实施例的目的、技术方案和优点更加清楚,下面将结合本发明实施例中的附图,对本发明实施例中的技术方案进行清楚、完整地描述,显然,所描述的实施例是本发明一部分实施例,而不是全部的实施例。 [0043] In order that the invention object, technical solutions, and advantages of the embodiments more clearly, the following the present invention in the accompanying drawings, technical solutions of embodiments of the present invention are clearly and completely described, obviously, the described the embodiment is an embodiment of the present invention is a part, but not all embodiments. 基于本发明中的实施例,本领域普通技术人员在没有做出创造性劳动前提下所获得的所有其他实施例,都属于本发明保护的范围。 Based on the embodiments of the present invention, all other embodiments of ordinary skill in the art without any creative effort shall fall within the scope of the present invention.

[0044] 为便于对本发明实施例的理解,下面将结合附图以具体实施例做进一步的解释说明,实施例并不构成对本发明实施例的限定。 [0044] To facilitate understanding of the embodiments of the present invention, following with reference to specific embodiments further explanation description, examples not intended to limit embodiments of the present invention.

[0045] 本申请实施例提供的认证方法、装置及服务器,适用于对消息推送进行安全认证的场景,尤其适用于对消息队列遥测传输(Message Queuing Telemetry Transport,MQTT) 发布/订阅机制系统的安全认证的场景。 Authentication method, apparatus and a server provided in [0045] the present application, suitable for push messaging security authentication scenario, especially for Message Queuing Telemetry Transport (Message Queuing Telemetry Transport, MQTT) released security / subscribe mechanism system certified scene.

[0046] 为了保证消息推送系统的安全性,避免个别用户非法连接侵入破坏数据,影响网络安全,本申请可以通过IP认证和数字签名机制,保证消息推送操作时的安全。 [0046] To secure push message system, the safety of individual users avoid illegal intrusion destroy data connection, compromising network security, the present application by IP authentication and digital signature scheme, to ensure message push operation.

[0047] 图1为本发明实施例一提供的基于MQTT发布/订阅机制消息推送系统架构图。 [0047] FIG. 1 according to a first embodiment of the present invention based MQTT publish / push message-subscription system architecture of FIG.

[0048] 消息推送系统主要包括三大部分:消息发布端110,消息服务器120 (在下文中也可以简称服务器),消息订阅端130。 [0048] push messaging system includes three parts: a message 110 on the publishing side, the message server 120 (hereinafter may be referred to as a server), subscription message 130 ends. 消息发布端110相当于消息的生产者,应用程序每生产一条消息,并不直接交给消息接收者,而是交给服务器,由服务器120决定将消息发送给哪些接收端。 Post end 110 corresponds to the message producers, each producing an application message, the message not directly to the recipient, but to the server, sends a message to the server 120 determines which receiving end. 消息订阅端130相当于消息的消费者,消息订阅端130向服务器120订阅消息或者取消订阅消息,消息订阅端130有自己的消息接收队列,并可以根据需要对消息进行解包、解压缩和解密处理。 Subscribe message consumer end 130 corresponds to the message, the message subscription server 120 to the terminal 130 to subscribe or unsubscribe message message, end message subscription 130 has its own message receive queue, and messages may be necessary unpacked, decompressed and decrypted deal with. 服务器120是整个消息推送系统的灵魂所在,对于接收到的消息进行相关处理,推送到相应的消息订阅端130。 Server 120 is a soul of the entire message push system for performing correlation processing of the received message, pushed to the end of the subscription message 130.

[0049] 下面以图2为例详细说明本发明实施例提供的认证方法,图2为本发明实施例一提供的认证方法流程图,在本发明实施例中实施主体为具有处理能力的设备:服务器或者装置,例如:MQTT代理服务器。 [0049] In the following detailed description of an example in FIG. 2 authentication method provided in the embodiment of the present invention, the authentication method of the present embodiment FIG. 2 is a flowchart of an embodiment of the invention, the main device embodiment having a processing capability in the embodiment of the present invention: server or device, such as: MQTT proxy server. 如图2所示,该实施例具体包括以下步骤: As shown, this embodiment includes the following two steps:

[0050] S210,服务器接收消息发布端发送的指令,所述指令用于指示所述服务器生成密钥对,以使所述消息发布端根据所述密钥对中的私钥生成数字签名。 [0050] S210, the server receives the message sent by issuing instructions, the instructions for instructing said server to generate a key pair, so that the end of message distribution according to the private key to generate a digital signature key pair.

[0051] 消息发布端可以但不限于物联网平台中的网页服务器。 [0051] Post end may be but is not limited to things web server platform. 服务器包括但不限于MQTT 代理服务器。 Including but not limited to MQTT server proxy.

[0052] 服务器接收消息发布端发送的指令,该指令用于调用服务器中的数字签名认证模块,服务器根据所述指令,生成密钥对。 [0052] The server receives the message sent by issuing instructions, instructions for calling the digital signature authentication server module, the server according to the instructions, generate a key pair. 其中,数字签名认证模块是服务器中的子程序,可以看成是相对独立的模块,当消息订阅端需要进行相应某个处理时,调用对应的模块(处理子程序)即可,例如需要生成密钥对时,调用数字签名认证模块。 Wherein the digital signature authentication of the server module is a subroutine, can be considered as independent modules, when a message needs to subscribe to the corresponding end of a process, call the corresponding module (processing routine) can be, for example, need to generate a cipher when the key pair is called a digital signature authentication module. 为了更详细地说明本发明的实施过程,在本发明实施例中涉及到的软件模块,都处于服务器中。 To illustrate in more detail the process embodiment of the present invention, in the embodiment of the present invention, software modules involved in the embodiment, are in the server.

[0053] 密钥对包括公钥和私钥,消息发布端采用哈希算法,将要发送的报文生生成报文摘要,采用私钥对报文摘要进行加密,加密后的摘要即为报文的数字签名。 [0053] The public key and private key pair comprising a message publishing side uses hashing algorithm to generate a message to be transmitted Vincent message digest, using the private key to encrypt the message digest, the digest is the encrypted message digital signature.

[0054] 哈希算法包括但不限于消息摘要算法(Message-Digest Algorithm2, MD2)、MD4、 MD5 或安全散列算法(Secure Hash Algorithm,SHA-1)。 [0054] algorithms include, but are not limited to hash message digest algorithm (Message-Digest Algorithm2, MD2), MD4, MD5 or the Secure Hash Algorithm (Secure Hash Algorithm, SHA-1).

[0055] S220,服务器接收消息发布端发送的第一消息,所述第一消息包括所述密钥对中的公钥、数字签名、报文和消息发布端IP。 [0055] S220, the server receives the release message sent by a first message, the first message comprising the public key of the key pair, a digital signature, the message and message distribution terminal IP.

[0056] 消息发布端IP为网页服务器的IP地址。 [0056] Post-side IP IP address of the web server.

[0057] 报文为消息发布端所要发布的数据信息。 [0057] message released data information to be published for the end of the message.

[0058] S230,根据消息发布端IP,将所述消息发布端IP与预设的白名单进行匹配。 [0058] S230, according to the publishing side IP message, the IP message publishing side match with a preset white list.

[0059] 服务器中预先设置有白名单,白名单即为服务器授权的消息发布端IP。 [0059] The server is provided in advance with a white list, the whitelist is the authorization message distribution server side IP. 服务器可以调用其IP验证模块,将消息发布端IP与白名单进行匹配,其中,IP验证模块和数字签名认证模块一样,为服务器中的处理子程序。 The server can invoke its IP verification module, end IP whitelist will match news release, which, verification IP module and digital signature authentication modules, to handle routine server.

[0060] 当消息发布端IP与白名单匹配成功时,说明消息发布端合法,此时进入步骤S240。 [0060] When IP terminal publish message matches whitelist succeeds, the publishing side legitimate message, then proceeds to step S240.

[0061] 当消息发布端IP与白名单匹配失败时,说明消息发布端非法,此时服务器向消息发布端返回错误提示。 [0061] When news release end IP whitelist match fails, the news release end illegal, then released to the news server end returns an error message.

[0062] S240,当匹配成功后,所述服务器根据所述公钥和数字签名,对所述报文进行验证,当验证成功后,对所述报文进行推送。 [0062] S240, when the matching succeeds, the server according to the public key and digital signature authentication of the packet, when the authentication is successful, the packet push.

[0063] 服务器调用其数字签名认证模块,对报文进行验证。 [0063] The server calls its digital signature authentication module to authenticate packets.

[0064] 优选地,所述服务器根据所述公钥和数字签名,对所述报文进行验证具体包括: [0064] Preferably, the server according to the public key and digital signature, the authentication packet comprises:

[0065] 所述服务器采用哈希算法获取所述报文的报文摘要; [0065] The server uses a hashing algorithm to obtain a message digest of the message;

[0066] 所述服务器采用公钥对所述报文的数字签名进行解密,获取到解密报文摘要; [0066] The server uses the public key digital signature of the message is decrypted, to obtain decrypted message digest;

[0067] 当所述报文摘要和所述解密报文摘要相同时,验证成功。 [0067] When the decrypted message digest and the message digest is the same, the verification succeeds. 此时,服务器将报文推送给消息订阅端,并向消息发布端返回成功提示。 At this point, the server will be pushed to the packet message subscription ends, and announced end to return success tips.

[0068] 当所述报文摘要和所述解密报文摘要不同时,验证失败。 [0068] When the decrypted message digest and the message digest either simultaneously, authentication fails. 此时,服务器不向消息订阅端推送该报文,并向消息发布端返回错误提示。 In this case, the server does not push the message to the message subscription ends, and announced end to return an error message.

[0069] 其中,消息订阅端为终端,包括但不限于手机、平板电脑、笔记本电脑、台式电脑。 [0069] wherein the terminal end is a subscription message, including but not limited to mobile phones, tablet computers, notebook computers, desktop computers.

[0070] 可以理解的是,服务器获取报文摘要时采用的哈希算法和消息发布端提取报文摘要时的哈希算法为同一算法。 [0070] can be understood that the server gets the message using a hashing algorithm and the message digest is to be released at the end of the hash algorithm to extract the same message digest algorithm.

[0071] 进一步地,所述报文包括报文主题; [0071] Further, the packet comprises packet topics;

[0072] 当验证成功后,消息服务器将所述报文主题与消息订阅端的主题进行匹配,并将报文主题所对应的报文推送给相应的消息订阅端。 [0072] When the authentication is successful, the message server and the messages relating to packet relating to the subscribing side are matched, and the packets corresponding to the packets relating to the corresponding message to the push end of the subscription.

[0073] 具体地,如图3所示,图3为本发明实施例一提供的基于主题的发布/订阅机制。 [0073] Specifically, as shown in FIG. 3, FIG. 3 is a topic-based publish embodiment provided / subscribe mechanism embodiment of the invention. 图3中,服务器可以将接收到的消息发布端发送的合法的报文进行排列,示例而非限定,月艮务器可以将报文按照报文主题排列,构成主题队列,比如,可以将报文分类为含有主题X,主题Y的报文等。 In FIG. 3, the server can release the received message valid packet sent by arranging, example and not limitation, that works to months may be packet based on the packet relating to the arrangement, form the subject of the queue, for example, the message can be Wen theme classified as containing X, Y theme of the message and so on. 消息订阅端连接到服务器,完成注册获得注册账号,订阅或者取消自己的主题。 Subscribe to newsletters end connects to the server, complete the registration get registered account, or cancel your subscription topics. 消息订阅端可以包括一个终端,也可以包括多个终端,所述一个或多个终端订阅不同或者相同主题的报文,服务器根据本地的报文主题和消息订阅端所订阅的报文的主题将报文推送到相应的终端,比如终端A和终端C订阅了主题X,服务器则将主题X的报文推送给终端A和终端C,终端B订阅了主题Y,服务器则将主题Y的报文推送给终端B。 Subscription message may include a terminal end, also may include a plurality of terminals, the one or more packets terminal subscribes different or the same subject matter, according to the local server subscribed subject and message subscription message received packets relating to message pushed to the terminal, such as terminals a and C subscribe to topic X, packets relating to X server will be pushed to the terminal a and the terminal C, the terminal subscribed to topic Y B, Y theme server then packets pushed to the terminal B.

[0074] 采用本发明实施例提供的认证方法,服务器根据消息发布端IP,将消息发布端IP 与预设的白名单进行匹配;当匹配成功后,服务器根据所述公钥和数字签名,对报文进行验证,当验证成功后,将报文推送给消息订阅端,保证了消息发布端到消息订阅端的报文的安全性,完整性,可靠性和不可抵赖性,避免了报文在传输过程中遭到篡改或非法攻击,满足了企业级应用的安全需求,部署简单,节约成本,可扩展性强,同样能够应用到其它系统中。 [0074] The authentication method according to an embodiment of the present invention, according to the message server IP publishing side, the publishing side IP message match with a preset white list; when a match is found, based on the server public key and digital signature of packet authentication, when authentication is successful, the message will be pushed to the end of the message subscription, the news release to ensure the security of end to end message subscription message, integrity, non-repudiation and reliability, to avoid the transmission of packets the process has been tampered with or unlawful attacks and meet the security needs of enterprise applications, simple to deploy, cost-effective, scalable, the same can be applied to other systems.

[0075] 图4是本发明实施例二提供的认证装置示意图。 [0075] FIG. 4 is a schematic diagram of authentication apparatus according to a second embodiment of the present invention. 如图4所示,本实施例中,包括: 第一接收单元410,第二接收单元420,第一匹配单元430,第二匹配单元440 ; 4, in this embodiment, comprises: a first receiving unit 410, a second receiving unit 420, first matching unit 430, the second matching unit 440;

[0076] 所述第一接收单元410,用于服务器接收消息发布端发送的指令,所述指令用于指示所述服务器生成密钥对,以使所述消息发布端根据所述密钥对中的私钥生成数字签名; [0077] 所述第二接收单元420,用于接收消息发布端发送的第一消息,所述第一消息包括所述密钥对中的公钥、数字签名、报文和消息发布端IP ; [0076] The first receiving unit 410 for receiving a message distribution server sends instructions, the instructions for instructing said server to generate a key pair, so that the end of message distribution according to the key pair generating a digital signature private key; [0077] the second receiving unit 420 for receiving a release message sent by a first message, the first message comprising the public key of the key pair, digital signatures, message text messages and publish end IP;

[0078] 所述第一匹配单元430,用于根据所述消息发布端IP,将所述消息发布端IP与预设的白名单进行匹配; [0078] The first matching unit 430, according to the Post IP terminal, the IP message publishing side match with a preset white list;

[0079] 所述第二匹配单元440,用于根据所述公钥和数字签名,对所述报文进行验证,当验证成功后,对所述报文进行推送。 [0079] The second matching unit 440, according to the public key and the digital signature to authenticate the message, when the authentication is successful, the packet push.

[0080] 可选地,所述第二匹配单元440具体用于: [0080] Alternatively, the second matching unit 440 is specifically configured to:

[0081] 所述服务器采用哈希算法获取所述报文的报文摘要; [0081] The server uses a hashing algorithm to obtain a message digest of the message;

[0082] 所述服务器采用公钥对所述报文的数字签名进行解密,获取到解密报文摘要; [0082] The server uses the public key digital signature of the message is decrypted, to obtain decrypted message digest;

[0083] 当所述报文摘要和所述解密报文摘要相同时,验证成功。 [0083] When the decrypted message digest and the message digest is the same, the verification succeeds.

[0084] 可选地,所述哈希算法具体为MD2、MD4、MD5或SHA-1中的任意一种。 [0084] Alternatively, the hashing algorithm is specifically MD2, either MD4, MD5 or SHA-1 is.

[0085] 可选地,所述服务器是MQTT代理服务器。 [0085] Alternatively, the server is a proxy server MQTT.

[0086] 采用本发明实施例提供的认证装置,服务器根据所述消息发布端IP,将所述消息发布端IP与预设的白名单进行匹配;当匹配成功后,所述服务器根据所述公钥和数字签名,对所述报文进行验证,当验证成功后,将所述报文推送给消息订阅端,保证了消息发布端到消息订阅端的报文的安全性,完整性,可靠性和不可抵赖性,避免了报文在传输过程中遭到篡改或非法攻击,满足了企业级应用的安全需求,部署简单,节约成本,可扩展性强,同样能够应用到其它系统中。 [0086] The authentication apparatus according to an embodiment of the present invention, according to the message server IP publishing side, the publishing side IP message match with a preset white list; when a match is found, the server according to the well keys and digital signatures to authenticate the message, when the authentication is successful, the message will be pushed to the message subscription ends, to ensure the safety of the news release subscription to-end message packet, integrity, and reliability non-repudiation, to avoid the message has been tampered with during transmission or illegal attack, to meet the security needs of enterprise applications, simple to deploy, cost-effective, scalable, the same can be applied to other systems.

[0087] 图5为本发明实施例三提供的服务器示意图。 [0087] FIG. 5 is a schematic of a server according to a third embodiment of the present invention. 如图5所示,本实施例包括:接收器510,处理器520,存储器530,发送器540。 5, the present embodiment includes: a receiver 510, a processor 520, memory 530, transmitter 540. 其中接收器510,处理器520,存储器530和发送器540通过系统总线(图5中未示出)相连接。 Wherein the receiver 510, a processor 520, a memory 530 and a transmitter 540 coupled through a system bus (not shown in FIG. 5).

[0088] 接收器510,接收消息发布端发送的指令,所述指令用于指示所述处理器生成密钥对,以使所述消息发布端根据所述密钥对中的私钥生成数字签名; [0088] The receiver 510 receives the message sent by issuing instructions, the instructions for instructing the processor to generate a key pair, so that the end of message distribution according to the private key to generate a digital signature key pair ;

[0089] 所述接收器510还用于,接收消息发布端发送的第一消息,所述第一消息包括所述密钥对中的公钥、数字签名、报文和消息发布端IP ; [0089] The receiver 510 is also for receiving a first message sent by release message, the first message comprising the public key pair, a digital signature, the message and the IP message publishing side;

[0090] 处理器520,根据所述消息发布端IP,将所述消息发布端IP与存储器530中预设的白名单进行匹配; [0090] Processor 520, IP terminal according to the release message, the IP terminal 530 and the preset memory whitelist of the release message matching;

[0091] 所述处理器520还用于,当匹配成功后,根据所述公钥和数字签名,对所述报文进行验证。 [0091] The processor 520 is further configured to, when the matching is successful, according to the public key and the digital signature to authenticate the message.

[0092] 发送器540,当验证成功后,对所述报文进行推送。 [0092] The transmitter 540, when the authentication is successful, the packet push.

[0093] 可选地,所述处理器520具体用于: [0093] Alternatively, the processor 520 is specifically configured to:

[0094] 所述处理器采用哈希算法获取所述报文的报文摘要; [0094] The processor uses the hashing algorithm to obtain a message digest of the message;

[0095] 所述处理器采用公钥对所述报文的数字签名进行解密,获取到解密报文摘要; [0095] The processor uses a public key digital signature of the message is decrypted, to obtain decrypted message digest;

[0096] 当所述报文摘要和所述解密报文摘要相同时,验证成功。 [0096] When the decrypted message digest and the message digest is the same, the verification succeeds.

[0097] 服务器可以采用和图3的方法,将报文推送给消息订阅端,此处不再赘述。 [0097] The server may be employed and method of Figure 3, the packet will be pushed to the end message subscription omitted here.

[0098] 专业人员应该还可以进一步意识到,结合本文中所公开的实施例描述的各示例的单元及算法步骤,能够以电子硬件、计算机软件或者二者的结合来实现,为了清楚地说明硬件和软件的可互换性,在上述说明中已经按照功能一般性地描述了各示例的组成及步骤。 [0098] professionals should also be further appreciated that, as disclosed herein in conjunction with units and algorithm steps described exemplary embodiments, by electronic hardware, computer software, or a combination thereof. In order to clearly illustrate hardware and software interchangeability, in the above description, according to functions generally described compositions and steps of the examples. 这些功能究竟以硬件还是软件方式来执行,取决于技术方案的特定应用和设计约束条件。 Whether these functions are performed by hardware or software depends upon the particular application and design constraints of the technical solutions. 专业技术人员可以对每个特定的应用来使用不同方法来实现所描述的功能,但是这种实现不应认为超出本发明的范围。 Professional technical staff may use different methods for each specific application to implement the described functionality, but such implementation should not be considered outside the scope of the present invention.

[0099] 结合本文中所公开的实施例描述的方法或算法的步骤可以用硬件、处理器执行的软件模块,或者二者的结合来实施。 [0099] The steps of a method or algorithm described in the embodiments disclosed herein may be implemented in hardware, or a combination thereof, in a software module executed by a processor to implement. 软件模块可以置于随机存储器(RAM)、内存、只读存储器(ROM)、电可编程ROM、电可擦除可编程ROM、寄存器、硬盘、可移动磁盘、CD-ROM、或技术领域内所公知的任意其它形式的存储介质中。 A software module may be placed in a random access memory (RAM), a memory, a read only memory (ROM), electrically programmable ROM, an electrically erasable programmable ROM, a register, a hard disk, a removable disk, CD-ROM, or within the technical field known any other form of storage medium.

[0100] 以上所述的具体实施方式,对本发明的目的、技术方案和有益效果进行了进一步详细说明,所应理解的是,以上所述仅为本发明的具体实施方式而已,并不用于限定本发明的保护范围,凡在本发明的精神和原则之内,所做的任何修改、等同替换、改进等,均应包含在本发明的保护范围之内。 [0100] The foregoing specific embodiments, objectives, technical solutions, and advantages of the invention will be further described in detail, it should be understood that the above descriptions are merely specific embodiments of the present invention, but not intended to limit the scope of the present invention, all within the spirit and principle of the present invention, any changes made, equivalent substitutions and improvements should be included within the scope of the present invention.

Claims (10)

1. 一种认证方法,其特征在于,所述方法包括: 服务器接收消息发布端发送的指令,所述指令用于指示所述服务器生成密钥对,以使所述消息发布端根据所述密钥对中的私钥生成数字签名; 所述服务器接收消息发布端发送的第一消息,所述第一消息包括所述密钥对中的公钥、数字签名、报文和消息发布端IP ; 所述服务器根据所述消息发布端IP,将所述消息发布端IP与本地预设的白名单进行匹配; 当匹配成功后,所述服务器根据所述公钥和数字签名,对所述报文进行验证,当验证成功后,对所述报文进行推送。 1. An authentication method, characterized in that, said method comprising: a server receiving a message sent by issuing instructions, the instructions for instructing said server to generate a key pair, so that the message encrypted according to the publishing side generating a private key of the digital signature; server receives the release message sent by a first message, the first message comprising the public key pair, a digital signature, the message and the IP message publishing side; the message server according to the IP publishing side, the end of the preset IP and local whitelist of the release message matching; when the matching is successful, the server according to the public key and digital signature, the message to verify, when the authentication is successful, the packet push.
2. 根据权利要求1所述的方法,其特征在于,所述服务器根据所述公钥和数字签名,对所述报文进行验证具体包括: 所述服务器采用哈希算法获取所述报文的报文摘要; 所述服务器采用公钥对所述报文的数字签名进行解密,获取到解密报文摘要; 当所述报文摘要和所述解密报文摘要相同时,验证成功。 2. The method according to claim 1, characterized in that said server based on said public key and digital signature, the authentication packet comprises: acquiring by the server using a hash algorithm of the packet message digest; the server using a digital signature public key to decrypt the message, decrypting the message digest obtained; if the decrypted message digest and the message digest of the same, the authentication is successful.
3. 根据权利要求1或2所述的方法,其特征在于,所述哈希算法具体为消息摘要算法MD2、MD4、MD5和安全散列算法SHA-1中的任意一种。 3. The method of claim 1 or claim 2, wherein the hashing algorithm specific to message digest algorithm MD2, MD4, MD5, and any one of SHA 1-secure hash algorithm.
4. 根据权利要求1所述的方法,其特征在于,所述服务器是消息队列遥测传输MQTT代理服务器。 4. The method according to claim 1, wherein the message queue server is the proxy server MQTT telemetry transmission.
5. -种认证装置,其特征在于,所述装置包括:第一接收单元,第二接收单元,第一匹配单元,第二匹配单元; 所述第一接收单元,用于服务器接收消息发布端发送的指令,所述指令用于指示所述服务器生成密钥对,以使所述消息发布端根据所述密钥对中的私钥生成数字签名; 所述第二接收单元,用于接收消息发布端发送的第一消息,所述第一消息包括所述密钥对中的公钥、数字签名、报文和消息发布端IP ; 所述第一匹配单元,用于根据所述消息发布端IP,将所述消息发布端IP与本地预设的白名单进行匹配; 所述第二匹配单元,用于根据所述公钥和数字签名,对所述报文进行验证,当验证成功后,对所述报文进行推送。 5. - kind of authentication apparatus, wherein, said means comprising: a first receiving unit, a second receiving unit, a first matching unit, a second matching unit; a first receiving means for receiving a message distribution server terminal transmitting instructions, the instructions for instructing said server to generate a key pair, so that the end of message distribution according to the private key to generate a digital signature key pair; the second receiving unit for receiving a message a first message sent by the publishing side, said first message comprising the public key of the key pair, a digital signature, the message and the IP message publishing side; the first matching unit, according to the message for the publishing side IP, the IP message and the publishing side local whitelist preset matching; the second matching means for digital signature based on the public key and, the packet authentication, when authentication is successful, pushing the packet.
6. 根据权利要求5所述的装置,其特征在于,所述第二匹配单元具体用于: 所述服务器采用哈希算法获取所述报文的报文摘要; 所述服务器采用公钥对所述报文的数字签名进行解密,获取到解密报文摘要; 当所述报文摘要和所述解密报文摘要相同时,验证成功。 6. The apparatus as claimed in claim 5, characterized in that the second matching unit is configured to: obtain the server using a hash algorithm of the packet message digest; the server uses the public key digital signature of said message is decrypted, the decrypted message digest obtained; if the decrypted message digest and the message digest of the same, the authentication is successful.
7. 根据权利要求5或6所述的装置,其特征在于,所述哈希算法具体为MD2、MD4、MD5 或SHA-1中的任意一种。 7. The apparatus of claim 5 or claim 6, wherein the hash algorithm specifically MD2, either MD4, MD5 or SHA-1 is.
8. 根据权利要求5所述的装置,其特征在于,所述服务器是MQTT代理服务器。 8. The device as claimed in claim 5, wherein the server is a proxy server MQTT.
9. 一种服务器,其特征在于,所述服务器包括: 接收器,接收消息发布端发送的指令,所述指令用于指示处理器生成密钥对,以使所述消息发布端根据所述密钥对中的私钥生成数字签名; 所述接收器还用于,接收消息发布端发送的第一消息,所述第一消息包括所述密钥对中的公钥、数字签名、报文和消息发布端IP ; 处理器,根据所述消息发布端IP,将所述消息发布端IP与存储器中预设的白名单进行匹配; 所述处理器还用于,当匹配成功后,根据所述公钥和数字签名,对所述报文进行验证。 A server, wherein, said server comprising: a receiver for receiving a message sent by issuing instructions, the instructions for instructing the processor to generate a key pair, so that the message encrypted according to the publishing side key to generate the digital signature private key; the receiver is further configured to receive a first message sent by release message, the first message comprising the public key of the key pair, a digital signature, the message and post IP terminal; processor, according to the publishing side IP message, the IP message and the publishing side whitelist preset memory match; the processor is further configured to, when the matching is successful, according to the a public key and a digital signature to authenticate the message. 发送器,当验证成功后,对所述报文进行推送。 The transmitter, when the authentication is successful, the packet push.
10.根据权利要求9所述的服务器,其特征在于,所述处理器具体用于: 所述处理器采用哈希算法获取所述报文的报文摘要; 所述处理器采用公钥对所述报文的数字签名进行解密,获取到解密报文摘要; 当所述报文摘要和所述解密报文摘要相同时,验证成功。 10. The server of claim 9, wherein the processor is configured to: obtain the hashing algorithm using the processor of the packet message digest; the processor uses the public key digital signature of said message is decrypted, the decrypted message digest obtained; if the decrypted message digest and the message digest of the same, the authentication is successful.
CN 201410421329 2014-08-25 2014-08-25 Authentication method and device as well as server CN104158816A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 201410421329 CN104158816A (en) 2014-08-25 2014-08-25 Authentication method and device as well as server

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 201410421329 CN104158816A (en) 2014-08-25 2014-08-25 Authentication method and device as well as server

Publications (1)

Publication Number Publication Date
CN104158816A true CN104158816A (en) 2014-11-19

Family

ID=51884221

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 201410421329 CN104158816A (en) 2014-08-25 2014-08-25 Authentication method and device as well as server

Country Status (1)

Country Link
CN (1) CN104158816A (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105141636A (en) * 2015-09-24 2015-12-09 网宿科技股份有限公司 HTTP safety communication method and system applicable for CDN value added service platform
CN105245621A (en) * 2015-10-30 2016-01-13 大连大学 Enterprise message push system and message push method based on Message Queuing Telemetry Transport (MQTT)
CN105282143A (en) * 2015-09-09 2016-01-27 民航局空管局技术中心 Message access control method, device and system
CN106385491A (en) * 2016-09-05 2017-02-08 努比亚技术有限公司 System and method for controlling push information, mobile terminal and push server
CN106452721A (en) * 2016-10-14 2017-02-22 牛毅 Method and system for instruction identification of intelligent device based on identification public key
WO2017152767A1 (en) * 2016-03-08 2017-09-14 阿里巴巴集团控股有限公司 Published information processing method and device, and information publishing system
CN107809426A (en) * 2017-10-26 2018-03-16 珠海优特物联科技有限公司 The verification method and system of data message
WO2019127241A1 (en) * 2017-12-28 2019-07-04 Siemens Aktiengesellschaft Message queuing telemetry transport (mqtt) data transmission method, apparatus, and system

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050122932A1 (en) * 2003-12-06 2005-06-09 Walter Robert C. System for interactive queuing through public communication networks
US7379921B1 (en) * 2004-11-08 2008-05-27 Pisafe, Inc. Method and apparatus for providing authentication
CN103051448A (en) * 2011-10-12 2013-04-17 中兴通讯股份有限公司 Authentication method, device and system for pairing code of business terminal attached to home gateway
CN103079176A (en) * 2012-12-31 2013-05-01 Tcl集团股份有限公司 Method and system for remotely controlling electronic equipment, mobile terminal and electronic equipment
CN103490895A (en) * 2013-09-12 2014-01-01 北京斯庄格科技有限公司 Industrial control identity authentication method and device with state cryptographic algorithms
US20140040628A1 (en) * 2012-08-03 2014-02-06 Vasco Data Security, Inc. User-convenient authentication method and apparatus using a mobile authentication application

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050122932A1 (en) * 2003-12-06 2005-06-09 Walter Robert C. System for interactive queuing through public communication networks
US7379921B1 (en) * 2004-11-08 2008-05-27 Pisafe, Inc. Method and apparatus for providing authentication
CN103051448A (en) * 2011-10-12 2013-04-17 中兴通讯股份有限公司 Authentication method, device and system for pairing code of business terminal attached to home gateway
US20140040628A1 (en) * 2012-08-03 2014-02-06 Vasco Data Security, Inc. User-convenient authentication method and apparatus using a mobile authentication application
CN103079176A (en) * 2012-12-31 2013-05-01 Tcl集团股份有限公司 Method and system for remotely controlling electronic equipment, mobile terminal and electronic equipment
CN103490895A (en) * 2013-09-12 2014-01-01 北京斯庄格科技有限公司 Industrial control identity authentication method and device with state cryptographic algorithms

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105282143A (en) * 2015-09-09 2016-01-27 民航局空管局技术中心 Message access control method, device and system
CN105282143B (en) * 2015-09-09 2018-06-01 北京航空航天大学 message access control method, device and system
CN105141636A (en) * 2015-09-24 2015-12-09 网宿科技股份有限公司 HTTP safety communication method and system applicable for CDN value added service platform
CN105141636B (en) * 2015-09-24 2018-04-17 网宿科技股份有限公司 Suitable for the HTTP safety communicating methods and system of CDN value-added service platforms
CN105245621A (en) * 2015-10-30 2016-01-13 大连大学 Enterprise message push system and message push method based on Message Queuing Telemetry Transport (MQTT)
CN105245621B (en) * 2015-10-30 2018-05-22 大连大学 Enterprise message supplying system and information push method based on MQTT
WO2017152767A1 (en) * 2016-03-08 2017-09-14 阿里巴巴集团控股有限公司 Published information processing method and device, and information publishing system
CN106385491A (en) * 2016-09-05 2017-02-08 努比亚技术有限公司 System and method for controlling push information, mobile terminal and push server
CN106452721A (en) * 2016-10-14 2017-02-22 牛毅 Method and system for instruction identification of intelligent device based on identification public key
CN107809426A (en) * 2017-10-26 2018-03-16 珠海优特物联科技有限公司 The verification method and system of data message
WO2019127241A1 (en) * 2017-12-28 2019-07-04 Siemens Aktiengesellschaft Message queuing telemetry transport (mqtt) data transmission method, apparatus, and system

Similar Documents

Publication Publication Date Title
US7739508B2 (en) Secure instant messaging system
CN101573936B (en) Digital rights management using trusted processing techniques
ES2595105T3 (en) Effective and secure authentication of computer systems
KR101133829B1 (en) Verifying authenticity of webpages
US8826018B2 (en) Stateless human detection for real-time messaging systems
CN1835437B (en) Trusted third party authentication for web services
US9998434B2 (en) Secure dynamic communication network and protocol
KR100576558B1 (en) System and method for processing encoded messages for exchange with a mobile data communication device
US8144874B2 (en) Method for obtaining key for use in secure communications over a network and apparatus for providing same
CN102546607B (en) Providing security services on the cloud
US8214649B2 (en) System and method for secure communications between at least one user device and a network entity
US7890634B2 (en) Scalable session management
US9912644B2 (en) System and method to communicate sensitive information via one or more untrusted intermediate nodes with resilience to disconnected network topology
US20090327714A1 (en) System and Method for End-to-End Electronic Mail-Encryption
US7987359B2 (en) Information communication system, information communication apparatus and method, and computer program
CN103051600B (en) Document access control method and system
US8732462B2 (en) Methods and apparatus for secure data sharing
US20100043065A1 (en) Single sign-on for web applications
CN100388244C (en) Method and system for long-distance changing of communication cipher code
CN102196375B (en) Securing out-of-band messages
US20070258468A1 (en) Intermediate network node supporting packet analysis of encrypted payload
CN102077506B (en) Security architecture for peer-to-peer storage system
KR101786132B1 (en) Low-latency peer session establishment
EP1074131A1 (en) Method and apparatus for using digital signatures to filter packets in a network
US8646104B2 (en) Stateless challenge-response broadcast protocol

Legal Events

Date Code Title Description
C06 Publication
C10 Entry into substantive examination
RJ01