CN106685911B - Data processing method, authentication server and client - Google Patents

Info

Publication number: CN106685911B
Authority: CN (China)
Prior art keywords: client, session key, authentication server, target, target session
Legal status: Active (as listed by Google Patents; the listed status is an assumption, not a legal conclusion)
Application number: CN201610619349.2A
Other languages: Chinese (zh)
Other versions: CN106685911A (English)
Inventor: 何应刚
Current assignee: Tencent Technology Shenzhen Co Ltd
Original assignee: Tencent Technology Shenzhen Co Ltd
Events: application CN201610619349.2A filed by Tencent Technology Shenzhen Co Ltd; publication of CN106685911A; application granted; publication of CN106685911B; current status active (priority, filing, publication and anticipated expiration dates are not given on the page)

Classifications

    • H Electricity › H04 Electric communication technique › H04L Transmission of digital information, e.g. telegraphic communication
        • H04L 67/00 Network arrangements or protocols for supporting network services or applications › H04L 67/50 Network services › H04L 67/60 Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
        • H04L 63/00 Network architectures or network communication protocols for network security › H04L 63/04 for providing a confidential data exchange among entities communicating through data packet networks › H04L 63/0428 wherein the data content is protected, e.g. by encrypting or encapsulating the payload
        • H04L 63/00 Network architectures or network communication protocols for network security › H04L 63/06 for supporting key management in a packet data network › H04L 63/062 for key distribution, e.g. centrally by trusted party
        • H04L 63/00 Network architectures or network communication protocols for network security › H04L 63/08 for authentication of entities › H04L 63/0884 by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
        • H04L 67/00 Network arrangements or protocols for supporting network services or applications › H04L 67/14 Session management

Abstract

The embodiment of the invention discloses a data processing method applied to an authentication server in which at least one piece of encrypted data is stored, where each piece of encrypted data can correspond to at least one client. The method comprises the following steps: the authentication server receives authentication request information sent by at least one client; selects, from the stored encrypted data, target encrypted data corresponding to the at least one client, where the target encrypted data selected for different clients may be the same or different; and sends the target encrypted data corresponding to the at least one client to each client respectively, so that each client can encrypt its communication data with the received target encrypted data. The embodiment of the invention also provides an authentication server and a client.

Description

Data processing method, authentication server and client
Technical Field
The present invention relates to data processing technologies, and in particular, to a data processing method, an authentication server, and a client.
Background
A session key (session key) is a key used for encrypting a communication session process, and the existing session key is usually generated by a client, and the generated session key is carried in authentication request information and sent to an authentication server, so that the authentication server stores the session key. In practical application, in order to facilitate the authentication server to know the corresponding relationship between the session key and the client, the existing authentication server stores the corresponding relationship between the client and the session key, so that the session key corresponding to the client can be found in the subsequent session process, and the session data packet of the client is encrypted and decrypted by using the session key.
Here, since the session keys stored in the authentication server are linearly related to the number of the clients, when there are a large number of users, the storage amount of the authentication server is large, and the maintenance cost is high.
Disclosure of Invention
In order to solve the existing technical problems, embodiments of the present invention provide a data processing method, an authentication server, and a client, which can at least solve the above problems in the prior art.
The technical scheme of the embodiment of the invention is realized as follows:
the first aspect of the embodiments of the present invention provides a data processing method, which is applied to an authentication server, where at least one encrypted data is stored in the authentication server; wherein each of the encrypted data can correspond to at least one client; the method comprises the following steps:
the authentication server receives authentication request information sent by at least one client;
selecting target encrypted data corresponding to the at least one client from the stored at least one encrypted data; the target encrypted data corresponding to the at least one client side are the same or different;
and respectively sending target encryption data corresponding to the at least one client to each client so that each client can encrypt communication data by using the received target encryption data.
A second aspect of the embodiments of the present invention provides a data processing method, which is applied to a target client; the method comprises the following steps:
the target client generates authentication request information and sends the authentication request information to an authentication server;
receiving target encrypted data sent by the authentication server, wherein the target encrypted data is encrypted data which is selected by the authentication server from at least one piece of encrypted data stored by the authentication server and corresponds to the target client; each piece of encrypted data stored in the authentication server can correspond to at least one client;
and encrypting the communication data by using the received target encryption data.
A third aspect of the embodiments of the present invention provides an authentication server, where at least one piece of encrypted data is stored in the authentication server; wherein each of the encrypted data can correspond to at least one client; the authentication server includes:
the first receiving unit is used for receiving authentication request information sent by at least one client;
the first processing unit is used for selecting target encrypted data corresponding to the at least one client from the stored at least one encrypted data; the target encrypted data corresponding to the at least one client side are the same or different;
and the first sending unit is used for sending the target encrypted data corresponding to the at least one client to each client respectively, so that each client can encrypt the communication data by using the received target encrypted data.
A fourth aspect of an embodiment of the present invention provides a target client, including:
an information generating unit for generating authentication request information,
the second sending unit is used for sending the authentication request information to an authentication server;
a second receiving unit, configured to receive target encrypted data sent by the authentication server, where the target encrypted data is encrypted data that is selected by the authentication server from at least one piece of encrypted data stored in the authentication server and corresponds to the target client; each piece of encrypted data stored in the authentication server can correspond to at least one client;
and the second processing unit is used for carrying out encryption processing on communication data by using the received target encryption data.
The data processing method, the authentication server and the client realize the process of distributing the encrypted data to the client by the authentication server, and the target encrypted data distributed to the client by the authentication server can be the same or different, so that the quantity of the encrypted data is greatly reduced. Moreover, the encrypted data described in this embodiment may be set by the authentication server, so the amount of the encrypted data may be controlled by the authentication server, and the problems of a large amount of session keys and a high repetition rate in the existing storage are avoided. Moreover, because the encrypted data described in the embodiment of the present invention is set by the authentication server, and different clients may correspond to the same encrypted data, compared with the feature that the existing stored session key and the number of clients are linearly related, the number of encrypted data described in the embodiment of the present invention and the number of clients may be unrelated, which further reduces the number of encrypted data and increases the flexibility of setting encrypted data.
Drawings
Fig. 1 is a schematic flow chart of an implementation of generating a session key by a conventional client;
FIG. 2 is a schematic flow chart illustrating an implementation of a data processing method according to an embodiment of the present invention;
FIG. 3 is a diagram illustrating an authentication server distributing encrypted data to a plurality of clients according to an embodiment of the present invention;
FIG. 4 is a diagram illustrating an authentication server distributing encrypted data to a target client according to an embodiment of the present invention;
FIG. 5 is an interaction diagram of an authentication server distributing encrypted data to a target client according to an embodiment of the present invention;
fig. 6 is a schematic diagram of an authentication server distributing encrypted data to a plurality of clients through an access server according to an embodiment of the present invention;
FIG. 7 is a diagram illustrating an authentication server distributing encrypted data to a target client via an access server according to an embodiment of the present invention;
FIG. 8 is a flowchart illustrating an authentication server distributing encrypted data to a target client via an access server according to an embodiment of the present invention;
FIG. 9 is a schematic flow chart of an implementation of a second data processing method according to an embodiment of the present invention;
FIG. 10 is a diagram illustrating interaction between an authentication server and a target client in different encryption manners according to an embodiment of the present invention;
FIG. 11 is a flow chart illustrating an implementation of a specific application of the data processing method according to an embodiment of the present invention;
fig. 12 is a schematic flowchart of a session process performed after a target client acquires a session key and a session key identifier according to an embodiment of the present invention;
fig. 13 is a schematic structural diagram of a logic unit of an authentication server according to an embodiment of the present invention;
fig. 14 is a schematic diagram of a hardware structure of an authentication server according to an embodiment of the present invention;
fig. 15 is a schematic structural diagram of a client according to an embodiment of the present invention.
Detailed Description
Fig. 1 is a schematic flow chart of an implementation of generating a session key by a conventional client; specifically, as shown in fig. 1, in the existing process, a client generates a session key and sends the session key to an authentication server through an access server, and the authentication server stores the session key in a session key database corresponding to the authentication server; here, the session key database stores the corresponding relationship between the session key and the client; in practical application, the authentication server and the session key database can be unified into one entity or can be different entities; further, in the subsequent session process, when the authentication server needs to query the session key, the session key corresponding to the client is obtained from the session key database. Thus, since the session key is linearly related to the number of clients, when there are a large number of users, the storage amount becomes large, and the maintenance cost increases accordingly. Moreover, under the existing conditions, the authentication server cannot identify abnormal authentication requests, so that under the condition of suffering from a large number of malicious request attacks, a large number of invalid session keys need to be stored, which causes huge pressure on a session key database and influences normal service sessions.
Here, in practical applications, the access server receives the various requests sent by a client and routes each one according to its type: an authentication request is forwarded to the authentication server and a service request to the service server, so that requests are distributed to the right back end. Further, in order to encrypt and decrypt the session data packets during the session, the access server also needs to know the correspondence between the client and the session key, so, as shown in fig. 1, the session key database synchronizes the correspondence between session key and client to the access server through a synchronization server. Obviously, when the data volume is large, the operating efficiency of the access server suffers, and the cache capacity of the access server also limits the number of session keys it can hold, which affects normal service sessions. Moreover, in the existing method, the authentication server and the access server depend strongly on the session key database: when the session key database service is unreachable, neither the authentication process nor the encryption and decryption of session data packets can proceed, which ultimately affects the client.
Therefore, in order to solve the above problems, reduce the number and the repetition degree of session keys, reduce unnecessary network communication, and improve service performance, embodiments of the present invention provide a data processing method, an authentication server, and a client. Further, in order to make the invention more comprehensible, its features and technical contents are described in detail below with reference to the accompanying drawings, which are provided for illustration and are not intended to limit the invention.
Example one
The embodiment provides a data processing method, which is applied to an authentication server, wherein at least one encrypted data is stored in the authentication server; each piece of encrypted data can correspond to at least one client so as to distribute the encrypted data to the clients. Of course, in practical applications, the at least one encrypted data may be directly stored in the target database corresponding to the authentication server; the target database can be the same entity as the authentication server or different entities; specifically, the authentication server sets at least one encrypted data and stores the at least one encrypted data to the target database.
When the authentication server is provided with at least one encrypted data, the authentication server can distribute target encrypted data corresponding to the client to different clients by using the at least one encrypted data set by the authentication server.
Specifically, fig. 2 is a schematic flow chart illustrating an implementation of a data processing method according to an embodiment of the present invention; as shown in fig. 2, the method includes:
step 201: the authentication server receives authentication request information sent by at least one client;
in this embodiment, the authentication server may distribute encrypted data to a plurality of clients; specifically, as shown in fig. 3, the authentication server 31 interacts with the plurality of clients 21, and is capable of receiving authentication request information of the plurality of clients 21, and further distributes encrypted data to each client 21 based on the authentication request information of each client 21.
Here, the encrypted data may specifically be a session key; further, the encrypted data may specifically be a session key and a session key identifier, so that after the authentication server allocates the encrypted data to the client, only the session key identifier may be transmitted in a subsequent communication process, thereby reducing the amount of data to be transmitted and reducing network overhead.
Step 202: selecting target encrypted data corresponding to the at least one client from the stored at least one encrypted data; the target encrypted data corresponding to the at least one client side are the same or different;
here, the target encrypted data may specifically be a session key, or may specifically be a session key and a session key identifier, corresponding to the encrypted data.
In this embodiment, since the target encrypted data is distributed by the authentication server to the client, the target encrypted data corresponding to different clients may be the same or different. Further, in practical application, the authentication server may randomly allocate a target encrypted data to the client, or sequentially allocate the target encrypted data to the client based on an encrypted data list stored in the authentication server, which is not limited in this embodiment.
Step 203: and respectively sending target encryption data corresponding to the at least one client to each client so that each client can encrypt communication data by using the received target encryption data.
In a specific embodiment, the embodiment is further described by taking an authentication server as an example for distributing encrypted data to a target client; as shown in fig. 4, the target client sends the authentication request information generated by the target client to the authentication server 31, and the authentication server 31 distributes encrypted data to the target client based on the authentication request information; further, the specific allocation process is as shown in fig. 5, the target client generates authentication request information, and sends the authentication request information to the authentication server; after receiving authentication request information sent by the target client, the authentication server selects target encrypted data corresponding to the target client from at least one encrypted data stored in the authentication server, and sends the target encrypted data corresponding to the target client; and the target client receives the target encryption data sent by the authentication server and encrypts the communication data by using the received target encryption data.
In practical application, the authentication server distributes encrypted data to a plurality of clients through an access server; as shown in fig. 6, the authentication server 31 distributes encrypted data to the plurality of clients 21 through the access server 61. Here, continuing to take the authentication server as an example of distributing the encrypted data to the target client, as shown in fig. 7, the authentication request information generated by the target client is sent to the authentication server 31 through the access server 61, and the authentication server 31 distributes the target encrypted data distributed to the target client through the access server 61. Further, the specific allocation process is as shown in fig. 8, the target client generates authentication request information, sends the authentication request information to the access server, and sends the authentication request information to the authentication server through the access server; after receiving authentication request information, the authentication server selects target encrypted data corresponding to the target client from at least one encrypted data stored in the authentication server, sends the target encrypted data corresponding to the target client to an access server, and sends the target encrypted data to the target client through the access server; and the target client receives the target encrypted data and encrypts the communication data by using the received target encrypted data.
In another embodiment, in order to facilitate the authentication server to identify an abnormal authentication request and avoid being attacked by a malicious request, the authentication server needs to determine the authentication request information; specifically, the authentication request information at least carries user identity information; correspondingly, the authentication server obtains user identity information corresponding to each client based on the authentication request information of the at least one client, and further judges whether the user identity information corresponding to each client meets a preset rule; and when the user identity information corresponding to each client meets the preset rule, selecting target encrypted data corresponding to at least one client from the stored at least one encrypted data. That is, the authentication server only distributes encrypted data to the client corresponding to the authentication request information of which the user identity information meets the preset rule, so that the attack of malicious requests is avoided, and a foundation is laid for normal service session.
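The following Python example is added here to illustrate steps 201 to 203 together with the screening rule just described; it is not code from the patent or from Tencent. It puts the fig. 1 arrangement (one stored key per client, generated by the client) beside the pooled arrangement claimed here (a server-set pool of session key identifier and key pairs, handed out sequentially or at random), so the difference in what the server must store can be measured directly. The class and method names, the pool size, the 16-byte key length and the identity rule (8 to 32 alphanumeric characters) are assumptions made for the example; the patent specifies none of them.

```python
import os
import random
import re


class LegacyAuthServer:
    """Fig. 1 arrangement: every client generates its own session key and the
    server must keep one client -> key row per client."""

    def __init__(self):
        self.keys_by_client = {}          # grows linearly with the number of clients

    def register(self, client_id: str, client_key: bytes) -> None:
        self.keys_by_client[client_id] = client_key

    def stored_key_count(self) -> int:
        return len(self.keys_by_client)


class PoolAuthServer:
    """Steps 201-203: the server owns a fixed pool of (key id, key) pairs and
    hands one pair to each accepted client; different clients may get the same pair."""

    # Preset rule applied to the user identity carried in the request. The patent
    # does not give the rule; 8 to 32 alphanumeric characters is an assumption.
    IDENTITY_RULE = re.compile(r"^[A-Za-z0-9]{8,32}$")

    def __init__(self, pool_size: int, policy: str = "sequential", rng=None):
        # The pool is set by the server itself (here: random 16-byte keys at start-up),
        # so its size is a server-side parameter, not a function of the client count.
        self.pool = {key_id: os.urandom(16) for key_id in range(1, pool_size + 1)}
        self.policy = policy
        self.rng = rng or random.SystemRandom()
        self.cursor = 0                   # round-robin position for "sequential"

    def passes_rule(self, request: dict) -> bool:
        uid = request.get("user_id")
        return isinstance(uid, str) and self.IDENTITY_RULE.fullmatch(uid) is not None

    def select_target(self) -> tuple:
        """Step 202: pick a key id at random or round-robin over the stored list."""
        ids = sorted(self.pool)
        if self.policy == "random":
            key_id = self.rng.choice(ids)
        else:
            key_id = ids[self.cursor % len(ids)]
            self.cursor += 1
        return key_id, self.pool[key_id]

    def handle(self, request: dict):
        """Steps 201 and 203: screen the request, then return the target data
        (session key id plus session key), or None when the request is refused.
        Nothing is stored per client in either case."""
        if not self.passes_rule(request):
            return None
        key_id, key = self.select_target()
        return {"session_key_id": key_id, "session_key": key}

    def stored_key_count(self) -> int:
        return len(self.pool)


def compare(n_clients: int, pool_size: int = 4) -> dict:
    """Serve n_clients through both designs and report how many keys each keeps."""
    legacy, pooled = LegacyAuthServer(), PoolAuthServer(pool_size)
    handed_out = []
    for i in range(n_clients):
        uid = f"user{i:08d}"              # constructed identities that satisfy the rule
        legacy.register(uid, os.urandom(16))
        handed_out.append(pooled.handle({"user_id": uid})["session_key_id"])
    return {"legacy": legacy.stored_key_count(),
            "pooled": pooled.stored_key_count(),
            "key_ids": handed_out}


if __name__ == "__main__":
    print(compare(10, pool_size=4))
```

A refused request leaves nothing behind on the server, which is the property the text relies on against floods of malicious requests. Note the consequence of sharing: the same key id is in use by many clients at once, so a key id by itself identifies a pool entry, not a client, and must not be read as proof of who sent a packet.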
The method of the embodiment of the invention realizes the process that the authentication server distributes the encrypted data to the client, and the target encrypted data distributed to the client by the authentication server can be the same or different, thereby greatly reducing the quantity of the encrypted data. Moreover, the encrypted data described in this embodiment may be set by the authentication server, so the amount of the encrypted data may be controlled by the authentication server, and the problems of a large amount of session keys and a high repetition rate in the existing storage are avoided. Moreover, because the encrypted data described in the embodiment of the present invention is set by the authentication server, and different clients may correspond to the same encrypted data, compared with the feature that the existing stored session key and the number of clients are linearly related, the number of encrypted data described in the embodiment of the present invention and the number of clients may be unrelated, which further reduces the number of encrypted data and increases the flexibility of setting encrypted data.
Further, since the amount of the encrypted data described in the embodiment of the present invention is greatly reduced, the amount of the encrypted data acquired by the access server is also greatly reduced, and therefore, the embodiment of the present invention can avoid the problem of limiting the amount of the encrypted data due to the cache capacity of the access server as much as possible, and simultaneously, lays a foundation for increasing the processing speed of the access server.
Furthermore, after the encrypted data is stored in the authentication server, unnecessary network communication can be avoided, for example, a communication process that the authentication server sends the session key generated by the client to the session key database is avoided, so that a foundation is laid for improving the service performance of the client. In addition, the authentication server of the embodiment of the invention can also autonomously control the dynamic updating process of the encrypted data, thereby laying a foundation for improving the service security. In summary, compared with the process shown in the prior fig. 1, the method of the embodiment of the present invention is controllable, simple, stable and safe.
Example two
Based on the method in the first embodiment, in step 203, the target encrypted data sent by the authentication server to the client may specifically be data after encryption processing, so as to improve service security; specifically, the authentication server encrypts the target encrypted data corresponding to the at least one client, and then sends the encrypted target encrypted data corresponding to the at least one client to each client.
Here, continuing to use the authentication server as an example of distributing encrypted data to the target client, as shown in fig. 9, the target client generates authentication request information and sends the authentication request information to the authentication server; after receiving authentication request information sent by the target client, the authentication server selects target encrypted data corresponding to the target client from at least one encrypted data stored in the authentication server, encrypts the target encrypted data corresponding to the target client, and then sends the encrypted target encrypted data to the target client; and after receiving the encrypted target encrypted data sent by the authentication server, the target client decrypts the encrypted target encrypted data to obtain the target encrypted data, and then encrypts communication data by using the decrypted target encrypted data.
Specifically, in practical applications, the authentication server may process the target encrypted data by using the temporary encrypted data; here, the temporary encrypted data is client-generated; and the authentication server encrypts the target encrypted data by using the temporary encrypted data generated by the client and sends the encrypted data to the client. Specifically, the authentication server obtains temporary encrypted data sent by the at least one client, and encrypts target encrypted data corresponding to the at least one client based on the temporary encrypted data sent by the at least one client. That is, the authentication server encrypts the target encrypted data corresponding to each client based on the temporary encrypted data generated by the client.
Correspondingly, taking a target client as an example, after the authentication server encrypts the target encrypted data with the temporary encrypted data generated by the target client, the target client decrypts the encrypted target encrypted data with that same temporary encrypted data, so as to obtain the target encrypted data. In practical application, once the client has generated the temporary encrypted data, it may carry it in the authentication request information sent to the authentication server, so that the authentication server can use it directly. Specifically, as shown in fig. 10, the target client generates temporary encrypted data, generates authentication request information, and carries the generated temporary encrypted data in the authentication request information sent to the authentication server; the authentication server selects target encrypted data corresponding to the target client from the at least one piece of encrypted data it stores, encrypts the target encrypted data with the temporary encrypted data carried in the authentication request information, and then sends the encrypted target encrypted data to the target client; the target client decrypts it with the temporary encrypted data it generated to obtain the target encrypted data, and then encrypts communication data with the decrypted target encrypted data.
In an embodiment, the embodiment of the present invention is further described in detail with reference to fig. 11. As shown in fig. 11, the target client generates a temporary key and transports it to the authentication server inside authentication request information protected with the public-key encryption algorithm RSA: specifically, the target client encrypts the temporary key with the authentication server's RSA public key, carries the encrypted temporary key in the authentication request information, sends it to the access server, and the access server forwards it to the authentication server. The authentication server decrypts the encrypted temporary key with its RSA private key (the counterpart of the public key held by the client), then screens whether the authentication request information is a malicious request; when the request is determined not to be malicious, it distributes a session key and a session key identifier to the target client, encrypts the distributed session key and session key identifier with the decrypted temporary key, and returns an authentication response, for example carrying the encrypted session key and session key identifier in the authentication response sent to the target client through the access server. Further, the target client decrypts the encrypted session key and session key identifier with its temporary key, thereby obtaining the session key and session key identifier distributed by the authentication server, and subsequently encrypts and decrypts session data packets with the session key.
Further, fig. 12 is a schematic flowchart of the session performed after the target client has acquired the session key and session key identifier according to an embodiment of the present invention. The target client acquires plaintext data and encrypts it with the session key to obtain ciphertext data, then transmits the ciphertext data to the access server over the data network; the access server decrypts the ciphertext data with the session key to obtain the plaintext data, processes it, and sends a data packet carrying the plaintext data to the service server, which receives and processes that data packet.
When the access server receives the response packet sent by the service server, it parses the response packet to obtain its plaintext data, encrypts that plaintext data with the session key, and transmits the result to the target client over the data network; the target client decrypts the encrypted response packet with the session key to obtain the plaintext data of the response packet, which completes the encrypted session.
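The fig. 11 key distribution and the fig. 12 session packet, written out in Go as an added example (not code from the patent or from Tencent). The patent names only RSA; RSA-OAEP for the temporary key, AES-256-GCM for all symmetric steps, 1-based identifiers into the server's key store, and decryption of the temporary key with the server's private key are all this example's assumptions, the malicious-request screening is omitted, and which stored key is handed out is left to the caller.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// AES-256-GCM laid out nonce||ciphertext||tag, with aad bound to the ciphertext.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // every key in this example is 32 bytes
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

func wrap(key, plaintext, aad []byte) []byte {
	g := gcm(key)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return g.Seal(nonce, nonce, plaintext, aad)
}

func unwrap(key, box, aad []byte) ([]byte, error) {
	g := gcm(key)
	if len(box) < g.NonceSize() {
		return nil, errors.New("truncated ciphertext")
	}
	return g.Open(nil, box[:g.NonceSize()], box[g.NonceSize():], aad)
}

// Fig. 11, client side: the authentication request carries a fresh temporary key,
// RSA-OAEP-encrypted to the server's public key; the response is unwrapped with it.
func ClientAuthRequest(pub *rsa.PublicKey) (tmp, req []byte, err error) {
	tmp = make([]byte, 32)
	if _, err = rand.Read(tmp); err != nil {
		return nil, nil, err
	}
	req, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, tmp, nil)
	return tmp, req, err
}
func ClientHandleAuthResponse(tmp, resp []byte) (keyID uint32, sessionKey []byte, err error) {
	msg, err := unwrap(tmp, resp, nil)
	if err != nil || len(msg) != 36 {
		return 0, nil, errors.New("authentication response rejected")
	}
	return binary.BigEndian.Uint32(msg[:4]), msg[4:], nil
}

// Fig. 11, server side: recover the temporary key (OAEP decryption with the private key is this
// example's assumption) and wrap keyID||sessionKey under it. Identifier i names keys[i-1] (assumption).
func ServerHandleAuth(priv *rsa.PrivateKey, keys [][]byte, keyID uint32, req []byte) ([]byte, error) {
	tmp, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, req, nil)
	if err != nil || keyID == 0 || int(keyID) > len(keys) {
		return nil, errors.New("authentication request rejected")
	}
	msg := append(binary.BigEndian.AppendUint32(nil, keyID), keys[keyID-1]...)
	return wrap(tmp, msg, nil), nil
}

// Fig. 12 packet: the key identifier travels in clear so the access server can
// find the session key in its copy of keys; the header is bound as AAD.
func SealPacket(sessionKey []byte, keyID uint32, plaintext []byte) []byte {
	hdr := binary.BigEndian.AppendUint32(nil, keyID)
	return append(hdr, wrap(sessionKey, plaintext, hdr)...)
}

func OpenPacket(keys [][]byte, pkt []byte) (keyID uint32, plaintext []byte, err error) {
	if len(pkt) >= 4 {
		keyID = binary.BigEndian.Uint32(pkt[:4])
	}
	if keyID == 0 || int(keyID) > len(keys) { // also rejects a truncated header
		return 0, nil, errors.New("unknown session key identifier")
	}
	plaintext, err = unwrap(keys[keyID-1], pkt[4:], pkt[:4])
	return keyID, plaintext, err
}
```

The access server's reply is simply SealPacket under the same key and identifier it recovered with OpenPacket, so the one packet format serves both directions of fig. 12.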
Example three
The embodiment provides an authentication server, wherein at least one encrypted data is stored in the authentication server; wherein each of the encrypted data can correspond to at least one client; further, as shown in fig. 13, the authentication server includes:
a first receiving unit 1301, configured to receive authentication request information sent by at least one client;
a first processing unit 1302, configured to select target encrypted data corresponding to the at least one client from the stored at least one encrypted data; the target encrypted data corresponding to the at least one client side are the same or different;
a first sending unit 1303, configured to send target encrypted data corresponding to the at least one client to each of the clients, so that each of the clients performs encryption processing on communication data by using the received target encrypted data.
In an embodiment, the first processing unit 1302 is further configured to perform encryption processing on target encrypted data corresponding to the at least one client;
correspondingly, the first sending unit 1303 is further configured to send the encrypted target encrypted data corresponding to the at least one client to each client.
In another embodiment, the first processing unit 1302 is further configured to obtain temporary encrypted data sent by the at least one client, and perform encryption processing on target encrypted data corresponding to the at least one client based on the temporary encrypted data sent by the at least one client.
In one embodiment, the authentication request information carries at least user identity information; correspondingly,
the first processing unit 1302 is further configured to obtain user identity information corresponding to each client based on the authentication request information of the at least one client, and determine whether the user identity information corresponding to each client meets a preset rule; and when the user identity information corresponding to each client meets the preset rule, selecting target encrypted data corresponding to the at least one client from the stored at least one encrypted data.
Here, it should be noted that the description of the authentication server embodiment is similar to that of the method embodiment and has the same beneficial effects, so it is not repeated. For technical details not disclosed in the authentication server embodiment of the present invention, those skilled in the art should refer to the description of the method embodiment of the present invention; for brevity, the detailed description is omitted here.
Further, the present embodiment provides specific hardware based on the above authentication server embodiment. As shown in fig. 14, the authentication server includes a receiver 1401, a transmitter 1402, a processor 1403 and a memory 1404, all connected by a bus. The processor can be a microprocessor, a central processing unit, a digital signal processor, a programmable logic array or another electronic component with a processing function. The memory, as storage medium, stores computer-executable code for executing the method corresponding to the authentication server in any one of the first to third embodiments.
Example four
The present embodiment provides a target client, as shown in fig. 15, the target client includes:
an information generating unit 1501, configured to generate authentication request information;
a second sending unit 1502, configured to send the authentication request message to an authentication server;
a second receiving unit 1503, configured to receive target encrypted data sent by the authentication server, where the target encrypted data is encrypted data that is selected by the authentication server from at least one piece of encrypted data stored in the authentication server and corresponds to the target client; each piece of encrypted data stored in the authentication server can correspond to at least one client;
a second processing unit 1504, configured to perform encryption processing on communication data using the received target encryption data.
In an embodiment, the second receiving unit 1503 is further configured to receive the encrypted target encrypted data sent by the authentication server;
the second processing unit 1504 is further configured to decrypt the encrypted target encrypted data to obtain the target encrypted data.
In another embodiment, the second processing unit 1504 is further configured to generate temporary encrypted data, and perform decryption processing on the encrypted target encrypted data by using the temporary encrypted data generated by itself.
Here, the target client described in this embodiment may be installed in any electronic device, which then implements the foregoing process. It should be noted that the description of the client embodiment is similar to that of the method embodiment and has the same beneficial effects, so it is not repeated. For technical details not disclosed in the client embodiment of the present invention, those skilled in the art should refer to the description of the method embodiment of the present invention; for brevity, the detailed description is omitted here.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described device embodiments are merely illustrative, for example, the division of the unit is only a logical functional division, and there may be other division ways in actual implementation, such as: multiple units or components may be combined, or may be integrated into another system, or some features may be omitted, or not implemented. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be through some interfaces, and the indirect coupling or communication connection between the devices or units may be electrical, mechanical or other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed on a plurality of network units; some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, all the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may be separately regarded as one unit, or two or more units may be integrated into one unit; the integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
Those of ordinary skill in the art will understand that: all or part of the steps for implementing the method embodiments may be implemented by hardware related to program instructions, and the program may be stored in a computer readable storage medium, and when executed, the program performs the steps including the method embodiments; and the aforementioned storage medium includes: a mobile storage device, a Read Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
Alternatively, the integrated unit of the present invention may be stored in a computer-readable storage medium if it is implemented in the form of a software functional module and sold or used as a separate product. Based on such understanding, the technical solutions of the embodiments of the present invention may be essentially implemented or a part contributing to the prior art may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the methods described in the embodiments of the present invention. And the aforementioned storage medium includes: a mobile storage device, a Read Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present invention, and all the changes or substitutions should be covered within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the appended claims.

Claims (16)

1. A data processing method is applied to an authentication server, wherein at least one session key is stored in the authentication server; wherein each of the session keys is capable of corresponding to at least one client; the method comprises the following steps:
the authentication server receives authentication request information sent by at least one client, wherein the authentication request information carries a temporary secret key after encryption processing;
selecting a target session key corresponding to the at least one client from the stored at least one session key; the target session keys corresponding to the at least one client are the same or different;
decrypting the encrypted temporary secret key, and encrypting the selected target session secret key by using the decrypted temporary secret key;
respectively sending the encrypted target session key corresponding to the at least one client to each client, so that each client decrypts the encrypted target session key by using the temporary key and encrypts the communication data by using the target session key obtained by decryption.
2. The method according to claim 1, wherein the authentication request information further carries user identity information; correspondingly, the method further comprises the following steps:
obtaining user identity information corresponding to each client based on the authentication request information of the at least one client;
judging whether the user identity information corresponding to each client meets a preset rule or not;
correspondingly, the selecting a target session key corresponding to the at least one client from the stored at least one session key includes:
and when the user identity information corresponding to each client meets the preset rule, selecting a target session key corresponding to at least one client from the stored at least one session key.
3. The method of claim 1, wherein the selecting a target session key corresponding to the at least one client from the stored at least one session key comprises:
the authentication server randomly selects a target session key from at least one session key stored in the authentication server, and simultaneously distributes the target session key to the at least one client;
or, the authentication server sequentially distributes respective corresponding target session keys to the at least one client according to a session key list stored by the authentication server.
4. The method as claimed in claim 1, wherein the receiving, by the authentication server, the authentication request information sent by at least one client comprises:
the authentication server receives authentication request information sent by the at least one client terminal forwarded by the access server;
the sending the encrypted target session key corresponding to the at least one client to each client respectively comprises:
sending the encrypted target session key corresponding to the at least one client to the access server, so that the access server respectively sends the encrypted target session key to each client.
5. A data processing method is applied to a target client; the method comprises the following steps:
the target client generates authentication request information and sends the authentication request information to an authentication server, wherein the authentication request information carries the encrypted temporary secret key;
receiving an encrypted target session key sent by the authentication server, wherein the target session key is a session key corresponding to the target client and selected by the authentication server from at least one session key stored by the authentication server; the encryption processing means that the authentication server decrypts the encrypted temporary secret key and encrypts the selected target session secret key by using the decrypted temporary secret key; each session key stored in the authentication server can correspond to at least one client;
and decrypting the received encrypted target session key by using the temporary key, and encrypting the communication data by using the decrypted target session key.
6. The method as claimed in claim 5, wherein the receiving the encrypted target session key sent by the authentication server comprises:
and receiving an encrypted target session key randomly selected by the authentication server from at least one session key stored by the authentication server.
7. The method of claim 5, wherein sending the authentication request message to an authentication server comprises:
and sending the authentication request information to an access server so that the access server sends the authentication request information to the authentication server.
8. An authentication server, wherein at least one session key is stored in the authentication server; wherein each of the session keys is capable of corresponding to at least one client; the authentication server includes:
the first receiving unit is used for receiving authentication request information sent by at least one client, wherein the authentication request information carries a temporary secret key after encryption processing;
the first processing unit is used for selecting a target session key corresponding to the at least one client from at least one stored session key; the target session keys corresponding to the at least one client are the same or different;
the first sending unit is used for decrypting the encrypted temporary secret key and encrypting the selected target session secret key by using the decrypted temporary secret key;
the first sending unit is further configured to send the encrypted target session key corresponding to the at least one client to each client, so that each client decrypts the encrypted target session key by using the temporary key and encrypts the communication data by using the target session key obtained by decryption.
9. The authentication server according to claim 8, wherein the authentication request information carries at least user identity information; correspondingly,
the first processing unit is further configured to obtain user identity information corresponding to each client based on the authentication request information of the at least one client, and determine whether the user identity information corresponding to each client meets a preset rule; and the server is further configured to select a target session key corresponding to the at least one client from the stored at least one session key when the user identity information corresponding to each client satisfies the preset rule.
10. The authentication server of claim 8,
the first processing unit is further configured to randomly select a target session key from the at least one session key, and distribute the target session key to the at least one client at the same time;
or, the session key management module is configured to sequentially allocate respective corresponding target session keys to the at least one client according to the session key list.
11. The authentication server of claim 8,
the first receiving unit is further configured to receive authentication request information sent by the at least one client and forwarded by an access server;
the first sending unit is further configured to send the encrypted target session key corresponding to the at least one client to the access server, so that the access server respectively sends the encrypted target session key to each client.
12. A target client, comprising:
the information generating unit is used for generating authentication request information, and the authentication request information carries the encrypted temporary secret key;
the second sending unit is used for sending the authentication request information to an authentication server;
a second receiving unit, configured to receive the encrypted target session key sent by the authentication server, where the target session key is a session key corresponding to the target client and selected by the authentication server from at least one session key stored in the authentication server; the encryption processing means that the authentication server decrypts the encrypted temporary secret key and encrypts the selected target session secret key by using the decrypted temporary secret key; each session key stored in the authentication server can correspond to at least one client;
and the second processing unit is used for decrypting the received encrypted target session key by using the temporary key and encrypting the communication data by using the decrypted target session key.
13. The target client of claim 12,
the second receiving unit is further configured to receive an encrypted target session key randomly selected by the authentication server from at least one session key stored in the authentication server.
14. The target client of claim 12,
the second sending unit is further configured to send the authentication request information generated by the information generating unit to an access server, so that the access server sends the authentication request information to the authentication server.
15. A computer readable storage medium having stored thereon executable instructions, which when executed by a processor implement a data processing method as claimed in any one of claims 1 to 4, or any one of claims 5 to 7.
16. An electronic device, comprising:
a memory for storing executable instructions;
a processor for implementing the data processing method of any of claims 1 to 4, or any of claims 5 to 7 when processing the executable instructions.
CN201610619349.2A 2016-07-29 2016-07-29 Data processing method, authentication server and client Active CN106685911B (en)
Publications (2)

Publication Number Publication Date
CN106685911A CN106685911A (en) 2017-05-17
CN106685911B true CN106685911B (en) 2020-12-04