CN106936798B - Service authentication method and device - Google Patents
Service authentication method and device Download PDFInfo
- Publication number
- CN106936798B CN106936798B CN201511029587.XA CN201511029587A CN106936798B CN 106936798 B CN106936798 B CN 106936798B CN 201511029587 A CN201511029587 A CN 201511029587A CN 106936798 B CN106936798 B CN 106936798B
- Authority
- CN
- China
- Prior art keywords
- terminal
- authentication
- platform
- token
- service
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0815—Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/101—Access control lists [ACL]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Small-Scale Networks (AREA)
- Telephonic Communication Services (AREA)
Abstract
The invention discloses a service authentication method and a service authentication device, which are used for solving the technical problems of high cost, poor reliability and poor user use perception in the conventional unified authentication mode. The method comprises the following steps: when the terminal is determined to have no authentication token of the service to be authenticated, broadcasting and sending a chairman party detection request message to other terminals which belong to the same local area network as the terminal, wherein the chairman party detection request message comprises a target platform identification of an authentication platform to which the service to be authenticated belongs; if the terminal receives the detection response message aiming at the detection request message of the chairman party and sent by the chairman party terminal within the set time, the service authentication of the service to be authenticated is completed according to the target authentication token carried in the detection response message and corresponding to the target platform identification.
Description
Technical Field
The embodiment of the invention relates to the technical field of communication, in particular to a service authentication method and a service authentication device.
Background
With the development and popularization of internet broadband, broadband-based services in a home are more and more abundant, and more service terminals are needed. Each service terminal needs authentication, and the service can be used only after passing the authentication, so the authentication of the service terminal is an important link in service development. And as the service grows, the workload of authentication is more and more. The technical schemes of the current authentication are divided into two categories:
the first type: and each service terminal is independently authenticated. Each set of service is self-organized, a self authentication platform is established, a self message interaction flow is defined, each service terminal is mutually independent and interacts with the self service platform to complete authentication and authentication. But each service terminal has the following disadvantages:
1. and (5) repeating construction. Each service needs to independently build an own authentication platform, the functions, the flow and the development process of the authentication platforms are similar, the repeated construction brings the increase of investment, the complexity of maintenance work and the increase of terminal development workload.
2. The authentication time is long. Each service terminal is authenticated independently, a complete flow needs to be taken, interactive messages are more, authentication time is long, and possible fault points are more.
The second type: and (5) uniformly authenticating the service terminals.
Patent application No. 201110443764.4, a method and system for implementing multi-terminal unified authentication, proposes a way for implementing unified authentication, in which two network elements, namely a home gateway and a unified authentication platform, are added. The home gateway contains a customized unified authentication module, interacts with the unified authentication platform, and acquires and stores all service capabilities supported by the user. Each service terminal does not need to independently initiate service authentication, and can acquire the service capability of the user only by interacting with the home gateway message, so that the authentication of the service terminal can be completed.
The second type of authentication method can reduce authentication time and avoid repeated construction through unified authentication, but has the following disadvantages:
1. the reliability is low. The home gateway undertakes the core work of unified authentication, and once the home gateway breaks down, all service terminals cannot authenticate.
2. The investment cost is large. When all the service terminals are issued, home gateways with a unified authentication function must be equipped, the routers purchased by users need to be replaced by the original home gateways, the investment cost is high, and the use threshold is high.
3. It is inconvenient to use. The time for the first authentication is limited by the home gateway products with lower performance (with dominant frequency of about 500 MHz). With the development of the technology, the performance of the service terminal processor (with the dominant frequency of more than 1 GHz) is more and more powerful, and the performance of the home gateway processor is relatively weak. When a user uses a service, the home gateway and the service terminal are powered on at the same time, the service terminal is often started and ready, the home gateway is not started yet, and in addition, the message interaction of the unified authentication of the home gateway, the waiting time of the first service terminal is greatly prolonged, so that the use perception of the user is influenced.
4. The compatibility is poor. For the online service platform which is not built according to the uniform authentication mode, the scheme can not be compatible.
In summary, the unified authentication of the service terminals in the home in the prior art has the technical problems of high cost and poor reliability.
Disclosure of Invention
The embodiment of the invention provides a service authentication method and a service authentication device, which are used for solving the technical problems of high cost and poor reliability of the unified authentication mode of the conventional home service terminal.
The embodiment of the invention provides a service authentication method, which comprises the following steps:
when the terminal is determined to have no authentication token of the service to be authenticated, broadcasting and sending a chairman party detection request message to other terminals which belong to the same local area network as the terminal, wherein the chairman party detection request message comprises a target platform identification of an authentication platform to which the service to be authenticated belongs;
and if a detection response message aiming at the detection request message of the chairman party, which is sent by a chairman party terminal, is received within a set time, and the detection response message carries a target authentication token corresponding to the target platform identifier, finishing the service authentication of the service to be authenticated according to the target authentication token.
An embodiment of the present invention provides a service authentication apparatus, including:
a sending unit, configured to broadcast a chairman party detection request message to other terminals belonging to the same local area network as a terminal when it is determined that an authentication token of a service to be authenticated does not exist in the terminal, where the chairman party detection request message includes a target platform identifier of an authentication platform to which the service to be authenticated belongs;
and the first processing unit is used for completing the service authentication of the service to be authenticated according to the target authentication token if a detection response message aiming at the chairman party detection request message sent by a chairman party terminal is received within a set time, and the detection response message carries the target authentication token corresponding to the target platform identifier.
In the above embodiment, when the terminal authenticates a service to be authenticated and determines that there is no authentication token of the service to be authenticated in the terminal, it determines whether there is a chairman party terminal capable of performing proxy authentication for the service to be authenticated in the home lan by broadcasting a chairman party probe request message to other terminals belonging to the same lan as the terminal, and if a probe response message to the chairman party probe request message sent by the chairman party terminal is received within a set time, service authentication of the service to be authenticated is completed according to a target authentication token corresponding to a target platform identifier in the probe response message, service authentication of the service to be authenticated is completed through the target authentication token corresponding to the target platform identifier on any terminal in the lan, and compared with the prior art that a home gateway or the same authentication platform is relied on to complete the service to be authenticated, the authentication status of the service terminal in the home lan is equal, each terminal can be used as a proxy authentication party, and the method has the characteristics of high efficiency, low cost and good reliability, and further solves the technical problems in the prior art.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without inventive exercise.
Fig. 1 is a flowchart of a service authentication method according to an embodiment of the present invention;
fig. 2 is a structural diagram of a service authentication system according to an embodiment of the present invention;
fig. 3 is a flowchart of a method for initializing a service terminal to readiness according to an embodiment of the present invention;
fig. 4 is a flowchart of a method for determining a chairman terminal according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of a service authentication apparatus according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention will be described in further detail with reference to the accompanying drawings, and it is apparent that the described embodiments are only a part of the embodiments of the present invention, not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The technical problems of high cost and poor reliability of the existing unified authentication mode of the home service terminal are solved. The embodiment of the invention provides a service authentication method and a device, wherein unified authentication software is loaded in a terminal, and authentication tokens passing authentication are shared in a local area network to which the terminal belongs, so that the authentication status of service terminals in a home local area network is equal, each terminal can be used as a proxy authentication party, and when other terminals in the local area network perform service authentication with a service platform, the service authentication is directly completed according to the shared authentication tokens.
Compared with the traditional scheme, the unified authentication of the embodiment of the invention is not borne by an authentication module of a single network element (home gateway) any more, but is dispersed to all service terminals, and all the service terminals can serve as proxy authentication roles, so that the reliability of the service authentication does not depend on the home gateway any more. According to the embodiment of the invention, a home gateway network element does not need to be customized, unified authentication and proxy authentication can be finished in a local area network formed by wireless routers purchased by a user, the authentication status of service terminals in the home local area network is equal, and each terminal can serve as a proxy authentication party, so that the service authentication system of the embodiment of the invention has strong adaptability. In the embodiment of the invention, the authentication can be completed after the service terminal is started, and the terminal can also perform proxy authentication through the terminal serving as a unified authentication chairman party, so that the authentication time for the first authentication of a certain service authentication platform is not limited by a home gateway product with lower performance.
As shown in fig. 1, a method for service authentication provided in an embodiment of the present invention includes:
The probe response message received in the above method flow step 102 further carries a terminal identifier of the chairman terminal, and after receiving the probe response message for the probe request message, the method further includes: and recording the target platform identification, the target authentication token corresponding to the target platform identification and the terminal identification of the chairman side terminal in a token record file of the terminal.
In the above method flow, the authentication platform to which the service to be authenticated belongs is an independent service authentication platform or a unified service authentication platform, the independent service authentication platform is an authentication platform for one service, and the unified service authentication platform is an authentication platform for a plurality of services, and the plurality of services have the same authentication mode. The embodiment of the invention is suitable for the created unified authentication service platform and the service platform which is not subjected to unified authentication reconstruction, and has better compatibility.
In the above method process, when the terminal authenticates the service to be authenticated and determines that there is no authentication token of the service to be authenticated in the terminal, it determines whether there is a chairman terminal capable of performing proxy authentication for the service to be authenticated in the home lan by broadcasting a chairman probe request message to other terminals belonging to the same lan as the terminal, and if a probe response message aiming at the chairman probe request message sent by the chairman terminal is received within a set time, service authentication of the service to be authenticated is completed according to a target authentication token corresponding to a target platform identifier in the probe response message, and service authentication of the service to be authenticated is completed through the target authentication token corresponding to the target platform identifier on any terminal in the lan, compared with the prior art which completes the service to be authenticated by depending on a home gateway or an authentication platform in a unified manner, the authentication status of the service terminals in the home local area network is equal, each terminal can serve as a proxy authentication party, and the method has the characteristics of high efficiency, low cost and good reliability, and further solves the technical problems in the prior art.
Aiming at the method flow, whether the authentication token of the service to be authenticated exists in the terminal is determined in the following mode: and determining whether a target platform identifier of an authentication platform to which the service to be authenticated belongs exists in a token record file of the terminal, if not, determining that the authentication token of the service to be authenticated does not exist in the terminal, and if so, determining that the target platform identifier of the authentication platform to which the service to be authenticated belongs exists in the token record file of the terminal.
Before step 101, if it is determined that a target platform identifier of an authentication platform to which a service to be authenticated belongs exists in a token record file of the terminal, a target authentication token corresponding to the target platform identifier in the token record file is used to complete service authentication of the service to be authenticated.
After step 102, if the probe response message aiming at the probe request message is not received within the set time, a service authentication request is sent to the authentication platform to which the service to be authenticated belongs, so that the authentication platform completes the service authentication of the service to be authenticated. After a service authentication request is sent, if an authentication success message sent by an authentication platform after the service authentication of the service to be authenticated is passed is received within a set time, the authentication success message carries a target authentication token corresponding to a target platform identifier; and storing the target platform identification and the corresponding relation between the target platform identification and the target authentication token in a token record file of the terminal, and setting the terminal as a chairman party of the authentication platform corresponding to the target platform identification in the token record file.
For example, when receiving a token request message of a service module on the terminal, first checking whether a token set has the service platform (cluster) token, and if so, directly transmitting the token to the service module. If the token does not exist, firstly, sending a chairman token detection message in a broadcasting mode, searching whether other terminals in the local area network already exist the token, setting a waiting timer T2, setting a flag1 to be 1, if T2 is overtime, indicating that other terminals do not exist the token, and needing a unified authentication module to replace a service terminal to initiate authentication to a service platform. If the chairman token probe response message is received before the T2 times out and the received chairman token probe response message includes the token, the token is used to reply, the flag1 is set to 0, and the timer T2 is stopped. Wherein, the flag1 flag is 1, which indicates that the token does not exist in the token set of the terminal, that is, the service module has requested the token and has not responded; flag1 is set to 0, indicating that token exists in the token set of the terminal. After the token request is successfully authenticated, adding the record into the token set, marking the chairman identifier of the terminal as true, replying the token to the service module, setting a flag1 to be 0, and then broadcasting a token detection response message in the local area network to inform other terminals of the token information.
The above method flow further comprises: and if the target authentication token corresponding to the target platform identification in the token record file is used for service authentication of the service to be authenticated and the notification message of authentication failure is received, sending a service authentication request to the authentication platform to which the service to be authenticated belongs so that the authentication platform completes the service authentication of the service to be authenticated.
For example, when a service module initiates authentication using a token but fails authentication, a token invalidation message is sent to the unified authentication module. After receiving the message, the unified authentication module initiates an authentication request token, updates the token set after the request is successful, and informs other terminals in the local area network.
After a service authentication request is sent, if an authentication success message sent by an authentication platform after the service authentication of the service to be authenticated is passed is received within a set time, the authentication success message carries a target authentication token corresponding to a target platform identifier; and storing the target platform identification and the corresponding relation between the target platform identification and the target authentication token in a token record file of the terminal, and setting the terminal as a chairman party of the authentication platform corresponding to the target platform identification in the token record file.
In order to make other terminals obtain the token record on the terminal, the method further comprises the following steps:
the method comprises the steps that the terminal receives a first chairman party detection request message sent by a first terminal which belongs to the same local area network as the terminal, wherein the first chairman party detection request message is sent when the first terminal is initialized; searching whether a token record file with the terminal as a chairman side exists in the terminal; if the terminal exists, broadcasting a first detection response message in a local area network to which the terminal belongs, wherein the first detection response message comprises a first platform identifier taking the terminal as a chairman party, an authentication token corresponding to the first platform identifier and a terminal identifier of the terminal.
For example, after the first terminal is powered on, the unified authentication module set inside the first terminal enters an initial state, and the token set is initialized to null. The unified authentication module firstly broadcasts a chaker party token detection message in the local area network to which the unified authentication module belongs, searches whether the chaker party token exists at present or not, and sets a waiting overtime timer T1. After receiving a chairman token detection message, the terminal searches whether a token record file with the terminal as a chairman exists in the terminal, if the chairman identifier of the terminal is a true token record, the chairman token detection response message is broadcast and sent in a local area network, so that when the first terminal receives the chairman token response message before the timeout of a timer, the chairman token information carried by the message, the terminal ID of the terminal and the platform identifier of a platform (or a platform cluster) to which the terminal belongs are analyzed, a token record is formed and filled in a token set of the first terminal, and meanwhile, the chairman identifier of the first terminal is marked as false.
In order to enable the terminal to update the token set in the terminal, the method further includes:
the terminal receives the detection response message sent by any other terminal (taking the terminal C as an example) which belongs to the same local area network with the terminal; the detection response message comprises a token record corresponding to a platform identifier taking the terminal C as a chairman party, wherein the token record comprises an authentication token corresponding to the platform identifier, the terminal identifier of the terminal C and a timestamp of the token record; judging whether a token record corresponding to the platform identification exists in the terminal; if the token record exists, judging whether the time stamp of the token record of the terminal is earlier than that of the token record of the terminal C, if so, updating the token record corresponding to the platform identification in the terminal according to the token record corresponding to the platform identification in the detection response message; if the platform identification does not exist, the platform identification, the authentication token corresponding to the platform identification and the terminal identification of the terminal C are recorded in a token record file of the terminal according to the information in the detection response message, and the terminal is set in the token record file to be not a chairman party of the authentication platform corresponding to the platform identification.
The above method flow is an information interaction flow when the terminal is in a ready state. The terminal is internally provided with a unified authentication software module and an authentication token set, when the terminal is in a ready state, the authentication token set is empty, or the authentication token set comprises a token record file, and the token record file records information such as a platform identifier of a unified authentication platform to which a service platform identifier or a service platform cluster belongs, an authentication token corresponding to the platform identifier, a chairman party identifier of the token information of the terminal, and a terminal ID of a chairman party terminal to which the chairman party token belongs. The chairman side mark of the token information of the terminal is a token record of true, which indicates that the terminal is the chairman side terminal of the token information, and the chairman side mark of the token information of the terminal is a token record of false, which indicates that the terminal is a non-chairman side terminal of the token information. The token record of the terminal as the chairman party can realize proxy authentication for other services on the terminal and services on other terminals in the home local area network, and the token record of the terminal as the non-chairman party can only be used for service authentication of services to be authenticated on the terminal.
In the above method process, when the terminal authenticates the service to be authenticated and determines that there is no authentication token of the service to be authenticated in the terminal, it determines whether there is a chairman terminal capable of performing proxy authentication for the service to be authenticated in the home lan by broadcasting a chairman probe request message to other terminals belonging to the same lan as the terminal, and if a probe response message aiming at the chairman probe request message sent by the chairman terminal is received within a set time, service authentication of the service to be authenticated is completed according to a target authentication token corresponding to a target platform identifier in the probe response message, and service authentication of the service to be authenticated is completed through the target authentication token corresponding to the target platform identifier on any terminal in the lan, compared with the prior art which completes the service to be authenticated by depending on a home gateway or the same authentication platform, the method has the characteristics of high efficiency, low cost and good reliability, and further solves the technical problems in the prior art.
The following describes an authentication system architecture adapted to the above method flow.
An embodiment of the present invention provides a service authentication system architecture of a home lan, as shown in fig. 2, including: one or more service terminals (such as terminal 1, terminal 2, … and terminal n in fig. 2) are hung on a home local area network formed by a wireless router in a wired or wireless mode, and the wireless router establishes connection between the home local area network and an operator network. Compared with the existing authentication system, the service authentication system of the embodiment of the invention removes the unified authentication module of the home gateway, the home gateway does not need to perform unified authentication any more, the position of the home gateway can be replaced by the wireless router, and the home gateway can be maintained and only is required to realize the routing function.
The operator network side comprises service platforms corresponding to each service, wherein the service platforms are divided into service platforms (C1, C2, … Cn) with independent authentication and service platform clusters with unified authentication. The unified certification platform cluster is classified according to unified certification platforms (P1, P2, … Pn), and the certification modes of all service platforms in one unified certification platform cluster are the same. As shown, unified authentication platform P1 provides unified authentication for service platforms (C11, C12, … C1n) in the unified authentication platform cluster, and unified authentication platform P2 provides unified authentication for service platforms (C21, C22, … C2n) in the unified authentication platform cluster. The service authentication between each service platform and the service terminal which belong to the same unified authentication platform cluster is carried out by the unified authentication platform established for the unified authentication platform cluster, and the service platform of independent authentication independently completes the service authentication with the service terminal.
Each service terminal is internally provided with a unified authentication software module, an authentication token set and a service module. The services accepted by the service module include services (C11, C12, … C1n) which need to be authenticated independently, services (C11, C12, … C1n), (C21, C22, … C2n) which can be authenticated uniformly, and the like. The unified authentication software module can realize proxy authentication for other services on the terminal or services on other service terminals in the local area network. The Token set is used for storing Token information of each service platform, and the Token set is maintained by a unified authentication software module of the terminal.
The token set of the authentication token stores each platform identification and a token record corresponding to the platform identification, the platform identification is a platform identification of an independently authenticated service platform, or a platform identification of a unified authentication platform to which a unified authentication service platform cluster belongs, token information, a chairman side identification of the token information, a terminal ID of a chairman side terminal to which the token belongs, a token record timestamp and other information are recorded in the token record, wherein the token information includes information such as an authentication token and a token validity period, the chairman side identification of the token information is used for marking whether the token is a chairman side, the chairman side token on the terminal can provide unified authentication for other services with the same authentication mode on the terminal or other terminals in a home local area network, and the non-chairman side token on the terminal is only used for authentication of the service on the terminal.
In the service authentication system, the authentication platform to which the service to be authenticated belongs is an independent service authentication platform or a unified service authentication platform, the independent service authentication platform is an authentication platform for one service, and the unified service authentication platform is an authentication platform for a plurality of services, wherein the plurality of services have the same authentication mode. The embodiment of the invention is suitable for the created unified authentication service platform and the service platform which is not subjected to unified authentication reconstruction, and has better compatibility.
The states of the service terminals in the home lan are divided into an initial state and a ready state. The initial state is the state after the service terminal is powered on, the initial state token set is empty, the ready state is the state after the service terminal tries to acquire or establish the token set, the ready state is a stable state, and the token set in the ready state can provide authentication for the service on the terminal or provide proxy authentication for the service on other terminals in the local area network.
Based on the service authentication system, an embodiment of the present invention provides an information interaction process for a terminal to transition from an initialization state to a ready state, as shown in fig. 3, specifically including:
the detection response message comprises a platform identification and a token record corresponding to the platform identification, wherein the token record comprises an authentication token corresponding to the platform identification, a terminal identification of any terminal sending the detection response message, a timestamp of the token record and a chairman identification of the chairman party of the authentication platform corresponding to the platform identification, which is taken as the terminal.
For example, after the service terminal is powered on, the unified authentication module enters an initial state, and the token set is initialized to be null. The unified authentication module firstly broadcasts a chaker party token detection message in the local area network to which the unified authentication module belongs, searches whether the chaker party token exists at present or not, and sets a waiting overtime timer T1. If any chairman token response message is received within the specified time, the chairman token, the terminal ID and the affiliated platform (cluster) carried by the message are analyzed to form a record filling token set, and meanwhile, the chairman identifier of the token record of the terminal is marked as false. The operation is the same as above when a plurality of token response messages are received. If no chairman token response message is received within the specified time, the chairman token does not exist at present, and the token set is kept to be null. When the predetermined time has elapsed (T1 times out), the token response message is stopped from being received and the device enters the ready state.
Based on the service authentication system, in order to ensure that only one chairman terminal of the authentication platform corresponding to the same platform identifier in the same local area network is provided, an embodiment of the present invention further provides a decision flow of the chairman terminal, which, as shown in fig. 4, specifically includes:
For example, when a probe response message or a probe request message is lost in a local area network and the state of a service terminal is abnormal, a plurality of token chairman parties in the same local area network may occur, and this abnormal situation is processed through the following process, and finally one token chairman party is reserved.
In a ready state of the terminal a, if there is a chairman token in the token set of the terminal a and the chairman identifier of the terminal a is marked as true, the terminal a will periodically broadcast a chairman token detection message for the chairman token in the local area network, and will not receive a chairman token response message in a normal condition. And once receiving the chairman token response message, proving that another chairman terminal aiming at the chairman token exists in the local area network, and if the chairman terminal is the terminal B.
Terminal a will make the following decisions: comparing whether the chairman token is originally acquired by the chairman party. If the terminal A originally acquires the chairman party token and sends the chairman party token originally acquired by the terminal A to the terminal B when the terminal B detects a request, judging that the terminal A is the chairman party terminal; if the terminal is not originally acquired, judging whether the recording time stamp of the chairman party token of the terminal B is earlier than that of the chairman party token of the terminal A or not, if so, considering that the token of the terminal B is aged, judging that the terminal A is a chairman terminal, and otherwise, judging that the terminal B is the chairman terminal of the chairman party token.
If the judgment terminal A is the chairman terminal, the judgment result is informed to the terminal B through a message for deactivating the chairman token request, so that the terminal B sets the chairman party identification mark of the token record in the token set to false, records the terminal identification of the chairman terminal A in the token, and updates the record timestamp of the token record.
The terminal, the first terminal and the second terminal in the embodiment of the invention are all any terminals in the same home local area network.
In the above embodiment, when the terminal authenticates a service to be authenticated and determines that there is no authentication token of the service to be authenticated in the terminal, it sends a chairman party detection request message by broadcasting to other terminals belonging to the same lan as the terminal, determines whether there is a chairman party terminal capable of performing proxy authentication for the service to be authenticated in the home lan, and if a detection response message to the chairman party detection request message sent by the chairman party terminal is received within a set time, completes service authentication of the service to be authenticated according to a target authentication token corresponding to a target platform identifier in the detection response message, completes service authentication of the service to be authenticated through the target authentication token corresponding to the target platform identifier on any terminal in the lan, and compared with the prior art which completes the service to be authenticated by depending on a home gateway or a unified authentication platform, the status of the service terminal in the home lan is equal, each terminal can be used as a proxy authentication party, and the method has the characteristics of high efficiency, low cost and good reliability, and further solves the technical problems in the prior art.
For the above method flow, embodiments of the present invention further provide a service authentication apparatus, and specific contents of these apparatuses may be implemented with reference to the above method, which is not described herein again.
As shown in fig. 5, an embodiment of the present invention provides a service authentication apparatus, including:
a sending unit 501, configured to send a chairman party detection request message to other terminals belonging to the same local area network as a terminal when it is determined that an authentication token of a service to be authenticated does not exist in the terminal, where the chairman party detection request message includes a target platform identifier of an authentication platform to which the service to be authenticated belongs;
the first processing unit 502 is configured to, if a probe response message, which is sent by a chairman terminal and is directed to a chairman probe request message, is received within a set time, where the probe response message carries a target authentication token corresponding to a target platform identifier, complete service authentication of a service to be authenticated according to the target authentication token.
Further, the sending unit 501 is further configured to:
and if the detection response message is not received within the set time, sending a service authentication request to an authentication platform to which the service to be authenticated belongs so that the authentication platform completes service authentication of the service to be authenticated.
Further, the device also comprises a receiving unit and a storage unit:
the receiving unit is used for receiving an authentication success message sent by the authentication platform after the service authentication of the service to be authenticated passes, wherein the authentication success message carries a target authentication token corresponding to the target platform identification;
and the storage unit is used for storing the target platform identification and the corresponding relation between the target platform identification and the target authentication token in a token record file of the terminal, and setting the terminal as a chairman party of the authentication platform corresponding to the target platform identification in the token record file.
Further, it is determined that there is no authentication token of the service to be authenticated in the terminal by the following method:
and determining whether a target platform identifier exists in a token record file of the terminal, and if not, determining that an authentication token of the service to be authenticated does not exist in the terminal.
Further, the probe response message also carries a terminal identifier of the chairman terminal, and the storage unit is further configured to:
and recording the target platform identification, the target authentication token corresponding to the target platform identification and the terminal identification of the chairman side terminal in a token record file of the terminal.
Further, the system also comprises a second receiving unit and a second processing unit;
a second receiving unit, configured to receive a first chairman probe request message sent by a first terminal belonging to the same local area network as the terminal, where the first chairman probe request message is sent when the first terminal is initialized;
the second processing unit is used for searching whether a token record file with the terminal as a chairman side exists in the terminal; if the terminal exists, broadcasting a first detection response message in a local area network to which the terminal belongs, wherein the first detection response message comprises a first platform identifier taking the terminal as a chairman party, an authentication token corresponding to the first platform identifier and a terminal identifier of the terminal.
Further, the system also comprises a third receiving unit and a third processing unit:
a third receiving unit configured to:
receiving a second detection response message sent by a second terminal which belongs to the same local area network as the local terminal, wherein the second detection response message is a detection response message of a chairman detection request message sent by any terminal; the second detection response message comprises a token record corresponding to a second platform identifier of which the second terminal serves as a chairman party, and the token record comprises an authentication token corresponding to the second platform identifier, a terminal identifier of the second terminal and a timestamp of the token record;
a third processing unit to:
judging whether a token record corresponding to the second platform identification exists in the terminal;
if the token record of the terminal is the same as the token record of the second terminal, determining whether the time stamp of the token record of the terminal is earlier than the time stamp of the token record of the second terminal, and if so, updating the token record corresponding to the second platform identifier in the terminal according to the token record corresponding to the second platform identifier in the second terminal;
if the authentication token does not exist, according to the information in the second detection response message, recording the second platform identification, the authentication token corresponding to the second platform identification and the terminal identification of the second terminal in a token record file of the terminal, and setting that the terminal is not the chairman party of the authentication platform corresponding to the second platform identification in the token record file.
Further, the third processing unit is further configured to:
if a token record corresponding to the second platform identifier exists in the terminal and the terminal is the chairman party of the authentication platform corresponding to the second platform identifier, judging whether the token record corresponding to the second platform identifier in the terminal is created after the terminal completes authentication with the authentication platform for the first time, and if so, judging that the terminal is the chairman party of the authentication platform corresponding to the second platform identifier;
if the time stamp of the token record of the terminal is not earlier than the time stamp of the token record of the second terminal, the terminal is judged to be the chairman side of the authentication platform corresponding to the second platform identification.
Further, the third processing unit is further configured to:
if the terminal is determined to be the chairman party corresponding to the second platform identification, sending a request message for deactivating the chairman party to the second terminal, wherein the request message comprises the chairman party of which the terminal is the authentication platform corresponding to the second platform identification and the terminal identification of the terminal, so that the terminal identification of the terminal is recorded in a token record corresponding to the second platform identification by the second terminal, and the chairman party of which the second terminal is not the authentication platform corresponding to the second platform identification is set in the token record;
if the terminal is determined not to be the chairman side of the authentication platform corresponding to the second platform identification, recording the terminal identification of the second terminal in the token record of the terminal, and setting the terminal not to be the chairman side of the authentication platform corresponding to the second platform identification.
Furthermore, the authentication platform to which the service to be authenticated belongs is an independent service authentication platform or a unified service authentication platform, the independent service authentication platform is an authentication platform for one service, and the unified service authentication platform is an authentication platform for a plurality of services, wherein the plurality of services have the same authentication mode.
In the above embodiment, when the terminal authenticates a service to be authenticated and determines that there is no authentication token of the service to be authenticated in the terminal, it determines whether there is a chairman party terminal capable of performing proxy authentication for the service to be authenticated in the home lan by broadcasting a chairman party probe request message to other terminals belonging to the same lan as the terminal, and if a probe response message to the chairman party probe request message sent by the chairman party terminal is received within a set time, service authentication of the service to be authenticated is completed according to a target authentication token corresponding to a target platform identifier in the probe response message, service authentication of the service to be authenticated is completed through the target authentication token corresponding to the target platform identifier on any terminal in the lan, and compared with the prior art that a home gateway or the same authentication platform is relied on to complete the service to be authenticated, the authentication status of the service terminal in the home lan is equal, each terminal can be used as a proxy authentication party, and the method has the characteristics of high efficiency, low cost and good reliability, and further solves the technical problems in the prior art.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all such alterations and modifications as fall within the scope of the invention.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.
Claims (20)
1. A method for service authentication, comprising:
when the terminal is determined to have no authentication token of the service to be authenticated, broadcasting and sending a chairman party detection request message to other terminals which belong to the same local area network as the terminal, wherein the chairman party detection request message comprises a target platform identification of an authentication platform to which the service to be authenticated belongs;
and if a detection response message aiming at the detection request message of the chairman party, which is sent by a chairman party terminal, is received within a set time, and the detection response message carries a target authentication token corresponding to the target platform identifier, finishing the service authentication of the service to be authenticated according to the target authentication token.
2. The method according to claim 1, wherein if the probe response message is not received within a set time, a service authentication request is sent to an authentication platform to which the service to be authenticated belongs, so that the authentication platform completes service authentication of the service to be authenticated.
3. The method of claim 2, further comprising:
receiving an authentication success message sent by the authentication platform after the service authentication of the service to be authenticated passes, wherein the authentication success message carries a target authentication token corresponding to the target platform identifier;
and storing the corresponding relation between the target platform identification and the target authentication token in a token record file of the terminal, and setting the terminal as a chairman party of the authentication platform corresponding to the target platform identification in the token record file.
4. The method of claim 3,
determining that the authentication token of the service to be authenticated does not exist in the terminal by the following method:
and determining whether the token record file of the terminal has the target platform identification, and if not, determining that the authentication token of the service to be authenticated does not exist in the terminal.
5. The method of claim 1,
the probe response message also carries a terminal identifier of the chairman terminal, and the method further comprises the following steps:
and recording the target platform identification, the target authentication token corresponding to the target platform identification and the terminal identification of the chairman side terminal in a token record file of the terminal.
6. The method of any of claims 1 to 5, further comprising:
receiving a first chairman party detection request message sent by a first terminal which belongs to the same local area network as the terminal, wherein the first chairman party detection request message is sent when the first terminal is initialized;
searching whether a token record file with the terminal as a chairman side exists in the terminal;
if the terminal exists, broadcasting a first detection response message in a local area network to which the terminal belongs, wherein the first detection response message comprises a first platform identifier taking the terminal as a chairman party, an authentication token corresponding to the first platform identifier and a terminal identifier of the terminal.
7. The method of any of claims 1 to 5, further comprising:
receiving a second detection response message sent by a second terminal which belongs to the same local area network as the terminal, wherein the second detection response message is a detection response message of a chairman detection request message sent by any terminal; the second detection response message comprises a token record corresponding to a second platform identifier of which the second terminal serves as a chairman party, wherein the token record comprises the second platform identifier, an authentication token corresponding to the second platform identifier, a terminal identifier of the second terminal and a timestamp of the token record;
judging whether a token record corresponding to the second platform identification exists in the terminal;
if the token record exists and the terminal in the token record is the chairman side, judging whether the token record corresponding to the second platform identification in the terminal is created after the terminal completes authentication with the authentication platform for the first time; if yes, the terminal is judged to be a chairman side of the authentication platform corresponding to the second platform identification; if not, determining whether the timestamp of the token record of the terminal is earlier than the timestamp of the token record of the second terminal, and if so, updating the token record corresponding to the second platform identifier in the terminal according to the token record corresponding to the second platform identifier in the second terminal;
if the second platform identification does not exist, recording the second platform identification, the authentication token corresponding to the second platform identification and the terminal identification of the second terminal in a token record file of the terminal according to the information in the second detection response message, and setting that the terminal is not a chairman party of the authentication platform corresponding to the second platform identification in the token record file.
8. The method of claim 7, further comprising:
and if the token record corresponding to the second platform identifier in the terminal is not created after the terminal completes authentication for the first time and the timestamp of the token record of the terminal is not earlier than the timestamp of the token record of the second terminal, determining that the second terminal is a chairman party of the authentication platform corresponding to the second platform identifier.
9. The method of claim 8, further comprising:
if the terminal is determined to be the chairman party corresponding to the second platform identifier, sending a request message for deactivating the chairman party to the second terminal, wherein the request message comprises the chairman party of the terminal, which is the authentication platform corresponding to the second platform identifier, and the terminal identifier of the terminal, so that the terminal identifier of the terminal is recorded in a token record corresponding to the second platform identifier by the second terminal, and the chairman party of the authentication platform corresponding to the second platform identifier, which is not set in the token record;
if the terminal is determined not to be the chairman side of the authentication platform corresponding to the second platform identification, recording the terminal identification of the second terminal in the token record of the terminal, and setting the terminal not to be the chairman side of the authentication platform corresponding to the second platform identification.
10. The method of any one of claims 1 to 5,
the authentication platform to which the service to be authenticated belongs is an independent service authentication platform or a unified service authentication platform, the independent service authentication platform is an authentication platform for one service, and the unified service authentication platform is an authentication platform for a plurality of services, wherein the plurality of services have the same authentication mode.
11. A service authentication apparatus, comprising:
a sending unit, configured to broadcast a chairman party detection request message to other terminals belonging to the same local area network as a terminal when it is determined that an authentication token of a service to be authenticated does not exist in the terminal, where the chairman party detection request message includes a target platform identifier of an authentication platform to which the service to be authenticated belongs;
and the first processing unit is used for completing the service authentication of the service to be authenticated according to the target authentication token if a detection response message aiming at the chairman party detection request message sent by a chairman party terminal is received within a set time, and the detection response message carries the target authentication token corresponding to the target platform identifier.
12. The apparatus of claim 11, wherein the sending unit is further configured to:
and if the detection response message is not received within the set time, sending a service authentication request to an authentication platform to which the service to be authenticated belongs so that the authentication platform completes service authentication of the service to be authenticated.
13. The apparatus of claim 12, further comprising a receiving unit and a storage unit:
the receiving unit is configured to receive an authentication success message sent by the authentication platform after the service authentication of the service to be authenticated passes, where the authentication success message carries a target authentication token corresponding to the target platform identifier;
and the storage unit is used for storing the corresponding relation between the target platform identification and the target authentication token in a token record file of the terminal, and setting the terminal as a chairman party of the authentication platform corresponding to the target platform identification in the token record file.
14. The apparatus of claim 13,
determining that the authentication token of the service to be authenticated does not exist in the terminal by the following method:
and determining whether the token record file of the terminal has the target platform identification, and if not, determining that the authentication token of the service to be authenticated does not exist in the terminal.
15. The apparatus of claim 13, wherein the probe response message further carries a terminal identifier of the chairman terminal, and the storage unit is further configured to:
and recording the target platform identification, the target authentication token corresponding to the target platform identification and the terminal identification of the chairman side terminal in a token record file of the terminal.
16. The apparatus according to any of the claims 11 to 15, further comprising a second receiving unit and a second processing unit;
the second receiving unit is configured to receive a first chairman probe request message sent by a first terminal that belongs to the same local area network as the local terminal, where the first chairman probe request message is sent when the first terminal is initialized;
the second processing unit is used for searching whether a token record file with the terminal as a chairman party exists in the terminal; if the terminal exists, broadcasting a first detection response message in a local area network to which the terminal belongs, wherein the first detection response message comprises a first platform identifier taking the terminal as a chairman party, an authentication token corresponding to the first platform identifier and a terminal identifier of the terminal.
17. The apparatus of any of claims 11 to 15, further comprising a third receiving unit and a third processing unit:
the third receiving unit is configured to receive a second probe response message sent by a second terminal that belongs to the same local area network as the terminal, where the second probe response message is a probe response message of a chairman probe request message sent by any terminal; the second detection response message comprises a token record corresponding to a second platform identifier of which the second terminal serves as a chairman party, wherein the token record comprises the second platform identifier, an authentication token corresponding to the second platform identifier, a terminal identifier of the second terminal and a timestamp of the token record;
the third processing unit is configured to determine whether a token record corresponding to the second platform identifier exists in the terminal;
if the token record exists and the terminal in the token record is the chairman side, judging whether the token record corresponding to the second platform identification in the terminal is created after the terminal completes authentication with the authentication platform for the first time; if yes, the terminal is judged to be a chairman side of the authentication platform corresponding to the second platform identification; if not, determining whether the timestamp of the token record of the terminal is earlier than the timestamp of the token record of the second terminal, if so, updating the token record corresponding to the second platform identifier in the terminal according to the token record corresponding to the second platform identifier in the second terminal;
if the second platform identification does not exist, recording the second platform identification, the authentication token corresponding to the second platform identification and the terminal identification of the second terminal in a token record file of the terminal according to the information in the second detection response message, and setting that the terminal is not a chairman party of the authentication platform corresponding to the second platform identification in the token record file.
18. The apparatus as recited in claim 17, said third processing unit to further:
and if the token record corresponding to the second platform identifier in the terminal is not created after the terminal completes authentication for the first time and the timestamp of the token record of the terminal is not earlier than the timestamp of the token record of the second terminal, determining that the second terminal is a chairman party of the authentication platform corresponding to the second platform identifier.
19. The apparatus as recited in claim 18, said third processing unit to further:
if the terminal is determined to be the chairman party corresponding to the second platform identifier, sending a request message for deactivating the chairman party to the second terminal, wherein the request message comprises the chairman party of the terminal, which is the authentication platform corresponding to the second platform identifier, and the terminal identifier of the terminal, so that the terminal identifier of the terminal is recorded in a token record corresponding to the second platform identifier by the second terminal, and the chairman party of the authentication platform corresponding to the second platform identifier, which is not set in the token record;
if the terminal is determined not to be the chairman side of the authentication platform corresponding to the second platform identification, recording the terminal identification of the second terminal in the token record of the terminal, and setting the terminal not to be the chairman side of the authentication platform corresponding to the second platform identification.
20. The apparatus according to any one of claims 11 to 15,
the authentication platform to which the service to be authenticated belongs is an independent service authentication platform or a unified service authentication platform, the independent service authentication platform is an authentication platform for one service, and the unified service authentication platform is an authentication platform for a plurality of services, wherein the plurality of services have the same authentication mode.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201511029587.XA CN106936798B (en) | 2015-12-31 | 2015-12-31 | Service authentication method and device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201511029587.XA CN106936798B (en) | 2015-12-31 | 2015-12-31 | Service authentication method and device |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN106936798A CN106936798A (en) | 2017-07-07 |
| CN106936798B true CN106936798B (en) | 2020-06-12 |
Family
ID=59443639
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201511029587.XA Active CN106936798B (en) | 2015-12-31 | 2015-12-31 | Service authentication method and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN106936798B (en) |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN116436905B (en) * | 2023-04-19 | 2023-11-28 | 广州市迪士普音响科技有限公司 | Network broadcast communication method and device, storage medium and computer equipment |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101110762A (en) * | 2007-08-22 | 2008-01-23 | 华中科技大学 | Ad hoc network security path method |
| WO2013104143A1 (en) * | 2012-01-13 | 2013-07-18 | 中兴通讯股份有限公司 | Authentication method and system oriented to heterogeneous network |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101621801B (en) * | 2009-08-11 | 2012-11-28 | 华为终端有限公司 | Method, system, server and terminal for authenticating wireless local area network |
-
2015
- 2015-12-31 CN CN201511029587.XA patent/CN106936798B/en active Active
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101110762A (en) * | 2007-08-22 | 2008-01-23 | 华中科技大学 | Ad hoc network security path method |
| WO2013104143A1 (en) * | 2012-01-13 | 2013-07-18 | 中兴通讯股份有限公司 | Authentication method and system oriented to heterogeneous network |
Also Published As
| Publication number | Publication date |
|---|---|
| CN106936798A (en) | 2017-07-07 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11096051B2 (en) | Connection establishment method, device, and system | |
| CN112822222B (en) | Login verification method, automatic login verification method, server and client | |
| US10171997B2 (en) | Method and apparatus for interconnection between terminal device and gateway device | |
| CN111629423A (en) | Network distribution method and terminal of household appliance, storage medium and household appliance | |
| CN103874069B (en) | A kind of wireless terminal MAC authentication devices and method | |
| CN103152331A (en) | Method and system for logging in/registering through mobile terminal and cloud server | |
| KR102005998B1 (en) | Method, apparatus, and system for joining nodes to a network | |
| CN110768988A (en) | Method and device for establishing SSL VPN tunnel | |
| CN105208030A (en) | Wireless network roaming method | |
| US20080049607A1 (en) | Method and apparatus for checking maintenance association integrity and method and apparatus for adding maintenance end point | |
| CN108966363B (en) | Connection establishing method and device | |
| CN112202877A (en) | Gateway linkage method, gateway, cloud server and user terminal | |
| CN111901208A (en) | Intelligent equipment control method and device, intelligent control panel and storage medium | |
| CN106936798B (en) | Service authentication method and device | |
| WO2024021791A1 (en) | Dual-cloud-card communication method, and electronic device and machine-readable storage medium | |
| CN113396600B (en) | Information verification method, device, equipment and storage medium | |
| CN111901298A (en) | Method and device for determining cloud short message platform during SSLVPN authentication and electronic equipment | |
| CN107995125B (en) | Traffic scheduling method and device | |
| CN112788738A (en) | Code number processing method and device for public and private network convergence system | |
| CN110572857A (en) | Network connection processing method and device | |
| CN111385324A (en) | Data communication method, device, equipment and storage medium | |
| CN113573384A (en) | Terminal, terminal network distribution method and device, and storage medium | |
| CN112532663A (en) | Gateway login method and device | |
| CN113676985A (en) | Terminal access control method, device, system, terminal and electronic equipment | |
| CN105490816A (en) | Method and device of multiple authentications on the basis of AllJoyn |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |