CN107332862A - Identity authentication method, front-end processor and identity authentication system - Google Patents

Publication number: CN107332862A
Authority: CN (China)
Prior art keywords: user information, current, end processor, server terminal, user
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201710700835.1A
Other languages: Chinese (zh)
Inventors: 田宝文, 宗学宝
Current Assignee: Inspur Software Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Inspur Software Co Ltd
Application filed by Inspur Software Co Ltd
Priority to CN201710700835.1A
Publication of CN107332862A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN

Abstract

The invention provides an identity authentication method, a front-end processor and an identity authentication system. In the method, a front-end processor is set between a user terminal and a server terminal; the user terminal is connected to the front-end processor through a wide area network, and the front-end processor is connected to the server terminal through a local area network (LAN). The front-end processor performs the following: prestoring at least one piece of valid user information and the key corresponding to each piece of valid user information; receiving at least one service request sent by the user terminal; and, for each service request: A1, obtaining the current user information corresponding to the current service request; A2, comparing the current user information with the at least one piece of valid user information and, when target valid user information identical to the current user information exists, extracting the target key corresponding to the target valid user information; A3, sending the target key to the server terminal for identity authentication. With the technical scheme provided by the invention, a user does not need to send a key to the server terminal when performing identity authentication.

Description

An identity authentication method, front-end processor and identity authentication system
Technical field
The present invention relates to the field of network communication, and in particular to an identity authentication method, a front-end processor and an identity authentication system.
Background
With the development of network technology, identifying and authenticating users securely and reliably is what effectively protects users' personal interests.
Normally, a user sends a key to the server terminal, and the server terminal identifies the user according to the key and establishes a connection with the user.
However, when the user sends the key to the server terminal, an attacker can take the opportunity to steal the key and use it to log in to the server terminal, harming the user's personal interests.
Summary of the invention
The embodiments of the invention provide an identity authentication method, a front-end processor and an identity authentication system, so that a user does not need to send a key to the server terminal when performing identity authentication.
In a first aspect, the invention provides an identity authentication method. A front-end processor is set between the user terminal and the server terminal; the user terminal is connected to the front-end processor through a wide area network, and the front-end processor is connected to the server terminal through a local area network (LAN). The front-end processor performs:
Prestoring at least one piece of valid user information and the key corresponding to each piece of valid user information;
Receiving at least one service request sent by the user terminal;
For each service request, performing:
A1, obtaining the current user information corresponding to the current service request;
A2, comparing the current user information with the at least one piece of valid user information and, when target valid user information identical to the current user information exists, extracting the target key corresponding to the target valid user information;
A3, sending the target key to the server terminal for identity authentication.
Preferably, the valid user information includes: valid identity information, a valid application identifier and a valid network protocol address;
The current user information includes: current identity information, a current application identifier and a current network protocol address;
Comparing the current user information with the at least one piece of valid user information includes:
Detecting whether the valid identity information is identical to the current identity information, and returning a first detection result;
Detecting whether the valid application identifier is identical to the current application identifier, and returning a second detection result;
Detecting whether the valid network protocol address is identical to the current network protocol address, and returning a third detection result;
When the first detection result, the second detection result and the third detection result all indicate "identical", determining that the user information to be verified is identical to the valid user information.
Preferably, after A3, the method further comprises:
Receiving a first authentication result obtained by the server terminal authenticating the target key;
When the first authentication result is invalid, after determining that the server terminal has updated the target key, comparing whether the current user information is identical to the target valid user information;
When the current user information is identical to the target valid user information, extracting the updated target key and sending it to the server terminal;
Receiving a second authentication result obtained by the server terminal authenticating the updated target key;
When the second authentication result is invalid, determining that the current service request is invalid.
Preferably, after A3, the method further comprises:
Recording the current user information and the final authentication result of the current service request corresponding to the current user information;
When the number of times the final authentication result is invalid reaches a preset upper limit, determining that the current user information is illegal user information.
In a second aspect, the invention provides a front-end processor located between a user terminal and a server terminal. The user terminal is connected to the front-end processor through a wide area network, and the front-end processor is connected to the server terminal through a LAN.
The front-end processor includes: a storage module, a receiving module and a request processing module;
The storage module is configured to store at least one piece of valid user information and the key corresponding to each piece of valid user information;
The receiving module is configured to receive at least one service request sent by a user;
The request processing module is configured to perform, for each service request received by the receiving module:
A1, obtaining the current user information corresponding to the current service request;
A2, comparing the current user information with the at least one piece of valid user information and, when target valid user information identical to the current user information exists, extracting the target key corresponding to the target valid user information;
A3, sending the target key to the server terminal for identity authentication.
Preferably, the valid user information includes: valid identity information, a valid application identifier and a valid network protocol address;
The current user information includes: current identity information, a current application identifier and a current network protocol address;
The request processing module includes: a first detection unit, a second detection unit, a third detection unit and a judging unit;
The first detection unit is configured to detect whether the valid identity information is identical to the current identity information, and to return a first detection result;
The second detection unit is configured to detect whether the valid application identifier is identical to the current application identifier, and to return a second detection result;
The third detection unit is configured to detect whether the valid network protocol address is identical to the current network protocol address, and to return a third detection result;
The judging unit is configured to determine, when the first detection result, the second detection result and the third detection result all indicate "identical", that the user information to be verified is identical to the valid user information.
Preferably, the front-end processor further comprises: a result processing module;
The result processing module is configured to: receive a first authentication result obtained by the server terminal authenticating the target key; when the first authentication result is invalid, after determining that the server terminal has updated the target key, compare whether the current user information is identical to the target valid user information; when the current user information is identical to the target valid user information, extract the updated target key and send it to the server terminal; receive a second authentication result obtained by the server terminal authenticating the updated target key; and, when the second authentication result is invalid, determine that the current service request is invalid.
Preferably, the front-end processor further comprises: a recording module and a counting module;
The recording module is configured to record the current user information and the final authentication result of the current service request corresponding to the current user information;
The counting module is configured to determine, when the number of times the final authentication result is invalid reaches a preset upper limit, that the current user information is illegal user information.
In a third aspect, the invention provides an identity authentication system, including: a server terminal and at least one front-end processor according to any implementation of the second aspect;
The server terminal is configured to receive at least one target key sent by the at least one front-end processor.
Preferably, the server terminal is further configured to authenticate, for each target key, whether the user information corresponding to the current target key is valid, and to generate an authentication result; and, according to the preset identification information of the front-end processor, to send the authentication result to the corresponding front-end processor.
The embodiments of the invention provide an identity authentication method, a front-end processor and an identity authentication system. A front-end processor is set between the user terminal and the server terminal. The front-end processor is connected to the server terminal through a LAN; compared with a wide area network, a LAN effectively reduces the range over which the key is transmitted, which helps prevent the key from being stolen by hackers. The front-end processor is connected to the user terminal through a wide area network, which ensures that every user can reach the server terminal. To perform identity authentication, at least one piece of valid user information and the key corresponding to each piece of valid user information must be prestored in the front-end processor; this is the precondition for the front-end processor to send the key to the server terminal in place of the user. When at least one service request sent by the user terminal is received, the current user information corresponding to each service request is obtained; in this way the front-end processor takes the place of the user in sending the user name to the server terminal. The current user information is compared with the stored valid user information to determine whether it is valid user information; if it is, the current user information corresponding to the current service request is correct. Once the current user information has passed this check, the key corresponding to the matching valid user information is the target key for the current user information; the front-end processor extracts the target key and sends it to the server terminal in place of the user for identity authentication. The invention thus uses the front-end processor to bridge the user terminal and the server terminal, so that a user does not need to send a key to the server terminal when performing identity authentication.
Brief description of the drawings
To illustrate the technical schemes of the embodiments of the invention or of the prior art more clearly, the drawings needed in describing the embodiments or the prior art are briefly introduced below. The drawings described below show some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of an identity authentication method provided by one embodiment of the invention;
Fig. 2 is a flow chart of another identity authentication method provided by one embodiment of the invention;
Fig. 3 is a structural diagram of the connections of a front-end processor provided by one embodiment of the invention;
Fig. 4 is a structural diagram of a front-end processor provided by one embodiment of the invention;
Fig. 5 is a structural diagram of another front-end processor provided by one embodiment of the invention;
Fig. 6 is a structural diagram of another front-end processor provided by one embodiment of the invention;
Fig. 7 is a structural diagram of another front-end processor provided by one embodiment of the invention;
Fig. 8 is a structural diagram of an identity authentication system provided by one embodiment of the invention.
Detailed description of the embodiments
To make the purpose, technical schemes and advantages of the embodiments of the invention clearer, the technical schemes in the embodiments are described clearly and completely below with reference to the drawings. The described embodiments are some, not all, of the embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art on the basis of these embodiments without creative effort fall within the scope of protection of the invention.
As shown in Fig. 1, the embodiments of the invention provide an identity authentication method comprising the following steps:
Step 101, set a front-end processor between the user terminal and the server terminal; the user terminal is connected to the front-end processor through a wide area network, and the front-end processor is connected to the server terminal through a LAN.
Step 102, prestore at least one piece of valid user information and the key corresponding to each piece of valid user information.
Step 103, receive at least one service request sent by the user terminal.
Step 104, for each service request, perform: obtain the current user information corresponding to the current service request; compare the current user information with the at least one piece of valid user information and, when target valid user information identical to the current user information exists, extract the target key corresponding to the target valid user information; send the target key to the server terminal for identity authentication.
The embodiments of the invention provide an identity authentication method in which a front-end processor is set between the user terminal and the server terminal. The front-end processor is connected to the server terminal through a LAN; compared with a wide area network, a LAN effectively reduces the range over which the key is transmitted, which helps prevent the key from being stolen by hackers. The front-end processor is connected to the user terminal through a wide area network, which ensures that every user can reach the server terminal. To perform identity authentication, at least one piece of valid user information and the key corresponding to each piece of valid user information must be prestored in the front-end processor; this is the precondition for the front-end processor to send the key to the server terminal in place of the user. When at least one service request sent by the user terminal is received, the current user information corresponding to each service request is obtained; in this way the front-end processor takes the place of the user in sending the user name to the server terminal. The current user information is compared with the stored valid user information to determine whether it is valid user information; if it is, the current user information corresponding to the current service request is correct. Once the current user information has passed this check, the key corresponding to the matching valid user information is the target key for the current user information; the front-end processor extracts the target key and sends it to the server terminal in place of the user for identity authentication. The invention thus uses the front-end processor to bridge the user terminal and the server terminal, so that a user does not need to send a key to the server terminal when performing identity authentication.
To authenticate the current user information accurately, in one embodiment of the invention the valid user information includes: valid identity information, a valid application identifier and a valid network protocol address;
The current user information includes: current identity information, a current application identifier and a current network protocol address;
Comparing the current user information with the at least one piece of valid user information includes:
Detecting whether the valid identity information is identical to the current identity information, and returning a first detection result;
Detecting whether the valid application identifier is identical to the current application identifier, and returning a second detection result;
Detecting whether the valid network protocol address is identical to the current network protocol address, and returning a third detection result;
When the first detection result, the second detection result and the third detection result all indicate "identical", determining that the user information to be verified is identical to the valid user information.
User identity information is information that can be used to determine a user's identity, such as a mobile phone number or an identity card number; valid identity information is user identity information that has passed authentication. The network protocol address is the IP (Internet Protocol) address of the user terminal; a valid network protocol address is an IP address that lies within the preset network segment and has passed authentication. The application identifier denotes a specific application on the server terminal; a valid application identifier denotes an application that the valid user has been authorized to use. The user information is valid only when all three are valid. For example, suppose the valid identity information is A, the valid network protocol address is B and the valid application identifier is C. If the current identity information is not A and/or the current network protocol address is not B, someone not authorized by the server is attempting to access the server, so identity authentication fails. If the current application identifier is not C, the request is for a service beyond the authorized permissions, which may be due to a user error, expired permissions, or someone logging in to the server with stolen user information, so identity authentication also fails. Only when the current identity information is A, the current network protocol address is B and the current application identifier is C is the user authorized by the server to use the application corresponding to identifier C; that is, the current user information is valid user information.
Under normal circumstances, keys are time-limited: a key expires after a period of time. When a user's identity is authenticated, a key in the front-end processor that has not been updated in time causes the user's authentication to fail. To avoid this, in one embodiment of the invention, after A3, the method further comprises:
Receiving a first authentication result obtained by the server terminal authenticating the target key;
When the first authentication result is invalid, after determining that the server terminal has updated the target key, comparing whether the current user information is identical to the target valid user information;
When the current user information is identical to the target valid user information, extracting the updated target key and sending it to the server terminal;
Receiving a second authentication result obtained by the server terminal authenticating the updated target key;
When the second authentication result is invalid, determining that the current service request is invalid.
After the front-end processor sends the target key, the server terminal authenticates the target key and returns the first authentication result. If the first authentication result shows that the service request is invalid, the cause may be that the front-end processor has not updated the key in time; the server terminal can then update the target key in the front-end processor according to a timestamp, which keeps the target key current. The front-end processor then compares the user information with the valid information again, extracts the updated target key and sends it to the server terminal. If authentication still fails, the failure was not caused by key expiry, so the service request is deemed invalid.
For example, if the first authentication result of service request A is invalid, the server terminal can update the target key of service request A according to the timestamp. The front-end processor then checks again whether the user information of service request A is valid user information; if it is, the front-end processor sends the updated target key to the server terminal for a second authentication, and the server terminal returns the second authentication result. If the second authentication result is invalid, service request A is confirmed to be invalid; otherwise it is valid.
This method prevents an expired key in the front-end processor from stopping the server terminal from authenticating the user correctly.
To further protect the user's rights and interests, in one embodiment of the invention, after A3, the method further comprises:
Recording the current user information and the final authentication result of the current service request corresponding to the current user information;
When the number of times the final authentication result is invalid reaches a preset upper limit, determining that the current user information is illegal user information.
By recording the result of every request from every user, the number of invalid requests sent by each user can be determined. If the number has not reached the preset upper limit, the user may simply have made a mistake; if it reaches or exceeds the preset upper limit, the user may be deliberately trying various methods to break into the server, so the user is classified as an illegal user and no further service requests from that user are accepted.
In order to which the embodiment of the present invention is better described, as shown in Fig. 2 the embodiments of the invention provide another authentication Method, by taking authentication service request A as an example, comprises the following steps:
Step 201, front end processor is set between user terminal and server terminal.
In embodiments of the present invention, front end processor is connected by the way that wide area network and user terminal are logical, passes through LAN and server Terminal is connected.
Step 202, at least one validated user information and the corresponding key of each validated user information are prestored.
In embodiments of the present invention, front end processor is obtained by server terminal and had described in validated user information and each Imitate the corresponding key of user profile.Effective identity information, effective application identities and the active block agreement of validated user information Location corresponds to effective cell-phone number, effective application name and valid ip address respectively.
Step 203, service request A is received.
In embodiments of the present invention, a plurality of service request can be received simultaneously, due to the processing side of each service request Method and step are all identical, so only description receives the situation of a service request.
Step 204, the corresponding current user informations of service request A are obtained.
In embodiments of the present invention, identity information, application identities and network in the corresponding current user informations of service request A Protocol address corresponds to cell-phone number 130********, application name " map inquiry " and IP address 198.**.**.** respectively. For IP address, before acquisition, IP address can be filtered according to the default network segment, such as network segment scope Including 3000 IP address, then front end processor can only obtain at least one in this 3000 IP address.If the corresponding User IPs of A Address is not in this 3000 IP address, then the corresponding IP address of A will not be acquired.
Step 205, at least one effective information and current user information are compared, effective identity information is detected respectively and current Whether identity information, effective application identities and current application mark and active block protocol address and current network protocol address It is identical, and obtain the first testing result, the second testing result and the 3rd testing result.
In this embodiment of the present invention, whether the mobile phone number is identical to the valid mobile phone number is detected to obtain the first detection result; whether "map inquiry" is identical to the valid application name is detected to obtain the second detection result; and whether the IP address is identical to the valid network protocol address is detected to obtain the third detection result.
Step 206: judge whether the first detection result, the second detection result and the third detection result are all "identical"; if so, perform step 207; otherwise, perform step 218.
In this embodiment of the present invention, when there is a piece of valid user information B whose valid mobile phone number is 130********, whose valid application name is "map inquiry" and whose valid IP address is 198.**.**.**, that valid information is identical to the current user information corresponding to service request A.
Step 207: determine that target valid user information exists, and extract the target key corresponding to the target valid user information.
In this embodiment of the present invention, key C corresponding to valid user information B is extracted.
Step 208: send the target key to the server terminal.
In this embodiment of the present invention, key C is sent to the server terminal so that service request A can be authenticated.
Step 209: receive the first authentication result obtained by the server terminal authenticating the target key.
In this embodiment of the present invention, the server terminal's authentication result for key C is received.
Step 210: when the first authentication result is invalid and the server terminal has updated the target key, compare again whether the current user information is identical to the target valid user information; if so, perform step 211; otherwise, perform step 215.
Step 211: extract the updated target key and send it to the server terminal.
In this embodiment of the present invention, if the authentication result for key C is negative, the server terminal may update key C to key D according to a timestamp. The current user information is then compared again with valid user information B; if they are identical, key D is extracted and sent to the server terminal.
Step 212: receive the second authentication result obtained by the server terminal authenticating the updated target key.
In this embodiment of the present invention, the server terminal's authentication result for key D is received.
Step 213: judge whether the second authentication result is valid; if so, perform step 214; otherwise, perform step 215.
Step 214: determine that service request A is valid.
Step 215: determine that service request A is invalid.
Step 216: record the current user information and the final authentication result of service request A.
Step 217: when the number of times the final authentication result of service request A is invalid reaches the preset upper limit, determine that the current user information corresponding to service request A is illegal user information.
In this embodiment of the present invention, if the current user information corresponding to service request A is determined to be illegal user information, the front end processor can filter out the IP address corresponding to the current user information within the preset network segment, so that the front end processor no longer receives user requests sent by the current user.
Step 218: judge whether there is valid data that can still be compared; if so, perform step 205; otherwise, perform step 219.
In this embodiment of the present invention, there are two termination conditions for comparing the current user information with the valid user information: one is finding that valid user information identical to the current user information exists; the other is that all valid user information has been compared.
Step 219: determine that the current user is invalid, and terminate the current process.
As can be seen, the method provided by this embodiment of the present invention does not need to distribute the key to the user; the key is stored in the front end processor, which can therefore send the key to the server terminal in place of the user and complete the authentication.
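The flow of steps 205 to 219 can be followed end to end in the sketch below. It is an added example, not code from the patent: the class and method names, the sample values (marked as constructed), and the way the updated key reaches the front end processor (a push over the LAN, modelled by receive_key_update) are assumptions, since the page does not specify them.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class UserInfo:
    identity: str  # identity information, e.g. a mobile phone number
    app_id: str    # application identifier, e.g. "map inquiry"
    ip: str        # network protocol address


class ServerTerminal:
    """Simulated server terminal: accepts only keys it currently holds."""

    def __init__(self, keys):
        self.keys = set(keys)

    def rotate(self, old, new):
        self.keys.discard(old)
        self.keys.add(new)

    def authenticate(self, key):
        return key in self.keys


class FrontEndProcessor:
    def __init__(self, server, valid, max_invalid=3):
        self.server = server
        self.valid = dict(valid)   # stored valid user information -> key
        self.updated = {}          # keys the server has updated (assumed LAN push)
        self.max_invalid = max_invalid
        self.invalid = Counter()
        self.blocked_ips = set()
        self.log = []

    def receive_key_update(self, info, key):
        self.updated[info] = key

    def _find_target(self, cur):
        # Steps 205, 206, 218: three comparisons per stored record, all must match.
        for stored in self.valid:
            checks = (stored.identity == cur.identity,
                      stored.app_id == cur.app_id,
                      stored.ip == cur.ip)
            if all(checks):
                return stored
        return None  # every stored record compared, none identical

    def handle(self, cur):
        if cur.ip in self.blocked_ips:
            return "blocked"
        target = self._find_target(cur)
        if target is None:
            return "invalid-user"                           # step 219
        ok = self.server.authenticate(self.valid[target])   # steps 207-209
        if not ok and target in self.updated:               # step 210
            if self._find_target(cur) == target:            # compare again
                self.valid[target] = self.updated.pop(target)
                ok = self.server.authenticate(self.valid[target])  # 211-213
        # Assumption: an invalid first result with no updated key is final.
        return self._record(cur, ok)

    def _record(self, cur, ok):
        self.log.append((cur, ok))                          # step 216
        if not ok:
            self.invalid[cur] += 1
            if self.invalid[cur] >= self.max_invalid:       # step 217
                self.blocked_ips.add(cur.ip)
        return "valid" if ok else "invalid"


def demo():
    # Constructed sample data; the user never holds or sends a key.
    b = UserInfo("13000000000", "map inquiry", "198.51.100.7")
    server = ServerTerminal({"key-C"})
    fep = FrontEndProcessor(server, {b: "key-C"})
    results = [fep.handle(b)]                    # key C accepted
    server.rotate("key-C", "key-D")
    fep.receive_key_update(b, "key-D")
    results.append(fep.handle(b))                # C rejected, D accepted
    results.append(fep.handle(UserInfo(b.identity, b.app_id, "203.0.113.9")))
    server.rotate("key-D", "key-E")              # no update pushed this time
    results += [fep.handle(b) for _ in range(4)]
    return results, fep


if __name__ == "__main__":
    print(demo()[0])
```

In this flow the three request attributes are the only thing gating use of the stored key, so a deployment has to ensure they cannot be asserted freely by the client.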
As shown in Figure 3, an embodiment of the present invention provides a front end processor located between a user terminal and a server terminal; the user terminal is connected to the front end processor through a wide area network, and the front end processor is connected to the server terminal through a local area network.
As shown in Figure 4, an embodiment of the present invention provides a front end processor comprising: a storage module 401, a receiving module 402 and a request processing module 403;
The storage module 401 is configured to store at least one piece of valid user information and the key corresponding to each piece of valid user information;
The receiving module 402 is configured to receive at least one service request sent by a user;
The request processing module 403 is configured to perform, for each service request received by the receiving module 402:
A1, obtain the current user information corresponding to the current service request;
A2, compare the current user information with the at least one piece of valid user information, and when target valid user information identical to the current user information exists, extract the target key corresponding to the target valid user information;
A3, send the target key to the server terminal to carry out identity authentication.
As shown in Figure 5, an embodiment of the present invention provides another front end processor, in which the request processing module 403 comprises: a first detection unit 4031, a second detection unit 4032, a third detection unit 4033 and a judging unit 4034;
The valid user information includes: valid identity information, a valid application identifier and a valid network protocol address;
The current user information includes: current identity information, a current application identifier and a current network protocol address;
The first detection unit 4031 is configured to detect whether the valid identity information is identical to the current identity information, and to return the first detection result;
The second detection unit 4032 is configured to detect whether the valid application identifier is identical to the current application identifier, and to return the second detection result;
The third detection unit 4033 is configured to detect whether the valid network protocol address is identical to the current network protocol address, and to return the third detection result;
The judging unit 4034 is configured to determine, when the first detection result, the second detection result and the third detection result are all "identical", that the user information to be verified is identical to the valid user information.
As shown in Figure 6, an embodiment of the present invention provides another front end processor, further comprising: a result processing module 601;
The result processing module 601 is configured to receive the first authentication result obtained by the server terminal authenticating the target key; when the first authentication result is invalid, and after determining that the server terminal has updated the target key, compare whether the current user information is identical to the target valid user information; when the current user information is identical to the target valid user information, extract the updated target key and send it to the server terminal; receive the second authentication result obtained by the server terminal authenticating the updated target key; and when the second authentication result is invalid, determine that the current service request is invalid.
As shown in Figure 7, an embodiment of the present invention provides another front end processor, further comprising: a recording module 701 and a counting module 702;
The recording module 701 is configured to record the current user information and the final authentication result of the current service request corresponding to the current user information;
The counting module 702 is configured to determine that the current user information is illegal user information when the number of times the final authentication result is invalid reaches the preset upper limit.
The information exchange between the units of the above apparatus, their execution processes and similar content are based on the same concept as the method embodiments of the present invention; for details, refer to the description of the method embodiments, which is not repeated here.
As shown in Figure 8, an embodiment of the present invention provides an identity authentication system comprising: a server terminal 801 and at least one front end processor 802 according to any of the above embodiments;
The server terminal 801 is configured to receive at least one target key sent by the at least one front end processor.
In an embodiment of the present invention, the server terminal is further configured to authenticate, for each target key, whether the user information corresponding to the current target key is valid, and to generate an authentication result; and to send the authentication result to the corresponding front end processor according to the preset identification information of the front end processor.
An embodiment of the present invention provides a computer-readable storage medium including execution instructions; when a processor of a storage controller executes the execution instructions, the storage controller performs the identity authentication method provided in any embodiment of the present invention.
An embodiment of the present invention provides a storage controller comprising: a processor, a memory and a bus;
The memory is configured to store execution instructions, and the processor is connected to the memory through the bus; when the storage controller runs, the processor executes the execution instructions stored in the memory, so that the storage controller performs the identity authentication method provided in any embodiment of the present invention.
In summary, the embodiments of the present invention have at least the following beneficial effects:
1. In an embodiment of the present invention, a front end processor is set between the user terminal and the server terminal. The front end processor is connected to the server terminal through a local area network; compared with a wide area network, a local area network effectively reduces the transmission distance of the key, which helps prevent the key from being stolen by hackers. The front end processor is connected to the user terminal through a wide area network, which ensures that every user can access the server terminal. To carry out identity authentication, at least one piece of valid user information and the key corresponding to each piece of valid user information must be stored in the front end processor in advance; this is the precondition for the front end processor to send the key to the server terminal in place of the user. When at least one service request sent by the user terminal is received, the current user information corresponding to the current service request is obtained for each service request; by the above method, the user name is sent to the server terminal in place of the user. The current user information is compared with the stored valid user information to determine whether the current user information is valid user information; if so, the current user information corresponding to the current server is correct. After the current user information passes verification, the key corresponding to the valid user information is the target key corresponding to the current user information; the target key is extracted and sent to the server terminal in place of the user to carry out identity authentication. As can be seen, the present invention uses the front end processor to bridge the user terminal and the server terminal, so that the user does not need to send the key to the server terminal when performing identity authentication.
2. In an embodiment of the present invention, detecting whether the valid identity information is identical to the current identity information, whether the valid application identifier is identical to the current application identifier, and whether the valid network protocol address is identical to the current network protocol address improves the accuracy of user identity authentication.
3. In an embodiment of the present invention, a re-authentication mechanism is established, which avoids authentication failing because the key in the front end processor is no longer valid, and improves the accuracy of service request authentication.
4. In an embodiment of the present invention, by recording each final authentication result, the number of invalid authentications of the service requests corresponding to each piece of user information can be monitored; when the number of invalid authentications reaches the preset upper limit, the user information is determined to be illegal user information, which reduces the probability of criminals intruding into the server terminal and thereby protects the rights and interests of users.
It should be noted that, in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" and any variants of them are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "including a" does not exclude the presence of other identical elements in the process, method, article or device that includes the element.
Finally, it should be noted that the above are only preferred embodiments of the present invention, used merely to illustrate the technical solution of the present invention and not to limit its scope of protection. Any modification, equivalent substitution or improvement made within the spirit and principles of the present invention falls within the scope of protection of the present invention.

Claims (10)

1. An identity authentication method, characterized in that a front end processor is set between a user terminal and a server terminal, the user terminal is connected to the front end processor through a wide area network, the front end processor is connected to the server terminal through a local area network, and the front end processor performs:
storing in advance at least one piece of valid user information and the key corresponding to each piece of valid user information;
receiving at least one service request sent by the user terminal;
and, for each service request, performing:
A1, obtaining the current user information corresponding to the current service request;
A2, comparing the current user information with the at least one piece of valid user information, and when target valid user information identical to the current user information exists, extracting the target key corresponding to the target valid user information;
A3, sending the target key to the server terminal to carry out identity authentication.
2. The method according to claim 1, characterized in that
the valid user information includes: valid identity information, a valid application identifier and a valid network protocol address;
the current user information includes: current identity information, a current application identifier and a current network protocol address;
and the comparing of the current user information with the at least one piece of valid user information includes:
detecting whether the valid identity information is identical to the current identity information, and returning the first detection result;
detecting whether the valid application identifier is identical to the current application identifier, and returning the second detection result;
detecting whether the valid network protocol address is identical to the current network protocol address, and returning the third detection result;
when the first detection result, the second detection result and the third detection result are all "identical", determining that the user information to be verified is identical to the valid user information.
3. The method according to claim 1, characterized in that
after A3, the method further comprises:
receiving the first authentication result obtained by the server terminal authenticating the target key;
when the first authentication result is invalid, and after determining that the server terminal has updated the target key, comparing whether the current user information is identical to the target valid user information;
when the current user information is identical to the target valid user information, extracting the updated target key and sending it to the server terminal;
receiving the second authentication result obtained by the server terminal authenticating the updated target key;
when the second authentication result is invalid, determining that the current service request is invalid.
4. The method according to claim 3, characterized in that
after A3, the method further comprises:
recording the current user information and the final authentication result of the current service request corresponding to the current user information;
when the number of times the final authentication result is invalid reaches the preset upper limit, determining that the current user information is illegal user information.
5. A front end processor, characterized in that it is located between a user terminal and a server terminal, the user terminal is connected to the front end processor through a wide area network, the front end processor is connected to the server terminal through a local area network, and the front end processor comprises: a storage module, a receiving module and a request processing module;
the storage module is configured to store at least one piece of valid user information and the key corresponding to each piece of valid user information;
the receiving module is configured to receive at least one service request sent by a user;
the request processing module is configured to perform, for each service request received by the receiving module:
A1, obtaining the current user information corresponding to the current service request;
A2, comparing the current user information with the at least one piece of valid user information, and when target valid user information identical to the current user information exists, extracting the target key corresponding to the target valid user information;
A3, sending the target key to the server terminal to carry out identity authentication.
6. The front end processor according to claim 5, characterized in that
the valid user information includes: valid identity information, a valid application identifier and a valid network protocol address;
the current user information includes: current identity information, a current application identifier and a current network protocol address;
the request processing module comprises: a first detection unit, a second detection unit, a third detection unit and a judging unit;
the first detection unit is configured to detect whether the valid identity information is identical to the current identity information, and to return the first detection result;
the second detection unit is configured to detect whether the valid application identifier is identical to the current application identifier, and to return the second detection result;
the third detection unit is configured to detect whether the valid network protocol address is identical to the current network protocol address, and to return the third detection result;
the judging unit is configured to determine, when the first detection result, the second detection result and the third detection result are all "identical", that the user information to be verified is identical to the valid user information.
7. The front end processor according to claim 5, characterized in that
it further comprises: a result processing module;
the result processing module is configured to receive the first authentication result obtained by the server terminal authenticating the target key; when the first authentication result is invalid, and after determining that the server terminal has updated the target key, compare whether the current user information is identical to the target valid user information; when the current user information is identical to the target valid user information, extract the updated target key and send it to the server terminal; receive the second authentication result obtained by the server terminal authenticating the updated target key; and when the second authentication result is invalid, determine that the current service request is invalid.
8. The front end processor according to claim 7, characterized in that
it further comprises: a recording module and a counting module;
the recording module is configured to record the current user information and the final authentication result of the current service request corresponding to the current user information;
the counting module is configured to determine that the current user information is illegal user information when the number of times the final authentication result is invalid reaches the preset upper limit.
9. An identity authentication system, characterized in that it comprises: a server terminal and at least one front end processor according to any one of claims 5 to 8;
the server terminal is configured to receive at least one target key sent by the at least one front end processor.
10. The system according to claim 9, characterized in that
the server terminal is further configured to authenticate, for each target key, whether the user information corresponding to the current target key is valid, and to generate an authentication result; and to send the authentication result to the corresponding front end processor according to the preset identification information of the front end processor.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710700835.1A CN107332862A (en) 2017-08-16 2017-08-16 A kind of identity identifying method, front end processor and identity authorization system

Publications (1)

Publication Number Publication Date
CN107332862A true CN107332862A (en) 2017-11-07

Family

ID=60200961

Country Status (1)

Country Link
CN (1) CN107332862A (en)

Legal Events

Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (Application publication date: 20171107)