CN107395566B - Authentication method and device - Google Patents


Info

Publication number: CN107395566B
Authority: CN (China)
Prior art keywords: authentication, account, server, authentication information, application server
Legal status: Active
Application number: CN201710459145.1A
Other languages: Chinese (zh)
Other versions: CN107395566A
Inventors: 徐会生, 王树圆, 赵铁壮, 汪仲伟, 邱钺, 浮强
Current Assignee: Beijing Xiaomi Mobile Software Co Ltd
Original Assignee: Beijing Xiaomi Mobile Software Co Ltd
Events: application filed by Beijing Xiaomi Mobile Software Co Ltd; priority to CN201710459145.1A; publication of CN107395566A; application granted; publication of CN107395566B; legal status active.

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security
        • H04L63/02 for separating internal from external traffic, e.g. firewalls > H04L63/0281 Proxies
        • H04L63/08 for authentication of entities > H04L63/0815 providing single-sign-on or federations
        • H04L63/08 for authentication of entities > H04L63/083 using passwords
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        • H04L9/32 including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials > H04L9/321 involving a third party or a trusted authority > H04L9/3213 using tickets or tokens, e.g. Kerberos

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

The disclosure relates to an authentication method and apparatus. The method comprises the following steps: intercepting a first authentication request sent by a commercial application server to an account authentication server; the first authentication request comprises an account and authentication information; acquiring target authentication information corresponding to the account from a third-party server; and responding to the first authentication request according to the authentication information and the target authentication information. According to the technical scheme, account authentication based on a third party can be realized, and the risk of password leakage is reduced.

Description

Authentication method and device
Technical Field
The present disclosure relates to the field of information security technologies, and in particular, to an authentication method and apparatus.
Background
Single sign-on (SSO) means that, in an environment where multiple application systems coexist, a user can access all mutually trusted application systems after logging in only once. The areas in which SSO is involved can be roughly divided into three categories: SSO between social network sites, department-level SSO, and enterprise-level SSO. SSO between social network sites mainly concerns the openness of account information, and whether it can be implemented depends mainly on whether the account management of each site follows the same standard protocol. Department-level SSO is simple, suits scenarios with few related systems, and can be implemented by technicians through programming. Enterprise-level SSO involves many systems, including client/server (C/S) systems, enterprise management software systems, and non-web login modes (such as Windows domain login), and its security requirements are higher than those of SSO between social network sites and department-level SSO, for example the requirement to share an effective login time. Enterprise-level SSO is one of the business integration solutions commonly used by enterprises.
Microsoft's series of commercial products is widely used for enterprise mail servers because it is easy to deploy and functionally complete, and users want Microsoft's Outlook Web App (OWA) to be supported in enterprise-level SSO as well. However, because Microsoft's commercial products are closed, it is difficult for a Microsoft-based OWA mail server to integrate the Outlook client software with the single sign-on service and the two-stage authentication service, and it is difficult for Outlook to access the SSO service. This causes the following problems: a) the user must enter an account and a password every time they log in to the system, so the user experience is poor; b) the mail service is exposed to the external network, and hackers who know the system login protocol can scan for weak passwords of internal company accounts by brute force, creating internal network security vulnerabilities. Although Microsoft has also introduced a commercial single sign-on scheme, it supports a limited set of protocols and cannot meet the complex requirements of enterprise IT systems; for example, it may not support the two-phase authentication required by a user.
In order to support Microsoft OWA in enterprise-level SSO, that is, to connect Outlook to the SSO service so that a two-stage authentication manner is supported when a user accesses an OWA mail server, the related technology generally adopts the ClearPass access management technology of a Centralized Authentication Service (CAS). Specifically, the correspondence between a user account and a password is stored in a single sign-on server; when the user accesses the OWA mail server, the user is not required to enter the password again, and is logged in to the OWA mail server automatically through the stored password in single sign-on mode.
Disclosure of Invention
To overcome the problems in the related art, embodiments of the present disclosure provide an authentication method and apparatus.
The technical scheme is as follows:
according to a first aspect of the embodiments of the present disclosure, there is provided an authentication method applied to a proxy server, the method including:
intercepting a first authentication request sent by a commercial application server to an account authentication server; the first authentication request comprises an account and authentication information;
acquiring target authentication information corresponding to the account from a third-party server;
and responding to the first authentication request according to the authentication information and the target authentication information.
The technical scheme provided by the embodiment of the disclosure can have the following beneficial effects: the business application server can carry authentication information corresponding to the account number, rather than the account password, when initiating the authentication request; the authentication request sent by the business application server to the account authentication server is intercepted by the proxy server, realizing account authentication based on a third party; the account authentication process need not carry the original password text, so brute-force cracking can be prevented, the security risk of password leakage is reduced, and the user experience can therefore be improved.
In one embodiment, the responding to the first authentication request according to the authentication information and the target authentication information includes:
when the authentication information matches the target authentication information, sending an authentication success response to the business application server; or,
when the authentication information does not match the target authentication information, sending an authentication failure response to the business application server.
In one embodiment, intercepting a first authentication request sent by a business application server to an account authentication server comprises:
receiving a first authentication request sent by a commercial application server to an account authentication server;
and intercepting the first authentication request when the type of the authentication information is matched with a preset type.
In one embodiment, the authentication information includes:
a ticket or a first password, the ticket obtained by the business application server from a single sign-on server; the first password corresponds to the account and the business application server and is only used for authentication when the account is used for accessing the business application server.
In one embodiment, the authentication information includes a second password and a dynamic token, and the second password is used for authentication when the account number is used for accessing more than one application server; the obtaining target authentication information corresponding to the account from a third-party server, and responding to the first authentication request according to the authentication information and the target authentication information includes:
acquiring a target dynamic token corresponding to the account from a third-party server;
when the dynamic token is matched with the target dynamic token, sending a second authentication request to the account authentication server; wherein the second authentication request comprises the account number and a second password;
and when a second authentication success response returned by the account authentication server is received, sending an authentication success response to the business application server.
According to a second aspect of the embodiments of the present disclosure, there is provided an authentication apparatus including:
the intercepting module is used for intercepting a first authentication request sent by the commercial application server to the account authentication server; the first authentication request comprises an account and authentication information;
the acquisition module is used for acquiring target authentication information corresponding to the account from a third-party server;
and the response module is used for responding to the first authentication request according to the authentication information and the target authentication information.
In one embodiment, the response module sends an authentication success response to the business application server when the authentication information matches the target authentication information; or when the authentication information does not match the target authentication information, sending an authentication failure response to the business application server.
In one embodiment, an interception module, comprising:
the first receiving submodule is used for receiving a first authentication request sent by the commercial application server to the account authentication server;
and the interception submodule is used for intercepting the first authentication request when the type of the authentication information is matched with a preset type.
In one embodiment, the authentication information includes a second password and a dynamic token, and the second password is used for authentication when the account number is used for accessing more than one application server;
the acquisition module is used for acquiring a target dynamic token corresponding to the account from a third-party server;
the response module is used for sending a second authentication request to the account authentication server when the dynamic token is matched with the target dynamic token; wherein the second authentication request comprises the account number and a second password; and when a second authentication success response returned by the account authentication server is received, sending an authentication success response to the business application server.
According to a third aspect of the embodiments of the present disclosure, there is provided an authentication apparatus including:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to:
intercepting a first authentication request sent by a commercial application server to an account authentication server; the first authentication request comprises an account and authentication information;
acquiring target authentication information corresponding to the account from a third-party server;
and responding to the first authentication request according to the authentication information and the target authentication information.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure.
Fig. 1 is a diagram illustrating an application scenario of an authentication method according to an exemplary embodiment.
Fig. 2 is a flow diagram illustrating an authentication method according to an example embodiment.
Fig. 3 is a flow diagram illustrating an authentication method according to an example embodiment.
Fig. 4 is a flow diagram illustrating an authentication method according to an example embodiment.
Fig. 5 is a block diagram illustrating an authentication device according to an example embodiment.
Fig. 6 is a block diagram illustrating an authentication device according to an example embodiment.
Fig. 7 is a block diagram illustrating an authentication device according to an example embodiment.
Fig. 8 is a block diagram illustrating an authentication device according to an example embodiment.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The implementations described in the exemplary embodiments below are not intended to represent all implementations consistent with the present disclosure. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present disclosure, as detailed in the appended claims.
Enterprise-level SSO is one of the business integration solutions commonly used by enterprises, and users want to connect Outlook to SSO services; but because of the closed nature of Microsoft's commercial products, it is difficult to connect Outlook to the SSO service on a Microsoft OWA mail server. This causes the following problems: a) the user must enter an account and a password every time they log in to the system, so the user experience is poor; b) the mail service is exposed to the external network, and hackers who know the system login protocol can scan for weak passwords of internal company accounts by brute force, creating internal network security vulnerabilities.
In the related art, connecting Outlook to the SSO service by using the ClearPass technology of CAS specifically includes: the single sign-on server stores the correspondence between the user account and the password, and when the user accesses the OWA mail server, the user is not required to enter the password again and is logged in to the OWA mail server directly through the stored password in single sign-on mode. However, the related art has the following problems: 1) the single sign-on server stores the original text of the user password, and even if that text is encrypted, loss of the encryption algorithm and key risks leaking the passwords of all accounts; 2) after the user changes the password by other means, the change cannot be fed back to the single sign-on server immediately, so the single sign-on server may still hold the old password, causing subsequent authentication to fail; in addition, the account authentication process must carry the original password text, so there is a risk of password leakage through brute-force cracking; as a result, the user experience may suffer.
To solve the above problems, an embodiment of the present disclosure provides an authentication method including: intercepting a first authentication request sent by a business application server to an account authentication server, the first authentication request comprising an account and authentication information; acquiring target authentication information corresponding to the account from a third-party server; and responding to the first authentication request according to the authentication information and the target authentication information. The technical scheme provided by the embodiment of the disclosure realizes account authentication based on a third party, and the account authentication process need not carry the original password text, so brute-force cracking can be prevented and the security risk of password leakage is reduced. The scheme involves a proxy server, a business application server and a third-party server, where the business application server is a Microsoft OWA mail server.
Referring to fig. 1, fig. 1 exemplarily illustrates an application scenario including: a client 110, a business application server 120, a proxy server 130, a third-party server 140, and an account authentication server 150, where the business application server 120 is, for example, a Microsoft OWA mail server, and these devices communicate over a wireless or wired network; it should be noted that the application scenario shown in fig. 1 may include one or more business application servers of different types. In practice, the application scenario illustrated in fig. 1 may also include a single sign-on server connected to the business application server 120 and to the third-party server 140. Specifically, the client 110 requests the business application server 120 to authenticate the user's account; the business application server 120 sends a first authentication request carrying the account and authentication information to the account authentication server 150; the proxy server 130 intercepts the first authentication request, acquires the target authentication information corresponding to the account from the third-party server 140, responds to the first authentication request according to the authentication information and the target authentication information, and sends the authentication result to the business application server 120, which informs the client 110 of the result. Account authentication based on a third party is thereby realized; the original password text need not be carried in the account authentication process, so brute-force cracking can be prevented and the security risk of password leakage is reduced.
Fig. 2 is a flowchart illustrating an authentication method according to an exemplary embodiment; the execution subject of the method may be a proxy server. As shown in fig. 2, the method includes the following steps 201 to 203:
in step 201, a first authentication request sent by a business application server to an account authentication server is intercepted;
In this embodiment, the first authentication request includes an account and authentication information corresponding to the account. The authentication information need not be the account password corresponding to the account number; for example, it may be a ticket or a first password. The ticket is a unique hash whose validity period is a preset time, for example the ticket is set to expire every day, which reduces the security risk caused by leakage. The first password corresponds to the account and the business application server and is only used for authentication when the account is used to access the business application server; it is a special password set for the business application supported by the business application server, it can only log in to the business application server, and it cannot endanger other systems even if leaked. The authentication information may further include a second password, used for authentication when the account number is used to access more than one application server, together with a dynamic token.
For example, a specific implementation of intercepting the first authentication request sent by the business application server to the account authentication server may include: the proxy server receives the first authentication request sent by the business application server to the account authentication server; parses the first authentication request to acquire the authentication information; and intercepts the first authentication request when the type of the authentication information matches a preset type. The preset type may be a ticket, a first password, or a dynamic token.
In step 202, target authentication information corresponding to the account is acquired from a third-party server;
illustratively, the third-party server stores authentication information corresponding to the account; the third-party server may also generate target authentication information corresponding to the account according to a preset requirement.
After intercepting the first authentication request sent by the business application server to the account authentication server, the proxy server sends a query request to the third-party server, and the third-party server returns the target authentication information corresponding to the account to the proxy server.
In step 203, the first authentication request is responded according to the authentication information and the target authentication information.
For example, the proxy server determines whether the authentication information matches the target authentication information: when the authentication information is matched with the target authentication information, the proxy server sends an authentication success response to the commercial application server; the business application server informs the client that the authentication is successful. When the authentication information does not match the target authentication information, the proxy server sends an authentication failure response to the business application server; the business application server informs the client of the authentication failure.
According to the technical scheme provided by this embodiment of the disclosure, the business application server can carry authentication information corresponding to the account number, rather than the account password, when initiating the authentication request; the authentication request sent by the business application server to the account authentication server is intercepted by the proxy server, realizing account authentication based on a third party. The account authentication process need not carry the original password text, so brute-force cracking can be prevented, the security risk of password leakage is reduced, and the user experience can be improved.
Fig. 3 is a flowchart illustrating an authentication method according to an exemplary embodiment, where the authentication method is a ticket-based authentication method. As shown in fig. 3, the method comprises the steps of:
in step 301, the client sends a first authentication request for an account of a user to a commercial application server;
in step 302, the business application server sends a ticket request to the single sign-on server;
in step 303, the single sign-on server obtains a ticket corresponding to the account from the third-party server; illustratively, the single sign-on server sends a request to the third-party server, and the third-party server returns the ticket corresponding to the account to the single sign-on server;
in step 304, the single sign-on server returns the ticket to the business application server;
for example, the ticket is a unique hash, and the validity period of the ticket is a preset time, for example, the ticket is set to expire every day, so that the security risk caused by leakage is reduced.
In step 305, the business application server sends a first authentication request carrying an account and a ticket to an account authentication server;
illustratively, the proxy server intercepts the first authentication request sent by the business application server to the account authentication server; the specific implementation may include: the proxy server receives the first authentication request sent by the business application server to the account authentication server; parses the first authentication request to obtain the ticket; and intercepts the first authentication request when the preset type is the ticket.
In step 306, the proxy server acquires a target ticket corresponding to the account from the third-party server according to the account;
illustratively, the proxy server sends an authentication information request carrying the account to the third-party server, and the third-party server returns the target ticket corresponding to the account number to the proxy server;
in step 307, the proxy server checks the ticket by using the target ticket to obtain an authentication result; illustratively, when the ticket matches the target ticket, an authentication success response is sent to the business application server; when the ticket does not match the target ticket, an authentication failure response is sent to the business application server.
In step 308, sending the authentication result to the business application server;
in step 309, the business application server feeds back the authentication result to the client.
According to the technical scheme provided by this embodiment of the disclosure, a user only needs to enter a user account, and no password, when logging in to a business application server for the first time. The business application server obtains a ticket corresponding to the user account from the third-party server through the single sign-on server, and when initiating an authentication request to the account authentication server it carries the ticket corresponding to the account instead of the password. The proxy server intercepts the authentication request sent by the business application server to the account authentication server, obtains the target ticket corresponding to the user account from the third-party server, and performs matching verification: when the ticket matches the target ticket, it sends an authentication success response to the business application server; when the ticket does not match the target ticket, it sends an authentication failure response to the business application server. Account authentication based on a third party is thereby realized, and the user does not need to enter a password every time the business application server is accessed, which makes the system convenient to use; the account authentication process does not carry the original password text, so brute-force cracking can be prevented, the security risk of password leakage is reduced, and the user experience can be improved.
Fig. 4 is a flowchart illustrating an authentication method according to an exemplary embodiment. As shown in fig. 4, the method includes the following steps:
in step 401, the client sends a first authentication request for an account of a user to a business application server;
illustratively, the first authentication request includes an account number and authentication information; the authentication information includes: a first password, or a second password and a dynamic token; the first password corresponds to the account and the business application server and is only used for authentication when the account is used for accessing the business application server; the second password is used for authentication when the account is used for accessing more than one application server.
In step 402, the business application server sends a first authentication request carrying an account and authentication information to an account authentication server;
in step 403, the proxy server intercepts a first authentication request sent by the business application server to the account authentication server;
for example, a specific implementation manner of the proxy server intercepting the first authentication request sent by the business application server to the account authentication server may include: the method comprises the steps that a proxy server receives a first authentication request sent by a commercial application server to an account authentication server; acquiring authentication information by analyzing the first authentication request; and intercepting the first authentication request when the authentication information is a first password and the preset type is a special password, or intercepting the first authentication request when the authentication information is a second password and a dynamic token and the preset type is a dynamic token.
In step 404, the proxy server determines an authentication mode adopted by the first authentication request according to the authentication information; when the authentication information is the second password and the dynamic token, determining that the first authentication request adopts a third-party-based two-stage authentication mode, and turning to step 405; when the first authentication request adopts a password authentication mode, turning to step 406; when the authentication information is the first password, determining that the first authentication request adopts a first password authentication mode based on a third party, and turning to step 407;
in step 405, the proxy server obtains a target dynamic token corresponding to the account from the third-party server according to the account; go to step 408;
for example, the obtaining, by the proxy server, the target dynamic token corresponding to the account from the third-party server according to the account includes: the proxy server sends an authentication information request carrying an account number to a third-party server (such as a dynamic token server); and the third-party server returns the target dynamic token corresponding to the account number to the proxy server. The authentication information of the two-stage authentication includes: the second password (original text of the account password of the user) and the dynamic token, and the account password is authenticated after the dynamic token passes the verification, so that brute force cracking can be prevented.
In step 406, the proxy server passes through the first authentication request to the account authentication server; go to step 411;
in step 407, the proxy server obtains a target first password corresponding to the account from the third-party server according to the account; go to step 410;
for example, the third-party-based first password authentication method is to set a first password for an application supported by a business application server, where the first password is only used for logging in the business application server, such as an OWA server, and even if the first password is leaked, the security of other application systems in the enterprise network is not compromised.
In step 408, the proxy server determines whether the dynamic token matches the target dynamic token; when the dynamic token is judged to be matched with the target dynamic token, the step 409 is carried out; otherwise go to step 413;
in step 409, the proxy server requests the account authentication server for password authentication using the second password, for example, the proxy server sends a second authentication request carrying the second password to the account authentication server; go to step 411;
in step 410, the proxy server determines whether the first password matches the target first password; when the first password is determined to match the target first password, go to step 412; otherwise go to step 413;
in step 411, it is determined whether the password authentication is successful; when a password authentication success message sent by the account authentication server is received, go to step 412; when receiving the password authentication failure message sent by the account authentication server, go to step 413;
in step 412, when receiving the password authentication success message sent by the account authentication server, sending an authentication success response to the business application server;
in step 413, when receiving the password authentication failure message sent by the account authentication server, sending an authentication failure response to the business application server.
The technical scheme provided by the embodiments of the disclosure supports a third-party-based two-stage authentication mode, a first password authentication mode and the like, prevents brute-force cracking, reduces the security risk of password leakage, and improves both system security and user experience.
As a possible embodiment, an authentication scheme based on intercepting requests within an enterprise intranet is provided. The scheme modifies the authentication service of an OWA mail server in a non-invasive proxy manner, so that users can authenticate with the two-stage authentication or the special (application-specific) account password provided by a third party; this improves user experience, improves system security and prevents OWA from becoming a weak point of the system. The scheme works as follows: when the OWA forwards an authentication request to the back end, the proxy layer fetches from the third-party service the dynamic token or first password required for the check of the account being authenticated and performs the corresponding verification; if verification succeeds it returns a response that imitates the back-end service, and if verification fails it returns the corresponding failure information. By intercepting the authentication request between the OWA mail server and the back-end application server in proxy fashion, services that cannot easily support single sign-on or third-party two-stage authentication on their own are hardened through the intercepting proxy.
The authentication service handled here covers two specific operating schemes. In the first, the OWA authentication request is intercepted completely: no request is sent to the authentication server, and the proxy layer fully impersonates the authentication server to provide the authentication service. In the second, the back-end application server provides not only the authentication service but also subsequent operations such as session, state and interface services, so the authentication operation must actually be performed against it; this case is more complex and has to be customized to the requirements of the back-end application server, combining the authentication function with auxiliary functions such as the first password and device binding.
The technical scheme provided by the embodiments of the disclosure uses a non-invasive proxy to avoid the difficulty of modifying business servers such as an OWA mail server by changing their source code or interfaces. After the proxy layer is introduced, users' habits are unaffected, third-party two-stage authentication can be supported, and the security level of the OWA is noticeably improved.
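The proxy-side decision logic of steps 401 to 413 above, together with the two operating schemes of the OWA deployment (full impersonation of the authentication server for the first password, versus forwarding a second request to the real account authentication server after the token check), as an added Python example that is not code from the patent or its assignee. The three back ends are in-memory stand-ins with constructed sample accounts; the dynamic token is assumed to be an RFC 6238 TOTP value and the responses are assumed to be plain "success"/"failure" strings, neither of which the patent specifies. The ticket variant of the summary above would follow the same path as the first password: fetch the target value from the third-party server, compare at the proxy, never forward.

```python
"""Proxy-side authentication decision logic modelled on steps 401-413 of Fig. 4.

Added example, not code from the patent or its assignee. The three back ends
are in-memory stand-ins, the account tables and seeds are constructed sample
data, and the dynamic token is assumed to be an RFC 6238 TOTP value (the
patent does not specify the token algorithm or the message format).
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample data (assumption, not from the patent).
THIRD_PARTY_OTP_SEEDS = {"alice": b"constructed-otp-seed-for-alice"}
THIRD_PARTY_FIRST_PASSWORDS = {"alice": "owa-only-Passw0rd"}   # valid for OWA only
ACCOUNT_SERVER_PASSWORDS = {"alice": "domain-Passw0rd"}        # shared "second password"
FIXED_TIME = 1_700_000_000  # fixed clock so the example is deterministic offline


def totp(seed: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, as computed by the stand-in dynamic token server."""
    mac = hmac.new(seed, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class ThirdPartyServer:
    """Source of the target values fetched in steps 405 and 407."""

    def target_dynamic_token(self, account: str, now: int) -> Optional[str]:
        seed = THIRD_PARTY_OTP_SEEDS.get(account)
        return totp(seed, now) if seed else None

    def target_first_password(self, account: str) -> Optional[str]:
        return THIRD_PARTY_FIRST_PASSWORDS.get(account)


class AccountAuthServer:
    """Password authority (e.g. the domain). Records every request it receives,
    so the example can show exactly which requests the proxy let through."""

    def __init__(self) -> None:
        self.requests: List[Tuple[str, str]] = []

    def authenticate(self, account: str, password: str) -> bool:
        self.requests.append((account, password))
        expected = ACCOUNT_SERVER_PASSWORDS.get(account)
        return expected is not None and hmac.compare_digest(expected.encode(), password.encode())


@dataclass
class AuthRequest:
    """The first authentication request: account plus one kind of authentication information."""
    account: str
    first_password: Optional[str] = None   # application-specific password (step 407 mode)
    second_password: Optional[str] = None  # shared account password
    dynamic_token: Optional[str] = None    # present only in two-stage mode


def _matches(candidate: Optional[str], target: Optional[str]) -> bool:
    """Constant-time comparison; an account unknown to the third party never matches."""
    if candidate is None or target is None:
        return False
    return hmac.compare_digest(candidate.encode(), target.encode())


class AuthProxy:
    def __init__(self, third_party: ThirdPartyServer, account_server: AccountAuthServer,
                 intercept_types=("first_password", "dynamic_token")) -> None:
        self.third_party = third_party
        self.account_server = account_server
        self.intercept_types = set(intercept_types)  # the "preset type" of step 403

    def _mode(self, req: AuthRequest) -> str:
        """Step 404: classify the request; anything not configured for interception passes through."""
        if req.first_password is not None and "first_password" in self.intercept_types:
            return "first_password"
        if (req.dynamic_token is not None and req.second_password is not None
                and "dynamic_token" in self.intercept_types):
            return "two_stage"
        return "pass_through"

    def handle(self, req: AuthRequest, now: int = FIXED_TIME) -> str:
        """Return the response the business application server sees: 'success' or 'failure'."""
        mode = self._mode(req)
        if mode == "first_password":
            # Steps 407/410: verified entirely at the proxy, which impersonates the
            # authentication server; the account server never sees this password.
            target = self.third_party.target_first_password(req.account)
            return "success" if _matches(req.first_password, target) else "failure"
        if mode == "two_stage":
            # Steps 405/408: check the token first. The password is forwarded only after
            # the token matches, so a request with a wrong token never reaches the account server.
            target = self.third_party.target_dynamic_token(req.account, now)
            if not _matches(req.dynamic_token, target):
                return "failure"
            # Steps 409/411: second authentication request with account + second password.
            ok = self.account_server.authenticate(req.account, req.second_password)
            return "success" if ok else "failure"
        # Step 406: ordinary password authentication is passed through unchanged.
        ok = self.account_server.authenticate(req.account, req.second_password or "")
        return "success" if ok else "failure"
```

The account authentication server records every request it receives, which makes the two security properties visible: in first-password mode it receives nothing at all, and in two-stage mode it receives the second password only after the token has matched, so a guessed password never reaches it without a valid token. The comparisons use hmac.compare_digest so the proxy does not leak the position of a mismatch through timing. Note that a proxy configured without "dynamic_token" in its preset types passes a token-carrying request straight through and the token is never checked, so the preset type is itself a security setting.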
The following are embodiments of the disclosed apparatus that may be used to perform embodiments of the disclosed methods.
FIG. 5 is a block diagram illustrating an authentication apparatus according to an exemplary embodiment. The apparatus may be implemented in various ways, for example with all of its components implemented in a proxy server, or with the components coupled on the proxy server side; it may implement the methods of the present disclosure through software, hardware, or a combination of the two. As shown in Fig. 5, the authentication apparatus includes an interception module 501, an acquisition module 502 and a response module 503, wherein:
the interception module 501 is configured to intercept a first authentication request sent by a business application server to an account authentication server, the first authentication request including an account and authentication information;
the acquisition module 502 is configured to obtain target authentication information corresponding to the account from a third-party server according to the account; and
the response module 503 is configured to respond to the first authentication request according to the authentication information and the target authentication information.
According to the authentication apparatus provided by the embodiments of the disclosure, the interception module 501 intercepts the first authentication request sent by the business application server to the account authentication server, the acquisition module 502 obtains the target authentication information corresponding to the account from the third-party server, and the response module 503 responds to the first authentication request according to the authentication information and the target authentication information. Account authentication based on a third party is thereby realized, and the authentication exchange need not carry the password plaintext, which prevents brute-force cracking and reduces the security risk of password leakage, thereby improving user experience.
In a possible implementation, the response module 503 sends an authentication success response to the business application server when the authentication information matches the target authentication information, or sends an authentication failure response to the business application server when the authentication information does not match the target authentication information.
In a possible implementation, as shown in Fig. 6, the interception module 501 of the authentication apparatus shown in Fig. 5 may include a first receiving sub-module 601 and an intercepting sub-module 602, wherein:
the first receiving submodule 601 is configured to receive a first authentication request sent by the business application server to the account authentication server;
the intercepting submodule 602 is configured to intercept the first authentication request when the type of the authentication information matches a preset type.
In one possible embodiment, the authentication information includes a second password and a dynamic token, the second password being used for authentication when the account accesses more than one application server. The acquisition module 502 obtains the target dynamic token corresponding to the account from the third-party server; the response module 503 is configured to send a second authentication request to the account authentication server when the dynamic token matches the target dynamic token, the second authentication request including the account and the second password, and to send an authentication success response to the business application server when a second authentication success response is returned by the account authentication server.
Fig. 7 is a block diagram illustrating an authentication apparatus 700 according to an exemplary embodiment. The authentication apparatus 700 may be implemented in various ways, such as with all of its components implemented in a proxy server or with the components coupled on the proxy server side. The authentication apparatus 700 includes:
a processor 701;
a memory 702 for storing processor-executable instructions;
wherein the processor 701 is configured to: intercept a first authentication request sent by a business application server to an account authentication server, the first authentication request including an account and authentication information; obtain target authentication information corresponding to the account from a third-party server; and respond to the first authentication request according to the authentication information and the target authentication information.
In one embodiment, the processor 701 may be further configured to: send an authentication success response to the business application server when the authentication information matches the target authentication information; or send an authentication failure response to the business application server when the authentication information does not match the target authentication information.
In one embodiment, the processor 701 may be further configured to: receive a first authentication request sent by the business application server to the account authentication server; and intercept the first authentication request when the type of the authentication information matches a preset type.
In one embodiment, the processor 701 may be further configured to: obtain a target dynamic token corresponding to the account from the third-party server; send a second authentication request to the account authentication server when the dynamic token matches the target dynamic token, the second authentication request including the account and a second password; and send an authentication success response to the business application server when a second authentication success response is returned by the account authentication server. Here the authentication information includes the second password and the dynamic token, and the second password is used for authentication when the account accesses more than one application server.
The authentication apparatus provided by the embodiments of the disclosure intercepts the authentication request sent by the business application server to the account authentication server and realizes third-party-based account authentication; because the authentication exchange does not carry the password plaintext, brute-force cracking is prevented and the security risk of password leakage is reduced, thereby improving user experience.
With regard to the apparatus in the above embodiments, the specific manner in which each module performs its operation has been described in detail in the embodiments of the method and is not elaborated here.
Fig. 8 is a block diagram illustrating an authentication apparatus according to an example embodiment. For example, the authentication apparatus 800 may be provided as a dedicated server. The authentication apparatus 800 comprises a processing component 802, which further comprises one or more processors, and memory resources, represented by memory 803, for storing instructions such as application programs executable by the processing component 802. The application programs stored in the memory 803 may include one or more modules, each corresponding to a set of instructions. The processing component 802 is configured to execute the instructions to perform the methods described above.
The authentication apparatus 800 may also include a power component 806 configured to perform power management of the authentication apparatus 800, a wired or wireless network interface 805 configured to connect the authentication apparatus 800 to a network, and an input/output (I/O) interface 808. The authentication apparatus 800 may operate based on an operating system stored in the memory 803, such as Windows Server, Mac OS X, Unix, Linux, FreeBSD or the like.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This application is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.
It will be understood that the present disclosure is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the present disclosure is limited only by the appended claims.

Claims (7)

1. An authentication method applied to a proxy server, the method comprising:
intercepting a first authentication request sent by a business application server to an account authentication server, the first authentication request comprising an account and authentication information, wherein the authentication information comprises a ticket or a first password, the ticket being obtained by the business application server from a single sign-on server, and the first password corresponding to the account and the business application server and being used only for authentication when the account is used to access the business application server; or the authentication information comprises a second password and a dynamic token, the second password being used for authentication when the account is used to access more than one application server;
obtaining target authentication information corresponding to the account from a third-party server; and
responding to the first authentication request according to the authentication information and the target authentication information;
wherein intercepting the first authentication request sent by the business application server to the account authentication server comprises:
receiving the first authentication request sent by the business application server to the account authentication server; and
intercepting the first authentication request when the type of the authentication information matches a preset type.
2. The method of claim 1, wherein responding to the first authentication request according to the authentication information and the target authentication information comprises:
when the authentication information matches the target authentication information, sending an authentication success response to the business application server; or,
when the authentication information does not match the target authentication information, sending an authentication failure response to the business application server.
3. The method of claim 1, wherein obtaining target authentication information corresponding to the account from a third-party server and responding to the first authentication request according to the authentication information and the target authentication information comprises:
obtaining a target dynamic token corresponding to the account from the third-party server;
when the dynamic token matches the target dynamic token, sending a second authentication request to the account authentication server, the second authentication request comprising the account and the second password; and
when a second authentication success response returned by the account authentication server is received, sending an authentication success response to the business application server.
4. An authentication apparatus applied to a proxy server, comprising:
an interception module configured to intercept a first authentication request sent by a business application server to an account authentication server, the first authentication request comprising an account and authentication information, wherein the authentication information comprises a ticket or a first password, the ticket being obtained by the business application server from a single sign-on server, and the first password corresponding to the account and the business application server and being used only for authentication when the account is used to access the business application server; or the authentication information comprises a second password and a dynamic token, the second password being used for authentication when the account is used to access more than one application server;
an acquisition module configured to obtain target authentication information corresponding to the account from a third-party server; and
a response module configured to respond to the first authentication request according to the authentication information and the target authentication information;
wherein the interception module comprises:
a first receiving sub-module configured to receive the first authentication request sent by the business application server to the account authentication server; and
an intercepting sub-module configured to intercept the first authentication request when the type of the authentication information matches a preset type.
5. The apparatus of claim 4, wherein the response module is configured to send an authentication success response to the business application server when the authentication information matches the target authentication information, or to send an authentication failure response to the business application server when the authentication information does not match the target authentication information.
6. The apparatus of claim 4, wherein the acquisition module obtains a target dynamic token corresponding to the account from the third-party server; and
the response module is configured to send a second authentication request to the account authentication server when the dynamic token matches the target dynamic token, the second authentication request comprising the account and the second password, and to send an authentication success response to the business application server when a second authentication success response returned by the account authentication server is received.
7. An authentication apparatus applied to a proxy server, comprising:
a processor; and
a memory for storing processor-executable instructions;
wherein the processor is configured to:
intercept a first authentication request sent by a business application server to an account authentication server, the first authentication request comprising an account and authentication information, wherein the authentication information comprises a ticket or a first password, the ticket being obtained by the business application server from a single sign-on server, and the first password corresponding to the account and the business application server and being used only for authentication when the account is used to access the business application server; or the authentication information comprises a second password and a dynamic token, the second password being used for authentication when the account is used to access more than one application server;
obtain target authentication information corresponding to the account from a third-party server; and
respond to the first authentication request according to the authentication information and the target authentication information;
wherein the processor is further configured such that
intercepting the first authentication request sent by the business application server to the account authentication server comprises:
receiving the first authentication request sent by the business application server to the account authentication server; and
intercepting the first authentication request when the type of the authentication information matches a preset type.
CN201710459145.1A 2017-06-16 2017-06-16 Authentication method and device Active CN107395566B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710459145.1A CN107395566B (en) 2017-06-16 2017-06-16 Authentication method and device

Publications (2)

Publication Number Publication Date
CN107395566A CN107395566A (en) 2017-11-24
CN107395566B true CN107395566B (en) 2020-10-23

Family

ID=60332356

Country Status (1)

Country Link
CN (1) CN107395566B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108566367B (en) * 2018-02-07 2020-09-25 海信集团有限公司 Terminal authentication method and device
CN108712398B (en) * 2018-04-28 2021-07-16 北京东土军悦科技有限公司 Port authentication method of authentication server, switch and storage medium
CN110381084A (en) * 2019-08-07 2019-10-25 北京三快在线科技有限公司 Single-node login system and method, storage medium and electronic equipment

Citations (2)

Publication number Priority date Publication date Assignee Title
CN104683327A (en) * 2015-01-29 2015-06-03 中国科学院信息工程研究所 Method for detecting safety of user login interface of Android software
CN106685998A (en) * 2017-02-24 2017-05-17 浙江仟和网络科技有限公司 SSO authentication method based on CAS unified authentication service middleware

Family Cites Families (6)

Publication number Priority date Publication date Assignee Title
CN101719238B (en) * 2009-11-30 2013-09-18 中国建设银行股份有限公司 Method and system for managing, authenticating and authorizing unified identities
CN102984169A (en) * 2012-12-11 2013-03-20 中广核工程有限公司 Single sign-on method, equipment and system
CN103051630B (en) * 2012-12-21 2016-01-27 微梦创科网络科技(中国)有限公司 Method, the Apparatus and system of third-party application mandate is realized based on open platform
CN103220344B (en) * 2013-03-29 2016-08-31 新浪技术(中国)有限公司 Microblogging licenses method and system
JP6071847B2 (en) * 2013-11-06 2017-02-01 株式会社東芝 Authentication system, method and program
US9413756B1 (en) * 2014-12-09 2016-08-09 Google Inc. Systems and methods using short-lived proxy token values obfuscating a stable long-lived token value

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant