Disclosure of Invention
In order to overcome the defects of the prior art, the present invention provides a secure user interaction authentication method, device and system, which can ensure the security of the transmission of user authentication information in an open network environment without the intervention of a trusted third party.
In order to achieve the purpose, the technical scheme provided by the invention is as follows:
a user interaction authentication method comprises the following steps:
step one, a server side obtains a user account transmitted by a client;
step two, the server side obtains a user password according to the user account, generates an authentication passing authorization ticket and a verification password, combines the verification password and the authentication passing authorization ticket, encrypts the combination with the obtained user password, and transmits the encrypted information to the client;
step three, the server side receives user authentication information transmitted by the client, which contains a verification string encrypted with the verification password, the authentication passing authorization ticket and interactive information;
and step four, the server side processes the authentication of the user according to the received user authentication information.
Further, the second step comprises:
the server side queries the user password according to the user account and resolves the sender IP from the sender address in the transport protocol packet on the network;
the server side forms a string from part or all of the client user name, the client IP, the validity period and the time stamp, encrypts the string with a server side password, and uses the generated ciphertext as the authentication passing authorization ticket;
the server side forms a string from the verification password and the authentication passing authorization ticket, encrypts the string with the queried user password, and transmits the encrypted information to the client.
Further, the server-side password is a randomly generated character string.
Further, the verification password is a password randomly generated by the server side.
Further, the fourth step includes:
step S1, verifying whether the user authentication information contains the authentication passing authorization ticket; if yes, step S2 is executed, otherwise the authentication fails;
step S2, decrypting the verification string in the user authentication information with the verification password and verifying whether the user authentication information is legal and valid; if so, step S3 is executed, otherwise the authentication fails;
step S3, processing the interactive information in the user authentication information.
Further, the user authentication information is obtained by:
the client decrypts the encrypted information with the user password to obtain the verification password and the authentication passing authorization ticket;
when the client communicates with the server, the client generates verification information, encrypts it with the verification password to obtain a verification string, and sends the verification string, the authentication passing authorization ticket and the interactive information to the server as the user authentication information.
Further, the verification information includes part or all of a client user name, a client IP address, a time stamp and a validity period based on the time stamp.
In order to achieve the above object, the present invention further provides a user interaction authentication device, which is applied to a server side, and includes:
a user account acquisition unit, configured to obtain a user account transmitted by a client;
an encrypted information generating unit, configured to obtain a user password according to the user account, generate an authentication passing authorization ticket and a verification password, combine the verification password and the authentication passing authorization ticket, encrypt the combination with the obtained user password, and transmit the encrypted information to the client;
a user authentication information receiving unit, configured to receive user authentication information transmitted by the client, which contains a verification string encrypted with the verification password, the authentication passing authorization ticket and interactive information;
and an authentication processing unit, configured to process the authentication of the user according to the received user authentication information.
In order to achieve the above object, the present invention further provides a user interaction authentication system, including:
the client, upon obtaining a user account, transmits the user account to the user interaction authentication device, receives the encrypted information transmitted by the user interaction authentication device, decrypts the encrypted information with the user password to obtain a verification password and an authentication passing authorization ticket, and, when communicating with the user interaction authentication device, generates verification information, encrypts it with the verification password to obtain a verification string, and transmits the verification string, the authentication passing authorization ticket and the interactive information to the user interaction authentication device as user authentication information;
the user interaction authentication device is applied to a server side and is configured to obtain the user account transmitted by the client, obtain a user password according to the user account, generate an authentication passing authorization ticket and a verification password, combine the verification password and the authentication passing authorization ticket, encrypt the combination with the obtained user password, transmit the encrypted information to the client, receive the user authentication information transmitted by the client, which contains the verification string encrypted with the verification password, the authentication passing authorization ticket and the interactive information, and process the authentication of the user according to the received user authentication information.
Further, the client includes:
a user account acquisition and transmission unit, configured to obtain a user account and a password input by a user and to transmit the user account to the user interaction authentication device;
an encrypted information acquisition and processing unit, configured to receive the encrypted information transmitted by the user interaction authentication device and to decrypt it with the user password to obtain the verification password and the authentication passing authorization ticket;
and a user authentication information generating unit, configured to generate verification information when the client communicates with the user interaction authentication device, encrypt it with the verification password to obtain a verification string, and send the verification string, the authentication passing authorization ticket and the interactive information to the user interaction authentication device as user authentication information.
Compared with the prior art, the secure user interaction authentication method, device and system of the invention have the following advantages:
in the secure user interaction authentication method, device and system of the invention, the server side obtains a user account transmitted by a client, obtains a user password according to the user account, generates an authentication passing authorization ticket and a verification password, combines the verification password and the ticket, encrypts the combination with the obtained user password, and transmits the encrypted information to the client; the server side then receives user authentication information transmitted by the client, comprising a verification string encrypted with the verification password, the authentication passing authorization ticket and interactive information, and processes the authentication of the user according to the received user authentication information. The security of the transmitted user authentication information is thereby ensured in an open network environment without the intervention of a trusted third party.
Detailed Description
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the following description will be made with reference to the accompanying drawings. It is obvious that the drawings in the following description are only some examples of the invention, and that for a person skilled in the art, other drawings and embodiments can be derived from them without inventive effort.
For the sake of simplicity, the drawings only schematically show the parts relevant to the present invention, and they do not represent the actual structure as a product. In addition, in order to make the drawings concise and understandable, components having the same structure or function in some of the drawings are only schematically illustrated or only labeled. In this document, "one" means not only "only one" but also a case of "more than one".
In an embodiment of the present invention, as shown in fig. 1, a secure user interaction authentication method of the present invention includes the following steps:
step 101, a server side obtains a user account transmitted by a client. When a user wants to perform security authentication through a client, the user inputs a user name and a password on the client, the client temporarily stores the user name and the password of the user in a local memory, and meanwhile, the client transmits an account number of the user to a server through an open network.
Step 102, the server side obtains a user password according to the user account, generates an authentication passing authorization ticket and a verification password, combines the verification password and the authentication passing authorization ticket, encrypts the combination with the obtained user password, and transmits the encrypted information to the client.
Specifically, step 102 further comprises:
step S21, the server queries the user password according to the user account and resolves the sender IP from the sender address in the transport protocol packet on the network;
step S22, the server generates a random character string as the server-side password, forms a string from the client user name, the client IP, the validity period and the time stamp, encrypts the string with the server-side password, and uses the generated ciphertext as the authentication passing authorization ticket;
step S23, the server generates a random verification password, forms a string from the verification password and the authentication passing authorization ticket, encrypts the string with the queried user password, and transmits the encrypted information to the client.
Step 103, the server side receives user authentication information transmitted by the client, which comprises a verification string encrypted with the verification password, the authentication passing authorization ticket and interactive information. Specifically, after receiving the encrypted information sent by the server, the client decrypts it with the user password temporarily stored in local memory to obtain the verification password and the authentication passing authorization ticket; when the client communicates with the server, it generates verification information, encrypts it with the verification password to obtain a verification string, and sends the verification string, the authentication passing authorization ticket and the interactive information to the server as user authentication information.
Step 104, the server side processes the authentication of the user according to the received user authentication information. Specifically, step 104 further includes:
step S41, verifying whether the user authentication information contains the authentication passing authorization ticket; if yes, step S42 is executed, otherwise the authentication fails;
step S42, decrypting the verification string in the user authentication information with the verification password and verifying whether the user authentication information is valid; if so, step S43 is entered, otherwise the authentication fails. In the specific embodiment of the present invention, validity is judged from the time stamp in the verification string and the validity period based on that time stamp: assuming the validity period is two minutes, the user authentication information is judged valid according to whether the current time is within two minutes of the time stamp.
step S43, processing the interactive information in the user authentication information.
In another embodiment of the present invention, as shown in fig. 2, a secure user interaction authentication device of the present invention is applied to a server, and includes: a user account acquisition unit 201, an encrypted information generation unit 202, a user authentication information reception unit 203, and an authentication processing unit 204.
The user account obtaining unit 201 is configured to obtain a user account transmitted by a client. That is, when a user wants to perform security authentication through a client, the user needs to input a user name and a password on the client, the client temporarily stores the user name and the password of the user in a local memory, and the client transmits an account number of the user to a server through an open network.
The encrypted information generating unit 202 is configured to obtain a user password according to the user account, generate an authentication passing authorization ticket and a verification password, combine the verification password and the authentication passing authorization ticket, encrypt the combination with the obtained user password, and transmit the encrypted information to the client.
Specifically, as shown in fig. 3, the encrypted information generation unit 202 further includes:
the protocol analysis unit 2021 is configured to query the user password according to the user account and to resolve the sender IP from the sender address in the transport protocol packet on the network;
the authorization ticket generating unit 2022 is configured to generate a random character string as the server-side password, form a string from the client user name, the client IP, the validity period and the time stamp, encrypt the string with the server-side password, and use the generated ciphertext as the authentication passing authorization ticket;
the encryption transmission unit 2023 is configured to generate a random verification password, form a string from the verification password and the authentication passing authorization ticket, encrypt the string with the queried user password, and transmit the encrypted information to the client.
The user authentication information receiving unit 203 is configured to receive user authentication information transmitted by the client, the user authentication information including a verification string encrypted with the verification password, the authentication passing authorization ticket and the interactive information. Specifically, after receiving the encrypted information sent by the server, the client decrypts it with the user password temporarily stored in local memory to obtain the verification password and the authentication passing authorization ticket; when the client communicates with the server, it generates verification information, encrypts it with the verification password to obtain a verification string, and sends the verification string, the authentication passing authorization ticket and the interactive information to the server as user authentication information.
An authentication processing unit 204, configured to process authentication of the user according to the received user authentication information. Specifically, as shown in fig. 4, the authentication processing unit 204 further includes:
the authorization ticket verification unit 2041 is configured to verify whether the authentication passing authorization ticket exists in the user authentication information; if yes, it starts the verification string verification unit 2042, otherwise the authentication fails;
the verification string verification unit 2042 is configured to decrypt the verification string in the user authentication information with the verification password and verify whether the user authentication information is valid; if so, it enters the interactive information processing unit 2043, otherwise the authentication fails;
the interactive information processing unit 2043 is configured to process the interactive information in the user authentication information.
In another embodiment of the present invention, as shown in fig. 5, a secure user interaction authentication system of the present invention comprises a client 50 and a user interaction authentication device 51.
The client 50, upon obtaining the user account, transmits the user account to the user interaction authentication device 51, receives the encrypted information transmitted by the user interaction authentication device 51, decrypts the encrypted information with the user password to obtain the verification password and the authentication passing authorization ticket, and, when the client 50 communicates with the user interaction authentication device 51, generates verification information, encrypts it with the verification password to obtain a verification string, and transmits the verification string, the authentication passing authorization ticket and the interactive information to the user interaction authentication device 51 as user authentication information.
The user interaction authentication device 51 is applied to a server side and is configured to obtain the user account transmitted by the client, obtain a user password according to the user account, generate an authentication passing authorization ticket and a verification password, combine the verification password and the authentication passing authorization ticket, encrypt the combination with the obtained user password, transmit the encrypted information to the client, receive the user authentication information transmitted by the client, which contains the verification string encrypted with the verification password, the authentication passing authorization ticket and the interactive information, and process the authentication of the user according to the received user authentication information.
Specifically, as shown in fig. 6, the client 50 further includes: a user account acquisition and transmission unit 501, an encrypted information acquisition and processing unit 502, and a user authentication information generation unit 503.
The user account obtaining and transmitting unit 501 is configured to obtain a user account and a password input by the user and to transmit the user account to the user interaction authentication device. That is, when a user wants to perform security authentication through a client, the user inputs a user name (user account) and a password on the client, the client temporarily stores the user name and the password in local memory, and at the same time the client transmits the user account to the user interaction authentication device (i.e., the server) over an open network;
the encrypted information obtaining and processing unit 502 is configured to receive the encrypted information sent by the user interaction authentication device and to decrypt it with the user password to obtain the verification password and the authentication passing authorization ticket;
the user authentication information generating unit 503 generates verification information when the client communicates with the user interaction authentication device, encrypts it with the verification password to obtain a verification string, and sends the verification string, the authentication passing authorization ticket and the interactive information to the user interaction authentication device as user authentication information.
The invention will be further illustrated by the following specific examples:
1. The user inputs the user name and the password on the client, and the client temporarily stores the user name and the password in local memory.
2. The client transmits the account (user name) of the user to the server side over the open network.
3. The server queries the user password by the account of the user and, at the same time, resolves the IP of the sender from the sender address in the transport protocol packet on the network.
4. The server generates a random character string as the server password, combines the client user name, the client IP, the validity period and the time stamp into a string, encrypts the string with the server password, and uses the generated ciphertext as the authentication passing authorization ticket.
5. The server side generates a random verification password, forms a string from the verification password and the authentication passing authorization ticket, encrypts the string with the queried user password, and transmits the encrypted information to the client.
6. After receiving the encrypted information, the client decrypts it with the user password held in memory and obtains the verification password and the authentication passing authorization ticket.
7. When the client communicates with the server, information consisting of the user name, the IP address, a time stamp and a two-minute validity period based on the time stamp is encrypted with the verification password to obtain a verification string, and the verification string, the authentication passing authorization ticket and the interactive information are transmitted to the server together.
8. After receiving the interactive information, the server side first verifies whether the authentication passing authorization ticket exists; if so, it decrypts the verification string with the verification password, verifies whether the user authentication is legal and valid, and finally processes the interactive information.
In summary, the present invention provides a secure user interaction authentication method, device and system: the server obtains a user account transmitted by a client, obtains a user password according to the user account, generates an authentication passing authorization ticket and a verification password, combines the verification password and the ticket, encrypts the combination with the obtained user password, and transmits the encrypted information to the client; the server then receives user authentication information transmitted by the client, including a verification string encrypted with the verification password, the authentication passing authorization ticket and interactive information, and processes the user authentication according to the received user authentication information. The security of user authentication information transmitted in an open network environment is thereby ensured without the intervention of a trusted third party.
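The exchange in steps 1 to 8 above (and steps 101 to 104 of the first embodiment), carried through as an added example that is not part of the patent. Assumptions: the patent names no cipher, so a toy standard-library authenticated encryption stands in and the user password is stretched with PBKDF2 over a constructed salt; the server keeps the verification password in a table keyed by the ticket it issued, which the patent leaves unstated; and the server also decrypts its own ticket to compare the bound user name and IP with those in the verification string and with the sender IP, which goes slightly beyond the existence check of step 8.

```python
import hashlib
import hmac
import json
import os
import secrets
# Toy authenticated encryption from the standard library only. The patent names no
# cipher, so this is an illustrative assumption, not a production construction:
# keystream = SHA-256(key || nonce || counter), tag = HMAC-SHA256(nonce || ct).
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = [hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]

def seal(key: bytes, data: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication tag mismatch")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def key_from_password(password: str) -> bytes:
    # Constructed fixed salt for the demo; a deployment keeps a per-user salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"demo-salt", 50_000)

VALIDITY = 120  # two-minute validity period, as in the patent's embodiment
USERS = {"alice": "correct horse battery staple"}  # constructed user/password table
SERVER_KEY = secrets.token_bytes(32)  # step 4: random server-side password
SESSIONS: dict = {}  # ticket -> verification password (assumption: patent leaves storage unstated)

def server_issue(username: str, sender_ip: str, now: float) -> bytes:
    """Steps 3-5: ticket = Enc_server(user, ip, validity, ts); reply = Enc_user(vp || ticket)."""
    user_key = key_from_password(USERS[username])  # step 3: look up the user password
    body = {"user": username, "ip": sender_ip, "ts": now, "validity": VALIDITY}
    ticket = seal(SERVER_KEY, json.dumps(body).encode())
    verification_password = secrets.token_bytes(32)  # step 5: random verification password
    SESSIONS[ticket] = verification_password
    return seal(user_key, verification_password + ticket)

def client_open(password: str, blob: bytes) -> tuple:
    """Step 6: decrypt with the user password held in local memory."""
    plain = unseal(key_from_password(password), blob)
    return plain[:32], plain[32:]

def client_request(username: str, ip: str, vp: bytes, ticket: bytes, data: str, now: float) -> dict:
    """Step 7: verification string = Enc_vp(user, ip, ts, validity), sent with ticket and data."""
    info = {"user": username, "ip": ip, "ts": now, "validity": VALIDITY}
    return {"verification": seal(vp, json.dumps(info).encode()), "ticket": ticket, "interaction": data}

def server_verify(request: dict, sender_ip: str, now: float):
    """Step 8 / S41-S43: ticket present, verification string decrypts, window still open."""
    ticket = request.get("ticket")
    vp = SESSIONS.get(ticket)
    if vp is None:
        return None  # S41: no ticket this server issued -> authentication fails
    try:
        bound = json.loads(unseal(SERVER_KEY, ticket))  # what the server bound at issue time
        info = json.loads(unseal(vp, request["verification"]))  # S42: decrypt with vp
    except ValueError:
        return None
    fresh = info["ts"] <= now <= info["ts"] + bound["validity"]  # server-bound window, not client's
    same_principal = info["user"] == bound["user"] and info["ip"] == bound["ip"] == sender_ip
    return request["interaction"] if fresh and same_principal else None  # S43: process data

def demo(now: float = 1_700_000_000.0) -> tuple:
    blob = server_issue("alice", "10.0.0.7", now)
    vp, ticket = client_open(USERS["alice"], blob)
    req = client_request("alice", "10.0.0.7", vp, ticket, "balance?", now + 1)
    return (server_verify(req, "10.0.0.7", now + 2),    # accepted
            server_verify(req, "10.0.0.7", now + 200),  # replayed after the window
            server_verify(req, "10.0.0.9", now + 2))    # presented from another IP
```

demo() returns the server's decision for a fresh request, for the same request replayed after the two-minute window, and for the request presented from a different IP than the one bound in the ticket.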
It should be noted that the above embodiments can be freely combined as necessary. The foregoing is only a preferred embodiment of the present invention, and it should be noted that, for those skilled in the art, various modifications and decorations can be made without departing from the principle of the present invention, and these modifications and decorations should also be regarded as the protection scope of the present invention.