CN107517178B - Authentication method, device and system - Google Patents

Authentication method, device and system

Info

Publication number: CN107517178B
Application number: CN201610425439.8A
Other versions: CN107517178A
Authority: CN (China)
Original language: Chinese (zh)
Legal status: Active (as listed by Google; not a legal conclusion)
Inventors: 杨洋, 王祖熙
Current assignee: Alibaba Group Holding Ltd
Original assignee: Alibaba Group Holding Ltd
Prior art keywords: server, authentication information, authentication, configuration center, unit

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321: Cryptographic mechanisms or cryptographic arrangements for verifying identity or authority involving a third party or a trusted authority

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiment of the invention discloses an authentication method, device and system, in which the authentication information of an object, originally stored on the local disk of a server, is stored centrally in a configuration center and called by the server when needed. When the server receives an authentication request, it can request the authentication information of the object from the configuration center using the identifier it determines for the object, so that the acquired authentication information can be sent to the access device to complete authentication. Because the authentication information is stored in and called from the configuration center, the server no longer needs to store it on a local disk; the storage pressure on the server is relieved and its processing capacity is improved.

Description

Authentication method, device and system
Technical Field
The present invention relates to the field of data processing, and in particular, to an authentication method, apparatus, and system.
Background
Servers in the network store objects, such as data, files, and the like. If an access device wishes to access an object stored on a server, the server may service the access of the access device.
Before an access device accesses an object, it needs to establish a connection with a server storing the object. In the process of establishing the connection, the access device needs to complete validity authentication with the server providing the access service, that is, the access device needs to confirm whether the server is a valid server providing the access service for the object. In this authentication process, authentication information for proving legitimacy needs to be provided to the access device by the server.
Different objects have different authentication information, and a server typically stores a large number of objects, which bring with them a large amount of authentication information. Conventionally, the server stores this authentication information on a local disk and provides the required authentication information to the access device when authentication is required. However, storing this authentication information imposes significant storage pressure on the server and affects its processing capacity.
Disclosure of Invention
In order to solve the technical problem, the invention provides an authentication method, an authentication device and an authentication system, which relieve the storage pressure of the server and improve the processing capacity of the server.
The embodiment of the invention discloses the following technical scheme:
an authentication system, the system comprising an access device, a server and a configuration center:
the configuration center stores authentication information of an object;
the access device is used for sending an authentication request to the server, wherein the authentication request is used for requesting to authenticate whether the server is a legal server for providing the object access service;
the server is used for acquiring an authentication request sent by the access equipment; determining the identification of the object according to the authentication request; requesting a configuration center to acquire authentication information of the object according to the identifier; acquiring the authentication information from the configuration center; and sending the authentication information to the access device.
A method of authentication, the method comprising:
the method comprises the steps that a server obtains an authentication request sent by access equipment, wherein the authentication request is used for requesting to authenticate whether the server is a legal server for providing object access service;
the server determines the identification of the object according to the authentication request;
the server requests a configuration center to acquire the authentication information of the object according to the identification;
the server acquires the authentication information from the configuration center;
the server sends the authentication information to the access device.
Optionally, the configuration center is further configured to store a key of the object, and the server requests the configuration center to obtain the authentication information of the object according to the identifier, further including:
the server requests the configuration center to acquire the secret key according to the identifier;
the server obtains the key from the configuration center.
Optionally, after the server obtains the authentication information from the configuration center, the method further includes:
the server caches the authentication information in a memory;
and the server judges whether the authentication information is removed from the memory according to the use condition of the authentication information.
Optionally, before the server requests the configuration center to acquire the authentication information of the object according to the identifier, the method further includes:
the server judges whether the authentication information is cached in the memory or not according to the identification;
if the authentication information is cached in the memory, the server calls the authentication information from the memory and sends the authentication information to the access equipment;
and if the authentication information is not cached in the memory, executing the step that the server requests a configuration center to acquire the authentication information of the object according to the identification.
Optionally, after the server requests the configuration center to acquire the authentication information of the object according to the identifier, the method further includes:
establishing a secure connection between the server and the configuration center;
the step in which the server acquires the authentication information from the configuration center comprises:
and the server acquires the authentication information from the configuration center through the secure connection.
Optionally, the determining, by the server, the identifier of the object according to the authentication request includes:
the server searches the SNI from the authentication request;
and the server extracts the identification according to the SNI.
An authentication apparatus, the apparatus comprising:
a first obtaining unit, configured to obtain an authentication request sent by an access device, where the authentication request is used to request to authenticate whether the server is a valid server providing an object access service;
a determining unit, configured to determine an identifier of the object according to the authentication request;
the request unit is used for requesting a configuration center to acquire the authentication information of the object according to the identification;
a second obtaining unit, configured to obtain the authentication information from the configuration center;
a sending unit, configured to send the authentication information to the access device.
Optionally, the configuration center is further configured to store a key of the object, and the request unit is further configured to request the configuration center to obtain the key according to the identifier;
the second obtaining unit is further configured to obtain the key from the configuration center.
Optionally, the apparatus further includes a cache unit and a removal unit:
the cache unit is configured to cache the authentication information in a memory after the second obtaining unit is triggered;
and the removing unit is used for judging whether the authentication information is removed from the memory according to the using condition of the authentication information.
Optionally, the apparatus further includes a judging unit:
the judging unit is used for judging whether the authentication information is cached in the memory or not according to the identifier before the request unit is triggered;
if the judgment result is that the authentication information is cached in the memory, the judgment unit calls the authentication information from the memory and triggers the sending unit;
and if the judgment result is that the authentication information is not cached in the memory, triggering the request unit.
Optionally, the apparatus further includes an establishing unit:
the establishing unit is used for establishing a secure connection with the configuration center after the request unit is triggered;
the second obtaining unit is specifically configured to obtain the authentication information from the configuration center through the secure connection.
Optionally, the determining unit is specifically configured to search for the SNI from the authentication request; and extracting the identification according to the SNI.
According to the technical scheme, the authentication information of the object originally stored in the local disk of the server is uniformly stored in the configuration center, the server calls the authentication information when needed, and when the server acquires the authentication request, the server can request the configuration center for acquiring the authentication information of the object through the determined identifier of the object, so that the acquired authentication information can be sent to the access equipment, and the authentication is completed. The unified storage and calling of the authentication information in the configuration center enable the server to have no need of storing the authentication information in a local disk, the storage pressure of the server is relieved, and the processing capacity of the server is improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
Fig. 1a is a system structure diagram of an authentication system according to an embodiment of the present invention;
fig. 1 is a flowchart of an authentication method according to an embodiment of the present invention;
fig. 2 is a flowchart of a method for dynamically caching authentication information according to an embodiment of the present invention;
fig. 3 is a device structure diagram of an authentication device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some embodiments, but not all embodiments, of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The server stores an object, where the object may be content under a domain name, for example part of the data under www.taobao.com, and the domain name may be one served over Hypertext Transfer Protocol Secure (HTTPS). If a user wishes to access this content, this may be achieved by accessing the server through an access device.
In order to ensure the security of access, for example, to avoid the occurrence of access to a phishing website, authentication needs to be completed before the access device accesses the object. The authentication in the embodiment of the invention is mainly the identity authentication of the access device to the server, namely the access device needs to confirm whether the server is a legal server for providing the object access service. In this authentication process, authentication information for proving legitimacy needs to be provided to the access device by the server.
Each object has authentication information for authenticating the legitimacy of the server, which may differ from one object to another and must therefore be stored separately by the server. The number of objects stored on a server is generally large, especially where virtual host technology is applied or in a Content Delivery Network (CDN) scenario. The problem caused by these massive numbers of objects is that the server needs to store a massive amount of authentication information on its local disk, which imposes no small storage pressure.
Therefore, the embodiment of the invention provides an authentication method, an authentication device and an authentication system, wherein authentication information of an object originally stored in a local disk of a server is uniformly stored in a configuration center, and is called by the server when needed, and when the server acquires an authentication request, the server can request the configuration center for acquiring the authentication information of the object through the determined identifier of the object, so that the acquired authentication information can be sent to the access equipment to finish authentication. The unified storage and calling of the authentication information in the configuration center enable the server to have no need of storing the authentication information in a local disk, the storage pressure of the server is relieved, and the processing capacity of the server is improved.
Before describing the authentication method of the present invention, a system structure of the authentication system provided in the embodiment of the present invention needs to be described.
In an embodiment of the invention, an authentication system is provided comprising an access device 10, a server 20 and a configuration center 30. For example, as shown in fig. 1a, the access device 10 is configured to send an authentication request to the server 20, where the authentication request is used to request authentication of whether the server 20 is a legal server providing an object access service. The server 20 is configured to obtain the authentication request sent by the access device 10; determine the identification of the object according to the authentication request; request the configuration center 30 to acquire the authentication information of the object according to the identifier; acquire the authentication information from the configuration center 30; and send the authentication information to the access device 10.
For example, depending on the number of servers connected to the configuration center, the configuration center may store the authentication information of the objects on one server, or of the objects on a plurality of servers (e.g., one server cluster). In the case of a plurality of servers, the content under one domain name may be stored on several servers respectively; for example, content a under domain name a is stored on server a, and content b under domain name a is stored on server b. The authentication information corresponding to these contents may be the same: in the above example, content a and content b are both under domain name a, so the authentication information of content a and of content b may in fact both be understood as the certificate of domain name a. That is, in the conventional manner, the same authentication information may need to be stored on the local disks of multiple servers; for example, server a and server b both need to store the certificate of domain name a on their local disks. If the authentication information is stored centrally in the configuration center, only one copy needs to be stored there, so repeated storage of the same authentication information is avoided and storage efficiency is improved.
Moreover, since the authentication information is used for security authentication, the authentication information belongs to sensitive information, and needs to be protected from being stolen easily. Conventionally, since the authentication information is stored in a large number of servers, each server needs additional security protection for the stored authentication information to prevent theft. These additional security measures provided on each server can increase the storage cost of storing authentication information, especially when the number of servers is large. In the embodiment of the invention, because the authentication information is uniformly stored in the configuration center, the security protection of the authentication information can be mainly arranged on the configuration center and does not need to be arranged on other servers, thereby reducing the storage cost.
Next, an authentication method provided by an embodiment of the present invention will be explained from the perspective of a server.
Fig. 1 is a flowchart of an authentication method according to an embodiment of the present invention, where the method includes:
S101: the server acquires an authentication request sent by the access device, wherein the authentication request is used for requesting to authenticate whether the server is a legal server for providing object access service.
For example, if the authentication passes, the server may be a legal server that stores the object and provides access service for it. If the authentication cannot be passed, the server may be a server hosting a phishing website, a server that does not store the object, or a server that cannot provide the access service for the target object.
The access device may be a network device, a mobile terminal, a local computer or the like capable of connecting to a network, and a client used for access, such as an app or a browser, may be deployed on the access device.
The authentication request may be understood as a request to verify whether the server is a valid server providing an access service for the object, and may also be used to verify the validity of the access device, for example whether the access device has the right to access the object. The authentication request may be embodied in the handshake of the Secure Sockets Layer (SSL) / Transport Layer Security (TLS) protocol. The authentication request mainly carries an identifier of the object to be accessed (i.e., the identifier of the object), and its specific format may be a Client Hello message in the SSL/TLS handshake.
S102: and the server determines the identification of the object according to the authentication request.
For example, the identifier may be a specific domain name, some other identifier, and so on; it may be carried directly in the authentication request, or obtained from information carried in the authentication request. Optionally, an embodiment of the present invention provides a way of obtaining the identifier: the server may search the authentication request for a Server Name Indication (SNI) and, if one is carried, extract the identifier from the SNI.
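To make the SNI lookup of S102 concrete, here is an added example (not code from the patent or from the applicant) that parses the server_name extension out of a TLS ClientHello record. The record layout follows RFC 5246 and RFC 6066; build_client_hello constructs sample input for the parser and is not captured traffic. A server would hand the extracted host name to S103 as the object identifier, and reject a request from which no well-formed identifier can be read rather than guessing one.

```python
import struct
from typing import Optional

# TLS constants (RFC 5246 record/handshake layer, RFC 6066 server_name extension)
RECORD_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
SNI_NAME_TYPE_HOST = 0x00


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Construct a minimal TLS ClientHello record, optionally carrying an SNI
    extension. Constructed sample input for this example, not captured traffic."""
    body = b"\x03\x03" + bytes(32)                  # client_version 1.2, random
    body += b"\x00"                                   # empty session_id
    body += struct.pack("!H", 2) + b"\xc0\x2f"        # one cipher suite
    body += b"\x01\x00"                               # one compression method (null)
    exts = b""
    if server_name is not None:
        host = server_name.encode("idna")
        entry = struct.pack("!BH", SNI_NAME_TYPE_HOST, len(host)) + host
        sni = struct.pack("!H", len(entry)) + entry   # ServerNameList
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    body += struct.pack("!H", len(exts)) + exts
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", RECORD_HANDSHAKE, 0x0301, len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host name from the SNI extension of a ClientHello record, or
    None when no SNI is carried. Raises ValueError for anything that is not a
    well-formed ClientHello so the caller can refuse the request."""
    try:
        if record[0] != RECORD_HANDSHAKE:
            raise ValueError("not a TLS handshake record")
        (rec_len,) = struct.unpack("!H", record[3:5])
        hs = record[5:5 + rec_len]
        if len(hs) != rec_len or hs[0] != HANDSHAKE_CLIENT_HELLO:
            raise ValueError("not a complete ClientHello")
        body_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + body_len]
        if len(body) != body_len:
            raise ValueError("truncated ClientHello")
        pos = 2 + 32                                  # client_version + random
        pos += 1 + body[pos]                          # session_id
        (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2 + cs_len                             # cipher_suites
        pos += 1 + body[pos]                          # compression_methods
        if pos == len(body):
            return None                               # no extensions block at all
        (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        end = pos + ext_len
        if end != len(body):
            raise ValueError("bad extensions length")
        while pos + 4 <= end:
            ext_type, length = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + length]
            pos += length
            if ext_type != EXT_SERVER_NAME:
                continue
            (list_len,) = struct.unpack("!H", data[:2])
            p, list_end = 2, 2 + list_len
            while p + 3 <= list_end:
                name_type, name_len = struct.unpack("!BH", data[p:p + 3])
                p += 3
                name = data[p:p + name_len]
                p += name_len
                if name_type == SNI_NAME_TYPE_HOST:
                    return name.decode("ascii")   # host_name is ASCII (IDNA) per RFC 6066
        return None
    except (IndexError, struct.error, UnicodeDecodeError) as exc:
        raise ValueError(f"malformed ClientHello: {exc}") from exc


if __name__ == "__main__":
    print(extract_sni(build_client_hello("www.taobao.com")))   # www.taobao.com
    print(extract_sni(build_client_hello(None)))               # None
```

The parser walks the variable-length fields in order instead of searching for a byte pattern, so a host name inside the random or session_id cannot be mistaken for an SNI, and every length is checked against the enclosing structure before it is used.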
S103: and the server requests a configuration center to acquire the authentication information of the object according to the identification.
For example, the authentication information described herein may be a certificate, such as a certificate for a domain name.
It should be noted that, in a conventional manner, the authentication information of the object and the key of the object are generally stored on the local disk as a pair, and the key may also be used in, for example, the SSL/TLS protocol handshake, where the key may specifically be a private key and/or a public key. Although a key is small relative to the authentication information, the keys of different objects are generally not the same, so when the number of objects stored on the server is large, a large number of keys must be stored, and this also exerts storage pressure on the server. Therefore, optionally, in the embodiment of the present invention, the configuration center may further be configured to store the keys of the objects centrally, so that the server no longer needs to store the keys on its local disk, further reducing the storage pressure.
Then, when the server requests the configuration center to acquire the authentication information according to the identifier, the server may also request the configuration center to acquire the key according to the identifier. Correspondingly, when the server acquires the authentication information, the server may further acquire the key from the configuration center.
S104: and the server acquires the authentication information from the configuration center.
In order to ensure the security of the authentication information, when the server requests the configuration center to acquire the authentication information, the data connection for transmitting the authentication information needs to ensure the security, that is, optionally, a secure connection for transmitting the authentication information may be established between the server and the configuration center. Correspondingly, the server obtains the authentication information from the configuration center, including:
and the server acquires the authentication information from the configuration center through the secure connection.
S105: the server sends the authentication information to the access device.
The access device may determine, through the authentication information, whether the server is a legitimate server that provides the access service of the object.
It can be seen that the authentication information of the object originally stored in the local disk of the server is uniformly stored in the configuration center, and is called by the server when needed, and when the server acquires an authentication request, the server can request the configuration center to acquire the authentication information of the object through the determined identifier of the object, so that the acquired authentication information can be sent to the access device to complete authentication. The unified storage and calling of the authentication information in the configuration center enable the server to have no need of storing the authentication information in a local disk, the storage pressure of the server is relieved, and the processing capacity of the server is improved.
The inventor finds that, in the conventional method, the server needs to store all the authentication information of stored objects in the local disk, and in the actual operation process, due to the locality principle, the server may need to load all the authentication information into the memory so as to send the corresponding authentication information to the access device during authentication, and the full loading manner of the authentication information may cause a huge pressure on the memory of the server.
Therefore, the embodiment of the invention provides a dynamic loading mode for the memory, so as to relieve the huge pressure of the memory in the traditional mode. Optionally, on the basis of the embodiment corresponding to fig. 1, after performing S104, as shown in fig. 2:
S201: the server caches the acquired authentication information in a memory.
For example, when the user access volume is large, the server receives many authentication requests, so it is possible that multiple authentication requests within a short time are all requests for the same object. If the server did not cache the authentication information in memory, it would have to request it from the configuration center each time an authentication request for the object is received. With the improvement of the embodiment corresponding to fig. 2, the authentication information may be cached in memory; the advantage is that, once it is cached, if an authentication request that requires authentication of the object is received, the authentication information may be called directly from memory for authentication, reducing the number of interactions between the server and the configuration center.
Optionally, the authentication information may be called directly from the memory as follows: before executing S104, i.e., before the server requests the configuration center to acquire the authentication information of the object according to the identifier, the method further includes:
and the server judges whether the authentication information is cached in the memory or not according to the identification.
And if the authentication information is cached in the memory, the server calls the authentication information from the memory and sends the authentication information to the access equipment.
And if the authentication information is not cached in the memory, executing the step that the server requests a configuration center to acquire the authentication information of the object according to the identification.
For example, if the authentication information is cached in the memory, it may be understood that the server has performed authentication on the object before. If the authentication information is not cached in the memory, it may be understood that the server has not previously performed authentication on the object, or it may be understood that the server has previously performed authentication on the object, but the authentication information cached in the memory may have been removed due to a long time or the like.
Next, the reason why the authentication information needs to be removed from the memory, and how it is removed, will be described in S202.
S202: and the server judges whether the authentication information is removed from the memory according to the use condition of the authentication information.
Before describing the embodiment corresponding to fig. 2, it was mentioned that the inventors found a technical problem in the conventional manner: the memory pressure is large. On the other hand, caching the authentication information in memory also reduces, to a certain extent, the number of interactions between the server and the configuration center. Therefore, in this step, whether the authentication information is kept in memory is determined dynamically according to the usage of the authentication information. The usage may be the number of calls; for example, the authentication information may be removed from the memory if the number of times it is called from memory per unit time is less than m times. Alternatively, a Least Recently Used (LRU) algorithm may be combined with the usage of the authentication information to decide whether to remove it from memory. Of course, other modes are possible and are not described in detail here.
Therefore, whether the authentication information is removed from the memory or not is dynamically judged, the effect of dynamically adjusting the authentication information needing to be cached in the memory can be achieved, the memory loading efficiency is improved, and the memory loading pressure is reduced.
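The in-memory caching of S201 and the usage-based removal of S202, as an added example rather than the patent's or the applicant's own code: the server-side cache below checks memory first, fetches certificate and key from the configuration center on a miss, evicts the least recently used entry when the cache is full, and at the end of each time window removes entries called fewer than min_hits times (the m of the description). FakeConfigCenter, AuthMaterial and the PEM placeholders are constructed stand-ins; the secure connection of S104 is assumed to sit underneath fetch and is not modelled.

```python
from collections import OrderedDict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class AuthMaterial:
    """Certificate plus key for one object, as held by the configuration center
    (constructed placeholder bytes here, not real PEM)."""
    certificate: bytes
    key: bytes


class FakeConfigCenter:
    """Stand-in for the configuration center. The real one would be reached over
    the secure connection of S104; here fetch() only counts round trips so the
    effect of the cache is measurable."""

    def __init__(self, store: Dict[str, AuthMaterial]) -> None:
        self._store = store
        self.requests = 0

    def fetch(self, identifier: str) -> AuthMaterial:
        self.requests += 1
        try:
            return self._store[identifier]
        except KeyError:
            raise LookupError(f"no authentication information for {identifier!r}") from None


class _Entry:
    __slots__ = ("material", "hits")

    def __init__(self, material: AuthMaterial) -> None:
        self.material = material
        self.hits = 0            # calls from memory in the current window


class AuthInfoCache:
    """Server memory cache for authentication information.

    get() implements the check-memory-first path; when the cache is full the
    least recently used entry is dropped. sweep() is run once per unit time and
    removes entries that were called fewer than min_hits times in that window.
    """

    def __init__(self, center: FakeConfigCenter, capacity: int, min_hits: int) -> None:
        if capacity < 1:
            raise ValueError("capacity must be at least 1")
        self._center = center
        self._capacity = capacity
        self._min_hits = min_hits
        self._entries: "OrderedDict[str, _Entry]" = OrderedDict()

    def get(self, identifier: str) -> AuthMaterial:
        entry = self._entries.get(identifier)
        if entry is None:
            # Cache miss: request certificate and key from the configuration center.
            entry = _Entry(self._center.fetch(identifier))
            self._entries[identifier] = entry
            if len(self._entries) > self._capacity:
                self._entries.popitem(last=False)      # evict least recently used
        else:
            self._entries.move_to_end(identifier)      # mark as most recently used
        entry.hits += 1
        return entry.material

    def cached(self) -> List[str]:
        """Identifiers currently in memory, least recently used first."""
        return list(self._entries)

    def sweep(self) -> List[str]:
        """End-of-window pass: drop under-used entries and reset the counters."""
        removed = [k for k, e in self._entries.items() if e.hits < self._min_hits]
        for k in removed:
            del self._entries[k]
        for e in self._entries.values():
            e.hits = 0
        return removed


if __name__ == "__main__":
    center = FakeConfigCenter({
        "www.taobao.com": AuthMaterial(b"CERT-PLACEHOLDER-1", b"KEY-PLACEHOLDER-1"),
        "shop.example": AuthMaterial(b"CERT-PLACEHOLDER-2", b"KEY-PLACEHOLDER-2"),
    })
    cache = AuthInfoCache(center, capacity=1, min_hits=2)
    for _ in range(3):
        cache.get("www.taobao.com")
    print("round trips to configuration center:", center.requests)   # 1, not 3
    print("removed after window:", cache.sweep())                     # []
```

Keeping the hit counter per entry and resetting it in sweep keeps the usage rule local to each object, so a busy certificate survives the window while one that was fetched once for a single request is dropped and re-requested on demand.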
Fig. 3 is a device structure diagram of an authentication device according to an embodiment of the present invention, where the device includes:
a first obtaining unit 301, configured to obtain an authentication request sent by an access device, where the authentication request is used to request to authenticate whether the server is a legitimate server providing an object access service.
A determining unit 302, configured to determine the identifier of the object according to the authentication request.
A request unit 303, configured to request, according to the identifier, a configuration center to obtain the authentication information of the object.
A second obtaining unit 304, configured to obtain the authentication information from the configuration center.
A sending unit 305, configured to send the authentication information to the access device.
Optionally, the configuration center is further configured to store a key of the object, and the request unit is further configured to request the configuration center to obtain the key according to the identifier;
the second obtaining unit is further configured to obtain the key from the configuration center.
Optionally, the apparatus further includes a cache unit and a removing unit:
the cache unit is configured to cache the authentication information in a memory after the second obtaining unit is triggered;
and the removing unit is configured to decide, according to how the authentication information is used, whether to remove the authentication information from the memory.
Optionally, the apparatus further includes a judging unit:
the judging unit is configured to judge, according to the identifier, whether the authentication information is cached in the memory before the request unit is triggered;
if the judgment result is that the authentication information is cached in the memory, the judging unit calls the authentication information from the memory and triggers the sending unit;
and if the judgment result is that the authentication information is not cached in the memory, the judging unit triggers the request unit.
Optionally, the apparatus further includes an establishing unit:
the establishing unit is used for establishing a secure connection with the configuration center after the request unit is triggered;
the second obtaining unit is specifically configured to obtain the authentication information from the configuration center through the secure connection.
Optionally, the determining unit is specifically configured to search the authentication request for a Server Name Indication (SNI) and to extract the identifier from the SNI.
It can be seen that the authentication information of the object, originally stored on the local disk of the server, is stored centrally in the configuration center and called by the server when needed. When the server obtains an authentication request, it determines the identifier of the object and uses it to request the authentication information of the object from the configuration center, then sends the obtained authentication information to the access device to complete authentication. Because the authentication information is stored and called centrally in the configuration center, the server no longer needs to keep it on a local disk; the storage pressure on the server is relieved and its processing capacity is improved.
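As an added illustration (not code from the patent or its assignee), the following Python sketch runs the Fig. 3 units and step S202 together: it extracts the SNI host name from a constructed ClientHello (determining unit), checks the memory cache (judging unit), fetches from a constructed stand-in for the configuration center on a miss (request and second obtaining units), and sweeps entries that were called fewer than m times in the last window (removing unit). The LRU alternative and the key retrieval of claim 3 are left out, and the secure connection to the configuration center is assumed rather than modelled.

```python
import time

CONFIG_CENTER = {"shop.example.com": b"CERT-shop", "img.example.com": b"CERT-img"}  # constructed stand-in: identifier (SNI host) -> certificate

def build_client_hello(host):
    """Constructed test input: a TLS ClientHello record whose only extension is server_name."""
    name = host.encode("ascii")
    sni = b"\x00" + len(name).to_bytes(2, "big") + name                 # host_name type, length, name
    ext = b"\x00\x00" + (len(sni) + 2).to_bytes(2, "big") + len(sni).to_bytes(2, "big") + sni
    body = b"\x03\x03" + bytes(32) + b"\x00\x00\x02\x13\x01\x01\x00" + len(ext).to_bytes(2, "big") + ext  # version, random, empty session id, one suite, null compression
    hs = b"\x01" + len(body).to_bytes(3, "big") + body                  # handshake type client_hello
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs            # TLS record header

def extract_sni(rec):
    """Determining unit 302: host name from the server_name extension, or None."""
    p = 5 + 4 + 2 + 32                                                  # record/handshake headers, version, random
    p += 1 + rec[p]                                                     # session id
    p += 2 + int.from_bytes(rec[p:p + 2], "big")                        # cipher suites
    p += 1 + rec[p]                                                     # compression methods
    end, p = p + 2 + int.from_bytes(rec[p:p + 2], "big"), p + 2          # extensions block
    while p + 4 <= end:
        etype, elen = int.from_bytes(rec[p:p + 2], "big"), int.from_bytes(rec[p + 2:p + 4], "big")
        if etype == 0:                                                  # server_name: list len(2), type(1), name len(2)
            nlen = int.from_bytes(rec[p + 7:p + 9], "big")
            return rec[p + 9:p + 9 + nlen].decode("ascii")
        p += 4 + elen
    return None

class AuthInfoCache:
    """Memory cache (S201); sweep() is S202: drop entries called fewer than m times in the last window."""
    def __init__(self, m=2, window=60.0, clock=time.monotonic):
        self.m, self.window, self.clock, self.entries = m, window, clock, {}
    def get(self, ident):
        hit = self.entries.get(ident)                                   # (info, call timestamps)
        if hit:
            hit[1].append(self.clock())                                 # record the call for the usage statistics
        return hit[0] if hit else None
    def put(self, ident, info):
        self.entries[ident] = (info, [self.clock()])
    def sweep(self):
        now = self.clock()
        for ident, (_, calls) in list(self.entries.items()):
            if sum(now - t <= self.window for t in calls) < self.m:
                del self.entries[ident]

def handle_authentication(client_hello, cache):                        # units 301-305: (auth info, where it came from)
    ident = extract_sni(client_hello)
    info = cache.get(ident) if ident else None                          # judging unit: already in memory?
    if info is not None:
        return info, "memory"
    info = CONFIG_CENTER.get(ident)                                     # request unit / second obtaining unit
    if info is not None:
        cache.put(ident, info)                                          # cache unit; an unknown object gets no fallback certificate
    return info, ("configuration center" if info else "unknown object")
```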
Those of ordinary skill in the art will understand that all or part of the steps of the method embodiments may be carried out by hardware directed by program instructions; the program may be stored in a computer-readable storage medium and, when executed, performs the steps of the method embodiments. The storage medium may be at least one of the following media capable of storing program code: read-only memory (ROM), RAM, magnetic disk, or optical disk.
It should be noted that, in the present specification, all the embodiments are described in a progressive manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the apparatus and system embodiments, since they are substantially similar to the method embodiments, they are described in a relatively simple manner, and reference may be made to some of the descriptions of the method embodiments for related points. The above-described embodiments of the apparatus and system are merely illustrative, and the units described as separate parts may or may not be physically separate, and the parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
The above description is only for the preferred embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (13)

1. An authentication system, characterized in that the system comprises an access device, a server and a configuration center:
the configuration center stores authentication information of an object;
the access device is used for sending an authentication request to the server, wherein the authentication request is used for requesting to authenticate whether the server is a legitimate server for providing the object access service;
the server is used for acquiring an authentication request sent by the access equipment; determining the identification of the object according to the authentication request; requesting a configuration center to acquire authentication information of the object according to the identifier; acquiring the authentication information from the configuration center; and sending the authentication information to the access device.
2. An authentication method, the method comprising:
the method comprises the steps that a server obtains an authentication request sent by an access device, wherein the authentication request is used for requesting to authenticate whether the server is a legitimate server for providing object access service;
the server determines the identification of the object according to the authentication request;
the server requests a configuration center to acquire the authentication information of the object according to the identification;
the server acquires the authentication information from the configuration center;
the server sends the authentication information to the access device.
3. The method of claim 2, wherein the configuration center is further configured to store a key of the object, and the server requests the configuration center for authentication information of the object according to the identifier, further comprising:
the server requests the configuration center to acquire the secret key according to the identifier;
the server obtains the key from the configuration center.
4. The method of claim 2, after the server obtains the authentication information from the configuration center, further comprising:
the server caches the authentication information in a memory;
and the server judges whether the authentication information is removed from the memory according to the use condition of the authentication information.
5. The method according to any one of claims 2 to 4, before the server requests a configuration center to acquire the authentication information of the object according to the identifier, further comprising:
the server judges whether the authentication information is cached in the memory or not according to the identification;
if the authentication information is cached in the memory, the server calls the authentication information from the memory and sends the authentication information to the access device;
and if the authentication information is not cached in the memory, executing the step that the server requests a configuration center to acquire the authentication information of the object according to the identification.
6. The method of claim 2, wherein after the server requests a configuration center to obtain the authentication information of the object according to the identifier, the method further comprises:
establishing a secure connection between the server and the configuration center;
the server acquiring the authentication information from the configuration center comprises:
and the server acquires the authentication information from the configuration center through the secure connection.
7. The method of claim 2, wherein the server determining the identity of the object based on the authentication request comprises:
the server searches the Server Name Indication (SNI) from the authentication request;
and the server extracts the identification according to the SNI.
8. An authentication apparatus, characterized in that the apparatus comprises:
a first obtaining unit, configured to obtain an authentication request sent by an access device, where the authentication request is used to request authentication of whether the server is a legitimate server that provides an object access service;
a determining unit, configured to determine an identifier of the object according to the authentication request;
a request unit, configured to request a configuration center to acquire the authentication information of the object according to the identifier;
a second obtaining unit, configured to obtain the authentication information from the configuration center;
a sending unit, configured to send the authentication information to the access device.
9. The apparatus according to claim 8, wherein the configuration center is further configured to store a key of the object, and the request unit is further configured to request the configuration center to obtain the key according to the identifier;
the second obtaining unit is further configured to obtain the key from the configuration center.
10. The apparatus of claim 8, further comprising a cache unit and a removing unit:
the cache unit is configured to cache the authentication information in a memory after the second obtaining unit is triggered;
and the removing unit is used for judging whether the authentication information is removed from the memory according to the using condition of the authentication information.
11. The apparatus according to any one of claims 8 to 10, further comprising a judging unit:
the judging unit is used for judging whether the authentication information is cached in the memory or not according to the identifier before the request unit is triggered;
if the judgment result is that the authentication information is cached in the memory, the judgment unit calls the authentication information from the memory and triggers the sending unit;
and if the judgment result is that the authentication information is not cached in the memory, triggering the request unit.
12. The apparatus of claim 8, further comprising an establishing unit:
the establishing unit is used for establishing a secure connection with the configuration center after the request unit is triggered;
the second obtaining unit is specifically configured to obtain the authentication information from the configuration center through the secure connection.
13. The apparatus according to claim 8, wherein the determining unit is specifically configured to look up a server name indication SNI from the authentication request; and extracting the identification according to the SNI.
CN201610425439.8A 2016-06-15 2016-06-15 Authentication method, device and system Active CN107517178B (en)

Publications (2)

Publication Number Publication Date
CN107517178A CN107517178A (en) 2017-12-26
CN107517178B true CN107517178B (en) 2020-10-20


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant