CN107888548A - An information authentication method and device


Publication number
CN107888548A
Authority
CN
China
Legal status
Pending
Application number
CN201610874669.2A
Other languages
Chinese (zh)
Inventor
王博
Current Assignee
Beijing Kingsoft Cloud Network Technology Co Ltd
Beijing Kingsoft Cloud Technology Co Ltd
Original Assignee
Beijing Kingsoft Cloud Network Technology Co Ltd
Beijing Kingsoft Cloud Technology Co Ltd
Application filed by Beijing Kingsoft Cloud Network Technology Co Ltd, Beijing Kingsoft Cloud Technology Co Ltd

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/12: Applying verification of the received information


Abstract

The embodiments of the invention disclose an information authentication method and device, applied to a server. The method includes: receiving target information sent by a client, where the target information includes an original text, at least one piece of attribute information of the original text, a target access authorization code of the client, and a first digest value determined according to the attribute information and an access key stored locally on the client; obtaining, according to a pre-saved correspondence between access authorization codes and access keys, the target access key corresponding to the target access authorization code from the access keys stored locally on the server; determining a second digest value according to the attribute information and the target access key; judging whether the first digest value and the second digest value are identical; if so, determining that the target information passes verification; otherwise, determining that the target information fails verification. With the embodiments of the invention, forged information can be identified and information security is improved.

Description

An information authentication method and device
Technical field
The present invention relates to the field of information security technology, and in particular to an information authentication method and device.
Background art
OpenAPI is an open API (Application Programming Interface), also called an open platform. It is a new model of Internet service development in which the party providing a service (hereinafter, the server) exposes the service as API interfaces over a common data transfer protocol, such as HTTP (HyperText Transfer Protocol), for consumers of the service (hereinafter, the clients) to access and call.
In general, an OpenAPI server has to provide its service in the public Internet environment, and clients have to access the service in that same public environment. A reliable and secure communication technique is therefore something that a server providing OpenAPI services especially needs to consider. In terms of secure communication, when the server receives an access request sent by a client, it must distinguish whether the request was sent by the real client (for example, an authorized client) or was hijacked and tampered with by a man-in-the-middle and then sent by that man-in-the-middle; that is, it needs to verify the identity of the client.
In the prior art, Session (session persistence) is a commonly used identity verification technique. The client first logs in to the server; after verifying that the login succeeded, the server issues a Token to the client. Until the client logs out, every access request it sends to the server must carry this Token, and the server identifies the client from the Token carried in the access request. In practice, however, a man-in-the-middle who intercepts a client's access request can extract the Token carried in it and use the Token to forge access requests. The server verifies the client's identity only from the Token carried in the access request, and a forged access request carries the same Token, so even when the server receives a request forged by the man-in-the-middle, it cannot tell whether the request comes from the client to which the Token was issued or from the man-in-the-middle. In other words, the existing identity verification technique cannot tell whether received information is forged, and information security is low.
Summary of the invention
The purpose of the embodiments of the present invention is to provide an information authentication method and device, so as to identify forged information and improve information security.
To achieve the above purpose, an embodiment of the present invention discloses an information authentication method, applied to a server, the method including:
receiving target information sent by a client, where the target information includes: an original text, at least one piece of attribute information of the original text, a target access authorization code of the client, and a first digest value determined according to the attribute information and an access key stored locally on the client;
obtaining, according to a pre-saved correspondence between access authorization codes and access keys, the target access key corresponding to the target access authorization code from the access keys stored locally on the server;
determining a second digest value according to the attribute information and the target access key;
judging whether the first digest value and the second digest value are identical;
if so, determining that the target information passes verification; otherwise, determining that the target information fails verification.
Optionally, after receiving the target information sent by the client, the method further includes:
judging whether the target access authorization code has been pre-saved locally on the server;
if not, feeding back to the client a message that the target access authorization code is invalid;
if so, performing the step of obtaining, according to the pre-saved correspondence between access authorization codes and access keys, the target access key corresponding to the target access authorization code from the access keys stored locally on the server.
Optionally, determining the second digest value according to the attribute information and the target access key includes:
determining the second digest value according to the attribute information and the target access key, using a preset message digest algorithm.
Optionally, the at least one piece of attribute information includes: a first timestamp at which the client sends the target information;
before determining the second digest value according to the attribute information and the target access key, the method further includes:
judging whether the difference between a second timestamp and the first timestamp is not greater than a preset threshold, where the second timestamp is the moment at which the server receives the target information;
if so, performing the step of determining the second digest value according to the attribute information and the target access key.
Optionally, the method further includes:
replacing the access key stored locally on the server, and sending the new access key to the client, so that the client replaces its locally stored access key with the new access key.
Optionally, the method further includes:
in the case where the target information fails verification, feeding back to the client a message that the first digest value and the second digest value differ.
To achieve the above purpose, an embodiment of the present invention also discloses an information authentication device, applied to a server, the device including:
a receiving module, configured to receive target information sent by a client, where the target information includes: an original text, at least one piece of attribute information of the original text, a target access authorization code of the client, and a first digest value determined according to the attribute information and an access key stored locally on the client;
an obtaining module, configured to obtain, according to a pre-saved correspondence between access authorization codes and access keys, the target access key corresponding to the target access authorization code from the access keys stored locally on the server;
a determining module, configured to determine a second digest value according to the attribute information and the target access key;
a first judging module, configured to judge whether the first digest value and the second digest value are identical; if so, to trigger a first determination module; otherwise, to trigger a second determination module;
the first determination module, configured to determine that the target information passes verification;
the second determination module, configured to determine that the target information fails verification.
Optionally, the device further includes:
a second judging module, configured to judge, after the receiving module receives the target information sent by the client, whether the target access authorization code has been pre-saved locally on the server; if not, to trigger a first feedback module; if so, to trigger the obtaining module;
the first feedback module, configured to feed back to the client a message that the target access authorization code is invalid.
Optionally, the determining module is configured to:
determine the second digest value according to the attribute information and the target access key, using a preset message digest algorithm.
Optionally, the at least one piece of attribute information includes: a first timestamp at which the client sends the target information;
the device further includes:
a third judging module, configured to judge, before the determining module determines the second digest value according to the attribute information and the target access key, whether the difference between a second timestamp and the first timestamp is not greater than a preset threshold, where the second timestamp is the moment at which the server receives the target information; if so, to trigger the determining module.
Optionally, the device further includes:
a replacing and sending module, configured to replace the access key stored locally on the server and send the new access key to the client, so that the client replaces its locally stored access key with the new access key.
Optionally, the device further includes:
a second feedback module, configured to feed back to the client, in the case where the target information fails verification, a message that the first digest value and the second digest value differ.
As can be seen from the above, in the scheme provided by the embodiments of the present invention, after receiving target information that includes a first digest value, the server obtains the locally stored target access key corresponding to the target access authorization code in the target information, determines a second digest value according to the attribute information in the target information and the target access key, and judges whether the first digest value and the second digest value are identical. If so, the target information passes verification; otherwise, the target information fails verification.
Compared with the prior art, the digest value is determined from the attribute information of the target information and the access key, and the access key is held only by the server and the client, so a man-in-the-middle cannot obtain it. Therefore, even if a man-in-the-middle obtains the target information and forges it, the man-in-the-middle cannot construct a first digest value that matches the forged information. After receiving the forged information, the server uses the target access key to calculate the second digest value that matches the received information; because the first digest value and the second digest value are inconsistent, the server can easily identify the information as forged, which improves information security. Further, when the second digest value calculated by the server is identical to the first digest value in the target information, this proves that the target information was sent by an authorized client, and the client cannot deny that it sent the target information, which achieves non-repudiation on the client side. Further, when the information becomes incomplete during transmission, the second digest value calculated by the server is also inconsistent with the first digest value in the target information, so the scheme can also serve as a basis for judging whether the information is complete.
Of course, a product or method implementing the present invention does not necessarily need to achieve all of the above advantages at the same time.
Brief description of the drawings
To describe the technical solutions in the embodiments of the present invention or in the prior art more clearly, the accompanying drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and a person of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a first schematic flowchart of the information authentication method provided by an embodiment of the present invention;
Fig. 2 is a second schematic flowchart of the information authentication method provided by an embodiment of the present invention;
Fig. 3 is a third schematic flowchart of the information authentication method provided by an embodiment of the present invention;
Fig. 4 is a first schematic structural diagram of the information authentication device provided by an embodiment of the present invention;
Fig. 5 is a second schematic structural diagram of the information authentication device provided by an embodiment of the present invention;
Fig. 6 is a third schematic structural diagram of the information authentication device provided by an embodiment of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings in the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
The technical terms involved in this application are first briefly introduced below.
A user sends information to the server through a client. In existing information security technology, to ensure that the server can recognize information hijacked and forged by a man-in-the-middle, the server issues to each authorized user an access authorization code (AccessKey, AK for short) and an access key (AccessSecretKey, SK for short) corresponding to that access authorization code. When issuing the AccessKey and the corresponding SecretKey to each authorized user, the server issues them only once, through a fixed channel, to reduce the probability of the AccessKey and SecretKey leaking. The AccessKey and SecretKey should be long enough that, after a digest value is calculated with the preset message digest algorithm, the original text cannot be deduced from the digest value according to current computer science theory.
The client locally stores the access authorization code of the user corresponding to the client and the access key corresponding to that access authorization code. The server locally stores, for each authorized user, the corresponding access authorization code and the access key corresponding to that access authorization code. The access authorization code is used to distinguish user identities; the access key is a code that the server issues to the client for calculating message digest values. The access key is held only by the server and the client and must not be leaked.
A message digest algorithm (Message Digest) uses a secure one-way hash function to turn original data of arbitrary length into a digest value of fixed length. A message digest algorithm has uniqueness: digest values calculated from different information differ. It also has unforgeability: it is not feasible to find another piece of information whose digest value is identical to that of existing information. It also has irreversibility: no information about the original data can be recovered from the digest value.
The SSL (Secure Sockets Layer) protocol and its successor, the TLS (Transport Layer Security) protocol, are security protocols that provide security and data integrity for network communication. TLS and SSL encrypt the network connection at the transport layer to secure data transmission over the network; using data encryption, they ensure that data is not intercepted or eavesdropped on during network transmission. The SSL protocol has become a global standard, all mainstream browsers and web server programs support it, and it can be activated by installing an SSL certificate. An SSL certificate is a server digital certificate that complies with the SSL protocol; it is issued by a trusted certification authority (CA) after the server's identity has been verified and is deployed on the server, where it provides both website authentication and encrypted transmission.
PKI (Public Key Infrastructure) technology is a complete Internet security solution: an architecture made up of hardware, software, participants, management policies and processes, whose purpose is to create, manage, distribute, use, store and revoke digital certificates. The PKI architecture manages access keys using digital certificates: a certification authority (CA) binds a user's access key to the user's other identifying information, so that the user's identity can be verified on the Internet and the confidentiality and integrity of online data are ensured.
To solve the problems of the prior art, the embodiments of the present invention provide an information authentication method and device. The information authentication method provided by the embodiments of the present invention is described in detail first.
It should be noted that the information authentication method provided by the embodiments of the present invention can be applied to a server based on the SSL protocol or the PKI architecture, and can also be applied to other types of server; this application does not limit the type of server.
Fig. 1 is a first schematic flowchart of the information authentication method provided by an embodiment of the present invention. The method may include:
S101: receive the target information sent by the client.
The target information includes: an original text, at least one piece of attribute information of the original text, the target access authorization code of the client, and a first digest value determined according to the attribute information and the access key stored locally on the client.
In practice, the target information contains the original text of the service request that the client makes to the server. Before sending information to the server, the client can determine the attribute information corresponding to the original text. The attribute information may be the timestamp at which the client sends the target information, identification information of the data center the client wants to access, identification information of the service to be accessed, and so on. The target information may of course also include other kinds of attribute information, which this application does not limit.
The first digest value included in the target information is determined according to the attribute information and the access key stored locally on the client. Specifically, the client may calculate the first digest value using a preset message digest algorithm. In practice, the preset message digest algorithm may be a hash algorithm (Hash); typically the more secure HMAC-SHA256 algorithm can be used to calculate the first digest value of the target information.
For example, the first digest value AuthInfo1 may be calculated as AuthInfo1 = Hash(P, SK), where P is the at least one piece of attribute information corresponding to the original text and Hash() is the preset hash function.
It should be understood that a hash algorithm maps a binary value of arbitrary length to a shorter binary value of fixed length. The arbitrary-length binary value is the input of the hash algorithm, and the small binary value is called the hash value, that is, the digest value corresponding to the arbitrary-length binary value. A hash value is a unique and extremely compact numerical representation of a piece of data. If the arbitrary-length binary value is changed, even by a single byte, the hash algorithm produces a different hash value. In other words, finding two different inputs with the same hash value is computationally infeasible, so the hash value of data can be used to check the integrity of the data.
A hash algorithm can therefore be used to determine the digest value of information. When the digest value determined by the server differs from the digest value determined by the client, it can be concluded that the information sent by the client differs from the information received by the server, that is, the information is incomplete or has been altered.
In one embodiment of the present invention, the information authentication method may add steps S107 and S108 to the embodiment shown in Fig. 1.
As shown in Fig. 2, after receiving the target information sent by the client (S101), the method may further include:
S107: judge whether the target access authorization code has been pre-saved locally on the server; if so, perform S102; if not, perform S108.
S108: feed back to the client a message that the target access authorization code is invalid.
It should be understood that the server locally stores the access authorization code corresponding to each authorized user. After receiving the target information, the server obtains the target access authorization code from it and can judge whether that target authorization code is stored locally. If it is, the target information was sent by an authorized user through the client, and subsequent verification can be carried out on the target information.
If the server does not store the target authorization code locally, it can feed back information to the client to inform it that the target access authorization code is invalid, so that the client can resend target information containing a valid access authorization code. This ensures normal communication between the client and the server and improves information security.
S102: according to the pre-saved correspondence between access authorization codes and access keys, obtain the target access key corresponding to the target access authorization code from the access keys stored locally on the server.
As described above, the server locally pre-saves the access authorization code corresponding to each authorized user and the access key corresponding to that access authorization code. The server can therefore obtain the target access key corresponding to the target access authorization code from the locally stored access keys, according to the pre-saved correspondence between access authorization codes and access keys.
S103: determine the second digest value according to the attribute information and the target access key.
Specifically, the server may determine the second digest value according to the attribute information and the target access key, using a preset message digest algorithm.
It should be understood that different message digest algorithms produce digest values in different formats; for example, a digest value determined with the MD5 algorithm has 128 bits, while one determined with the SHA-1 algorithm has 160 bits. Therefore, so that it is easy to judge directly whether the first digest value and the second digest value are consistent, the second digest value can be determined with the same algorithm that was used to determine the first digest value.
In practice, the preset message digest algorithm with which the server determines the second digest value may be a hash algorithm (Hash); typically the more secure HMAC-SHA256 algorithm can be used to calculate the second digest value of the target information.
For example, the second digest value AuthInfo2 may be calculated as AuthInfo2 = Hash(P, SK), where P is the at least one piece of attribute information included in the target information and Hash() is the preset hash function.
It should be noted that the target information does not contain the target access key, and message digest algorithms are irreversible, so even if a man-in-the-middle intercepts the target information, the target access key cannot be deduced from the first digest value and the attribute information. In other words, the man-in-the-middle cannot obtain the target access key and therefore cannot modify the target information. Even if the man-in-the-middle does modify the target information, a correct first digest value cannot be constructed without knowing the target access key; after receiving the target information, the server calculates the correct second digest value with the target access key, finds that it differs from the first digest value in the target information, and this proves that the target information is forged. If the second digest value calculated by the server is identical to the first digest value in the target information, the target information was sent by an authorized client. In this way, the client's legitimate authorized access is protected from forgery by a man-in-the-middle, and the server is also protected against the client denying that it accessed a resource.
In one embodiment of the present invention, the target information includes at least one piece of attribute information of the original text, and the attribute information may include a first timestamp at which the client sends the target information. The information authentication method may also add step S109 to the embodiment shown in Fig. 1.
As shown in Fig. 3, before determining the second digest value according to the attribute information and the target access key (S103), the method may further include:
S109: judge whether the difference between the second timestamp and the first timestamp is not greater than a preset threshold, where the second timestamp is the moment at which the server receives the target information; if so, perform S103.
It should be understood that, when sending the target information, the client can determine the moment of sending and add the corresponding timestamp to the target information as a piece of attribute information; when the server receives the target information, it can determine the timestamp corresponding to the moment of receipt.
When the difference between the two timestamps is greater than the preset threshold, the probability that the target information was hijacked and forged by a man-in-the-middle is relatively high. To ensure information security, the server may therefore skip subsequent verification of the target information and directly refuse to respond to the access request corresponding to the target information. When the difference between the two timestamps is not greater than the preset threshold, subsequent verification can be carried out on the target information.
S104: judge whether the first digest value and the second digest value are identical; if so, perform S105; otherwise, perform S106.
S105: determine that the target information passes verification.
S106: determine that the target information fails verification.
When the first digest value in the target information is identical to the second digest value determined by the server, the target information was sent by an authorized user through the client, and the target information passes verification. When the first digest value in the target information differs from the second digest value determined by the server, the target information received is inconsistent with the target information sent by the client, and the target information fails verification.
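The client-side digest calculation and the server-side flow of Figs. 1 to 3 (S101 to S109), as an added example that is not part of the patent text. The JSON serialization of P, the 300-second threshold, the field names, the sample AK/SK pair and the `body_sha256` attribute (a hash of the original text placed among the attributes so that the digest over P also covers the original text) are assumptions of this example.

```python
import hashlib
import hmac
import json
import time

# Constructed sample store: access authorization code (AK) -> access key (SK).
ACCESS_KEYS = {"AK-EXAMPLE-0001": b"constructed-sample-access-key-0001"}
MAX_SKEW_SECONDS = 300  # assumed value for the preset threshold of S109


def canonical(attrs):
    """Serialize the attribute information P deterministically (assumed encoding)."""
    return json.dumps(attrs, sort_keys=True, separators=(",", ":")).encode("utf-8")


def digest(attrs, access_key):
    """AuthInfo = Hash(P, SK), with HMAC-SHA256 as the preset digest algorithm."""
    return hmac.new(access_key, canonical(attrs), hashlib.sha256).hexdigest()


def build_target_info(original_text, access_code, access_key, service, now=None):
    """Client side: assemble the target information sent to the server."""
    attrs = {
        "timestamp": int(time.time() if now is None else now),  # first timestamp
        "service": service,  # identifier of the service to be accessed
        # Assumption of this example: a hash of the original text is one attribute,
        # so the digest over P also covers the original text.
        "body_sha256": hashlib.sha256(original_text).hexdigest(),
    }
    return {
        "original_text": original_text,
        "attributes": attrs,
        "access_code": access_code,
        "digest": digest(attrs, access_key),  # first digest value
    }


def verify_target_info(info, now=None):
    """Server side: S107/S108, S102, S109, S103, S104-S106. Returns (passed, reason)."""
    # S107/S102: is the access authorization code known, and which key maps to it?
    access_key = ACCESS_KEYS.get(info.get("access_code"))
    if access_key is None:
        return False, "invalid access authorization code"  # S108

    attrs = info.get("attributes")
    if not isinstance(attrs, dict):
        return False, "missing attribute information"

    # S109: compare the second timestamp (receipt) with the first (sending).
    # abs() also rejects timestamps that lie too far in the future.
    first_ts = attrs.get("timestamp")
    second_ts = time.time() if now is None else now
    if not isinstance(first_ts, (int, float)) or abs(second_ts - first_ts) > MAX_SKEW_SECONDS:
        return False, "timestamp outside allowed window"

    # S103: recompute the digest with the same algorithm the client used.
    second_digest = digest(attrs, access_key)

    # S104: constant-time comparison, so response timing does not reveal how many
    # leading characters of a submitted digest were correct.
    first_digest = str(info.get("digest", ""))
    if not hmac.compare_digest(second_digest.encode(), first_digest.encode()):
        return False, "digest mismatch"  # S106

    # Example-specific check: the original text must match the hash bound into P.
    body_hash = hashlib.sha256(info.get("original_text", b"")).hexdigest()
    claimed = str(attrs.get("body_sha256", ""))
    if not hmac.compare_digest(body_hash.encode(), claimed.encode()):
        return False, "original text does not match attributes"  # S106

    return True, "verified"  # S105


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed sending time
    sk = ACCESS_KEYS["AK-EXAMPLE-0001"]
    msg = build_target_info(b"GET /v1/objects/report.csv", "AK-EXAMPLE-0001", sk,
                            "object-storage", now=t0)
    print(verify_target_info(msg, now=t0 + 10))
    altered = dict(msg, attributes=dict(msg["attributes"], service="billing"))
    print(verify_target_info(altered, now=t0 + 10))
    print(verify_target_info(msg, now=t0 + 301))
```

The timestamp check bounds how long a captured message stays valid; it does not by itself make each message single-use.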
It should be noted that in actual applications, target information is verified not by may be caused by two kinds of situations:
First, because client and service end have largely used internet in communication process, and internet is one and opened The network environment put, third party go-between may be intercepted and captured the target information that client is sent and carried out by other technologies means Forge, correct first digest value can not be constructed because go-between does not know target access key so that server is receiving The second digest value calculated after to target information and the first digest value in target information are inconsistent.
Second, there may be all multiple network equipments among the communicating pair of internet, target information in transmitting procedure by The incomplete situation of information occurs in factors such as networks, such as lost part byte or byte order are changed so that service Device is inconsistent in the second digest value calculated after receiving target information and the first digest value in target information.
, can also be to client feedback in target information checking not in the case of in a kind of embodiment The message that first digest value and the second digest value differ, in order to which client resends target information, ensure client with Normally communicated between server, improve the security of information.
In practical applications, to ensure the security of the access key, the server may replace the access key it stores locally and send the replaced access key to the client, so that the client replaces its locally stored access key with the new one. Specifically, the server may replace the access key periodically, and when sending the access key to the client, send it once through a fixed channel, to reduce the probability of the access key being leaked.
As can be seen from the above, in the scheme provided by the embodiment of the present invention, after receiving target information that contains a first digest value, the server obtains the locally stored target access key corresponding to the target access authorization code in the target information, determines a second digest value according to the attribute information in the target information and the target access key, and judges whether the first digest value and the second digest value are identical; if so, the target information passes verification; otherwise, the target information fails verification.
Compared with the prior art, the digest value is determined based on the attribute information of the target information and the access key, and the access key is held exclusively by the server and the client, so a man-in-the-middle cannot obtain it. Therefore, even if a man-in-the-middle obtains the target information and forges it, it cannot construct a first digest value that matches the forged information. After receiving the forged information, the server uses the target access key to calculate the second digest value that matches the received information; because the first digest value and the second digest value are inconsistent, the server can easily identify the information as forged, which improves the security of the information. Further, when the second digest value calculated by the server is identical to the first digest value in the target information, this proves that the target information was sent by an authorized client, and the client cannot deny having sent it, which achieves non-repudiation by the client. Further, when the information becomes incomplete during transmission, the second digest value calculated by the server is also inconsistent with the first digest value in the target information, so the scheme can also serve as a basis for judging whether the information is complete.
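The server-side checks summarized above (authorization-code lookup, timestamp threshold, recomputing and comparing the digest), shown as an added Python example that is not part of the patent text. HMAC-SHA256 as the preset digest algorithm, the JSON canonicalization, the `content_sha256` attribute that ties the original text to the signed attributes, the 300-second threshold and all function and field names are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed server-side store: access authorization code -> access key.
ACCESS_KEYS = {"AK-demo-001": b"constructed-shared-access-key"}
MAX_SKEW_SECONDS = 300  # preset threshold; the value is an assumption


def compute_digest(attrs, access_key):
    """Keyed digest over the attribute information (HMAC-SHA256 is assumed)."""
    # Canonical JSON so client and server hash byte-identical input.
    data = json.dumps(attrs, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hmac.new(access_key, data, hashlib.sha256).hexdigest()


def build_target_information(original, auth_code, access_key, now):
    """Client side: original text, attributes, authorization code, first digest."""
    attrs = {
        "timestamp": int(now),  # first timestamp
        # Assumed attribute: binds the original text to the signed attributes.
        "content_sha256": hashlib.sha256(original).hexdigest(),
    }
    return {"original": original, "attributes": attrs, "auth_code": auth_code,
            "digest": compute_digest(attrs, access_key)}


def verify_target_information(msg, now, keys=ACCESS_KEYS, max_skew=MAX_SKEW_SECONDS):
    """Server side: returns (passed, reason)."""
    # Look up the target access key by the target access authorization code.
    code = msg.get("auth_code")
    key = keys.get(code) if isinstance(code, str) else None
    if key is None:
        return False, "invalid access authorization code"

    # Compare the second timestamp (receipt time) with the first timestamp.
    attrs = msg.get("attributes")
    if not isinstance(attrs, dict) or type(attrs.get("timestamp")) is not int:
        return False, "missing or malformed timestamp"
    if abs(int(now) - attrs["timestamp"]) > max_skew:
        return False, "timestamp outside preset threshold"

    # Recompute the second digest and compare it in constant time.
    second = compute_digest(attrs, key)
    first = str(msg.get("digest", ""))
    if not hmac.compare_digest(second.encode(), first.encode()):
        return False, "digest mismatch"

    # Check the original text against the attribute covered by the digest.
    original = msg.get("original")
    if not isinstance(original, bytes) or \
            hashlib.sha256(original).hexdigest() != attrs.get("content_sha256"):
        return False, "original text does not match signed attributes"
    return True, "verified"


if __name__ == "__main__":
    now = 1_700_000_000  # constructed clock value
    msg = build_target_information(b"constructed request body", "AK-demo-001",
                                   ACCESS_KEYS["AK-demo-001"], now)
    print(verify_target_information(msg, now + 10))
    print(verify_target_information(dict(msg, original=b"tampered"), now + 10))
    print(verify_target_information(msg, now + 3600))
```

Because the digest in this scheme covers the attribute information rather than the original text itself, the example includes a content hash among the attributes so that a modified original text is also rejected.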
Corresponding to the above information authentication method, the embodiment of the present invention further provides an information authentication device.
Corresponding to the method embodiment shown in Fig. 1, Fig. 4 is a first structural schematic diagram of the information authentication device provided by the embodiment of the present invention. The device is applied to a server and may include:
Receiving module 401, configured to receive target information sent by a client, wherein the target information includes: an original text, at least one piece of attribute information of the original text, a target access authorization code of the client, and a first digest value determined according to the attribute information and an access key stored locally by the client;
Obtaining module 402, configured to obtain, according to a pre-saved correspondence between access authorization codes and access keys, the target access key corresponding to the target access authorization code from the access keys stored locally by the server;
Determining module 403, configured to determine a second digest value according to the attribute information and the target access key;
First judging module 404, configured to judge whether the first digest value and the second digest value are identical; if so, trigger the first determination module 405; otherwise, trigger the second determination module 406;
First determination module 405, configured to determine that the target information passes verification;
Second determination module 406, configured to determine that the target information fails verification.
In practical applications, as shown in the second structural schematic diagram of the information authentication device in Fig. 5, the device may further include:
Second judging module 407, configured to judge, after the receiving module 401 receives the target information sent by the client, whether the server has locally pre-saved the target access authorization code; if not, trigger the first feedback module 408; if so, trigger the obtaining module 402;
First feedback module 408, configured to feed back to the client a message that the target access authorization code is invalid.
In practical applications, the determining module 403 is specifically configured to:
Determine the second digest value according to the attribute information and the target access key, using a preset message digest algorithm.
In practical applications, the at least one piece of attribute information includes: a first timestamp at which the client sends the target information;
As shown in the third structural schematic diagram of the information authentication device in Fig. 6, the device may further include:
Third judging module 409, configured to judge, before the determining module 403 determines the second digest value according to the attribute information and the target access key, whether the difference between a second timestamp and the first timestamp is not more than a preset threshold, wherein the second timestamp is the moment at which the server receives the target information; if so, trigger the determining module 403.
In practical applications, the device may further include:
Replacement sending module (not shown in the figures), configured to replace the access key stored locally by the server and send the replaced access key to the client, so that the client replaces its locally stored access key with the replaced access key.
In practical applications, the device may further include:
Second feedback module (not shown in the figures), configured to feed back to the client, when the target information fails verification, a message that the first digest value and the second digest value differ.
It should be noted that, herein, relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between these entities or operations. Moreover, the terms "comprise", "include" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the existence of other identical elements in the process, method, article or device that includes the element.
The embodiments in this specification are described in a related manner; for identical or similar parts, the embodiments may refer to one another, and each embodiment focuses on its differences from the others. In particular, because the device embodiment is substantially similar to the method embodiment, its description is relatively brief; for relevant parts, refer to the description of the method embodiment.
One of ordinary skill in the art will appreciate that all or part of the steps in the above method embodiments may be completed by a program instructing the relevant hardware. The program may be stored in a computer-readable storage medium, such as a ROM/RAM, a magnetic disk or an optical disc.
The foregoing is merely the preferred embodiments of the present invention and is not intended to limit the scope of protection of the present invention. Any modification, equivalent substitution, improvement and the like made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims (12)

  1. An information authentication method, characterized in that it is applied to a server, the method comprising:
    receiving target information sent by a client, wherein the target information includes: an original text, at least one piece of attribute information of the original text, a target access authorization code of the client, and a first digest value determined according to the attribute information and an access key stored locally by the client;
    obtaining, according to a pre-saved correspondence between access authorization codes and access keys, the target access key corresponding to the target access authorization code from the access keys stored locally by the server;
    determining a second digest value according to the attribute information and the target access key;
    judging whether the first digest value and the second digest value are identical;
    if so, determining that the target information passes verification; otherwise, determining that the target information fails verification.
  2. The method according to claim 1, characterized in that, after the receiving of the target information sent by the client, the method further comprises:
    judging whether the server has locally pre-saved the target access authorization code;
    if not, feeding back to the client a message that the target access authorization code is invalid;
    if so, performing the step of obtaining, according to the pre-saved correspondence between access authorization codes and access keys, the target access key corresponding to the target access authorization code from the access keys stored locally by the server.
  3. The method according to claim 1, characterized in that the determining of the second digest value according to the attribute information and the target access key comprises:
    determining the second digest value according to the attribute information and the target access key, using a preset message digest algorithm.
  4. The method according to claim 1, characterized in that the at least one piece of attribute information includes: a first timestamp at which the client sends the target information;
    before the determining of the second digest value according to the attribute information and the target access key, the method further comprises:
    judging whether the difference between a second timestamp and the first timestamp is not more than a preset threshold, wherein the second timestamp is the moment at which the server receives the target information;
    if so, performing the step of determining the second digest value according to the attribute information and the target access key.
  5. The method according to claim 1, characterized in that the method further comprises:
    replacing the access key stored locally by the server, and sending the replaced access key to the client, so that the client replaces its locally stored access key with the replaced access key.
  6. The method according to claim 1, characterized in that the method further comprises:
    when the target information fails verification, feeding back to the client a message that the first digest value and the second digest value differ.
  7. An information authentication device, characterized in that it is applied to a server, the device comprising:
    a receiving module, configured to receive target information sent by a client, wherein the target information includes: an original text, at least one piece of attribute information of the original text, a target access authorization code of the client, and a first digest value determined according to the attribute information and an access key stored locally by the client;
    an obtaining module, configured to obtain, according to a pre-saved correspondence between access authorization codes and access keys, the target access key corresponding to the target access authorization code from the access keys stored locally by the server;
    a determining module, configured to determine a second digest value according to the attribute information and the target access key;
    a first judging module, configured to judge whether the first digest value and the second digest value are identical; if so, trigger a first determination module; otherwise, trigger a second determination module;
    the first determination module, configured to determine that the target information passes verification;
    the second determination module, configured to determine that the target information fails verification.
  8. The device according to claim 7, characterized in that the device further comprises:
    a second judging module, configured to judge, after the receiving module receives the target information sent by the client, whether the server has locally pre-saved the target access authorization code; if not, trigger a first feedback module; if so, trigger the obtaining module;
    the first feedback module, configured to feed back to the client a message that the target access authorization code is invalid.
  9. The device according to claim 7, characterized in that the determining module is configured to:
    determine the second digest value according to the attribute information and the target access key, using a preset message digest algorithm.
  10. The device according to claim 7, characterized in that the at least one piece of attribute information includes: a first timestamp at which the client sends the target information;
    the device further comprises:
    a third judging module, configured to judge, before the determining module determines the second digest value according to the attribute information and the target access key, whether the difference between a second timestamp and the first timestamp is not more than a preset threshold, wherein the second timestamp is the moment at which the server receives the target information; if so, trigger the determining module.
  11. The device according to claim 7, characterized in that the device further comprises:
    a replacement sending module, configured to replace the access key stored locally by the server and send the replaced access key to the client, so that the client replaces its locally stored access key with the replaced access key.
  12. The device according to claim 7, characterized in that the device further comprises:
    a second feedback module, configured to feed back to the client, when the target information fails verification, a message that the first digest value and the second digest value differ.
Application CN201610874669.2A (priority date 2016-09-30, filing date 2016-09-30): A kind of Information Authentication method and device. Status: Pending. Publication: CN107888548A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20180406