CN108023874B - Single sign-on verification device and method and computer readable storage medium - Google Patents

Info

Publication number
CN108023874B
Authority
CN
China
Prior art keywords
user data
token information
login request
time
verification
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201711131291.8A
Other languages
Chinese (zh)
Other versions
CN108023874A (en)
Inventor
张迪
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ping An Technology Shenzhen Co Ltd
Original Assignee
Ping An Technology Shenzhen Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Application filed by Ping An Technology Shenzhen Co Ltd
Priority to CN201711131291.8A
Priority to PCT/CN2018/076107 (WO2019095567A1)
Publication of CN108023874A
Application granted
Publication of CN108023874B
Legal status: Active (current)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3297 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving time stamps, e.g. generation of time stamps

Abstract

The invention discloses a single sign-on verification device, which comprises a memory and a processor, wherein a single sign-on verification program which can run on the processor is stored in the memory, and the program realizes the following steps when being executed by the processor: judging whether a login request sent by a user terminal contains token information or not; if so, acquiring token information and user data from the login request, and recording the time of receiving the login request; decrypting the token information by using the key to acquire user data and credential creation time contained in the token information; if the user data contained in the login request is consistent with the user data contained in the token information and the time difference between the recorded time and the credential creating time is smaller than a preset threshold value, judging that the verification is passed; otherwise, the check is judged to fail. The invention also provides a single sign-on verification method and a computer readable storage medium. The invention reduces the data volume needing to be maintained and improves the verification efficiency of single sign-on.

Description

Single sign-on verification device and method and computer readable storage medium
Technical Field
The invention relates to the technical field of computers, in particular to a single sign-on verification device and method and a computer readable storage medium.
Background
In existing single sign-on technology, the verification scheme is generally as follows. When a user terminal logs in to an application system for the first time, the server generates unique token information (a token), establishes a mapping between the token and the logged-in account, and sends the token to the user terminal. When the user terminal subsequently logs in to other application systems it carries the token for verification and no longer has to enter an account number, password or similar information, so the user can access all mutually trusted application systems after logging in only once.
In this scheme a database must be set up on the server side to maintain a large amount of user account information, the tokens assigned to those accounts, and the mappings between them. When a login request containing a token is received, the user information is found by querying the database for the correspondence between the token and the user, and the user's login authority is then verified. The scheme therefore not only requires the server side to maintain a large amount of data, but also requires the mapping to be queried from the database on every verification, so verification efficiency is low.
Disclosure of Invention
The invention provides a single sign-on verification device, a single sign-on verification method and a computer readable storage medium, and mainly aims to reduce the data volume maintained by a server and improve the verification efficiency of single sign-on.
In order to achieve the above object, the present invention provides a single sign-on verification apparatus, including a memory and a processor, where the memory stores a single sign-on verification program executable on the processor, and the single sign-on verification program implements the following steps when executed by the processor:
when a login request sent by a user terminal is received, judging whether the login request contains token information;
if the login request contains token information, acquiring the token information and user data from the login request, and recording the time of receiving the login request;
decrypting the token information by using a decryption algorithm corresponding to a first preset encryption algorithm and a pre-stored key to obtain user data and credential creation time contained in the token information;
comparing the user data contained in the login request with the user data contained in the token information, and judging whether the time difference between the recorded time and the credential creation time is less than a preset threshold value;
if the user data contained in the login request is consistent with the user data contained in the token information and the time difference is smaller than a preset threshold value, judging that the verification is passed;
otherwise, the check is judged to fail.
Optionally, the single sign-on verification program may be further executed by the processor, so as to implement the following steps after the step of determining whether the token information is included in the login request when the login request sent by the user terminal is received:
if the login request does not contain token information, user data are obtained from the login request, wherein the user data at least comprise user identity information and a service system identifier;
taking the current time as the voucher creation time, and acquiring a prestored secret key;
based on the secret key and a first preset encryption algorithm, encrypting the user data and the voucher creating time;
and acquiring a character string obtained through encryption processing, taking the character string as token information, and sending the token information to the user terminal.
Optionally, the step of encrypting the user data and the credential creation time based on the key and a first preset encryption algorithm includes:
encrypting the user data based on the secret key and a first preset encryption algorithm to generate a first encryption result, and encrypting the voucher creation time based on a second preset encryption algorithm to generate a second encryption result;
synthesizing the first encryption result and the second encryption result into a character string;
and encrypting the character string based on the second preset encryption algorithm.
Optionally, the first encryption algorithm is an advanced encryption standard AES algorithm, and the second preset encryption algorithm is a BASE64 algorithm.
Optionally, the single sign-on verification program may be further executed by the processor, so that before the step of determining whether the token information is included in the login request when the login request sent by the user terminal is received, the following steps are further implemented:
acquiring current time, and generating a variable factor according to the current time and preset reference time;
and acquiring a random character string from an encryption machine, and encrypting the random character string and the variable factor by using a third preset encryption algorithm to generate and store the key.
In addition, to achieve the above object, the present invention further provides a single sign-on verification method, including:
when a login request sent by a user terminal is received, judging whether the login request contains token information;
if not, acquiring user data from the login request, wherein the user data at least comprises user identity information and a service system identifier;
taking the current time as the voucher creation time, and acquiring a prestored secret key;
based on the secret key and a first preset encryption algorithm, encrypting the user data and the voucher creating time;
and acquiring a character string obtained through encryption processing, taking the character string as token information, and sending the token information to the user terminal.
Optionally, after the step of determining whether the token information is included in the login request when the login request sent by the user terminal is received, the method further includes the following steps:
if the login request contains token information, acquiring the token information and user data from the login request, and recording the time of receiving the login request;
decrypting the token information by using a decryption algorithm corresponding to the first preset encryption algorithm and the key to acquire user data and credential creation time contained in the token information;
comparing the user data contained in the login request with the user data contained in the token information, and judging whether the time difference between the recorded time and the credential creation time is less than a preset threshold value;
if the user data contained in the login request is consistent with the user data contained in the token information and the time difference is smaller than a preset threshold value, judging that the verification is passed;
otherwise, the check is judged to fail.
Optionally, the step of encrypting the user data and the credential creation time based on the key and a first preset encryption algorithm includes:
encrypting the user data based on the secret key and a first preset encryption algorithm to generate a first encryption result, and encrypting the voucher creation time based on a second preset encryption algorithm to generate a second encryption result;
synthesizing the first encryption result and the second encryption result into a character string;
and encrypting the character string based on the second preset encryption algorithm.
Optionally, before the step of determining whether the token information is included in the login request when the login request sent by the user terminal is received, the method further includes the following steps:
acquiring current time, and generating a variable factor according to the current time and preset reference time;
and acquiring a random character string from an encryption machine, and encrypting the random character string and the variable factor by using a third preset encryption algorithm to generate and store the key.
In addition, to achieve the above object, the present invention further provides a computer readable storage medium, on which a single sign-on verification program is stored, where the single sign-on verification program is executable by one or more processors to implement the steps of the single sign-on verification method described above.
The invention provides a single sign-on verification device, a single sign-on verification method and a computer readable storage medium. When a login request sent by a user terminal carries token information, the user data and the token information are obtained from the login request, the time at which the login request was received is recorded, and the token information is decrypted with a decryption algorithm corresponding to a first preset encryption algorithm and a pre-stored key to obtain the user data and credential creation time it contains. The user data contained in the login request is compared with the user data contained in the token information, and it is judged whether the time difference between the recorded time and the obtained credential creation time is smaller than a preset threshold value; if both conditions hold, the token information is judged to be legal and the verification is judged to be passed, otherwise the verification is judged to fail. In this scheme the token information carried in the login request for verifying authority contains the encrypted user data and credential creation time, so both can be recovered by decrypting the token information and compared against the user data contained in the login request to check the legality of the token information, which reduces the data volume to be maintained and improves verification efficiency.
Drawings
FIG. 1 is a diagram of a single sign-on verification apparatus according to a preferred embodiment of the present invention;
FIG. 2 is a block diagram of a single sign-on verification process according to an embodiment of the single sign-on verification apparatus of the present invention;
FIG. 3 is a flowchart illustrating a single sign-on verification method according to a preferred embodiment of the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
The invention provides a single sign-on verification device. Fig. 1 is a schematic diagram of a verification apparatus for single sign-on according to a preferred embodiment of the present invention.
In this embodiment, the single sign-on verification apparatus at least includes a memory 11, a processor 12, a communication bus 13, and a network interface 14.
The memory 11 includes at least one type of readable storage medium, which includes a flash memory, a hard disk, a multimedia card, a card type memory (e.g., SD or DX memory, etc.), a magnetic memory, a magnetic disk, an optical disk, and the like. The memory 11 may in some embodiments be an internal storage unit of the single sign-on verification device, for example a hard disk of the single sign-on verification device. The memory 11 may also be an external storage device of the single sign-on verification apparatus in other embodiments, such as a plug-in hard disk provided on the single sign-on verification apparatus, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), and the like. Further, the memory 11 may include both an internal storage unit of the single sign-on verification apparatus and an external storage device. The memory 11 may be used to temporarily store data that has been output or is to be output, as well as application software installed in the single sign-on verification device and various types of data, such as a code of a single sign-on verification program.
The processor 12 may in some embodiments be a central processing unit (CPU), controller, microcontroller, microprocessor or other data processing chip, and is used for running program code stored in the memory 11 or processing data, for example executing the single sign-on verification program.
The communication bus 13 is used to realize connection communication between these components.
The network interface 14 may optionally include a standard wired interface, a wireless interface (e.g., WI-FI interface), typically used to establish a communication link between the apparatus and other electronic devices.
Fig. 1 shows only a single sign-on verification device with components 11-14 and a single sign-on verification procedure, but it is to be understood that not all of the shown components are required to be implemented, and that more or fewer components may be implemented instead.
Optionally, the device may further comprise a user interface, which may comprise a Display (Display), an input unit such as a Keyboard (Keyboard), and optionally a standard wired interface, a wireless interface. Alternatively, in some embodiments, the display may be an LED display, a liquid crystal display, a touch-sensitive liquid crystal display, an OLED (Organic Light-Emitting Diode) touch device, or the like. The display, which may also be referred to as a display screen or display unit, is suitable for displaying information processed in the single sign-on verification device and for displaying a visual user interface.
In the embodiment of the apparatus shown in fig. 1, a single sign-on verification program is stored in the memory 11; the processor 12 implements the following steps when executing the single sign-on verification program stored in the memory 11:
and when a login request sent by a user terminal is received, judging whether the login request contains the token information.
And if the login request contains token information, acquiring the token information and user data from the login request, and recording the time of receiving the login request.
The single sign-on verification apparatus proposed in this embodiment may be a single sign-on server. The login request received by the verification device can be sent directly by the user terminal, or can be sent by the user terminal to the service system and then redirected by the service system to the verification device. The verification device detects whether token information exists in the login request; if it does, this login of the user terminal is not its first login, and the token information was issued by the verification device at an earlier login.
The verification device distributes token information to the user terminal in the following implementation mode: when the user terminal logs in the service system for the first time or when the token carried in the login request is detected to be invalid, the token is distributed for the user terminal.
Specifically, as an implementation manner, if the login request does not have token information, obtaining user data from the login request, where the user data at least includes user identity information and a service system identifier; taking the current time as the voucher creation time, and acquiring a prestored secret key; based on the secret key and a first preset encryption algorithm, encrypting the user data and the voucher creating time; and acquiring a character string obtained through encryption processing, taking the character string as token information, and sending the token information to the user terminal.
In some embodiments, the user data may include, but is not limited to, the following: user identity information, service system identifier, user IP address, single sign-on server group, IP address of the host where the proxy is located, and the like. These fields are obtained from the login request and concatenated, separated by "|". After the user data is obtained, a key stored in advance on the server is obtained, and the user data and the credential creation time are encrypted using the key and a first preset encryption algorithm, where the credential creation time is the current time, i.e. the time at which the encryption is performed. Alternatively, in some embodiments, the user data and the credential creation time may be encrypted separately and the combined result then encrypted again.
Specifically, the step of encrypting the user data and the credential creation time based on the key and a first preset encryption algorithm includes:
encrypting the user data based on the secret key and a first preset encryption algorithm to generate a first encryption result, and encrypting the voucher creation time based on a second preset encryption algorithm to generate a second encryption result; synthesizing the first encryption result and the second encryption result into a character string; and encrypting the character string based on the second preset encryption algorithm.
For example, if the key is PK(V) and the credential creation time is cTime, the result obtained after the encryption processing according to the above steps is enToken = BASE64((AES(PK(V), DeToken) || BASE64(cTime))), where DeToken is the user data.
The key used in the above process may be stored after being acquired from another channel by the verification apparatus, or may be generated by the verification apparatus according to the following steps:
acquiring current time, and generating a variable factor according to the current time and preset reference time; and acquiring a random character string from an encryption machine, and encrypting the random character string and the variable factor by using a third preset encryption algorithm to generate and store the key.
Specifically, the current time cTime and a preset reference time tTime are obtained, and a variable factor V = (cTime - tTime) / tTime is calculated. A random string SEED is obtained from the encryption machine, and the variable factor V and the random string SEED are encrypted with the third preset encryption algorithm, which may be the HMAC_SHA_1 algorithm. The specific process of generating the key is as follows:
PK(V) = HOTP(SEED, V) || HOTP(SEED, V+1), where "||" is the concatenation operator;
HOTP(K, C) = (HMAC_SHA_1(K', C') & 0x7FFFFFFF) mod 10^d, where K' is the hash data of K and C' is the hash data of C. SEED and V are then substituted for K and C respectively to compute HOTP(SEED, V) and HOTP(SEED, V+1). Hashing with HMAC_SHA_1 yields a 20-byte (40 hexadecimal digit) value; mod is the remainder operation, and taking the result modulo 10^d gives a d-digit numeric code. HOTP is the HMAC-based one-time password algorithm. HMAC (hash-based message authentication code) is built on a hash algorithm: it takes a key and a message as input and produces a message digest as output, and it can be combined with any iterative hash function, for example with SHA_1 (Secure Hash Algorithm) to form the HMAC_SHA_1 algorithm.
After the token information is generated according to the above manner, the verification device sends the result obtained by the encryption processing as the token information to the user terminal for storage, and the user terminal carries the token information in the subsequently sent login request, for example, when sending the login request to other service systems having a trust relationship with the service system, the user terminal carries the token information, so that all mutually trusted application systems can be accessed only by logging in once.
If the login request contains token information, the token information and the user data contained in the login request are obtained, the time when the login request is received is recorded, and then the legality of the obtained token information is verified.
And decrypting the token information by using a decryption algorithm corresponding to a first preset encryption algorithm and a pre-stored key so as to obtain the user data and the credential creation time contained in the token information.
And comparing the user data contained in the login request with the user data contained in the token information, and judging whether the time difference between the recorded time and the voucher creation time is smaller than a preset threshold value.
And if the user data contained in the login request is consistent with the user data contained in the token information and the time difference is smaller than a preset threshold value, judging that the verification is passed.
Otherwise, the check is judged to fail.
The decryption process is essentially the inverse of the encryption process and is performed according to the first preset encryption algorithm and the pre-stored key.
Taking enToken = BASE64[AES(PK(V), DeToken) || BASE64(cTime)] as an example, decryption proceeds as follows:
AES(PK(V), DeToken) and BASE64(cTime) are obtained by the operation BASE64.decode(BASE64[AES(PK(V), DeToken) || BASE64(cTime)]), and the user data DeToken and credential creation time cTime contained in them are then obtained by the following operations:
DeToken = BASE64.decode(AES.decode(DeToken')), where DeToken' = AES(PK(V), DeToken);
cTime = BASE64.decode(cTime'), where cTime' = BASE64(cTime).
The user data obtained from the token information is compared with the user data contained in the login request, and at the same time it is judged whether the time difference between the credential creation time contained in the token information and the current time is smaller than the preset threshold value. If the user data obtained from the token information is consistent with the user data contained in the login request and the time difference is smaller than the preset threshold value, the verification passes and the user is allowed to log in to the service system directly. If the user data contained in the login request is inconsistent with the user data contained in the token information and/or the time difference is greater than or equal to the preset threshold value, the verification is judged to fail, and a login interface is returned to the user terminal so that the user can log in again after entering an account number and password. It should be noted that the preset threshold is the validity period of a token set at the verification apparatus; once it is exceeded the token is considered invalid, and the user terminal must re-authenticate and obtain a new token.
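As an added example (not the patent's own code), the following Go program implements the key derivation from the steps above together with the token creation, decryption and two-part check just described. It assumes d = 8 digits, AES-GCM as the unnamed AES mode, a literal '|' as the "||" connector, RFC 4226 dynamic truncation for HOTP, and a constructed SEED value.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"math"
	"strconv"
)

// hotp is HOTP(K, C) per RFC 4226: HMAC-SHA-1 over the 8-byte counter, dynamic
// truncation to 31 bits (& 0x7FFFFFFF), then mod 10^d, zero-padded to d digits.
func hotp(seed []byte, counter uint64, d int) string {
	var c [8]byte
	binary.BigEndian.PutUint64(c[:], counter)
	mac := hmac.New(sha1.New, seed)
	mac.Write(c[:])
	h := mac.Sum(nil) // 20 bytes, i.e. 40 hex digits
	off := h[len(h)-1] & 0x0f
	code := uint64(binary.BigEndian.Uint32(h[off:off+4]) & 0x7FFFFFFF)
	return fmt.Sprintf("%0*d", d, code%uint64(math.Pow10(d)))
}

// deriveKey computes V = (cTime - tTime) / tTime and PK(V) = HOTP(SEED, V) || HOTP(SEED, V+1).
// Assumption: d = 8, so the two codes form 16 ASCII bytes, used here as an AES-128 key.
func deriveKey(seed []byte, cTime, tTime int64) []byte {
	v := uint64((cTime - tTime) / tTime)
	return []byte(hotp(seed, v, 8) + hotp(seed, v+1, 8))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// makeToken builds enToken = BASE64( AES(PK(V), DeToken) || BASE64(cTime) ). Assumptions: AES-GCM
// (the page names no mode; GCM rejects a modified token outright) and a literal '|' as the connector.
func makeToken(key []byte, deToken string, cTime int64) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	inner := gcm.Seal(nonce, nonce, []byte(deToken), nil) // nonce || ciphertext || tag
	inner = append(append(inner, '|'), base64.StdEncoding.EncodeToString([]byte(strconv.FormatInt(cTime, 10)))...)
	return base64.StdEncoding.EncodeToString(inner), nil
}

// parseToken is the inverse: BASE64.decode, split at the last '|' (the base64 alphabet has none), AES.decode, BASE64.decode.
func parseToken(key []byte, token string) (string, int64, error) {
	inner, err := base64.StdEncoding.DecodeString(token)
	if err != nil {
		return "", 0, err
	}
	sep := bytes.LastIndexByte(inner, '|') // -1 when absent; caught by the length check below
	tBytes, err := base64.StdEncoding.DecodeString(string(inner[sep+1:]))
	cTime, perr := strconv.ParseInt(string(tBytes), 10, 64)
	if err != nil || perr != nil {
		return "", 0, errors.New("token: bad creation time")
	}
	gcm, err := newGCM(key)
	if err != nil || sep < gcm.NonceSize() {
		return "", 0, errors.New("token: bad key or ciphertext")
	}
	pt, err := gcm.Open(nil, inner[:gcm.NonceSize()], inner[gcm.NonceSize():sep], nil) // wrong key or tampering fails here
	if err != nil {
		return "", 0, err
	}
	return string(pt), cTime, nil
}

// verify applies the page's two checks: the user data in the request must equal the user
// data in the token, and recordedTime - cTime must be below threshold (seconds).
func verify(key []byte, token, requestUserData string, recvTime, threshold int64) (bool, string) {
	deToken, cTime, err := parseToken(key, token)
	if err != nil {
		return false, "decrypt failed: " + err.Error()
	}
	if deToken != requestUserData {
		return false, "user data mismatch"
	}
	if diff := recvTime - cTime; diff < 0 || diff >= threshold { // a future cTime is rejected too
		return false, "token expired or not yet valid"
	}
	return true, "ok"
}
```

Because the user data and the AES ciphertext may themselves contain '|', the parser splits at the last separator, which only the base64-encoded cTime can follow.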
In the single sign-on verification device provided in this embodiment, when a login request sent by a user terminal carries token information, the user data and the token information are obtained from the login request, the time at which the login request was received is recorded, and the token information is decrypted with a decryption algorithm corresponding to a first preset encryption algorithm and a pre-stored key to obtain the user data and credential creation time it contains. The user data contained in the login request is compared with the user data contained in the token information, and at the same time it is determined whether the time difference between the recorded time and the obtained credential creation time is smaller than a preset threshold value; if both conditions hold, the token information is determined to be legal and the verification is determined to be passed, otherwise the verification is determined to have failed. In this scheme the token information carried in the login request for verifying authority contains the encrypted user data and credential creation time, so both can be recovered by decrypting the token information and compared against the user data contained in the login request to check the legality of the token information.
Alternatively, in other embodiments, the single-sign-on verification program may be divided into one or more modules, and the one or more modules are stored in the memory 11 and executed by one or more processors (in this embodiment, the processor 12) to implement the present invention.
For example, referring to fig. 2, a schematic diagram of the program modules of the single sign-on verification program in an embodiment of the single sign-on verification apparatus of the present invention is shown. In this embodiment, the single sign-on verification program may be divided into a judgment module 10, an acquisition module 20, a decryption module 30 and a verification module 40, as follows:
the judging module 10 is configured to: when a login request sent by a user terminal is received, judging whether the login request contains token information;
the obtaining module 20 is configured to: if the login request contains token information, acquiring the token information and user data from the login request, and recording the time of receiving the login request;
the decryption module 30 is configured to: decrypting the token information by using a decryption algorithm corresponding to a first preset encryption algorithm and a pre-stored key to obtain user data and credential creation time contained in the token information;
the verification module 40 is configured to: comparing the user data contained in the login request with the user data contained in the token information, and judging whether the time difference between the recorded time and the credential creation time is less than a preset threshold value;
if the user data contained in the login request is consistent with the user data contained in the token information and the time difference is smaller than a preset threshold value, judging that the verification is passed; otherwise, the check is judged to fail.
The functions or operation steps implemented by the program modules such as the determining module 10, the obtaining module 20, the decrypting module 30 and the verifying module 40 are substantially the same as those of the above embodiments, and are not described herein again.
In addition, the invention also provides a single sign-on verification method. Fig. 3 is a flowchart illustrating a verification method for single sign-on according to a preferred embodiment of the present invention. The method may be performed by an apparatus, which may be implemented by software and/or hardware.
In this embodiment, the single sign-on verification method includes:
step S10, when receiving a login request sent by a user terminal, determining whether the login request includes the token information.
Step S20, if the login request includes token information, acquiring the token information and user data from the login request, and recording the time when the login request is received.
The single sign-on verification method proposed in this embodiment is described below with a single sign-on server as the executing entity. The login request received by the single sign-on server may be sent directly by the user terminal, or may be redirected to the single sign-on server by the service system after the user terminal sends it to the service system. The single sign-on server detects whether token information exists in the login request; if token information is included, this indicates that the user terminal is not logging in for the first time, the token information having been distributed by the single sign-on server when the user terminal logged in before.
The single sign-on server distributes token information to the user terminal in the following implementation mode: when the user terminal logs in the service system for the first time or when the token carried in the login request is detected to be invalid, the token is distributed for the user terminal.
Specifically, as an implementation manner, if the login request does not have token information, obtaining user data from the login request, where the user data at least includes user identity information and a service system identifier; taking the current time as the voucher creation time, and acquiring a prestored secret key; based on the secret key and a first preset encryption algorithm, encrypting the user data and the voucher creating time; and acquiring a character string obtained through encryption processing, taking the character string as token information, and sending the token information to the user terminal.
In some embodiments, the user data may include, but is not limited to, the following: user identity information, service system identification, user IP address, single sign-on server grouping, IP address of host where proxy is located, and the like. And acquiring the information from the login request, and combining the information, wherein the information is distinguished by using "|". After the user data are obtained, a secret key stored in the server in advance is obtained, and the secret key and a first preset encryption algorithm are used for carrying out encryption processing on the user data and the certificate creation time, wherein the certificate creation time is the current time, namely the time when the encryption processing is carried out. Alternatively, in some embodiments, the user data and the credential creation time may be encrypted separately and then the combined result may be encrypted again.
Specifically, the step of encrypting the user data and the credential creation time based on the key and a first preset encryption algorithm includes:
encrypting the user data based on the secret key and a first preset encryption algorithm to generate a first encryption result, and encrypting the voucher creation time based on a second preset encryption algorithm to generate a second encryption result; synthesizing the first encryption result and the second encryption result into a character string; and encrypting the character string based on the second preset encryption algorithm.
For example, if the key is PK(V) and the credential creation time is cTime, the result obtained after the encryption processing of the above steps is EnToken = BASE64(AES(PK(V), DeToken) || BASE64(cTime)), where DeToken is the user data.
The key used in the above process may be stored after the single sign-on server obtains the key from another channel, or the single sign-on server generates the key according to the following steps:
acquiring current time, and generating a variable factor according to the current time and preset reference time; and acquiring a random character string from an encryption machine, and encrypting the random character string and the variable factor by using a third preset encryption algorithm to generate and store the key.
Specifically, the current time cTime and a preset reference time tTime are obtained, the variable factor V = (cTime - tTime) / tTime is calculated, a random string SEED is obtained from the encryption machine, and the variable factor V and the random string SEED are encrypted, where the third preset encryption algorithm may be the HMAC_SHA_1 algorithm. The specific process of generating the key is as follows:
PK(V) = HOTP(SEED, V) || HOTP(SEED, V+1), where "||" is the concatenation operator;
HOTP(K, C) = (HMAC_SHA_1(K', C') & 0x7FFFFFFF) mod 10^d, where K' is the hash data of K and C' is the hash data of C; SEED and V are then substituted as the values of K and C into the above equation to calculate HOTP(SEED, V) and HOTP(SEED, V+1). Hashing with the HMAC_SHA_1 algorithm yields a 20-byte value (40 hexadecimal digits); mod is the remainder operation, and taking the result modulo 10^d gives a d-digit numeric password. HOTP is an HMAC-based one-time password algorithm. The HMAC (Hash-based Message Authentication Code) algorithm is built on a hash algorithm: it takes a key and a message as input and produces a message digest as output, and it can be bound to any iterative hash function, for example to the SHA_1 (Secure Hash Algorithm) algorithm to form the HMAC_SHA_1 algorithm.
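As an added example in Go, not the patent's own code, the key derivation PK(V) = HOTP(SEED, V) || HOTP(SEED, V+1) described above. It assumes the counter C is encoded as an 8-byte big-endian integer and that the 31-bit value is taken with RFC 4226 dynamic truncation, since the page only says K' and C' are "hash data" of K and C; the variable factor V is left to the caller. With d = 8 the result is 16 decimal digits, which has the length of an AES-128 key but carries far less than 128 bits of entropy (at most 10^16 possible keys).

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"math"
)

// HOTP computes (HMAC_SHA_1(K, C) & 0x7FFFFFFF) mod 10^d as on the page.
// Assumption: C is serialised as an 8-byte big-endian counter and the 4-byte
// window is chosen by RFC 4226 dynamic truncation (the page does not specify).
func HOTP(seed []byte, counter uint64, digits int) string {
	msg := make([]byte, 8)
	binary.BigEndian.PutUint64(msg, counter)
	mac := hmac.New(sha1.New, seed)
	mac.Write(msg)
	h := mac.Sum(nil) // 20 bytes, i.e. 40 hexadecimal digits

	// Dynamic truncation: low nibble of the last byte selects a 4-byte window,
	// whose top bit is masked off, giving the 31-bit value of the page's formula.
	offset := h[len(h)-1] & 0x0F
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7FFFFFFF

	mod := uint32(math.Pow10(digits))
	return fmt.Sprintf("%0*d", digits, code%mod) // zero-padded d-digit password
}

// DeriveKey implements PK(V) = HOTP(SEED, V) || HOTP(SEED, V+1).
func DeriveKey(seed []byte, v uint64, digits int) string {
	return HOTP(seed, v, digits) + HOTP(seed, v+1, digits)
}

func main() {
	// Constructed sample; the page obtains SEED from an encryption machine (HSM).
	seed := []byte("constructed-sample-seed")
	pk := DeriveKey(seed, 12345, 8)
	fmt.Printf("PK(V) = %s (%d decimal digits)\n", pk, len(pk))
}
```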
After the token information is generated according to the above manner, the single sign-on server sends the result obtained by the encryption processing as the token information to the user terminal for storage, and the user terminal carries the token information in the subsequently sent login request, for example, when sending the login request to other service systems having a trust relationship with the service system, the user terminal carries the token information, so that all mutually trusted application systems can be accessed only by logging on once.
If the login request contains token information, the token information and the user data contained in the login request are obtained, the time when the login request is received is recorded, and then the legality of the obtained token information is verified.
Step S30, decrypting the token information using a decryption algorithm corresponding to the first preset encryption algorithm and a pre-stored key, so as to obtain the user data and the credential creation time included in the token information.
Step S40, comparing the user data included in the login request with the user data included in the token information, and determining whether a time difference between the recorded time and the credential creation time is less than a preset threshold.
Step S50, if the user data included in the login request is consistent with the user data included in the token information, and the time difference is smaller than a preset threshold, it is determined that the verification is passed.
And step S60, otherwise, judging that the verification fails.
And decrypting the token information, wherein the decryption process is substantially an inverse operation of the encryption process, and the decryption is performed according to a first preset encryption algorithm and a prestored secret key.
Taking EnToken = BASE64[AES(PK(V), DeToken) || BASE64(cTime)] as an example, decryption proceeds as follows:
AES(PK(V), DeToken) and BASE64(cTime) are obtained by the operation BASE64.decode(BASE64[AES(PK(V), DeToken) || BASE64(cTime)]), and the user data DeToken and the credential creation time cTime contained in them are obtained by the following operations:
DeToken = AES.decode(DeToken'), where DeToken' = AES(PK(V), DeToken) and the decryption uses the key PK(V);
cTime = BASE64.decode(cTime'), where cTime' = BASE64(cTime).
The user data obtained from the token information is compared with the user data contained in the login request, and at the same time it is determined whether the time difference between the credential creation time contained in the token information and the current time (the recorded time at which the login request was received) is smaller than the preset threshold value. If the user data obtained from the token information is consistent with the user data contained in the login request and the time difference is smaller than the preset threshold value, the verification passes and the user is allowed to log in to the service system directly. If the user data contained in the login request is inconsistent with the user data contained in the token information and/or the time difference is larger than or equal to the preset threshold value, the verification is determined to have failed, and a login interface is returned to the user terminal so that the user can log in again after entering an account and password. It should be noted that the preset threshold is the validity period of the token information set at the single sign-on server: once it is exceeded, the token information is considered invalid and the user terminal needs to re-authenticate and obtain new token information.
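As an added example in Go, not the patent's own code, token issuance (EnToken = BASE64(AES(PK(V), DeToken) || BASE64(cTime)) from the earlier steps) together with the decryption and the two checks of steps S40 to S60. It assumes AES in GCM mode with a random nonce prepended, so the encrypted user data is also integrity-protected (the page only says "AES"); that cTime is an 8-byte big-endian Unix timestamp, so BASE64(cTime) is always 12 characters and the two concatenated parts can be split again; and a constructed 16-byte key standing in for PK(V).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"strings"
	"time"
)

// timeTail is the length of BASE64(cTime): 8 bytes encode to exactly 12 base64
// characters. Assumption: the page does not say how cTime is serialised.
const timeTail = 12

// UserData joins the fields with "|" as the page describes (identity|system|ip...).
func UserData(fields ...string) string { return strings.Join(fields, "|") }

// IssueToken implements EnToken = BASE64(AES(PK(V), DeToken) || BASE64(cTime)).
// Assumption: AES-GCM with the nonce prepended to the ciphertext.
func IssueToken(key []byte, deToken string, cTime time.Time) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	first := gcm.Seal(nonce, nonce, []byte(deToken), nil) // first encryption result
	ts := make([]byte, 8)
	binary.BigEndian.PutUint64(ts, uint64(cTime.Unix()))
	second := base64.StdEncoding.EncodeToString(ts) // second result, BASE64(cTime)
	combined := append(first, []byte(second)...)
	return base64.StdEncoding.EncodeToString(combined), nil
}

// VerifyToken is the inverse of IssueToken followed by the checks of S40/S50:
// user data in the request must equal the decrypted user data, and the recorded
// receive time minus cTime must be below the threshold.
func VerifyToken(key []byte, token, reqUserData string, recvTime time.Time, threshold time.Duration) error {
	combined, err := base64.StdEncoding.DecodeString(token)
	if err != nil || len(combined) <= timeTail {
		return errors.New("malformed token")
	}
	first, second := combined[:len(combined)-timeTail], combined[len(combined)-timeTail:]
	ts, err := base64.StdEncoding.DecodeString(string(second))
	if err != nil || len(ts) != 8 {
		return errors.New("malformed credential creation time")
	}
	cTime := time.Unix(int64(binary.BigEndian.Uint64(ts)), 0)
	block, err := aes.NewCipher(key)
	if err != nil {
		return err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return err
	}
	if len(first) < gcm.NonceSize() {
		return errors.New("malformed token")
	}
	deToken, err := gcm.Open(nil, first[:gcm.NonceSize()], first[gcm.NonceSize():], nil)
	if err != nil {
		return errors.New("token decryption failed") // wrong key or modified ciphertext
	}
	if subtle.ConstantTimeCompare(deToken, []byte(reqUserData)) != 1 {
		return errors.New("user data in request does not match token")
	}
	delta := recvTime.Sub(cTime)
	// The page requires delta < threshold; a negative delta (creation time in the
	// future) is additionally rejected here as a defensive choice.
	if delta < 0 || delta >= threshold {
		return errors.New("token expired")
	}
	return nil
}

func main() {
	key := []byte("0123456789abcdef") // constructed 16-byte key standing in for PK(V)
	ud := UserData("user001", "crm", "10.0.0.5")
	tok, _ := IssueToken(key, ud, time.Now())
	fmt.Println("EnToken:", tok)
	fmt.Println("verify:", VerifyToken(key, tok, ud, time.Now(), 30*time.Minute))
}
```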
In the single sign-on verification method provided by this embodiment, when a login request sent by a user terminal carries token information, the user data and the token information are obtained from the login request and the time of receiving the login request is recorded. The token information is decrypted with the decryption algorithm corresponding to a first preset encryption algorithm and a pre-stored key, yielding the user data and the credential creation time contained in the token information. The user data contained in the login request is compared with the user data contained in the token information, and at the same time it is determined whether the time difference between the recorded time and the obtained credential creation time is smaller than a preset threshold value; if both hold, the token information is judged legal and the verification passes, otherwise the verification fails. Under this scheme, the token information carried in the login request for verifying authority contains the encrypted user data and credential creation time, both of which are recovered by decrypting the token information and are then compared against the user data contained in the login request to check the legality of the token information.
Furthermore, an embodiment of the present invention further provides a computer-readable storage medium, where a single sign-on verification program is stored on the computer-readable storage medium, where the single sign-on verification program is executable by one or more processors to implement the following operations:
when a login request sent by a user terminal is received, judging whether the login request contains token information;
if the login request contains token information, acquiring the token information and user data from the login request, and recording the time of receiving the login request;
decrypting the token information by using a decryption algorithm corresponding to a first preset encryption algorithm and a pre-stored key to obtain user data and credential creation time contained in the token information;
comparing the user data contained in the login request with the user data contained in the token information, and judging whether the time difference between the recorded time and the credential creation time is less than a preset threshold value;
if the user data contained in the login request is consistent with the user data contained in the token information and the time difference is smaller than a preset threshold value, judging that the verification is passed;
otherwise, the check is judged to fail.
Further, when executed by the processor, the single sign-on verification program also implements the following operations:
if the login request does not contain token information, user data are obtained from the login request, wherein the user data at least comprise user identity information and a service system identifier;
taking the current time as the voucher creation time, and acquiring a prestored secret key;
based on the secret key and a first preset encryption algorithm, encrypting the user data and the voucher creating time;
and acquiring a character string obtained through encryption processing, taking the character string as token information, and sending the token information to the user terminal.
Further, the step of encrypting the user data and the credential creation time based on the key and a first preset encryption algorithm includes:
encrypting the user data based on the secret key and a first preset encryption algorithm to generate a first encryption result, and encrypting the voucher creation time based on a second preset encryption algorithm to generate a second encryption result;
synthesizing the first encryption result and the second encryption result into a character string;
and encrypting the character string based on the second preset encryption algorithm.
The specific implementation of the computer-readable storage medium of the present invention is substantially the same as the embodiments of the single sign-on verification apparatus and method, and will not be described in detail herein.
It should be noted that the above-mentioned numbers of the embodiments of the present invention are merely for description, and do not represent the merits of the embodiments. And the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, apparatus, article, or method that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, apparatus, article, or method. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, apparatus, article, or method that includes the element.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) as described above and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, or a network device) to execute the method according to the embodiments of the present invention.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (5)

1. A single sign-on verification apparatus, comprising a memory and a processor, the memory having stored thereon a single sign-on verification program executable on the processor, the single sign-on verification program when executed by the processor implementing the steps of:
when a login request sent by a user terminal is received, judging whether the login request contains token information; the login request comprises user data, and the user data at least comprises user identity information and a service system identifier;
if the login request contains token information, acquiring the token information and user data from the login request, and recording the time of receiving the login request;
decrypting the token information by using a decryption algorithm corresponding to a first preset encryption algorithm and a pre-stored key to obtain user data and credential creation time contained in the token information;
comparing the user data contained in the login request with the user data contained in the token information, and judging whether the time difference between the recorded time and the credential creation time is less than a preset threshold value;
if the user data contained in the login request is consistent with the user data contained in the token information and the time difference is smaller than a preset threshold value, judging that the verification is passed;
otherwise, judging that the verification fails;
if the login request does not contain token information, acquiring user data from the login request;
taking the current time as the voucher creation time, and acquiring a prestored secret key;
based on the secret key and a first preset encryption algorithm, encrypting the user data and the voucher creating time;
acquiring a character string obtained through encryption processing, taking the character string as token information, and sending the token information to the user terminal;
the step of encrypting the user data and the credential creation time based on the key and a first preset encryption algorithm comprises:
encrypting the user data based on the secret key and a first preset encryption algorithm to generate a first encryption result, and encrypting the voucher creation time based on a second preset encryption algorithm to generate a second encryption result;
synthesizing the first encryption result and the second encryption result into a character string;
encrypting the character string based on the second preset encryption algorithm;
the first preset encryption algorithm is an Advanced Encryption Standard (AES) algorithm, and the second preset encryption algorithm is a BASE64 algorithm.
2. The single sign-on verification apparatus as claimed in claim 1, wherein the single sign-on verification program is further executable by the processor to, before the step of determining whether the token information is included in the login request when the login request sent by the user terminal is received, further implement the following steps:
acquiring current time, and generating a variable factor according to the current time and preset reference time;
and acquiring a random character string from an encryption machine, and encrypting the random character string and the variable factor by using a third preset encryption algorithm to generate and store the key.
3. A single sign-on verification method, comprising:
when a login request sent by a user terminal is received, judging whether the login request contains token information; the login request comprises user data, and the user data at least comprises user identity information and a service system identifier;
if the login request contains token information, acquiring the token information and user data from the login request, and recording the time of receiving the login request;
decrypting the token information by using a decryption algorithm corresponding to a first preset encryption algorithm and a pre-stored key to obtain user data and credential creation time contained in the token information;
comparing the user data contained in the login request with the user data contained in the token information, and judging whether the time difference between the recorded time and the credential creation time is less than a preset threshold value;
if the user data contained in the login request is consistent with the user data contained in the token information and the time difference is smaller than a preset threshold value, judging that the verification is passed;
otherwise, judging that the verification fails;
if the login request does not contain token information, acquiring user data from the login request;
taking the current time as the voucher creation time, and acquiring a prestored secret key;
based on the secret key and a first preset encryption algorithm, encrypting the user data and the voucher creating time;
acquiring a character string obtained through encryption processing, taking the character string as token information, and sending the token information to the user terminal;
the step of encrypting the user data and the credential creation time based on the key and a first preset encryption algorithm comprises:
encrypting the user data based on the secret key and a first preset encryption algorithm to generate a first encryption result, and encrypting the voucher creation time based on a second preset encryption algorithm to generate a second encryption result;
synthesizing the first encryption result and the second encryption result into a character string;
encrypting the character string based on the second preset encryption algorithm;
the first preset encryption algorithm is an Advanced Encryption Standard (AES) algorithm, and the second preset encryption algorithm is a BASE64 algorithm.
4. The method for verifying single sign-on according to claim 3, wherein before the step of determining whether the token information is included in the login request when the login request sent by the user terminal is received, the method further comprises the following steps:
acquiring current time, and generating a variable factor according to the current time and preset reference time;
and acquiring a random character string from an encryption machine, and encrypting the random character string and the variable factor by using a third preset encryption algorithm to generate and store the key.
5. A computer-readable storage medium having stored thereon a single-sign-on verification program executable by one or more processors to perform the steps of the single-sign-on verification method of any one of claims 3 to 4.

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201711131291.8A CN108023874B (en) 2017-11-15 2017-11-15 Single sign-on verification device and method and computer readable storage medium
PCT/CN2018/076107 WO2019095567A1 (en) 2017-11-15 2018-02-10 Single sign-on verification device, method, and computer readable storage medium
Publications (2)

Publication Number Publication Date
CN108023874A CN108023874A (en) 2018-05-11
CN108023874B true CN108023874B (en) 2020-11-03