CN108199852A - Authentication method, authentication system and computer-readable storage medium - Google Patents
Authentication method, authentication system and computer-readable storage medium
- Publication number: CN108199852A (application number CN201810282990.0A)
- Authority: CN (China)
- Prior art keywords: terminal, server, target terminal, calling, authorized signature
- Prior art date:
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
- H04L9/3249—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using RSA or related signature schemes, e.g. Rabin scheme
- H04L9/3252—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using DSA or related signature schemes, e.g. elliptic based signatures, ElGamal or Schnorr schemes
- H04L9/3297—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving time stamps, e.g. generation of time stamps
Landscapes
- Engineering & Computer Science; Computer Security & Cryptography; Computer Networks & Wireless Communication; Signal Processing; Computer Hardware Design; Computing Systems; General Engineering & Computer Science; Telephonic Communication Services; Storage Device Security
Abstract
This application discloses an authentication method, an authentication system and a computer-readable storage medium. In the authentication method, a calling terminal sends request information and a first request signature to a server; the server obtains the address of the calling terminal from the request information and the first request signature and, when it finds a permission record stored on the server that allows the calling terminal to call the target terminal, generates authorization information and a first authorization signature and sends them to the calling terminal; the calling terminal sends a call request to the target terminal; the target terminal generates a second authorization signature from the authorization information; if the first authorization signature is identical to the second authorization signature, the target terminal processes the request body. The application uses signatures generated from key pairs to achieve authentication and authorization between microservices, thereby improving the security of the overall architecture.
Description
Technical field
This application relates to the field of information security technology, and in particular to an authentication method, an authentication system and a computer-readable storage medium.
Background technology
Under a microservice architecture, an application can be split into several microservices, each of which is deployed independently in the system and loosely coupled to the others. Each microservice needs authentication to establish the identity and access rights of the party currently accessing it. At the same time, a microservice architecture must cover several authentication scenarios: external applications accessing the system, users authenticating to microservices, and microservices authenticating to one another.
At present, authentication schemes between users (including browsers and apps) and microservices are highly developed, and in distributed multi-system environments security protocols such as OAuth 2.0 have become the industry standard. However, in the microservice architectures used by large-scale distributed systems, the change in software structure means that once a rogue program has been introduced into the microservice architecture, it may use the calling interfaces inside the architecture to carry out illegal or unauthorized operations, posing a threat to the internal security of the architecture.
Invention content
In view of this, the application provides an authentication method, an authentication system and a computer-readable storage medium that implement authentication and authorization between microservices, thereby improving the security of the microservice architecture and preventing intrusion by rogue programs.
In a first aspect, the application provides an authentication method, including:
the calling terminal sends request information and a first request signature to the server, the first request signature being generated with the calling terminal's private key;
the server receives the request information and the first request signature;
the server obtains the address of the calling terminal from the request information and the first request signature;
when the server finds a permission record stored on the server that allows the calling terminal to call the target terminal, the server generates authorization information and a first authorization signature, the first authorization signature being generated with the target terminal's public key;
the server sends the authorization information and the first authorization signature to the calling terminal;
the calling terminal receives the authorization information and the first authorization signature sent by the server;
the calling terminal sends a call request to the target terminal, the call request including an authorization request header, the authorization information, the first authorization signature and a request body;
the target terminal receives the call request and generates a second authorization signature from the authorization information;
if the first authorization signature is identical to the second authorization signature, the target terminal processes the request body.
Preferably, the server obtaining the address of the calling terminal from the request information and the first request signature includes:
the server obtains the calling terminal's public key from the request information and generates a second request signature with the calling terminal's public key;
if the first request signature is identical to the second request signature, the address of the calling terminal is obtained via the Hypertext Transfer Protocol.
Preferably, generating the second authorization signature from the authorization information includes:
the target terminal obtains the target terminal's private key according to the authorization information and generates the second authorization signature with the target terminal's private key.
Preferably, the request information includes the identifier of the calling terminal, the identifier of the target terminal and a timestamp, where the timestamp is the time at which the calling terminal generated the request information.
Preferably, the server obtaining the calling terminal's public key from the request information includes:
when the difference between the timestamp and the server's current time is within a time threshold, obtaining, according to the identifier of the calling terminal, the calling terminal public key that corresponds to the calling terminal's private key.
Preferably, the authorization information includes the identifier of the calling terminal, the address of the calling terminal, the identifier of the target terminal and an expiry time.
Preferably, the target terminal obtaining its private key according to the authorization information includes:
when the address of the calling terminal in the authorization information is identical to the remote address of the call, the identifier of the target terminal in the authorization information is identical to the identifier of the current target terminal, and the current time of the target terminal is earlier than the expiry time, obtaining the target terminal's private key according to the identifier of the target terminal.
Preferably, the method further includes:
after the target terminal has finished processing the request body, it sends the call request back to the calling terminal;
the calling terminal receives and caches the call request sent by the target terminal.
In a second aspect, the application provides an authentication system, including:
a calling terminal, configured to send request information and a first request signature to the server, receive the authorization information and first authorization signature sent by the server, and send a call request to the target terminal, where the first request signature is generated with the calling terminal's private key and the call request includes an authorization request header, the authorization information, the first authorization signature and a request body;
a server, configured to receive the request information and the first request signature, obtain the address of the calling terminal from them, and, when it finds a permission record stored on the server that allows the calling terminal to call the target terminal, generate authorization information and a first authorization signature and send them to the calling terminal, where the first authorization signature is generated with the target terminal's public key;
a target terminal, configured to receive the call request and generate a second authorization signature from it and, if the first authorization signature is identical to the second authorization signature, process the request body.
In a third aspect, the application provides a computer-readable storage medium storing computer program instructions which, when executed by a processor, implement the method described above.
This application discloses an authentication method, an authentication system and a computer-readable storage medium. In the authentication method, the calling terminal sends request information and a first request signature to the server; the server obtains the address of the calling terminal from the request information and the first request signature and, when it finds a permission record stored on the server that allows the calling terminal to call the target terminal, generates authorization information and a first authorization signature and sends them to the calling terminal; the calling terminal sends a call request to the target terminal; the target terminal generates a second authorization signature from the authorization information; if the first authorization signature is identical to the second authorization signature, the target terminal processes the request body. The application uses signatures generated from key pairs to achieve authentication and authorization between microservices, thereby improving the security of the overall architecture.
Description of the drawings
The above and other objects, features and advantages of the application will become clearer from the following description of its embodiments with reference to the drawings, in which:
Fig. 1 is a flow diagram of the authentication method of an embodiment of the application;
Fig. 2 is a flow diagram of the server obtaining the address of the calling terminal in an embodiment of the application;
Fig. 3 is a schematic diagram of the electronic device of an embodiment of the application.
Specific embodiment
The application is described below on the basis of embodiments, but it is not restricted to these embodiments. Some specific details are described in depth in the detailed description below; a person skilled in the art can fully understand the application without these details. To avoid obscuring the essence of the application, well-known methods, processes, flows, elements and circuits are not described in detail.
In addition, a person skilled in the art should understand that the drawings provided here serve the purpose of explanation and are not necessarily drawn to scale.
Unless the context clearly requires otherwise, words such as "comprising" and "including" throughout the specification and claims are to be construed in an inclusive sense rather than an exclusive or exhaustive one; that is, in the sense of "including but not limited to".
In the description of this application, the terms "first", "second" and so on are used only for descriptive purposes and are not to be understood as indicating or implying relative importance. In addition, unless otherwise stated, "multiple" means two or more.
The application is described in detail below in conjunction with the accompanying drawings.
In the embodiments of this application, the microservice architecture includes multiple microservices and a server. The microservices can be the services for specific functions within a large, complex software application. Each microservice concentrates on completing one task and completing it well; in every case, a microservice represents one small, specialized capability. Each microservice can be developed independently by a different team without affecting the others, which speeds up release to market. For example, a flight booking application can be split into seven microservices: flight booking, timetable enquiry, fare calculation, seat allocation, reward management, customer update and inventory adjustment. In the microservice architectures used by large-scale distributed systems, the change in software structure means that once a rogue program is introduced into the architecture, it may use the internal calling interfaces to carry out illegal or over-privileged operations.
In this embodiment, the authentication system includes a calling terminal, a server and a target terminal. The server includes a public key storage unit, a call permission unit and an authorization unit. The public key storage unit stores the public keys of multiple terminals, each corresponding to the private key of one of those terminals. The call permission unit stores the call relationships between terminals. The authorization unit stores request information and performs the authorization processing of it.
In this embodiment, to improve the internal security of the microservice architecture, each independent microservice has a key pair based on an asymmetric encryption algorithm, where the private key is stored in the microservice and the public key is stored on the server. The key pair can be used as an encryption/decryption key pair or as a signing/verification key pair.
Fig. 1 is a flow diagram of the authentication method of an embodiment of the application. As shown in Fig. 1, the authentication method includes:
Step S110: the calling terminal sends request information and a first request signature to the server, the first request signature being generated with the calling terminal's private key.
Specifically, the calling terminal generates the request information according to the call it needs to make, encrypts the request information with the calling terminal private key stored inside it to generate the first request signature, and then sends the request information and the first request signature to the server.
The calling terminal's private key is distributed to the calling terminal by the server. In this embodiment, the server and the calling terminal have a pre-agreed encryption algorithm, and the calling terminal encrypts the request information with its private key according to that algorithm to generate the first request signature. Optionally, the encryption algorithm can be the RSA algorithm, the Digital Signature Algorithm (DSA) proposed by the National Bureau of Standards, or similar. RSA is named after its three inventors, Rivest, Shamir and Adleman.
The request information includes the identifier of the calling terminal, the identifier of the target terminal and a timestamp. The identifier of the calling terminal marks the calling terminal; the identifier of the target terminal marks the terminal being called, and the server authorizes according to the identifier of the target terminal. A timestamp is data that can show that a given piece of data already existed, complete and verifiable, at a specific point in time; it is typically a character string and mainly provides the user with electronic evidence of when certain data was produced. In this embodiment, the timestamp represents the time at which the request information was generated.
Step S120: the server receives the request information and the first request signature.
The server receives the request information and the first request signature and stores and processes them.
Step S130: the server obtains the address of the calling terminal from the request information and the first request signature.
Specifically, as shown in Fig. 2, the server obtaining the address of the calling terminal from the received request information and first request signature includes:
Step S131: the server obtains the calling terminal's public key from the request information and generates a second request signature with the calling terminal's public key.
After receiving the request information, the server checks whether the difference between the timestamp in the request information and the server's current time is within the time threshold. This prevents a rogue program from inserting itself into the request information while the server is receiving it, which would create a security risk for the microservice architecture; it also filters out duplicate data received because of device or network delays, which would otherwise cause repeated authorization operations and increase the load on the server. The time threshold can be set according to the server's response time requirements or configured manually.
When the difference between the timestamp and the server's current time is within the time threshold, the server looks up, according to the identifier of the calling terminal in the request information, the calling terminal public key stored on the server that corresponds to the calling terminal's private key. The calling terminal public key stored on the server corresponds to the calling terminal and matches the calling terminal private key stored on the calling terminal. Optionally, the server can store the calling terminal public key together with the identifier of the calling terminal; after receiving the request information, the server then looks up the calling terminal public key corresponding to the calling terminal identifier.
Optionally, when the difference between the timestamp and the server's current time exceeds the time threshold, the server determines that the request information is illegitimate and stops authorization and other operations on it. The server can send the calling terminal a message that the request information was rejected, for example because the time has expired. The calling terminal can then send new request information to the server for authorization according to the feedback.
Further, the server encrypts the request information with the stored calling terminal public key to generate a second request signature. The second request signature is compared with the received first request signature to determine whether the calling terminal is legitimate.
Step S132: if the first request signature is identical to the second request signature, the address of the calling terminal is obtained via the Hypertext Transfer Protocol.
Specifically, the server matches the received first request signature against the generated second request signature; if they match, the server obtains the address of the calling terminal via the Hypertext Transfer Protocol (HTTP). HTTP is the most widely used network protocol on the Internet, and all World Wide Web documents must comply with this standard.
Optionally, if the first request signature does not match the second request signature, the calling terminal is illegitimate and the server stops subsequent authorization and other processing of the request information. The server can send the calling terminal an invalid-signature message indicating that the first request signature is invalid. The calling terminal can then send request information and a first request signature to the server again for authorization according to the feedback.
Step S140: when the server finds a permission record stored on the server that allows the calling terminal to call the target terminal, it generates authorization information and a first authorization signature, the first authorization signature being generated with the target terminal's public key.
After obtaining the address of the calling terminal, the server checks whether its call permission unit stores a permission record for the calling terminal calling the target terminal. When the call permission unit holds such a record, the server generates authorization information according to the request information. The authorization information includes the identifier of the calling terminal, the address of the calling terminal, the identifier of the target terminal and an expiry time.
Take a transaction scenario as an example: after an order is completed, the order microservice needs to call the account microservice to debit the account. First, the authorization center of the server must confirm that the order microservice has permission to call the account microservice interface, and at the same time there must be a mechanism that ensures that the order microservice, as the calling terminal, is genuine.
The expiry time is the basis on which the target terminal judges the call request containing the authorization information when it receives it; it avoids processing duplicate data caused by malicious interception or delay while the calling terminal is sending information to the target terminal. The expiry time can be a preset time difference: on receiving the call request, the target terminal compares the difference between its current time and the time at which the server generated the authorization information with the preset time difference to judge whether the call request is legitimate. Optionally, the expiry time can also be the server's time when generating the authorization information plus a time threshold; when the target terminal receives the authorization information, it compares its current time at reception with the expiry time and judges whether the current time exceeds the expiry time.
Further, the server looks up the target terminal public key according to the identifier of the target terminal in the request information, and encrypts the authorization information with the target terminal public key to generate the first authorization signature. The target terminal public key stored on the server corresponds to the target terminal and matches the target terminal private key stored on the target terminal. Optionally, the server can store the target terminal public key together with the identifier of the target terminal. In this embodiment, the server and the target terminal likewise have a pre-agreed encryption algorithm, the same as the one between the server and the calling terminal.
Optionally, if the server's call permission unit has no permission record for the calling terminal calling the target terminal, the server can send the calling terminal an unauthorized-access message, and the calling terminal stops the call request.
Step S150: the server sends the authorization information and the first authorization signature to the calling terminal.
Specifically, the server sends the authorization information and first authorization signature generated from the request information to the calling terminal so that the calling terminal can carry out the subsequent call.
Step S160: the calling terminal receives the authorization information and the first authorization signature sent by the server.
Step S170: the calling terminal sends a call request to the target terminal, the call request including an authorization request header, the authorization information, the first authorization signature and a request body.
After receiving the authorization information and the first authorization signature, the calling terminal adds an authorization request header to the call request and sends it to the target terminal, so that the target terminal receives and processes the call request. Specifically, the call request includes the authorization request header, the authorization information, the first authorization signature and the request body.
Step S180: the target terminal receives the call request and generates a second authorization signature from the authorization information.
Specifically, the target terminal receives the call request and parses it to obtain the authorization request header, the authorization information and the first authorization signature, and obtains from the authorization information the identifier of the calling terminal, the address of the calling terminal, the identifier of the target terminal and the expiry time.
The target terminal checks whether the identifier of the target terminal in the authorization information is consistent with the identifier of the current target terminal that received the authorization information, to determine whether the received call request is correct.
The target terminal checks, according to the expiry time, whether its current time is within the expiry time. This filters out duplicate call request data received because of device or network delays while the target terminal is receiving call requests, avoiding repeated processing of the same call request and the resulting increase in load and storage on the target terminal.
The target terminal checks whether the address of the calling terminal in the authorization information is identical to the remote address of the call, to determine whether the received call request is correct.
When the mark of the target terminal received is consistent with the mark of current target terminal, the calling in the authorization message
The address of terminal judges the current time of identical with the far-end address called and described target terminal in expired time, according to mesh
Authorization message is encrypted the second authorized signature of generation in the target terminal private key for marking terminal memory storage.The target terminal storage
Target terminal private key it is corresponding with the target terminal and corresponding with the target terminal public key of the server storage.Institute
The second authorized signature is stated for being compared with the first authorized signature received, to determine to call terminal whether legal.
This is illustrated by taking the case in which the order microservice calls an interface of the account microservice. The order microservice first requests authentication from the authorization center of the server; the authorization center includes the address of the order microservice in the returned authorization token, that is, the authorization message, and this address is referred to here as the address of the calling terminal. Then, when the order microservice requests the account microservice interface, it sends its address at the time of the request together with the authorization message to the account microservice; the address of the order microservice at the time of the request is the remote address of the call. Judging whether the address of the calling terminal in the authorization message is identical to the remote address of the call therefore means judging whether the address of the order microservice at the time of the request matches the address of the order microservice in the authorization message, so as to prevent the authorization message from being stolen.
Optionally, when the received identifier of the target terminal is inconsistent with the identifier of the current target terminal, invalid information may be sent to the calling terminal, specifically indicating that the target terminal which received the call request is incorrect or that the identifier of the target terminal in the authorization message is incorrect; the calling terminal may then regenerate and resend the call request, or terminate the call.
Optionally, when the current time of the target terminal exceeds the expiry time, the target terminal determines that the call request has failed and stops handling the call request. The target terminal may send expired request information to the calling terminal, and the calling terminal may send a call request to the target terminal again according to the feedback information.
Optionally, when the address of the calling terminal in the authorization message differs from the remote address of the call, the target terminal may return to the calling terminal information indicating that the address of the calling terminal is an invalid address.
In the present embodiment, the order in which the target terminal judges whether the identifier of the target terminal is consistent with the identifier of the current target terminal that received the authorization message, whether the address of the calling terminal is identical to the remote address of the call, and whether the current time of the target terminal is within the expiry time can be set arbitrarily; as long as the above three judgement conditions are satisfied simultaneously, the target terminal encrypts the authorization message according to the target terminal private key to generate the second authorized signature.
Step S190: if the first authorized signature is identical to the second authorized signature, the target terminal performs processing of the request text.
Specifically, the target terminal matches the received first authorized signature against the generated second authorized signature; if the first authorized signature matches the second authorized signature, the target terminal performs processing of the request text.
Optionally, if the first authorized signature does not match the second authorized signature, the calling terminal is illegitimate, and the target terminal may send invalid signature information to the calling terminal, marking the first authorized signature as invalid. The calling terminal may, according to the feedback information, send the request information and the first request signature to the server again for authorization processing.
Optionally, the method further includes:
Step S200: after the target terminal has performed processing of the request text, it sends the call request to the calling terminal.
Step S210: the calling terminal receives and caches the call request sent by the target terminal.
The calling terminal caches the received call request, so that when it calls the target terminal again it can send the call request to the target terminal directly, omitting the server authorization process and improving call efficiency on the premise that no security vulnerability is introduced.
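The target terminal's three checks of steps S180 and S190 (target identifier, expiry time, calling address against remote address), the signature comparison, and the cached re-use of steps S200 and S210, as an added example in Python; this is not code from the patent. The page describes the first and second authorized signatures as derived from the target terminal's key pair and compared for equality; here that comparison is modelled with an HMAC under a per-target key known to both the server and the target terminal, which is an assumption, as are the service names, addresses, TTL and feedback codes.

```python
import hmac
import hashlib
import json
from dataclasses import dataclass, asdict

# Per-target key shared by the authorization server and the target terminal.
# Constructed sample; stands in for the page's target terminal key pair.
TARGET_KEY = b"constructed-account-service-key"


@dataclass(frozen=True)
class AuthorizationMessage:
    caller_id: str      # identifier of the calling terminal
    caller_addr: str    # address of the calling terminal as recorded by the server
    target_id: str      # identifier of the target terminal
    expires_at: int     # expiry time (Unix seconds)

    def canonical(self) -> bytes:
        # Stable byte encoding so server and target sign exactly the same octets.
        return json.dumps(asdict(self), sort_keys=True, separators=(",", ":")).encode()


@dataclass(frozen=True)
class CallRequest:
    auth_header: str
    auth_msg: AuthorizationMessage
    first_sig: str
    body: str


def authorized_signature(key: bytes, msg: AuthorizationMessage) -> str:
    """HMAC-SHA256 over the canonical authorization message, hex encoded."""
    return hmac.new(key, msg.canonical(), hashlib.sha256).hexdigest()


def server_issue(caller_id, caller_addr, target_id, now, ttl):
    """Server side: build the authorization message (claim 6 fields) and the
    first authorized signature under the target's key."""
    msg = AuthorizationMessage(caller_id, caller_addr, target_id, now + ttl)
    return msg, authorized_signature(TARGET_KEY, msg)


def caller_build_request(msg, first_sig, body):
    """Step S170: the calling terminal wraps header, authorization, signature and body."""
    return CallRequest("Authorization", msg, first_sig, body)


def target_handle(req: CallRequest, self_id: str, remote_addr: str, now: int) -> str:
    """Steps S180/S190 on the target terminal. Returns 'OK' or a feedback code
    matching the optional replies described on the page (assumed names)."""
    m = req.auth_msg
    # Check 1: the authorization names this target terminal.
    if m.target_id != self_id:
        return "INVALID_TARGET"
    # Check 2: current time is still within the expiry time (claim 7: less than).
    if now >= m.expires_at:
        return "EXPIRED"
    # Check 3: the address bound into the authorization equals the remote
    # address actually making the call, so a copied authorization cannot be
    # replayed from another host.
    if m.caller_addr != remote_addr:
        return "INVALID_ADDRESS"
    # Generate the second authorized signature and compare in constant time.
    second_sig = authorized_signature(TARGET_KEY, m)
    if not hmac.compare_digest(req.first_sig, second_sig):
        return "INVALID_SIGNATURE"
    return "OK"


def demo():
    """Order microservice calls the account microservice, then reuses the
    cached call request (steps S200/S210) until the authorization expires."""
    now = 1_700_000_000
    msg, sig = server_issue("order-svc", "10.0.0.5", "account-svc", now, ttl=300)
    req = caller_build_request(msg, sig, '{"op":"get_balance","account":42}')
    results = {}
    results["first_call"] = target_handle(req, "account-svc", "10.0.0.5", now + 1)
    # Cached request reused without returning to the server: still accepted.
    results["cached_call"] = target_handle(req, "account-svc", "10.0.0.5", now + 200)
    # Same cached request presented from a different address: rejected.
    results["stolen"] = target_handle(req, "account-svc", "10.0.0.9", now + 200)
    # Cached request after the expiry time: rejected, caller must re-authorize.
    results["after_expiry"] = target_handle(req, "account-svc", "10.0.0.5", now + 301)
    # Authorization altered in transit (caller id changed): signature mismatch.
    tampered = CallRequest(req.auth_header,
                           AuthorizationMessage("other-svc", "10.0.0.5", "account-svc",
                                                msg.expires_at),
                           req.first_sig, req.body)
    results["tampered"] = target_handle(tampered, "account-svc", "10.0.0.5", now + 1)
    # Delivered to a target terminal other than the one named in the authorization.
    results["wrong_target"] = target_handle(req, "ledger-svc", "10.0.0.5", now + 1)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:>13}: {outcome}")
```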
This application discloses an authentication method, including: a calling terminal sends request information and a first request signature to a server; the server obtains the address of the calling terminal according to the request information and the first request signature, and, when it checks that the server memory contains an authority record for the calling terminal to call the target terminal, generates an authorization message and a first authorized signature and sends them to the calling terminal; the calling terminal sends a call request to the target terminal, and the target terminal generates a second authorized signature according to the authorization message; if the first authorized signature is identical to the second authorized signature, the target terminal performs processing of the request text. The application generates signatures by means of key pairs to realize authentication and authorization between microservices, so as to improve the security of the overall architecture and prevent intrusion by rogue programs.
Fig. 3 is a schematic diagram of the electronic device of the embodiment of the present invention. The electronic device shown in Fig. 3 is a general data processing apparatus comprising a general computer hardware structure, which includes at least a processor 31 and a memory 32. The processor 31 and the memory 32 are connected by a bus 33. The memory 32 is adapted to store instructions or programs executable by the processor 31. The processor 31 may be an independent microprocessor or a set of one or more microprocessors. Thus, by executing the instructions stored in the memory 32, the processor 31 performs the method flow of the embodiment of the present invention described above, thereby processing data and controlling other devices. The bus 33 connects the above components together and connects them to a display controller 34 and display device and to an input/output (I/O) device 35. The input/output (I/O) device 35 may be a mouse, keyboard, modem, network interface, touch input device, motion-sensing input device, printer or other device well known in the art. Typically, the input/output device 35 is connected to the system through an input/output (I/O) controller 36. Preferably, the electronic device of this embodiment is a server.
Meanwhile as skilled in the art will be aware of, the various aspects of the embodiment of the present application may be implemented as be
System, method or computer program product.Therefore, the various aspects of the embodiment of the present application can take following form:Complete hardware
Embodiment, complete software embodiment (including firmware, resident software, microcode etc.) usually can all claim herein
The embodiment for being combined software aspects with hardware aspect for " circuit ", " module " or " system ".In addition, the side of the application
Face can take following form:The computer program product realized in one or more computer-readable medium, computer can
Reading medium has the computer readable program code realized on it.
Any combination of one or more computer-readable media may be utilized. The computer-readable medium may be a computer-readable signal medium or a computer-readable storage medium. A computer-readable storage medium may be, for example (but not limited to), an electronic, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of the computer-readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of the embodiments of this application, a computer-readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus or device.
A computer-readable signal medium may include a propagated data signal with computer-readable program code embodied therein, for example in baseband or as part of a carrier wave. Such a propagated signal may take any of a variety of forms, including but not limited to electromagnetic, optical or any suitable combination thereof. A computer-readable signal medium may be any computer-readable medium that is not a computer-readable storage medium and that can communicate, propagate or transport a program for use by or in connection with an instruction execution system, apparatus or device.
Program code embodied on a computer-readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present application may be written in any combination of one or more programming languages, including an object-oriented programming language such as Java, Smalltalk, C++ or the like, and conventional procedural programming languages such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on a remote computer or authorization center. In the latter case, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
Aspects of the present application are described above with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the present application. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, special-purpose computer or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable medium that can direct a computer, other programmable data processing apparatus or other devices to function in a particular manner, such that the instructions stored in the computer-readable medium produce an article of manufacture including instructions which implement the functions/acts specified in the flowchart and/or block diagram block or blocks.
The computer program instructions may also be loaded onto a computer, other programmable data processing apparatus or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus or other devices to produce a computer-implemented process, such that the instructions which execute on the computer or other programmable apparatus provide processes for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
The foregoing is merely the preferred embodiments of the present application and is not intended to limit the application; for those skilled in the art, the application may have various modifications and changes. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the application shall be included within the scope of protection of the application.
Claims (10)
1. An authentication method, comprising:
a calling terminal sends request information and a first request signature to a server, the first request signature being generated by a calling terminal private key;
the server receives the request information and the first request signature;
the server obtains the address of the calling terminal according to the request information and the first request signature;
when the server checks that the server memory contains an authority record for the calling terminal to call a target terminal, the server generates an authorization message and a first authorized signature, the first authorized signature being generated by a target terminal public key;
the server sends the authorization message and the first authorized signature to the calling terminal;
the calling terminal receives the authorization message and the first authorized signature sent by the server;
the calling terminal sends a call request to the target terminal, the call request comprising an authorization request header, the authorization message, the first authorized signature and request text;
the target terminal receives the call request and generates a second authorized signature according to the authorization message;
if the first authorized signature is identical to the second authorized signature, the target terminal performs processing of the request text.
2. The method according to claim 1, characterized in that the server obtaining the address of the calling terminal according to the request information and the first request signature comprises:
the server obtains a calling terminal public key according to the request information, and generates a second request signature according to the calling terminal public key;
if the first request signature is identical to the second request signature, the address of the calling terminal is obtained according to the hypertext transfer protocol.
3. The method according to claim 1, characterized in that generating the second authorized signature according to the authorization message comprises:
the target terminal obtains a target terminal private key according to the authorization message, and generates the second authorized signature according to the target terminal private key.
4. The method according to claim 1 or 2, characterized in that the request information comprises an identifier of the calling terminal, an identifier of the target terminal and a timestamp;
wherein the timestamp is the time at which the calling terminal generated the request information.
5. The method according to claim 4, characterized in that the server obtaining the calling terminal public key according to the request information comprises:
when the difference between the timestamp and the current time of the server is within a time threshold, obtaining, according to the identifier of the calling terminal, the calling terminal public key corresponding to the calling terminal private key.
6. The method according to claim 1, characterized in that the authorization message comprises the identifier of the calling terminal, the address of the calling terminal, the identifier of the target terminal and an expiry time.
7. The method according to claim 3, characterized in that the target terminal obtaining the target terminal private key according to the authorization message comprises:
when the address of the calling terminal in the authorization message is identical to the remote address of the call, the identifier of the target terminal in the authorization message is identical to the identifier of the current target terminal, and the current time of the target terminal is less than the expiry time, obtaining the target terminal private key according to the identifier of the target terminal.
8. The method according to claim 1, characterized in that the method further comprises:
after the target terminal has performed processing of the request text, sending the call request to the calling terminal;
the calling terminal receives and caches the call request sent by the target terminal.
9. An authentication system, comprising:
a calling terminal, configured to send request information and a first request signature to a server, receive an authorization message and a first authorized signature sent by the server, and send a call request to a target terminal, the first request signature being generated by a calling terminal private key, and the call request comprising an authorization request header, the authorization message, the first authorized signature and request text;
a server, configured to receive the request information and the first request signature, obtain the address of the calling terminal according to the request information and the first request signature, generate the authorization message and the first authorized signature when it checks that the server memory contains an authority record for the calling terminal to call the target terminal, and send the authorization message and the first authorized signature to the calling terminal, the first authorized signature being generated by a target terminal public key;
a target terminal, configured to receive the call request and generate a second authorized signature according to the call request, and, if the first authorized signature is identical to the second authorized signature, perform processing of the request text.
10. A computer-readable storage medium storing computer program instructions, characterized in that the computer program instructions, when executed by a processor, implement the method according to any one of claims 1 to 8.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810282990.0A CN108199852B (en) | 2018-04-02 | 2018-04-02 | Authentication method, authentication system and computer readable storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810282990.0A CN108199852B (en) | 2018-04-02 | 2018-04-02 | Authentication method, authentication system and computer readable storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108199852A true CN108199852A (en) | 2018-06-22 |
CN108199852B CN108199852B (en) | 2021-02-26 |
Family
ID=62596543
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810282990.0A Expired - Fee Related CN108199852B (en) | 2018-04-02 | 2018-04-02 | Authentication method, authentication system and computer readable storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108199852B (en) |
Cited By (16)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109359449A (en) * | 2018-10-17 | 2019-02-19 | 郑州云海信息技术有限公司 | A kind of method for authenticating based on micro services, device, server and storage medium |
CN109522682A (en) * | 2018-11-15 | 2019-03-26 | 郑州云海信息技术有限公司 | A kind of method for authenticating and device |
CN109660988A (en) * | 2019-01-02 | 2019-04-19 | 百度在线网络技术(北京)有限公司 | Communicate authentication processing method, device and electronic equipment |
CN109995773A (en) * | 2019-03-21 | 2019-07-09 | 北京旷视科技有限公司 | Data processing method and device |
CN110138741A (en) * | 2019-04-15 | 2019-08-16 | 平安科技(深圳)有限公司 | Micro services management method, device and computer equipment based on management platform |
CN110809023A (en) * | 2019-09-25 | 2020-02-18 | 视联动力信息技术股份有限公司 | Communication connection establishing method and device based on video networking |
CN110943995A (en) * | 2019-12-03 | 2020-03-31 | 浪潮软件股份有限公司 | Method for realizing session forwarding in micro-service architecture |
CN111031037A (en) * | 2019-12-12 | 2020-04-17 | 北京金山云网络技术有限公司 | Authentication method and device for object storage service and electronic equipment |
CN111600899A (en) * | 2020-05-25 | 2020-08-28 | 华人运通(上海)云计算科技有限公司 | Micro-service access control method and device, electronic equipment and storage medium |
CN111769939A (en) * | 2020-06-29 | 2020-10-13 | 北京海泰方圆科技股份有限公司 | Business system access method and device, storage medium and electronic equipment |
CN112528341A (en) * | 2020-12-28 | 2021-03-19 | 深圳前海微众银行股份有限公司 | Method for generating authorization file, calling method and device |
CN112989325A (en) * | 2021-03-12 | 2021-06-18 | 远光软件股份有限公司 | Service calling method and device, storage medium and electronic equipment |
CN113259566A (en) * | 2021-05-19 | 2021-08-13 | 山东起跑线母婴健康管理有限公司 | System convenient for family members and doctors to acquire childbirth information in real time |
CN113505382A (en) * | 2021-06-18 | 2021-10-15 | 杭州华橙软件技术有限公司 | Micro-service authentication method, electronic device and storage medium |
CN113543123A (en) * | 2021-07-23 | 2021-10-22 | 闻泰通讯股份有限公司 | Method and device for dynamically setting authority of wireless network |
CN113704789A (en) * | 2021-08-31 | 2021-11-26 | 中汽创智科技有限公司 | Vehicle-mounted communication safety processing method, device, equipment and storage medium |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20080040281A1 (en) * | 2006-07-11 | 2008-02-14 | Dipanjan Chakraborty | User-vendor matching based on request from mobile wireless device |
CN101150577A (en) * | 2007-11-02 | 2008-03-26 | 珠海金山软件股份有限公司 | A system and method for secure Internet local function call |
CN103001976A (en) * | 2012-12-28 | 2013-03-27 | 中国科学院计算机网络信息中心 | Safe network information transmission method |
CN105740376A (en) * | 2016-01-27 | 2016-07-06 | 北京铭万智达科技有限公司 | API (Application Program Interface) calling statistics and monitoring method in micro-service |
CN107124431A (en) * | 2017-06-22 | 2017-09-01 | 浙江数链科技有限公司 | Method for authenticating, device, computer-readable recording medium and right discriminating system |
Also Published As
Publication number | Publication date |
---|---|
CN108199852B (en) | 2021-02-26 |
Similar Documents
Publication | Title |
---|---|
CN108199852A (en) | A kind of method for authenticating, right discriminating system and computer readable storage medium |
US11314891B2 (en) | Method and system for managing access to personal data by means of a smart contract |
EP3704621B1 (en) | Secure identity and profiling system |
US11876807B2 (en) | Secure online access control to prevent identification information misuse |
US9325708B2 (en) | Secure access to data in a device |
CN108432180A (en) | Method and system for the certification based on PKI |
KR102227578B1 (en) | Method for serving certificate based on zero knowledge proof by using blockchain network, and server and terminal for using them |
US20180254904A1 (en) | Integrated authentication system for authentication using single-use random numbers |
CN110287739B (en) | Data security management method and system based on hardware private key storage technology |
CN111160909B (en) | Hidden static supervision system and method for blockchain supply chain transaction |
CN112000951A (en) | Access method, device, system, electronic equipment and storage medium |
US20210241270A1 (en) | System and method of blockchain transaction verification |
CN110619222A (en) | Authorization processing method, device, system and medium based on block chain |
CN101939748A (en) | Activation by trust delegation |
CN104009963B (en) | The security authentication mechanism of remote password |
CN112333173B (en) | Data transmission method, system, equipment and storage medium based on data provider |
CN114329610A (en) | Block chain privacy identity protection method, device, storage medium and system |
CN109191116B (en) | Resource management method and system and payment management method and system |
JP2017079419A (en) | Server authentication system, terminal, server, server authentication method, program |
EP2479696A1 (en) | Data security |
KR101821645B1 (en) | Key management method using self-extended certification |
CN117376035B (en) | Vehicle data transmission method, system, equipment and storage medium |
WO2019078601A2 (en) | Pure random number generation apparatus, authentication method applied thereto, computer program, and recording medium |
CN117455489A (en) | Transaction authorization method, device, equipment and storage medium |
KR101737925B1 (en) | Method and system for authenticating user based on challenge-response |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20210226 |