CN109981666B - Access method, access system and access server - Google Patents


Info

Publication number
CN109981666B
Authority
CN
China
Prior art keywords
party
user data
data
user
ciphertext
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910257945.4A
Other languages
Chinese (zh)
Other versions
CN109981666A (en)
Inventor
孙吉平
李永建
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Wikipedia Technology Co ltd
Original Assignee
Beijing Wikipedia Technology Co ltd
Application filed by Beijing Wikipedia Technology Co ltd
Priority to CN201910257945.4A
Publication of CN109981666A
Application granted
Publication of CN109981666B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Information Transfer Between Computers (AREA)
  • Storage Device Security (AREA)

Abstract

An access method and system applied to an accessing party. The method comprises: after receiving an access request through a first application, redirecting from the first application to a login interface of an accessed party selected by a user operation; receiving a user data ciphertext from the accessed party through the first application; and obtaining target user data and first verification data from the user data ciphertext based on the private key of the accessing party, verifying the first verification data using the public key of the accessed party, and completing the user's login to the first application after the verification passes. With this access method and system, verification and encrypted transmission of user data can be carried out using the public and private keys of the accessed party, two-way verification of the user data transmission is achieved, and the security of user data in transit can be effectively ensured.

Description

Access method, access system and access server
Technical Field
The present invention relates to the field of information security technologies, and in particular, to an access method, an access system, and an access server.
Background
Today, with the rapid development of the internet, software companies aim to bring services online quickly while shortening the development cycle and reducing cost. Almost all internet software involves an account system, and there are generally two strategies for establishing one: building a self-owned account system, or accessing a third-party account system. A self-built account system has the advantage that the users are the company's own, and the disadvantage that users accumulate slowly, so the business develops slowly. By contrast, accessing a third-party account system has the advantage of a short development cycle; the third-party account system is generally well known and has a large number of active users, which helps business promotion and rapid development, but in a certain sense the users are not the company's own.
In the initial development stage, when a company's own software is not yet well known, relying on a well-known third-party account system is more conducive to developing its business; for example, the products of many software companies choose to access account systems such as QQ. In addition, when developing one piece of software requires the user-generated data resources of another piece of software, one system likewise needs to access the account center used by the other system.
Once it is decided to access a third-party account system, secure and fast access becomes a critical consideration.
Disclosure of Invention
The invention provides an access method, an access system and an access server, which can ensure the security of user data transmission in a convenient manner.
To this end, in one aspect, an embodiment of the present application provides an access method applied to an accessing party, the method including: after receiving an access request through a first application, redirecting from the first application to a login interface of an accessed party selected by a user operation, so that the user can input user login information on the login interface of the accessed party; receiving a user data ciphertext from the accessed party through the first application, wherein the user data ciphertext is obtained by the accessed party, after it has verified the user login information, by processing target user data based on an agreed algorithm and using the private key of the accessed party to obtain first verification data, and encrypting the target user data and the first verification data; and obtaining the target user data and the first verification data from the user data ciphertext based on the private key of the accessing party, verifying the first verification data using the public key of the accessed party, and completing the user's login to the first application after the verification passes.
Optionally, if the first verification data is a digital signature, verifying the first verification data using the public key of the accessed party includes: verifying the signature of the first verification data based on the target user data and using the public key of the accessed party.
Optionally, if the first verification data is a digital signature, verifying the first verification data using the public key of the accessed party includes: verifying the signature of the first verification data based on a predetermined portion of the target user data and using the public key of the accessed party.
Optionally, obtaining the target user data and the first verification data from the user data ciphertext based on the private key of the accessing party includes: decrypting the user data ciphertext using the private key of the accessing party to obtain the target user data and the first verification data.
Optionally, the user data ciphertext includes a first ciphertext and a second ciphertext, and obtaining the target user data and the first verification data from the user data ciphertext based on the private key of the accessing party includes: decrypting the second ciphertext using the private key of the accessing party to obtain a random key; and decrypting the first ciphertext using the random key to obtain the target user data and the first verification data.
Optionally, the target user data is assembled from: the unique application identifier of the accessing party at the accessed party and the unique user identifier that the accessed party assigns to the user for the accessing party; or the unique application identifier, the unique user identifier, and at least one of the following three items: a user data protocol version, an operation information code, and a timestamp.
Optionally, the redirection interface address for receiving the user data ciphertext is sent to the accessed party.
Optionally, completing the user's login to the first application after the verification passes includes: generating a unique identifier for the user at the accessing party, and storing the target user data in association with the unique identifier.
In another aspect, an embodiment of the present application provides an access system including a server and a first application installed on a terminal device. The first application includes: a user interface configured to receive an access request and to redirect from the first application to a login interface of an accessed party selected by a user operation, so that the user can input user login information on the login interface of the accessed party; and a redirection interface configured to receive a user data ciphertext from the accessed party, wherein the user data ciphertext is obtained by the accessed party, after it has verified the user login information, by processing target user data based on an agreed algorithm and using the private key of the accessed party to obtain first verification data, and encrypting the target user data and the first verification data. The server includes: a communication unit configured to receive the user data ciphertext from the first application; and a processing unit configured to obtain the target user data and the first verification data from the user data ciphertext based on the private key of the accessing party, verify the first verification data using the public key of the accessed party, and complete the user's login to the first application after the verification passes.
In another aspect, an embodiment of the present invention provides an access system including an accessed-party server, an accessing-party server, and a first application installed on a terminal device. The first application includes: a user interface configured to receive an access request and to redirect from the first application to a login interface of an accessed party selected by a user operation, so that the user can input user login information on the login interface of the accessed party; and a redirection interface configured to receive a user data ciphertext from the accessed party. The accessed-party server includes: a first communication unit configured to receive the user login information and transmit the user data ciphertext; and a first processing unit configured to verify the user login information and, after the verification passes, process target user data based on an agreed algorithm and using the private key of the accessed party to obtain first verification data, and encrypt the target user data and the first verification data to obtain the user data ciphertext. The accessing-party server includes: a second communication unit configured to receive the user data ciphertext from the first application; and a second processing unit configured to obtain the target user data and the first verification data from the user data ciphertext based on the private key of the accessing party, verify the first verification data using the public key of the accessed party, and complete the user's login to the first application after the verification passes.
In yet another aspect, an embodiment of the present invention provides an access server, which includes a processor configured to execute predetermined computer instructions to perform the method of any one of the above embodiments.
With the above user data transmission method and device, verification and encrypted transmission of user data can be carried out using the public and private keys of the accessed party, two-way verification of the user data transmission is achieved, and the security of user data in transit can be effectively ensured.
Drawings
Fig. 1 is a schematic flow chart of an embodiment of an access method of the present invention.
Fig. 2 is a schematic flow chart of another embodiment of the access method of the present invention.
Fig. 3 is a schematic flow chart of another embodiment of the access method of the present invention.
Fig. 4 is a schematic flow chart of another embodiment of the access method of the present invention.
Fig. 5 is a schematic flow chart of another embodiment of the access method of the present invention.
Fig. 6 is a schematic block diagram of one embodiment of an access system of the present invention.
Fig. 7A is a schematic block diagram of another embodiment of an access system of the present invention.
Fig. 7B is a schematic flow chart of another embodiment of the access method of the present invention.
Fig. 7C is a schematic flow chart of another embodiment of the access method of the present invention.
Detailed Description
Specific embodiments of the present application will be described in detail below with reference to the accompanying drawings, but the present application is not limited thereto.
It will be understood that various modifications may be made to the embodiments disclosed herein. The following description is, therefore, not to be taken in a limiting sense, but is made merely as an exemplification of embodiments. Other variations within the scope and spirit of the disclosure will occur to those skilled in the art.
The accompanying drawings, which are incorporated in and constitute a part of the specification, illustrate embodiments of the disclosure and, together with a general description of the disclosure given above, and the detailed description of the embodiments given below, serve to explain the principles of the disclosure. These and other characteristics of the present application will become apparent from the following description of preferred forms of embodiment, given as non-limiting examples, with reference to the attached drawings.
Specific embodiments of the present disclosure are described hereinafter with reference to the accompanying drawings; however, it is to be understood that the disclosed embodiments are merely examples of the disclosure that may be embodied in various forms. Well-known and/or repeated functions and structures have not been described in detail so as not to obscure the present disclosure with unnecessary or redundant detail. Therefore, specific structural and functional details disclosed herein are not to be interpreted as limiting, but merely as a basis for the claims and as a representative basis for teaching one skilled in the art to variously employ the present disclosure in virtually any appropriately detailed structure.
The specification may use the phrases "in one embodiment," "in another embodiment," "in yet another embodiment," or "in other embodiments," which may each refer to one or more of the same or different embodiments in accordance with the disclosure.
Hereinafter, embodiments of the present application will be described in detail with reference to the accompanying drawings.
Fig. 1 is a schematic flow chart of an embodiment of an access method of the present invention. The access method of this embodiment is applied to the accessing party. As shown in Fig. 1, the access method includes:
S11: After receiving an access request through a first application, redirecting from the first application to a login interface of an accessed party selected by a user operation, so that the user can input user login information on the login interface of the accessed party;
S12: Receiving a user data ciphertext from the accessed party through the first application, wherein the user data ciphertext is obtained by the accessed party, after it has verified the user login information, by processing target user data based on an agreed algorithm and using the private key of the accessed party to obtain first verification data, and encrypting the target user data and the first verification data;
S13: Obtaining the target user data and the first verification data from the user data ciphertext based on the private key of the accessing party, verifying the first verification data using the public key of the accessed party, and completing the user's login to the first application after the verification passes.
Specifically, in this embodiment, the first application may be a standalone application developed by the accessing party to provide an application service to the user, or it may be a browser on the terminal device, through which the user visits the accessing party's website and logs in to it. The login interface of the accessed party may be a second application different from the first application, in which case the redirection jumps from the first application to the second application, for example on the user terminal; the login interface of the accessed party may also be a browser or the like. The accessed party may be the owner of the user data, and the accessing party may be the user of the user data. As one specific example, the accessing party may be a server and the accessed party another server, the two being operated by different operators. As another specific example, the accessing party may include an application installed on a user terminal and an application server to which the application connects, and the accessed party may be another server that communicates with the accessing party.
The accessing party receives an access request from a user through the first application; for example, when the user needs to log in to the first application to use a specific function or service, the user issues the access request by operating the user interface of the first application. The user interface may then prompt the user to choose whether to log in with a third-party account; for example, when multiple third-party service providers are shown as icons, the user can click one of the icons to select the accessed party. According to the user's selection, the accessing party redirects from the first application to the login interface of the selected accessed party, so that the user can enter there the login information of the user's account at the accessed party.
After the user enters and submits the login information, the accessed party receives and verifies it. If the verification passes, this indicates that the user is a registered user of the accessed party and that the request to log in to the first application by logging in to the accessed party was submitted by that user; the accessed party then proceeds to transmit the target user data to the first application of the accessing party.
Before user data is transmitted, the accessing party needs to generate a public/private key pair in advance and submit its public key to the accessed party; the accessed party also needs to generate a public/private key pair in advance, generate or allocate a unique identifier for the accessing party to indicate which accessing party is requesting to use the user data, and provide its public key and the unique identifier to the accessing party.
The target user data to be transmitted may comprise a unique identification of the accessing party at the accessed party and user information data. When the access party includes the first application, the unique identification may be a unique application identification, such as an AppId. The user information data may include, for example, a unique identification of the user at the accessed party, which may be stored in association with login information, digital resources, profile information, etc. of the user at the accessed party. For example, in the case where the accessed party is the third party login server, after the accessing party obtains the user information data, each time the user logs in the accessing party by logging in the accessed party, the accessing party may determine that the user has passed the login authentication of the accessed party by checking the user information data transmitted from the accessed party, thereby causing the user to enter a login state at the accessing party.
In this embodiment, when the target user data needs to be transmitted to the accessing party, the accessed party processes the target user data based on the agreed algorithm and using its own private key to obtain the first verification data, encrypts the target user data and the first verification data to obtain the user data ciphertext, and transmits the ciphertext to the accessing party. After receiving the user data ciphertext from the accessed party, the accessing party decrypts it using its own private key to obtain the target user data and the first verification data, and verifies the first verification data using the public key of the accessed party. Here, the first verification data lets the accessing party verify the accessed party, because the first verification data can only be verified with the correct public key of the accessed party. Conversely, the accessed party encrypting the first verification data together with the target user data and sending the ciphertext to the accessing party serves to verify the accessing party, because only the specific accessing party holds the private key required to decrypt the ciphertext and obtain the target user data and the first verification data from it. In this way, bidirectional authentication between the accessing party and the accessed party is achieved.
After the bidirectional authentication between the accessing party and the accessed party is completed, the accessing party confirms that the target user data received from the accessed party is legitimate, stores the target user data, and puts the user into a logged-in state at the accessing party through the first application.
The access method of this embodiment can use the public and private keys of the accessed party to verify and encrypt user data in transit, achieves two-way verification of the user data transmission, and can effectively ensure the security of user data in transit. When the scheme is applied to third-party login, even if an attacker intercepts the user data, the attacker cannot decrypt it to obtain the plaintext because the attacker does not have the private key of the accessing party, and the user data cannot be tampered with or forged, which effectively prevents attackers from exploiting a covert redirect vulnerability.
Fig. 2 is a schematic flow chart of another embodiment of the access method of the present invention. As shown in Fig. 2, the access method of this embodiment includes the following steps:
S21: After receiving an access request through a first application, redirecting from the first application to a login interface of an accessed party selected by a user operation, so that the user can input user login information on the login interface of the accessed party.
S22: Receiving a user data ciphertext from the accessed party through the first application.
S23: Decrypting the user data ciphertext using the private key of the accessing party to obtain the target user data and the first verification data.
S24: Verifying the first verification data based on the target user data and using the public key of the accessed party.
In this embodiment, when the accessed party generates the user data ciphertext, it may use the agreed digital signature algorithm to digitally sign the target user data, obtaining a first digital signature as the first verification data. The agreed digital signature algorithm may be any algorithm, such as the DSA or RSA signature algorithm. The accessed party encrypts the target user data and the first digital signature and sends them to the accessing party; for example, it may encrypt them with the public key of the accessing party or with another agreed key, where the agreed key may be a symmetric key negotiated by the two parties in advance. After receiving the user data ciphertext, the accessing party obtains the target user data and the first digital signature from the ciphertext based on its private key or the other agreed key, and then verifies the first digital signature based on the target user data and using the public key of the accessed party. If the signature verifies, the target user data is considered trustworthy and is stored; otherwise, the target user data is considered to have been illegally tampered with or forged, and is discarded.
Fig. 3 is a schematic flow chart of another embodiment of the access method of the present invention. As shown in Fig. 3, the access method of this embodiment includes the following steps:
S31: After receiving an access request through a first application, redirecting from the first application to a login interface of an accessed party selected by a user operation, so that the user can input user login information on the login interface of the accessed party.
S32: Receiving a user data ciphertext from the accessed party through the first application.
S33: Decrypting the ciphertext using the private key of the accessing party to obtain the target user data and the first verification data.
S34: Verifying the signature of the first verification data based on a predetermined portion of the target user data and using the public key of the accessed party.
In this embodiment, when the accessed party generates the user data ciphertext, it may use the agreed digital signature algorithm to digitally sign a predetermined portion of the target user data, obtaining a first digital signature as the first verification data. The agreed digital signature algorithm may be any algorithm, such as the DSA or RSA signature algorithm. The accessed party encrypts the target user data and the first digital signature and sends them to the accessing party; for example, it may encrypt them with the public key of the accessing party or with another agreed key. After obtaining the user data ciphertext, the accessing party obtains the target user data and the first verification data from the ciphertext based on its private key, and verifies the signature of the first verification data based on the predetermined portion of the target user data and using the public key of the accessed party. If the verification passes, the decrypted target user data is determined to be legitimate and is stored; otherwise, it is discarded.
Fig. 4 is a schematic flow chart of another embodiment of the access method of the present invention. As shown in Fig. 4, the access method of this embodiment includes the following steps:
S41: After receiving an access request through a first application, redirecting from the first application to a login interface of an accessed party selected by a user operation, so that the user can input user login information on the login interface of the accessed party.
S42: Receiving a user data ciphertext from the accessed party through the first application, wherein the user data ciphertext comprises a first ciphertext and a second ciphertext.
S43: Decrypting the second ciphertext using the private key of the accessing party to obtain a random key.
S44: Decrypting the first ciphertext using the random key to obtain the target user data and the first verification data.
S45: Verifying the first verification data based on the target user data and using the public key of the accessed party.
In this embodiment, after the accessed party has processed the target user data with its own private key to obtain the first verification data, it first encrypts the target user data and the first verification data with a random key to generate the first ciphertext, then encrypts the random key with the public key of the accessing party to generate the second ciphertext, and sends the user data ciphertext comprising the first ciphertext and the second ciphertext to the accessing party. The random key may be of any kind, such as a machine-generated pseudo-random key. The manner in which the accessed party encrypts the target user data and the first verification data with the random key to obtain the first ciphertext may be any: for example, the target user data and the first verification data may be encrypted as a whole, or one of them or a part of them may be encrypted first and the whole then encrypted again. Further, predetermined portions of the target user data and the first verification data may be encrypted multiple times. Likewise, the manner of encrypting the random key with the public key of the accessing party to obtain the second ciphertext may be any: for example, encrypting part of the random key, encrypting the whole random key, or encrypting the random key a predetermined number of times.
In this embodiment, the accessed party may assemble the first ciphertext and the second ciphertext according to a preset format and then send them to the accessing party. The accessing party extracts the first ciphertext and the second ciphertext from the preset format, decrypts the second ciphertext with its own private key to obtain the random key, decrypts the first ciphertext with the random key to obtain the target user data and the first verification data, and then verifies the first verification data. Depending on how the accessed party generated the first verification data, the verification may specifically consist of verifying the first verification data based on the target user data and using the public key of the accessed party.
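The Fig. 4 exchange described above, with both the accessed party's and the accessing party's side, as an added example that is not part of the patent text. The algorithm choices (RSA-PSS with SHA-256 as the agreed signature algorithm, AES-256-GCM under the random key, RSA-OAEP to wrap the random key), the `Envelope` layout and all function names are assumptions made for illustration.

```go
// Added example, not the patent's code; RSA-PSS, AES-256-GCM and RSA-OAEP are assumed choices.
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is the "user data ciphertext" (this layout is an assumption).
type Envelope struct {
	First  []byte // nonce || AES-GCM(random key, signature || target user data)
	Second []byte // RSA-OAEP(accessing party's public key, random key)
}

func NewKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal runs at the accessed party: sign, encrypt under a fresh random key, wrap the key.
func Seal(data []byte, accessedPriv *rsa.PrivateKey, accessingPub *rsa.PublicKey) (*Envelope, error) {
	digest := sha256.Sum256(data)
	sig, err := rsa.SignPSS(rand.Reader, accessedPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	rnd := make([]byte, 32+12) // per-message random key and GCM nonce
	if _, err := rand.Read(rnd); err != nil {
		return nil, err
	}
	key, nonce := rnd[:32], rnd[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	first := gcm.Seal(append([]byte{}, nonce...), nonce, append(sig, data...), nil)
	second, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, accessingPub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{First: first, Second: second}, nil
}

// Open runs at the accessing party: unwrap the key, decrypt, verify the signature.
func Open(e *Envelope, accessingPriv *rsa.PrivateKey, accessedPub *rsa.PublicKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, accessingPriv, e.Second, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap random key: %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(e.First) < gcm.NonceSize() {
		return nil, fmt.Errorf("first ciphertext too short")
	}
	nonce, body := e.First[:gcm.NonceSize()], e.First[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, body, nil)
	if err != nil {
		return nil, fmt.Errorf("decrypt first ciphertext: %w", err)
	}
	n := accessedPub.Size() // an RSA signature is as long as the modulus
	if len(plain) < n {
		return nil, fmt.Errorf("payload shorter than a signature")
	}
	digest := sha256.Sum256(plain[n:])
	if err := rsa.VerifyPSS(accessedPub, crypto.SHA256, digest[:], plain[:n], nil); err != nil {
		return nil, fmt.Errorf("verify first verification data: %w", err)
	}
	return plain[n:], nil // returned only after the signature check has passed
}

func main() {
	accessed, accessing := NewKey(), NewKey()
	data := []byte(`{"app_id":"app-123","user_id":"u-42"}`) // constructed sample
	env, err := Seal(data, accessed, &accessing.PublicKey)
	if err != nil {
		panic(err)
	}
	out, err := Open(env, accessing, &accessed.PublicKey)
	fmt.Printf("%s %v\n", out, err)
}
```

Because the signature sits inside the encryption, the accessing party learns who produced the data only after decrypting; the GCM tag shows only that the first ciphertext was not altered after it was sealed.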
Fig. 5 is a schematic flow chart of another embodiment of the access method of the present invention. As shown in fig. 5, the access method of the embodiment of the present invention includes the following steps:
S51: After receiving an access request through a first application, redirecting from the first application to the login interface of the accessed party selected by user operation, so that the user inputs user login information on the login interface of the accessed party.
S52: Receiving the user data ciphertext from the accessed party through the first application.
S53: Decrypting the second ciphertext by using the private key of the access party to obtain the random key.
S54: Decrypting the first ciphertext by using the random key to obtain the target user data and the first check data.
S55: Verifying the signature of the first check data based on a predetermined portion of the target user data and using the public key of the accessed party.
S56: Generating a unique identifier for the user at the access party, and storing the target user data and the unique identifier in correspondence.
In an embodiment of the present invention, the predetermined portion of the target user data may be arbitrary; in one embodiment, the predetermined portions and their numbers may be associated in different ways, for example by renumbering the portions of the target user data. After the access party obtains the user data ciphertext comprising the first ciphertext and the second ciphertext, it obtains the random key from the second ciphertext using the private key of the access party, decrypts the first ciphertext with the random key to obtain the target user data and the first check data, and verifies the signature of the first check data based on the predetermined portion of the target user data and the public key of the accessed party. If verification passes, the decrypted target user data is judged to be legitimate, and a unique identifier is generated for the user at the access party and stored in correspondence with the target user data; otherwise, the decrypted target user data is discarded.
In the embodiment of the present invention, the target user data may be obtained by assembling a plurality of data. For example, the target user data may be obtained by assembling a unique application identification of the accessing party at the accessed party and a unique user identification assigned to the user by the accessed party for the accessing party. In addition, the target user data may include other user-related information besides the identification, such as at least one of a user data protocol version, an operation information code, and a time stamp.
In the embodiment of the invention, the access party can also send the redirection interface address for receiving the user data ciphertext to the accessed party in advance, either through the first application or directly from the application server, so that the accessed party can send the user data ciphertext directly to the redirection interface address after generating it.
Fig. 6 is a schematic block diagram of one embodiment of an access system of the present invention. As shown in fig. 6, the access system of the embodiment of the present invention includes a server 61 and a first application 620 installed in a terminal device 62.
The first application 620 comprises a user interface 621 and a redirection interface 622. The user interface 621 is configured to receive an access request and redirect from the first application to the login interface of the accessed party selected by user operation, so that the user inputs user login information on the login interface of the accessed party. The redirection interface 622 is configured to receive a user data ciphertext from the accessed party, where the user data ciphertext is obtained by the accessed party, after it has verified the user login information, processing the target user data based on an agreed algorithm and using the private key of the accessed party to obtain first check data, and encrypting the target user data and the first check data.
The server 61 includes a communication unit 611 and a processing unit 612, where the communication unit 611 is configured to receive a user data ciphertext from a first application; the processing unit 612 is configured to obtain target user data and first verification data from the user data ciphertext based on the access party private key, verify the first verification data by using the accessed party public key, and complete the login of the user to the first application after the verification is passed.
In the embodiment of the present invention, the operation and configuration of each unit of the access system correspond to the above-described access method.
The access system of the embodiment of the invention can use the public and private keys of the accessed party to verify and encrypt user data in transit, which realizes bidirectional verification of user data transmission and effectively ensures the transmission security of the user data. When the scheme of the embodiment of the invention is applied to third-party login, even if an attacker intercepts the user data, the attacker cannot decrypt it to obtain the plaintext because the attacker does not hold the private key of the access party, and the user data cannot be tampered with or forged, so exploitation of the covert redirect vulnerability is effectively prevented.
Fig. 7A is a schematic block diagram of another embodiment of an access system of the present invention.
As shown in fig. 7A, the access system of the present invention includes an accessed-party server 71, an accessing-party server 72, and a first application 730 installed in a terminal device 73.
First application 730 includes user interface 731 and redirection interface 732. Wherein the user interface 731 is configured to receive an access request, and redirect the first application to a login interface of the accessed party according to the accessed party selected by the user operation, so that the user inputs user login information at the login interface of the accessed party; redirection interface 732 configured to receive user data ciphertext from an accessed party.
The accessed-party server 71 includes a first communication unit 711 and a first processing unit 712. Wherein, the first communication unit 711 is configured to receive user login information and send a user data ciphertext; and the first processing unit 712 is configured to verify the user login information, process the target user data to obtain first check data based on an agreed algorithm and by using the private key of the accessed party after the user login information passes the verification, and encrypt the target user data and the first check data to obtain a user data ciphertext.
The access server 72 comprises a second communication unit 721 and a second processing unit 722. Wherein the second communication unit 721 is configured to receive the user data cryptogram from the first application; the second processing unit 722 is configured to obtain target user data and first verification data from the user data ciphertext based on the access party private key, verify the first verification data by using the accessed party public key, and complete the login of the user to the first application after the verification is passed.
The access system of the embodiment of the invention specifically operates according to the following modes:
First, the accessed party needs to provide the following interfaces for the access party to set up its initialization data (fig. 7B); the access party calls them to initialize the data:
1. Generate a unique identifier AppID for the access party;
2. The access party can upload the public key representing its identity, which is stored in the accessed party's system;
3. The accessed party generates a public/private key pair representing the identity of the accessed party; the public key is returned to the access party, and the private key is stored in the accessed party's system;
4. The interface address to which user information is returned to the access party after the accessed party's user identity authentication passes can be saved;
5. The information generated by the accessed party and the access party is stored in the t_accessParty table.
Second, the access party needs to provide an interface for storing initialization data, as follows: an id is assigned to the account center of the accessed party to identify which account center is being accessed, and the public key, the private key and the AppId obtained in step 3 of the first stage are stored in the t_userCenter table. After this is completed, the following steps are carried out between the access party and the accessed party (fig. 7C):
1. A user accesses an online service of the access party through a terminal device (which may be a browser terminal or a terminal developed by the access party). If access to multiple account centers is supported, the user needs to select which account center to use, such as a Tencent QQ account or a Sina Weibo account;
2. The account center option on the interface corresponds to its own AppId; the access party's system carries the AppId and other parameters and redirects to the accessed party's user system for user login verification;
3. The user inputs correct account information on the accessed party's system login page (the user can of course cancel the login during this process);
4. After the accessed party's system verifies the account information, it uses the parameter AppId to obtain the public key of the corresponding access party and its own private key from the t_accessParty table and assembles a user data packet. Note that a user number unique to the access party is allocated to the user and written into UserInfo; if the user logs in through the access party's system again, the same number is used and is not regenerated. The allocated user number therefore needs to be stored in the t_accessPartyUserIdMapping table of the accessed party's own storage service: after login verification passes, the accessed party checks whether the user already has a unique number specific to the access party, uses it directly if so, and otherwise generates one and stores it. The assembled data packet is then sent to the user data redirection interface provided by the access party;
5. After acquiring the user data, the terminal device submits the data to the access party's server;
6. After receiving the data packet, the access party's server-side system unpacks it to obtain the data defined in the protocol, in which UserInfo holds the unique number that the accessed party provided for the logged-in user with respect to the access party. The access party's server regenerates a unique number of its own and stores it in correspondence in the t_UserInfo table (if the user is already in the table, no row is inserted), which completes the user's login to the access party's system. The reason for regenerating is that, when multiple account centers are accessed, account centers of different vendors may allocate the same user number to different accounts for the access party. The logged-in user is identified in the access party's system by the regenerated user number.
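The packet exchange of steps 4 to 6 above, together with the access-party checks S53 to S56 described earlier, can be illustrated with the following Node.js sketch, which is an added example and not code from the patent. The concrete algorithms (RSA-SHA256 signature, AES-256-GCM, RSA-OAEP), the JSON packet layout, the field names `appId`, `userId`, `version` and `timestamp`, the AppId and timestamp checks, and the in-memory `UserInfoTable` standing in for t_UserInfo are all assumptions of this example.

```javascript
const crypto = require('crypto');

// Assumed "agreed algorithm": RSA-SHA256 signature, AES-256-GCM, RSA-OAEP key wrap.
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };
const b64 = (buf) => buf.toString('base64');
const unb64 = (s) => Buffer.from(s, 'base64');

// Accessed party: sign the target user data, encrypt data + signature under a
// random key (first ciphertext), wrap that key for the access party (second).
function buildUserDataCiphertext(targetUserData, accessedPrivKey, accessPubKey) {
  const data = Buffer.from(JSON.stringify(targetUserData), 'utf8');
  const checkData = crypto.sign('sha256', data, accessedPrivKey); // first check data
  const inner = Buffer.from(JSON.stringify({ data: b64(data), sig: b64(checkData) }));
  const randomKey = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const enc = crypto.createCipheriv('aes-256-gcm', randomKey, iv);
  const body = Buffer.concat([enc.update(inner), enc.final()]);
  return {
    first: b64(Buffer.concat([iv, enc.getAuthTag(), body])),
    second: b64(crypto.publicEncrypt({ key: accessPubKey, ...OAEP }, randomKey)),
  };
}

// Access party, steps S53 to S55. Anyone can encrypt to the access party's public
// key, so decryption alone proves nothing; only the signature check binds the data
// to the accessed party. The AppId and timestamp checks are additions of this example.
function openUserDataCiphertext(packet, accessPrivKey, accessedPubKey, expectedAppId,
                                now = Date.now(), maxAgeMs = 120000) {
  let data, sig;
  try {
    const randomKey = crypto.privateDecrypt({ key: accessPrivKey, ...OAEP },
                                            unb64(packet.second));            // S53
    const raw = unb64(packet.first);
    const dec = crypto.createDecipheriv('aes-256-gcm', randomKey, raw.subarray(0, 12));
    dec.setAuthTag(raw.subarray(12, 28));
    const plain = Buffer.concat([dec.update(raw.subarray(28)), dec.final()]); // S54
    const inner = JSON.parse(plain.toString('utf8'));
    data = unb64(inner.data);
    sig = unb64(inner.sig);
  } catch (err) {
    return { ok: false, reason: 'malformed' };
  }
  if (!crypto.verify('sha256', data, accessedPubKey, sig)) {                  // S55
    return { ok: false, reason: 'bad-signature' };
  }
  const user = JSON.parse(data.toString('utf8'));
  if (user.appId !== expectedAppId) return { ok: false, reason: 'wrong-appid' };
  if (!(Math.abs(now - user.timestamp) <= maxAgeMs)) return { ok: false, reason: 'stale' };
  return { ok: true, user };
}

// S56 / step 6: the access party regenerates its own user number, keyed by account
// center id plus that center's user number, since two centers may issue the same one.
class UserInfoTable {
  constructor() { this.rows = new Map(); }
  login(centerId, user) {
    const key = JSON.stringify([centerId, user.userId]);
    if (!this.rows.has(key)) this.rows.set(key, { localId: crypto.randomUUID(), user });
    return this.rows.get(key).localId;
  }
}

// Constructed demo: fresh keys, a genuine login, and a packet signed by the wrong key.
function demo() {
  const gen = () => crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const accessed = gen(), access = gen(), stranger = gen();
  const data = { version: 1, appId: 'app-001', userId: 'u-42', timestamp: Date.now() };
  const open = (p) => openUserDataCiphertext(p, access.privateKey, accessed.publicKey, 'app-001');
  const genuine = open(buildUserDataCiphertext(data, accessed.privateKey, access.publicKey));
  const forged = open(buildUserDataCiphertext(data, stranger.privateKey, access.publicKey));
  const localId = genuine.ok ? new UserInfoTable().login('center-A', genuine.user) : null;
  return { genuine: genuine.ok, forged: forged.reason, hasLocalId: localId !== null };
}

console.log(demo());
```

The forged case shows why the first check data is needed in addition to encryption: the packet decrypts cleanly under the access party's private key but is rejected at the signature check.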
The modules described in the embodiments of the present application may be implemented by hardware as shown in fig. 6, or may be implemented by software. For example, in another embodiment of the access system of the present invention, the access system applied to the access party may include a processor and a memory, the memory may be configured to store predetermined computer instructions, and the processor may be configured to execute the predetermined computer instructions stored in the memory to perform the processes according to the embodiments shown in fig. 1 to 5.
It can be clearly understood by those skilled in the art that, for convenience and brevity of description, for the electronic device to which the data processing method described above is applied, reference may be made to the corresponding description in the foregoing product embodiments, and details are not repeated herein.
The above embodiments are only exemplary embodiments of the present application, and are not intended to limit the present application, and the protection scope of the present application is defined by the claims. Various modifications and equivalents may be made by those skilled in the art within the spirit and scope of the present application and such modifications and equivalents should also be considered to be within the scope of the present application.

Claims (10)

1. An access method, applied to an access party, comprising the following steps:
after receiving an access request through a first application, redirecting to a login interface of an accessed party from the first application according to the accessed party selected by user operation, so that a user can input user login information on the login interface of the accessed party;
receiving a user data ciphertext from the accessed party through the first application, wherein the user data ciphertext is obtained by the accessed party, after it has verified the user login information, processing target user data based on an agreed algorithm and by using a private key of the accessed party to obtain first check data, and encrypting the target user data and the first check data;
obtaining target user data and first verification data from the user data ciphertext based on the private key of the access party, verifying the first verification data by using the public key of the accessed party, and completing the login of the user to the first application after the verification is passed; wherein
the user data ciphertext comprises a first ciphertext and a second ciphertext, wherein obtaining target user data and first check data from the user data ciphertext based on an access party private key comprises:
decrypting the second ciphertext by using the private key of the access party to obtain a random key;
and decrypting the first ciphertext by using the random key to obtain target user data and first check data.
2. The method of claim 1, wherein the first verification data is a digital signature, and verifying the first verification data using the public key of the accessed party comprises:
and verifying the signature of the first verification data based on the target user data and by using the public key of the accessed party.
3. The method of claim 1, wherein the first verification data is a digital signature, and verifying the first verification data using the public key of the accessed party comprises:
verifying the signature of the first verification data based on a predetermined portion of the target user data and by using the public key of the accessed party.
4. The method of claim 1, wherein obtaining target user data and first check data from the user data ciphertext based on an access party private key comprises:
and decrypting the user data ciphertext by using the access party private key to obtain target user data and first check data.
5. The method of any one of claims 1-4, wherein the target user data is obtained by assembling: the unique application identification of the accessing party at the accessed party and the unique user identification distributed to the user by the accessed party aiming at the accessing party; or the unique application identification, the unique user identification and at least one of the three data of the user data protocol version, the operation information code and the time stamp.
6. The method of any one of claims 1-4, further comprising:
and sending the redirection interface address for receiving the user data ciphertext to the accessed party.
7. The method of any of claims 1-4, wherein completing the login of the user to the first application after the verification passes comprises:
and generating a unique identifier for the user at the access party, and correspondingly storing the target user data and the unique identifier.
8. An access system comprises a server and a first application installed on a terminal device, wherein:
the first application includes:
the user interface is configured to receive an access request, and redirect the access request to a login interface of an accessed party from a first application according to the accessed party selected by user operation so that a user can input user login information on the login interface of the accessed party;
the redirection interface is configured to receive a user data ciphertext from the accessed party, wherein the user data ciphertext is obtained by the accessed party, after it has verified the user login information, processing target user data based on an agreed algorithm and by using a private key of the accessed party to obtain first check data, and encrypting the target user data and the first check data;
the server side comprises:
a communication unit configured to receive a user data ciphertext from a first application;
the processing unit is configured to obtain target user data and first verification data from the user data ciphertext based on an access party private key, verify the first verification data by using an accessed party public key, and complete the login of a user to a first application after the verification is passed; wherein
the user data ciphertext comprises a first ciphertext and a second ciphertext, wherein obtaining target user data and first check data from the user data ciphertext based on an access party private key comprises:
decrypting the second ciphertext by using the private key of the access party to obtain a random key;
and decrypting the first ciphertext by using the random key to obtain target user data and first check data.
9. An access system comprising an accessed-party server, an accessing-party server and a first application installed at a terminal device, wherein:
the first application includes:
the user interface is configured to receive an access request, and redirect the access request to a login interface of an accessed party from a first application according to the accessed party selected by user operation so that a user can input user login information on the login interface of the accessed party;
a redirection interface configured to receive user data ciphertext from an accessed party;
the accessed server comprises:
a first communication unit configured to receive the user login information and transmit the user data ciphertext;
the first processing unit is configured to verify the user login information, process target user data to obtain first check data based on an agreed algorithm and by using a private key of an accessed party after the user login information passes the verification, and encrypt the target user data and the first check data to obtain a user data ciphertext;
the access side server includes:
a second communication unit configured to receive a user data ciphertext from the first application;
the second processing unit is configured to obtain target user data and first verification data from the user data ciphertext based on the private key of the access party, verify the first verification data by using the public key of the accessed party, and complete the login of the user to the first application after the verification is passed; wherein
the user data ciphertext comprises a first ciphertext and a second ciphertext, wherein obtaining target user data and first check data from the user data ciphertext based on an access party private key comprises:
decrypting the second ciphertext by using the private key of the access party to obtain a random key;
and decrypting the first ciphertext by using the random key to obtain target user data and first check data.
10. An access server comprising a processor configured to execute predetermined computer instructions to perform the method of any one of claims 1-7.
CN201910257945.4A 2019-04-01 2019-04-01 Access method, access system and access server Active CN109981666B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910257945.4A CN109981666B (en) 2019-04-01 2019-04-01 Access method, access system and access server

Publications (2)

Publication Number Publication Date
CN109981666A CN109981666A (en) 2019-07-05
CN109981666B true CN109981666B (en) 2020-08-04

Family

ID=67082185

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP02 Change in the address of a patent holder

Address after: Room 124, 1 / F, building 2, yard 9, jiaogezhuang street, Nanfaxin Town, Shunyi District, Beijing

Patentee after: Beijing Wikipedia Technology Co.,Ltd.

Address before: 102200 No. 1, 120, Area C, 23 Qianqian Road, Changping Science and Technology Park, Beijing

Patentee before: Beijing Wikipedia Technology Co.,Ltd.