CN110213229B - Identity authentication method, system, computer equipment and storage medium - Google Patents

Identity authentication method, system, computer equipment and storage medium Download PDF

Info

Publication number
CN110213229B
CN110213229B CN201910341167.7A CN201910341167A CN110213229B CN 110213229 B CN110213229 B CN 110213229B CN 201910341167 A CN201910341167 A CN 201910341167A CN 110213229 B CN110213229 B CN 110213229B
Authority
CN
China
Prior art keywords
service
information
consumer
code
consumption
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910341167.7A
Other languages
Chinese (zh)
Other versions
CN110213229A (en
Inventor
王丽
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ping An Technology Shenzhen Co Ltd
Original Assignee
Ping An Technology Shenzhen Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Ping An Technology Shenzhen Co Ltd filed Critical Ping An Technology Shenzhen Co Ltd
Priority to CN201910341167.7A priority Critical patent/CN110213229B/en
Publication of CN110213229A publication Critical patent/CN110213229A/en
Priority to PCT/CN2019/119479 priority patent/WO2020215709A1/en
Application granted granted Critical
Publication of CN110213229B publication Critical patent/CN110213229B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3297Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving time stamps, e.g. generation of time stamps

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Storage Device Security (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The application discloses an identity authentication method, an identity authentication system, computer equipment and a storage medium, wherein the identity authentication method comprises the following steps: the service side receives a service calling request sent by a consumer side, wherein the service calling request comprises consumption coding information and authorization relation encryption information, and the authorization relation encryption information contains consumption coding-service coding calling relation information; checking whether a service key is prestored according to the consumption coding information; if the service key is prestored, decrypting the authorization relation encrypted information by using the service key to obtain consumption coding-service coding calling relation information; verifying whether the consumption code-service code calling relation information is legal or not according to the consumption code information and the pre-stored service code information; and if the service is legal, responding to the service calling request and returning the corresponding service resource to the consumer. The identity authentication method can solve the problem of large network consumption in the process of identity authentication of a consumer by a server.

Description

Identity authentication method, system, computer equipment and storage medium
Technical Field
The present application relates to the field of computer technologies, and in particular, to an identity authentication method, system, computer device, and storage medium.
Background
For the server cluster or the cross-domain service oriented architecture, when a consumer (i.e., a consumer of a service, such as an application system calling each service interface) accesses resources of a server (i.e., a provider of a service, such as an application system providing each service interface) in a cross-domain manner, because a prior trust relationship does not exist between the consumer and the server, the server needs to perform identity authentication on the consumer and judge whether the consumer has access right.
Therefore, how to reduce the consumption of network query in the process of authenticating the identity of the consumer by the service party is a technical problem to be solved urgently by those skilled in the art.
Disclosure of Invention
The present application mainly aims to provide an identity authentication method, system, computer device and storage medium, and aims to solve the problem of large network consumption in the process of identity authentication of a consumer by a service party.
The application provides an identity authentication method, which comprises the following steps:
the service side receives a service calling request sent by a consumer side, wherein the service calling request comprises consumption code information of the consumer side and authorization relation encryption information prestored in the consumer side, and the authorization relation encryption information contains consumption code-service code calling relation information;
checking whether a service key corresponding to the consumption coding information is prestored according to the consumption coding information;
if the service key of the corresponding consumption code information is checked, the authorization relation encrypted information is decrypted by using the service key, and consumption code-service code calling relation information is obtained;
verifying the consumption code-service code calling relation information according to the consumption code information and the pre-stored service code information, and judging whether the consumption code-service code calling relation information is legal or not;
and if the consumption code-service code calling relation information is legal, responding to the service calling request and returning the corresponding service resource to the consumer.
Further, the authorization relationship encryption information is attached with a time stamp, and after the step of the server receiving the service invocation request sent by the consumer, the method further comprises the following steps:
judging whether the authorization relation encryption information is expired or not according to the timestamp;
if the authorization relation encryption information is not expired, the step of checking whether the service key corresponding to the consumption coding information is prestored or not according to the consumption coding information is executed.
Further, after the step of judging whether the consumption code-service code calling relation information is legal, the method further comprises the following steps:
if the consumption code-service code calling relationship information is legal, calculating the consumption code-service code calling relationship information by using a preset MD5 algorithm, and obtaining and storing a corresponding MD5 value;
and sending the MD5 value to the consumer for storage.
Further, after the step of judging whether the authorization relationship encryption information is expired according to the timestamp, the method further includes:
if the authorization relationship encryption information is expired, sending prompt information of the expired identity to the consumer to prompt the consumer to perform identity authentication again;
receiving the MD5 value and the consumption coding information returned by the consumer responding to the prompt information, and checking whether a corresponding pre-stored MD5 value exists according to the consumption coding information;
if the corresponding pre-stored MD5 value exists, comparing the MD5 value with the pre-stored MD5 value, and judging whether the MD5 value is consistent with the pre-stored MD5 value;
and if the MD5 value is consistent with the pre-stored MD5 value, responding to the service calling request and returning the corresponding service resource to the consumer.
Further, after the step of determining whether the MD5 value is consistent with the pre-stored MD5 value, the method further comprises:
if the MD5 value is consistent with the pre-stored MD5 value, the time stamp on the authorization relation encryption information is refreshed;
and sending the refreshed authorization relationship encryption information and reminding information for replacing the authorization relationship encryption information to the consumer so as to remind the consumer to replace the expired authorization relationship encryption information with the refreshed authorization relationship encryption information.
The application also provides an authority application method, which comprises the following steps:
the consumption side sends a service registration request to the service registration center to register the service of the service side, wherein the service registration request comprises consumption coding information of the consumption side;
receiving service information of a service party returned by a service registration center in response to a service registration request, wherein the service information comprises service coding information;
generating consumption code-service code calling relation information according to the service code information and pre-stored consumption code information;
sending an authority application request to a service registration center, wherein the authority application request comprises consumption coding-service coding calling relation information;
and receiving and storing authorization relation encryption information returned by the service registration center in response to the authority application request, wherein the authorization relation encryption information contains consumption coding-service coding calling relation information.
Further, the authorization relationship encryption information is stored in a cache folder of the consumer, wherein the cache folder is encrypted through the local hardware information of the consumer, and the method for applying for the permission further includes:
comparing the pre-stored hardware information with the local hardware information, and judging whether the hardware information is consistent with the local hardware information or not so as to acquire authorization relation encryption information in the cache folder;
and if the hardware information is consistent with the local hardware information, sending a service calling request to the service party to acquire service resources of the service party, wherein the service calling request comprises consumption coding information and authorization relation encryption information.
The present application further provides an identity authentication system, including:
the service registration center is used for generating a service key and authorization relation encryption information, storing service information of a service party, providing the service key for the service party and providing authorization relation encryption information and service information for a consumer, wherein the authorization relation encryption information contains consumption coding-service coding calling relation information, and the service information comprises service coding information;
the consumer is used for generating consumption code-service code calling relation information according to the service code information and the consumption code information of the consumer, acquiring and storing authorization relation encryption information and service information from the service registration center, and sending a service calling request to the service server, wherein the service calling request comprises the consumption code information and the authorization relation encryption information;
and the service party is used for registering the service information of the service party to the service registration center, acquiring and storing the service key from the service registration center, and judging whether the consumer has the authority of calling the service resource of the consumer according to the service calling request sent by the consumer.
The present application further provides a computer device, which includes a memory and a processor, where the memory stores a computer program, and the processor implements the steps of the foregoing identity authentication method when executing the computer program.
The present application also proposes a computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the aforementioned identity authentication method.
The beneficial effect of this application is: in the identity authentication method provided by the embodiment of the application, the identity authentication of the service party to the consumer is realized through an algorithm, except that in the process of first identity authentication, the consumer needs to obtain the authorization relationship encryption information from the service registration center, and the service party needs to obtain the service key from the service registration center, each time thereafter, when the service party performs identity authentication on the consumer, only the authorization relationship encryption information sent by the consumer needs to be decrypted and verified, and the authentication data source of a third party does not need to be relied on, so that the consumption of network query can be reduced.
Drawings
FIG. 1 is a schematic flow chart of an identity authentication method in one embodiment of the present application;
FIG. 2 is a flow chart illustrating a method for applying rights in one embodiment of the present application;
FIG. 3 is a block diagram of an identity authentication system in one embodiment of the present application;
FIG. 4 is a schematic diagram of a computer device in an implementation of the present application.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Referring to fig. 1 and fig. 3, an embodiment of the present application provides an identity authentication method, which is applied to an identity authentication system, where the identity authentication system includes a consumer, a server, and a service registry, and the consumer, the server, and the service registry can implement mutual communication in a network form, and the identity authentication method includes:
s11, the service side receives a service calling request sent by the consumer side, wherein the service calling request comprises consumption code information of the consumer side and authorization relation encryption information prestored in the consumer side, and the authorization relation encryption information contains consumption code-service code calling relation information;
s12, checking whether the service key corresponding to the consumption code information is prestored according to the consumption code information;
if the service key corresponding to the consumption code information is pre-stored in the self-checking device, S13 is executed, the authorization relation encrypted information is decrypted by using the service key, and the consumption code-service code calling relation information is obtained;
s14, verifying the consumption code-service code calling relation information according to the consumption code information and the pre-stored service code information, and judging whether the consumption code-service code calling relation information is legal or not;
if the consumption code-service code calling relation information is legal, executing S15, responding to the service calling request, and returning the corresponding service resource to the consuming party.
In step S11, the consumption code information is a unique id of a consumer, and different consumers have different consumption code information; the authorization relation encryption information is consumption code-service code calling relation information encrypted by a service key and is used for realizing the safety authentication of a service party to the identity of a consumer, wherein, the concrete expression form of the consumption code-service code calling relation information can be expressed by Cn-Pn, wherein Cn is consumption coding information corresponding to a consumer n, Pn is service coding information corresponding to a service n (the service coding information is a unique identity of a service, different service has different service coding information), therefore, the calling relation between the consumer and the server can be known through the consumption code-service code calling relation information, that is, a certain consumer needs to invoke a service resource of a certain server, for example, consumer 1 needs to invoke a service resource of server 1, the consumption code-service code invocation relationship information can be represented by C1-P1;
in this step, specifically, when the service provider is started for the first time, the service provider registers its service information into the service registration center, where the service information of the service provider includes a name of the service provider, service code information of the service provider, an IP address and a port of the service provider, a request address of the service provider, and the like; when a consumer calls service resources of a service party for the first time, the consumer needs to register the service of the service party, specifically, the consumer logs in a service registration center by receiving an account number and a password input by a user, after the login is successful, the consumer sends a service registration request for registering the service of the service party to the service registration center, wherein the service registration request comprises consumption coding information of the consumer, when the service registration center receives the service registration request, the service registration center responds to the service registration request, randomly generates and stores a service key corresponding to the consumption coding information, and returns service information of the service party to the consumer, when the consumer receives the service information, the consumer generates consumption coding-service coding calling relation information according to the service coding information in the service information and the consumption coding information of the consumer, then the consumer sends an authority application request for applying for accessing the server to the service registration center, wherein the authority application request comprises consumption code-service code calling relation information, IP address information of the consumer and the consumption code information, when the service registration center receives the authority application request, the service registration center will respond to the authority application request, find out the service key corresponding to the consumption code information generated before according to the consumption code information, and encrypt the consumption code-service code calling relation information by using the service key, thereby generating the authorization relation encryption information, further return the authorization relation encryption information to the consumer, the consumer receives and stores the authorization relation encryption information, when the consumer calls the service resource of the server, the consumer finds out the request address of the server from the self-stored service information, and then sending a service calling request to a server side in an http mode, wherein authorization relation encryption information and consumption coding information of a consumer side are placed in an http request header so as to carry out related operations in the following.
In step S12, specifically, when the server receives the authorization relationship encryption information and the consumption coding information sent by the consumer, to verify whether the current consumer has the right to access, the server needs to check the validity of the consumption coding-service coding invocation relationship information, so that the authorization relationship encryption information needs to be decrypted first to obtain the consumption coding-service coding invocation relationship information, and the authorization relationship encryption information needs to be decrypted by using the service key, so that it needs to check whether the corresponding service key is pre-stored in the server according to the consumption coding information, so as to perform the related operations later.
In the above step S13, if the service party checks that the service key itself pre-stores the corresponding service key, the service party may directly decrypt the authorization relationship encryption information by using the service key to obtain the consumption code-service code calling relationship information for performing the subsequent related operations, and if the service party checks that the service key itself does not pre-store the corresponding service key, it indicates that the service party performs the identity authentication on the current consumer for the first time, and therefore, the service party needs to obtain the corresponding service key from the service registry first, specifically, when the service party checks that the service key itself does not pre-store the corresponding service key, the service party sends a key obtaining request to the service registry, wherein the key obtaining request includes the consumption code information of the current consumer, and when the service registry receives the key obtaining request, the service registry registers the plurality of stored service keys according to the consumption code information (when different consumers register different service keys through the service registry, registers different service keys The service registry generates and stores different service keys according to service registration requests of different consumers during service of the service provider, so that a plurality of service keys are stored in the service registry), the service key corresponding to the consumption coding information is searched out and returned to the service provider, the service provider receives and stores the service key, and decrypts the authorization relation encryption information by using the service key, so that consumption coding-service coding calling relation information is obtained.
In step S14, after the consumption code-service code invoking relationship information is decrypted from the authorization relationship encrypted information by using the corresponding service key, the consumption code-service code invoking relationship information is further verified through the service code information of itself and the received consumption code information, and whether the consumption code-service code invoking relationship information is legal is determined, for example, assuming that the consumption code information sent by the current consumer to the server is C1 (i.e. it indicates that the current consumer is consumer 1), the service code information of the server is P1, and the consumption code-service code invoking relationship information obtained by decryption is C1-P1, when verification is performed, the server matches P1 and C1 with C1-P1 respectively, determines whether there is a matching item, if there is only one of the matching items (C1 or P1) or there is no matching item (i.e. neither C1 nor P1 match), it is indicated that the consumption code-service code calling relationship information provided by the current consumer is illegal, the current consumer does not have the right to access the service resource of the service provider 1, on the contrary, if the matching items C1 and P1 exist at the same time, it is indicated that the consumption code-service code calling relationship information provided by the current consumer is legal, and the current consumer has the right to access the service resource of the service provider 1, in this example, since the consumption code information is C1, the service code information is P1, and the consumption code-service code calling relationship information obtained by decryption is C1-P1, when verification is performed, the matching result of the matching items C1 and P1 exists at the same time is finally obtained, so the service provider 1 can accordingly determine that the current consumer 1 has the right to access the service resource of itself, and in other examples, for example, the consumption code information sent by the current consumer to the service provider is C1, the service code information of the service side is P1, the consumption code-service code calling relation information obtained by decryption is C2-P1, when verification is carried out, a matching result with only one matching item P1 is finally obtained, and the service side 1 can judge that the current consumer side 1 does not have the authority of accessing the service resource of the service side 1 according to the matching result, meanwhile, the fact that the consumer side 2 has the authority of accessing the service resource of the service side 1 is also explained, and the authorization relation encryption information of the consumer side 2 is probably stolen by the consumer side 1.
In the step S15, if the consumption code-service code calling relationship information is legal, the service side may determine that the current consumer has the right to access its service resource, and then respond to the service calling request sent by the current consumer and return the corresponding service resource to the consumer.
In this embodiment, the authentication of the service side to the consumer is implemented by an algorithm, except that in the first authentication process, the consumer needs to obtain the authorization relationship encryption information from the service registration center, the service side needs to obtain the service key from the service registration center, and each time the service side performs authentication to the consumer, only the authorization relationship encryption information sent by the consumer needs to be decrypted and verified without depending on the authentication data source of the third party, so that the consumption of network query can be reduced, and the authentication of the service side to the consumer is implemented by a symmetric encryption algorithm, which only encrypts the consumption encoding-service encoding call relationship information by using the service key, so that the generated encryption data (i.e. the authorization relationship encryption information) is shorter, so that when the service side performs authentication to the consumer, the decryption time can be shortened, so that the time consumption of right verification can be reduced, and the performance of the system is improved.
In addition, in this embodiment, it should be noted that, when the consumer owns the consumption code-service code invocation relation information, the consumer does not have the authority to access the service party, and only after obtaining the authorization relation encryption information (that is, the consumption code-service code invocation relation information needs to be encrypted by the service key), the consumer has the authority to access the service party, so that the consumer can be prevented from tampering with the consumption code-service code invocation relation information (because the consumer does not have the service key), and randomly invoking service resources of different service parties, thereby ensuring the security and reliability of obtaining the service resources.
In a preferred embodiment, the authorization relationship encryption information is attached with a time stamp, and after the step of the server receiving the service invocation request sent by the consumer, the method further includes:
S11A, judging whether the authorization relation encryption information is expired according to the timestamp;
if the authorization relation encryption information is not expired, the above-mentioned S12 is executed, and it is checked whether the service key corresponding to the consumption encoding information is pre-stored in the service key according to the consumption encoding information.
In this embodiment, since the longer the time the authorization relationship encryption information is stored, the greater the risk of leakage may be, the service registration center may stamp a timestamp for the authorization relationship encryption information when generating the authorization relationship encryption information, so that the authorization relationship encryption information has timeliness, that is, the consumer needs to use the authorization relationship encryption information within the valid time to obtain the service resource of the server, so as to ensure the security of obtaining the service resource to a certain extent, specifically, since the timestamp can uniquely identify the time of a certain time, and the timeliness of the timestamp and the authorization relationship encryption information are both the time attributes of the message, it can be determined whether the authorization relationship encryption information is expired according to whether the time identified by the timestamp is within the valid time of the message, for example, the time identified by the timestamp is 14 minutes and 52 seconds at 1 month and 13 months in 2019 (i.e., the generation time of the authorization relationship encryption information + the preset valid time, if the preset effective time is 7 days, the generation time of the authorization relationship encrypted information is 12/25/13/14/52/2019, wherein the preset effective time can be determined according to use requirements), the time when the authorization relationship encrypted information reaches the server is 1/13/14/50/2019, the time when the authorization relationship encrypted information reaches the server is 14/52/2019 before 1/13/14/52/2019, so that the server can judge that the authorization relationship encrypted information is not expired according to the time, and for example, the time marked by the timestamp is 13/14/52/2019/1/13/14/56/2019, the time when the authorization relationship encrypted information reaches the server is 14/56/13/56/2019, the server can judge that the authorization relationship encrypted information is expired according to the time; if the authorization relationship encryption information is not expired, then the above step S12 may be executed; if the authorization relationship encryption information has expired, the process proceeds to step S11B to perform related operations.
In a preferred embodiment, after the step of determining whether the consumption code-service code calling relationship information is legal, the method further includes:
if the consumption code-service code calling relationship information is legal, executing S14A, calculating the consumption code-service code calling relationship information by using a preset MD5 algorithm, obtaining and storing a corresponding MD5 value;
and S14B, sending the MD5 value to the consumer for storage.
In this embodiment, if the consumption code-service code invocation relationship information is legal, it indicates that the current consumer has the right to access the service resource of the service party, at this time, the service party may respond to the service invocation request sent by the current consumer, and return the corresponding service resource to the consumer, at the same time, the service party may utilize the preset MD5 algorithm to calculate the consumption code-service code invocation relationship information, obtain and store the corresponding MD5 value, and send the MD5 value to the consumer, and the consumer stores the MD5 value after receiving the MD5 value, because the MD5 value has uniqueness (one-to-one correspondence with the consumption code-service code invocation relationship information) and non-tamper property (once tampered, the MD5 value will change), the MD5 value may replace authorization relationship encryption information for implementing the secure authentication of the identity of the consumer of the service party, in this way, the subsequent consumer can apply for calling the service resource of the service party by sending the MD5 value to the service party, and the service party can judge whether the current consumer has the access right by comparing the received MD5 value with the pre-stored MD5 value, so that the process of decrypting the authorization relation encrypted information by using the service key can be omitted, thereby being beneficial to further reducing the time consumption of authentication and further improving the performance of the system.
In another preferred embodiment, after the step of determining whether the authorization relationship encryption information expires according to the timestamp, the method further includes:
if the authorization relationship encryption information is expired, executing S11B, and sending a prompt message of the expired identity to the consumer to prompt the consumer to perform identity authentication again;
S11C, receiving the MD5 value and the consumption code information returned by the consumer responding to the prompt information, and checking whether the corresponding pre-stored MD5 value exists according to the consumption code information;
if the corresponding pre-stored MD5 value exists, executing S11D, comparing the MD5 value with the pre-stored MD5 value, and judging whether the MD5 value is consistent with the pre-stored MD5 value;
if the MD5 value is consistent with the pre-stored MD5 value, S11E is performed, and the corresponding service resource is returned to the consumer in response to the service invocation request.
In the step S11B, if the authorization relationship encryption information is expired, it indicates that the current consumer does not have the right to access the service resource of the server, and at this time, the server sends a prompt message indicating that the identity is expired to the consumer to prompt the consumer to perform authentication again.
In the above step S11C, since the consumer can obtain the MD5 value that can replace the authorization relationship encryption information from the server when the consumer successfully calls the service resource of the server for the first time, when the consumer receives the prompt information that the identity sent by the server is expired, the consumer can return the consumption encoding information and the MD5 value that is saved before to the server in response to the prompt information, and the server checks whether the corresponding pre-stored MD5 value exists according to the received consumption encoding information, so as to proceed to step S11D to execute the relevant operation.
In the step S11D, if the service side checks that the corresponding pre-stored MD5 value exists, the received MD5 value is further compared with the pre-stored MD5 value, and whether the two values are consistent is determined, if so, it indicates that the current consumer has the access right; if the two are not consistent, it indicates that the current consumer does not have the access right, at this time, the server may send a prompt message indicating that the authentication fails to the consumer, and at this time, the consumer needs to obtain the authorization relationship encryption information from the service registration center again (the consumer sends a right application request to the service registration center, and at this time, the right application request includes the IP address information and the consumption encoding information of the consumer), so as to recall the service resource of the server.
In the step S11E, if the MD5 value received by the server is consistent with the pre-stored MD5 value, it indicates that the current consumer has the access right, and at this time, the server may respond to the service invocation request and return the corresponding service resource to the consumer.
In this embodiment, when the authorization relationship encrypted information expires, the consumer may re-apply for the service resource of the calling service party by re-sending the MD5 value and the consumption code information without re-obtaining the authorization relationship encrypted information from the service registry, so that the dependence on the service registry may be reduced, and the consumption of network query may be further reduced, and at the same time, the consumer sends the MD5 value and also re-sends the consumption code information once, which is advantageous in preventing identity spoofing caused by MD5 value leakage, for example, when the MD5 value of the consumer 1 is stolen by the consumer 2 due to various reasons, and the consumer 2 wants to apply for the service resource of the calling service party by using the MD5 value, due to a predetermined authentication mechanism, the consumer 2 needs to send its own MD consumption code information and the 5 value to the service party, however, since the consumption code information of the consumer 1 is different from the consumption code information of the consumer 2, when the server performs authentication, either the pre-stored MD5 value corresponding to the consumption code information of the consumer 2 cannot be found, or the MD5 value is inconsistent with the pre-stored MD5 value, which further causes authentication failure, so that the consumer 2 cannot falsely assume the identity of the consumer 1 to invoke the service resource of the server; moreover, the corresponding MD5 value can be quickly found by the server for verification according to the consumption coding information without matching one by one from a plurality of prestored MD5 values, and the matched prestored MD5 value is found out from the MD5 value (because the server can be called by different consumers with access authority, the server can store a plurality of different MD5 values), thereby being beneficial to reducing the time consumption of authentication and improving the performance of the system.
In another preferred embodiment, after the step of determining whether the MD5 value is consistent with the pre-stored MD5 value, the method further comprises:
if the MD5 value is consistent with the pre-stored MD5 value, S11F is executed, and the time stamp on the authorization relation encryption information is refreshed;
S11G, sending the refreshed authorization relationship encryption information and the reminding information of replacing the authorization relationship encryption information to the consumer to remind the consumer to replace the expired authorization relationship encryption information with the refreshed authorization relationship encryption information.
In this embodiment, if the MD5 value is consistent with the pre-stored MD5 value, it indicates that the current consumer has access right, and at this time, secondary identity authentication is required to avoid the problem of identity expiration when the current consumer applies for calling a service resource of the service provider next time, and the service provider may refresh the timestamp on the authorization relationship encryption information, for example, the time identified by the timestamp is 14 minutes 52 seconds at 1 month, 13 days, 1 month, 13 days, 14 minutes 56 seconds at 2019 month, 1 month, 13 days, 13 minutes, and assuming that the preset valid time is 7 days, when the service provider determines that the current consumer has access right through the MD5 value, the service provider may refresh the time identified by the timestamp to 14 minutes 52 seconds at 1 month, 8 months, 13 days, 2019 month, 13 minutes, and 2019 sends a warning message to notify the consumer of replacing the authorization relationship encryption information, after the consumer receives the refreshed authorization relationship encryption information and the reminding information, the consumer replaces the expired authorization relationship encryption information with the refreshed authorization relationship encryption information, so that when the consumer applies for calling the service resource of the server next time, the problem of identity expiration does not occur, and secondary identity authentication needs to be performed through the MD5 value, thereby being beneficial to reducing time consumption for authentication, improving the performance of the system and simultaneously improving the flexibility of identity authentication.
Referring to fig. 2 and fig. 3, an embodiment of the present application further provides an authority application method, which is applied to an identity authentication system, where the identity authentication system includes a consumer, a server, and a service registry, and the consumer, the server, and the service registry can implement mutual communication in a network form, and the authority application method includes:
s21, the consumer sends a service registration request to the service registration center to register the service of the server, wherein the service registration request comprises the consumption code information of the consumer;
s22, receiving service information of the service party returned by the service registration center responding to the service registration request, wherein the service information comprises service code information;
s23, generating consumption code-service code calling relation information according to the service code information and the pre-stored consumption code information;
s24, sending an authority application request to a service registration center, wherein the authority application request comprises consumption code-service code calling relation information;
and S25, receiving the authorization relation encrypted information returned by the service registration center responding to the authority application request and storing the authorization relation encrypted information, wherein the authorization relation encrypted information contains consumption code-service code calling relation information.
In step S21, when the consumer invokes the service resource of the service provider for the first time, the consumer needs to register the service of the service provider, specifically, the consumer logs in the service registration center by receiving the account and the password input by the user, and after the login is successful, the consumer sends a service registration request for registering the service of the service provider to the service registration center, where the service registration request includes consumption encoding information of the consumer, so that the consumer can subsequently apply for invoking the service resource of the service provider only if the service of a certain service provider is registered by the service registration center.
In step S22, when the service provider is started for the first time, the service provider registers its service information into the service registration center, where the service information of the service provider includes a name of the service provider, service code information of the service provider, an IP address and a port of the service provider, a request address of the service provider, and the like; specifically, when the service registration center receives a service registration request sent by a consumer, the service registration center will respond to the service registration request, randomly generate and store a service key corresponding to consumption encoding information, and return service information of the server to the consumer.
In step S23, when the consumer receives the service information returned by the service registry, the consumer generates the consumption code-service code call relation information according to the service code information in the service information and the consumption code information of the consumer, so as to perform the related operations in the following.
In step S24, after generating the consumption code-service code invocation relation information, the consuming party sends an authority application request to the service registration center, where the authority application request includes the consumption code-service code invocation relation information, the IP address information of the consuming party, and the consumption code information of the consuming party, so as to apply for the authority of invoking the service resource of the serving party.
In step S25, when the service registration center receives the authority application request, the service registration center stores the IP address information of the consumer, and responds to the authority application request, finds out the service key corresponding to the consumption coding information generated before according to the consumption coding information, and encrypts the consumption coding-service coding call relation information by using the service key, thereby generating the authorization relation encryption information, and further returns the authorization relation encryption information to the consumer, and the consumer receives and stores the authorization relation encryption information, so that the consumer conveniently has the authority to access the server, and when the consumer needs to call the service resource of the server, the consumer only needs to find out the request address of the server from the service information stored by the consumer, and further sends a service call request to the server in http form, wherein, the http request head is provided with authorization relation encryption information and consumption coding information of a consumer; in addition, in a specific application scenario, a consumer generally has multiple hosts, and a user specifically calls a service resource of a server by using a certain host of the consumer, so that the IP address information of the consumer is an IP address corresponding to the host used by the user, and thus, when a subsequent user changes the host to apply for calling the service resource of the server, the changed host needs to send an authorization application request to the service registration center again to obtain authorization relationship encryption information, wherein the authorization application request at this time includes the IP address of the host and consumption encoding information of the consumer, and thus, the service registration center can know which hosts of the consumer have obtained authorization relationship encryption information by querying the stored IP address information subsequently, thereby achieving an effect of auditing change of consumption instances.
In the embodiment, the permission of the consumer for accessing the server is realized through an algorithm, except that in the first permission application process, the consumer needs to obtain the authorization relation encryption information from the service registration center, and when the consumer needs to apply for calling the service resource of the server, the consumer only needs to call the authorization relation encryption information and the consumption code stored by the consumer each time, without depending on the authentication data source of a third party, so that the consumption of network query can be reduced.
In a preferred embodiment, the authorization relationship encryption information is stored in a cache folder of the consumer, where the cache folder is encrypted by local hardware information (such as Mac address, model information, etc.) of the consumer, and the method for applying for authorization further includes:
s26, comparing the pre-stored hardware information with the local hardware information, and judging whether the hardware information is consistent with the local hardware information or not so as to acquire the authorization relationship encryption information in the cache folder;
if the hardware information is consistent with the local hardware information, S27 is executed to send a service invocation request to the service server to obtain the service resource of the service server, where the service invocation request includes the consumption encoding information and the authorization relationship encryption information.
In this embodiment, when a user needs to apply for calling a service resource of a service provider through a certain host of a consumer, authorization relationship encryption information needs to be obtained from a cache file, so that the cache folder is decrypted first, specifically, the host compares hardware information (such as a Mac address) pre-stored by the host with local hardware information, and determines whether the hardware information is consistent with the local hardware information, if so, it preliminarily indicates that the current host has the authority to call the service resource of the service provider, and then a service call request including consumption encoding information and authorization relationship encryption information can be sent to the service provider to obtain the service resource of the service provider; if the authorization relation encryption information is not consistent with the local hardware information, the current host cannot obtain the authorization relation encryption information from the cache file, and further cannot call the service resource of the service party, so that the consumer saves the authorization relation encryption information in the cache file encrypted by the local hardware information, and when a certain host of the consumer needs to call the service resource of the service party, the cache file needs to be decrypted by the local hardware information of the consumer, so that the authorization relation encryption information can be prevented from being copied to another host of the consumer to be used (the host of the consumer is changed, the local hardware information is also changed, and the authorization relation encryption information is obtained), and the data security is improved.
Referring to fig. 3, an embodiment of the present application further provides an identity authentication system, including:
the service registration center is used for generating a service key and authorization relation encryption information, storing service information of a service party, providing the service key for the service party and providing authorization relation encryption information and service information for a consumer, wherein the authorization relation encryption information contains consumption coding-service coding calling relation information, and the service information comprises service coding information;
the consumer is used for generating consumption code-service code calling relation information according to the service code information and the consumption code information of the consumer, acquiring and storing authorization relation encryption information and service information from the service registration center, and sending a service calling request to the service server, wherein the service calling request comprises the consumption code information and the authorization relation encryption information;
and the service party is used for registering the service information of the service party to the service registration center, acquiring and storing the service key from the service registration center, and judging whether the consumer has the authority of calling the service resource of the consumer according to the service calling request sent by the consumer.
In this embodiment, the principle process of mutual communication among the service registry, the consumer and the server may refer to the related description of the above method embodiments, and those skilled in the art can understand that the details are not described herein again.
Referring to fig. 4, a computer device, which may be a server and whose internal structure may be as shown in fig. 4, is also provided in the embodiment of the present application. The computer device includes a processor, a memory, a network interface, and a database connected by a system bus. Wherein the computer designed processor is used to provide computational and control capabilities. The memory of the computer device comprises a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program, and a database. The memory provides an environment for the operation of the operating system and the computer program in the non-volatile storage medium. The database of the computer device is used for storing identity authentication method programs and the like. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program, when executed by a processor, implements the identity authentication method of any of the above embodiments.
The embodiment of the present application further provides a computer-readable storage medium, on which a computer program is stored, and when the computer program is executed by a processor, the identity authentication method in any of the above embodiments is implemented.
It will be understood by those skilled in the art that all or part of the processes of the methods of the above embodiments may be implemented by hardware associated with instructions of a computer program, which may be stored on a non-volatile computer-readable storage medium, and when executed, may include processes of the above embodiments of the methods. Any reference to memory, storage, database, or other medium provided herein and used in the examples may include non-volatile and/or volatile memory. Non-volatile memory can include read-only memory (ROM), Programmable ROM (PROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), double-rate SDRAM (SSRSDRAM), Enhanced SDRAM (ESDRAM), synchronous link (Synchlink) DRAM (SLDRAM), Rambus Direct RAM (RDRAM), direct bus dynamic RAM (DRDRAM), and memory bus dynamic RAM (RDRAM).
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, apparatus, article, or method that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, apparatus, article, or method. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, apparatus, article, or method that includes the element.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (10)

1. An identity authentication method, comprising:
the method comprises the steps that a service party receives a service calling request sent by a consumer, wherein the service calling request comprises consumption code information of the consumer and authorization relation encryption information prestored in the consumer, and the authorization relation encryption information contains consumption code-service code calling relation information;
checking whether a service key corresponding to the consumption coding information is prestored according to the consumption coding information;
if the service key corresponding to the consumption code information is checked to be prestored, the authorization relation encrypted information is decrypted by using the service key to obtain the consumption code-service code calling relation information;
verifying the consumption code-service code calling relation information according to the consumption code information and prestored service code information, and judging whether the consumption code-service code calling relation information is legal or not;
and if the consumption code-service code calling relation information is legal, responding to the service calling request and returning the corresponding service resource to the consumer.
2. The identity authentication method according to claim 1, wherein the authorization relationship encryption information is attached with a time stamp, and after the step of the server receiving the service invocation request sent by the consumer, the method further comprises:
judging whether the authorization relation encryption information is expired or not according to the timestamp;
and if the authorization relation encryption information is not expired, executing the step of checking whether a service key corresponding to the consumption coding information is prestored according to the consumption coding information.
3. The identity authentication method of claim 2, wherein after the step of determining whether the consumption code-service code invocation relation information is legal, the method further comprises:
if the consumption code-service code calling relationship information is legal, calculating the consumption code-service code calling relationship information by using a preset MD5 algorithm, and obtaining and storing a corresponding MD5 value;
and sending the MD5 value to the consumer for storage.
4. The identity authentication method according to claim 3, wherein after the step of determining whether the authorization relationship encryption information is expired according to the timestamp, the method further comprises:
if the authorization relationship encryption information is expired, sending prompt information of the expired identity to the consumer to prompt the consumer to perform identity authentication again;
receiving the MD5 value and the consumption code information returned by the consumer in response to the prompt message, and checking whether a corresponding pre-stored MD5 value exists according to the consumption code information;
if the corresponding pre-stored MD5 value exists, comparing the MD5 value with the pre-stored MD5 value, and judging whether the MD5 value is consistent with the pre-stored MD5 value;
and if the MD5 value is consistent with the pre-stored MD5 value, responding to the service calling request and returning the corresponding service resource to the consumer.
5. The identity authentication method of claim 4, wherein after the step of determining whether the MD5 value is consistent with the pre-stored MD5 value, the method further comprises:
if the MD5 value is consistent with the pre-stored MD5 value, refreshing the time stamp on the authorization relation encryption information;
and sending the refreshed authorization relationship encryption information and reminding information for replacing the authorization relationship encryption information to the consumer so as to remind the consumer to replace the expired authorization relationship encryption information with the refreshed authorization relationship encryption information.
6. A method of claim application, comprising:
the method comprises the steps that a consumer sends a service registration request to a service registration center to register the service of a service party, wherein the service registration request comprises consumption code information of the consumer party;
receiving service information of the service party returned by a service registration center in response to the service registration request, wherein the service information comprises service coding information;
generating consumption code-service code calling relation information according to the service code information and the pre-stored consumption code information;
sending an authority application request to the service registration center, wherein the authority application request comprises the consumption code-service code calling relation information;
and receiving and storing authorization relation encryption information returned by the service registration center in response to the permission application request, wherein the authorization relation encryption information contains the consumption code-service code calling relation information.
7. The permission application method of claim 6, wherein the authorization relationship encryption information is stored in a cache folder of the consumer, wherein the cache folder is encrypted by the local hardware information of the consumer, and the permission application method further comprises:
comparing pre-stored hardware information with the local hardware information, and judging whether the hardware information is consistent with the local hardware information or not so as to acquire the authorization relationship encryption information in the cache folder;
and if the hardware information is consistent with the local hardware information, sending a service calling request to the service server to acquire service resources of the service server, wherein the service calling request comprises the consumption coding information and the authorization relation encryption information.
8. An identity authentication system, comprising:
the service registration center is used for generating a service key and authorization relation encryption information, storing service information of a service party, providing the service key for the service party and providing the authorization relation encryption information and the service information for a consumer, wherein the authorization relation encryption information contains consumption coding-service coding calling relation information, and the service information comprises service coding information;
the consumer is used for generating consumption code-service code calling relation information according to the service code information and the consumption code information of the consumer, acquiring and storing the authorization relation encryption information and the service information from the service registration center, and sending a service calling request to the service server, wherein the service calling request comprises the consumption code information and the authorization relation encryption information;
and the service party is used for registering the service information of the service party to the service registration center, acquiring and storing the service key from the service registration center, and judging whether the consumer has the authority of calling the service resource of the consumer according to the service calling request sent by the consumer.
9. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor, when executing the computer program, implements the steps of the identity authentication method of any one of claims 1 to 5.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the identity authentication method of any one of claims 1 to 5.
CN201910341167.7A 2019-04-25 2019-04-25 Identity authentication method, system, computer equipment and storage medium Active CN110213229B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201910341167.7A CN110213229B (en) 2019-04-25 2019-04-25 Identity authentication method, system, computer equipment and storage medium
PCT/CN2019/119479 WO2020215709A1 (en) 2019-04-25 2019-11-19 Identity authentication method and system, computer device, and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910341167.7A CN110213229B (en) 2019-04-25 2019-04-25 Identity authentication method, system, computer equipment and storage medium

Publications (2)

Publication Number Publication Date
CN110213229A CN110213229A (en) 2019-09-06
CN110213229B true CN110213229B (en) 2021-09-14

Family

ID=67786496

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910341167.7A Active CN110213229B (en) 2019-04-25 2019-04-25 Identity authentication method, system, computer equipment and storage medium

Country Status (2)

Country Link
CN (1) CN110213229B (en)
WO (1) WO2020215709A1 (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110213229B (en) * 2019-04-25 2021-09-14 平安科技(深圳)有限公司 Identity authentication method, system, computer equipment and storage medium
CN113094190B (en) * 2021-04-09 2024-02-23 中国工商银行股份有限公司 Micro-service calling method, micro-service calling device, electronic equipment and storage medium
CN113778715A (en) * 2021-09-14 2021-12-10 中国农业银行股份有限公司 Interface call control method and device
CN114095150B (en) * 2021-11-12 2024-01-26 微位(深圳)网络科技有限公司 Identity authentication method, device, equipment and readable storage medium
CN114697099B (en) * 2022-03-24 2024-05-17 浪潮云信息技术股份公司 Multiparty authorization authentication method based on elliptic curve encryption algorithm

Family Cites Families (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102263809A (en) * 2010-05-31 2011-11-30 中国移动通信集团贵州有限公司 Method for realizing service safety control based on enterprise service bus and apparatus thereof
US9081951B2 (en) * 2011-09-29 2015-07-14 Oracle International Corporation Mobile application, identity interface
CN103237032A (en) * 2013-04-26 2013-08-07 银联商务有限公司 Consumption management system and method
CN103888451B (en) * 2014-03-10 2017-09-26 百度在线网络技术(北京)有限公司 Authorization method, the apparatus and system of certification
US9860241B2 (en) * 2014-04-15 2018-01-02 Level 3 Communications, Llc Device registration, authentication, and authorization system and method
CN105577612B (en) * 2014-10-11 2020-04-17 中兴通讯股份有限公司 Identity authentication method, third-party server, merchant server and user terminal
CN104574052B (en) * 2015-01-30 2018-04-27 深圳飞人网络信息技术有限公司 The method of payment and system of authentication are carried out based on 3D line holographic projections
CN106559389A (en) * 2015-09-28 2017-04-05 阿里巴巴集团控股有限公司 A kind of Service Source issue, call method, device, system and cloud service platform
US20170213220A1 (en) * 2016-01-25 2017-07-27 Sigue Corporation Securing transactions on an insecure network
US10341862B2 (en) * 2016-02-05 2019-07-02 Verizon Patent And Licensing Inc. Authenticating mobile devices
CN105975846B (en) * 2016-04-29 2019-04-12 宇龙计算机通信科技(深圳)有限公司 The authentication method and system of terminal
CN109644131B (en) * 2016-07-15 2022-04-26 卡迪纳尔贸易公司 Authentication of authorized bridges using enriched messages
CN107888548A (en) * 2016-09-30 2018-04-06 北京金山云网络技术有限公司 A kind of Information Authentication method and device
CN108418790A (en) * 2018-01-22 2018-08-17 平安科技(深圳)有限公司 Business tracking method, device, terminal device and storage medium
CN108769029B (en) * 2018-05-31 2021-03-19 中国农业银行股份有限公司 Authentication device, method and system for application system
CN110213229B (en) * 2019-04-25 2021-09-14 平安科技(深圳)有限公司 Identity authentication method, system, computer equipment and storage medium

Also Published As

Publication number Publication date
WO2020215709A1 (en) 2020-10-29
CN110213229A (en) 2019-09-06

Similar Documents

Publication Publication Date Title
CN110213229B (en) Identity authentication method, system, computer equipment and storage medium
CN109522726B (en) Authentication method for applet, server and computer readable storage medium
CN111107073B (en) Application automatic login method and device, computer equipment and storage medium
CN111031047B (en) Device communication method, device, computer device and storage medium
WO2020173332A1 (en) Trusted execution environment-based application activation method and apparatus
CN112000951B (en) Access method, device, system, electronic equipment and storage medium
CN109359977B (en) Network communication method, device, computer equipment and storage medium
CN109600377B (en) Method and device for preventing unauthorized use computer device and storage medium
CN112632581A (en) User data processing method and device, computer equipment and storage medium
US10263782B2 (en) Soft-token authentication system
CN105491058B (en) API access distributed authorization method and system
CN102946392A (en) URL (Uniform Resource Locator) data encrypted transmission method and system
US11218464B2 (en) Information registration and authentication method and device
CN110855624A (en) Safety verification method based on web interface and related equipment
CN113434889B (en) Service data access method, device, equipment and storage medium
CN112528268B (en) Cross-channel applet login management method and device and related equipment
CN111159656A (en) Method, device, equipment and storage medium for preventing software from being used without authorization
CN112565281B (en) Information processing method, server and system of service key
CN112948143B (en) Application program calling method, device and system
CN108667800B (en) Access authority authentication method and device
CN112671534B (en) Service key management method, service terminal and system based on biological characteristics
CN111614458A (en) Method, system and storage medium for generating gateway JWT
CN113127818A (en) Block chain-based data authorization method and device and readable storage medium
CN110971610A (en) Control system identity verification method and device, computer equipment and storage medium
CN115329359A (en) Secret query method and system

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant