CN110535856A - User authentication method, device and storage medium - Google Patents
User authentication method, device and storage medium
- Publication number: CN110535856A
- Application number: CN201910804695.1A
- Authority: CN (China)
- Prior art keywords: user, field, client, server, password
- Legal status: Granted (the status shown by Google Patents is an assumption, not a legal conclusion; Google has not performed a legal analysis and makes no representation as to its accuracy)
Classifications
- H04L63/045: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload, and the sending and receiving network entities apply hybrid encryption, i.e. a combination of symmetric and asymmetric encryption
- H04L63/083: Network architectures or network communication protocols for network security for authentication of entities using passwords
- H04L63/0869: Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
- H04L9/3226: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication (e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials) using a predetermined code, e.g. password, passphrase or PIN
- H04L9/3273: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication using challenge-response for mutual authentication
Abstract
An embodiment of the invention provides a user authentication method, device and storage medium. The method comprises: a node server receives a user registration request message from a client, the message containing a user name, a password and a user public key; the node server verifies the user name and password and, if verification passes, stores the user name, password and user public key; the node server receives a user login request message from the client, verifies it, and generates and returns a user login challenge message to the client, so that the client verifies the user login challenge message and generates and returns a user login response message to the node server; the node server verifies the user login response message and, if verification passes, allows the user of the client to log in to the node server. The embodiment improves the security of user registration and login.
Description
Technical field
The present invention relates to the field of view networking technology, and in particular to a user authentication method, a user authentication device and a computer-readable storage medium.
Background art
View networking is a dedicated network built on Ethernet hardware, with its own specialized protocol, for the high-speed transfer of HD video; it is a more advanced form of Ethernet and a real-time network.
With the rapid development of view networking services, the number of view networking users is also growing rapidly. A view networking user must register with and log in to a view networking server through a view networking client before view networking services can be used. Currently, when a view networking user registers with the view networking server, the server verifies only the user name and password, and when the user logs in, the server verifies only the login request, so the security of registration and login of view networking users is low.
Summary of the invention
In view of the above problems, embodiments of the present invention are proposed in order to provide a user authentication method, device and computer-readable storage medium that overcome, or at least partly solve, the above problems.
To solve the above problems, an embodiment of the invention discloses a user authentication method applied to an authentication system. The authentication system comprises a node server and a client, both set in the view networking, the node server being communicatively connected to the client. The method comprises: the node server receives a user registration request message from the client, the user registration request message comprising a user name, a password and a user public key, where the client is configured to generate, for the user name and the password, a user asymmetric key pair comprising the user public key and a user private key; the node server verifies the user name and the password and, if verification passes, stores the user name, the password and the user public key; the node server receives a user login request message from the client; the node server verifies the user login request message and generates and returns a user login challenge message to the client, so that the client verifies the user login challenge message and generates and returns a user login response message to the node server; the node server verifies the user login response message and, if verification passes, allows the user of the client to log in to the node server.
Optionally, a UKey is installed in the client; the client is configured to call a preset algorithm in the UKey to generate the user asymmetric key pair for the user name and the password, and to store the user private key in the UKey.
Optionally, the user login request message comprises a secure interactive process version field, a user security configuration field and a user name field. The step in which the node server verifies the user login request message and generates and returns the user login challenge message to the client comprises: the node server judges whether the secure interactive process version field and the user security configuration field contain the corresponding preset first field contents; if they do, the node server looks up the user public key according to the contents of the user name field; the node server generates the user login challenge message according to the user public key and returns it to the client.
Optionally, the step in which the node server generates the user login challenge message according to the user public key comprises: the node server generates a server random number and a server symmetric key; the node server encrypts the server symmetric key with the user public key to obtain a server symmetric key ciphertext; the node server generates the user login challenge message from the server random number and the server symmetric key ciphertext.
Optionally, the user login challenge message comprises a secure interactive process version field, a server security configuration field, a server random number field and a symmetric key ciphertext field; the contents of the server random number field comprise the server random number, and the contents of the symmetric key ciphertext field comprise the server symmetric key ciphertext. The client is configured to judge whether the secure interactive process version field and the server security configuration field in the user login challenge message contain the corresponding preset second field contents; if they do, the client decrypts the contents of the symmetric key ciphertext field with the user private key to obtain a user decryption result; the client then generates the user login response message from the user decryption result, the contents of the server random number field and the user password.
Optionally, the client is further configured to encrypt, using the user decryption result, the XOR of the contents of the server random number field and the user password, obtaining a user password ciphertext.
Optionally, the user login response message comprises a secure interactive process version field, a user security configuration field and a user password ciphertext field, the contents of the user password ciphertext field comprising the user password ciphertext. The step in which the node server verifies the user login response message comprises: the node server judges whether the secure interactive process version field and the user security configuration field in the user login response message contain the corresponding preset third field contents; if they do, the node server decrypts the contents of the user password ciphertext field with the server symmetric key to obtain a server decryption result; the node server XORs the server decryption result with the server random number to obtain the user password; the node server judges whether this user password is consistent with the password stored at registration; if it is, the node server determines that the user login response message has passed verification.
An embodiment of the invention also discloses a user authentication device applied to the node server in an authentication system, the node server being communicatively connected to the client in the authentication system, and both being set in the view networking. The device comprises: a receiving module for receiving the user registration request message from the client, the user registration request message comprising a user name, a password and a user public key, the client being configured to generate, for the user name and the password, a user asymmetric key pair comprising the user public key and a user private key; a verification module for verifying the user name and the password; a storage module for storing the user name, the password and the user public key when the verification module has verified the user name and the password; the receiving module being further configured to receive a user login request message from the client; the verification module being further configured to verify the user login request message and to generate and return a user login challenge message to the client, so that the client verifies the user login challenge message and generates and returns a user login response message to the node server; the verification module being further configured to verify the user login response message; and a login module for allowing the user of the client to log in to the node server when the verification module has verified the user login response message.
Optionally, a UKey is installed in the client; the client is configured to call a preset algorithm in the UKey to generate the user asymmetric key pair for the user name and the password, and to store the user private key in the UKey.
Optionally, the user login request message comprises a secure interactive process version field, a user security configuration field and a user name field; the verification module comprises: a judgment module for judging whether the secure interactive process version field and the user security configuration field contain the corresponding preset first field contents; a lookup module for looking up the user public key according to the contents of the user name field when those fields contain the corresponding preset first field contents; and a generation module for generating the user login challenge message according to the user public key and returning it to the client.
Optionally, the generation module is configured to generate a server random number and a server symmetric key, encrypt the server symmetric key with the user public key to obtain a server symmetric key ciphertext, and generate the user login challenge message from the server random number and the server symmetric key ciphertext.
Optionally, the user login challenge message comprises a secure interactive process version field, a server security configuration field, a server random number field and a symmetric key ciphertext field; the contents of the server random number field comprise the server random number, and the contents of the symmetric key ciphertext field comprise the server symmetric key ciphertext. The client is configured to judge whether the secure interactive process version field and the server security configuration field in the user login challenge message contain the corresponding preset second field contents; if they do, the client decrypts the contents of the symmetric key ciphertext field with the user private key to obtain a user decryption result; the client then generates the user login response message from the user decryption result, the contents of the server random number field and the user password.
Optionally, the client is further configured to encrypt, using the user decryption result, the XOR of the contents of the server random number field and the user password, obtaining a user password ciphertext.
Optionally, the user login response message comprises a secure interactive process version field, a user security configuration field and a user password ciphertext field, the contents of the user password ciphertext field comprising the user password ciphertext; the judgment module is further configured to judge whether the secure interactive process version field and the user security configuration field in the user login response message contain the corresponding preset third field contents; the verification module further comprises: a decryption module for decrypting the contents of the user password ciphertext field with the server symmetric key, when those fields contain the corresponding preset third field contents, to obtain a server decryption result; an XOR module for XORing the server decryption result with the server random number to obtain the user password; a comparison module for judging whether this user password is consistent with the password stored at registration; and a determination module for determining that the user login response message has passed verification when the two passwords are consistent.
Embodiments of the present invention have the following advantages:
The user authentication scheme provided by the embodiment can be applied to an authentication system comprising a node server and a client, both set in the view networking, with the node server communicatively connected to the client.
In the embodiment, the user sends a user registration request message to the node server through the client; the message contains a user name, a password and a user public key, the user public key being the public key of the asymmetric key pair the client generates for the user name and password. The node server verifies the user name and password in the user registration request message and, if verification passes, stores the user name, password and user public key. After the user has registered successfully at the node server, the user sends a user login request message to the node server through the client; the node server verifies the user login request message and generates and returns a user login challenge message to the client. The client in turn verifies the user login challenge message and generates and returns a user login response message to the node server. The node server verifies the user login response message and, if verification passes, allows the user of the client to log in to the node server. Thus, during registration the client sends not only the user name and password but also the user public key of the user asymmetric key pair to the node server, and the node server, once the user name and password are verified, stores the user name, password and user public key locally. During login, the node server verifies both the user login request message and the user login response message, and the client also verifies the node server's user login challenge message, realizing bi-directional verification between the node server and the client; the node server allows the user of the client to log in only when all verifications pass, which improves the security of user registration and login.
Description of the drawings
Fig. 1 is a flow chart of the steps of an embodiment of the user authentication method of the invention;
Fig. 2 is a flow diagram of the user registration process in the user authentication method of the invention;
Fig. 3 is a flow diagram of the user login process in the user authentication method of the invention;
Fig. 4 is a software and hardware architecture diagram of the user authentication method of the invention;
Fig. 5 is a structural block diagram of an embodiment of the user authentication device of the invention;
Fig. 6 is a networking schematic diagram of the view networking of the invention;
Fig. 7 is a hardware structure diagram of the node server of the invention;
Fig. 8 is a hardware structure diagram of the access switch of the invention;
Fig. 9 is a hardware structure diagram of the Ethernet protocol conversion gateway of the invention.
Detailed description of the embodiments
To make the above objects, features and advantages of the present invention clearer and easier to understand, the invention is described in further detail below with reference to the accompanying drawings and specific embodiments.
Referring to Fig. 1, a flow chart of the steps of an embodiment of the user authentication method of the invention is shown. The user authentication method can be applied to an authentication system comprising a node server and a client, both set in the view networking, the node server being communicatively connected to the client. The user authentication method may specifically comprise the following steps:
Step 101: the node server receives a user registration request message from the client.
In an embodiment of the invention, the node server may be a network management server. The network management server is the core equipment of the view networking: it controls service provisioning, terminal registration and similar functions and is the "brain" of the view networking; it may also provide a user interface for clients in the view networking to call. The client can be understood as the actual participant in view networking services, or a server; the client may be a personal computer, a set-top box, a streaming media gateway, a storage gateway, a media synthesizer, etc. A set-top box is a device that connects a television set to an external signal source; it converts a compressed digital signal into television content and displays it on the television set. In general, a set-top box can connect a camera and a microphone to capture multimedia data such as video data and audio data, and can connect a television set to play multimedia data such as video data and audio data.
In an embodiment of the invention, the user registration request message may include a user name, a password and a user public key. The user name is the user name to be registered, entered by the user through the client, and the password is the password corresponding to that user name, entered by the user through the client. The user public key is the public key of the user asymmetric key pair the client generates for the user name and password; the user asymmetric key pair also includes a user private key.
In a preferred embodiment of the invention, a UKey may be installed in the client; the client may call a preset algorithm in the UKey to generate the user asymmetric key pair for the user name and password, and the client writes the user private key of the user asymmetric key pair into the UKey.
Step 102: the node server verifies the user name and password and, if verification passes, stores the user name, password and user public key.
In an embodiment of the invention, the node server may first verify the user name and then verify the password. When verifying the user name, the node server may check whether the user name meets preset user name rules, for example whether the character length and character composition of the user name meet the user name requirements. When verifying the password, the node server may check whether the password meets preset password rules, for example whether the character length and character composition of the password meet the password requirements. When the user name meets the user name requirements and the password meets the password requirements, the node server determines that the user name and password have passed verification. The node server can then store the user name, password and user public key locally, or store them in a database at the server end. Note that when storing the user name, password and user public key, the node server needs to store not only these three items but also the correspondence between the user name, password and user public key.
Steps 101 and 102 may be regarded as the user's registration process. For a given user, the registration process is executed once in an embodiment of the invention and need not be repeated.
Step 103: the node server receives a user login request message from the client.
In an embodiment of the invention, the user login request message may include a secure interactive process version field, a user security configuration field, a user name field, etc. Table 1 shows a specific example of the user login request message.
Table 1
Step 104: the node server verifies the user login request message and generates and returns a user login challenge message to the client, so that the client verifies the user login challenge message and generates and returns a user login response message to the node server.
In an embodiment of the invention, the process in which the node server verifies the user login request message and generates the user login challenge message may comprise the following steps.
Step 201: the node server judges whether the secure interactive process version field and the user security configuration field contain the corresponding preset first field contents. If both fields contain the corresponding preset first field contents, step 202 is executed; if they do not, the process ends.
In practical applications, the node server may judge whether the contents of the secure interactive process version field and the first byte of the user security configuration field are both "0x01". If both are "0x01", step 202 is executed; if the contents of the secure interactive process version field and/or the first byte of the user security configuration field are not "0x01", the process ends. Note that a first byte of "0x01" in the user security configuration field indicates that the client's login process supports bi-directional verification.
Step 202: the node server looks up the user public key according to the contents of the user name field.
The node server looks up the user public key in the local database or the server-end database according to the contents of the user name field. Specifically, the node server can look up the user public key corresponding to the contents of the user name field according to the stored correspondence between user name, password and user public key. If the node server finds a user public key corresponding to the contents of the user name field, the contents of the user name field are a registered user name; if it does not, the contents of the user name field are an unregistered user name.
Step 203: the node server generates the user login challenge message according to the user public key.
In an embodiment of the invention, the node server may generate a server random number and a server symmetric key, encrypt the server symmetric key with the stored user public key to obtain a server symmetric key ciphertext, and then generate the user login challenge message from the server random number and the server symmetric key ciphertext.
In practical applications, the user login challenge message may include a secure interactive process version field, a server security configuration field, a server random number field, a symmetric key ciphertext field, etc. Table 2 shows a specific example of the user login challenge message.
Table 2
In an embodiment of the invention, after the node server generates the user login challenge message, it sends the message to the client; the client needs to verify the user login challenge message and generate and return a user login response message to the node server.
In practical applications, the client may judge whether the secure interactive process version field and the server security configuration field in the user login challenge message contain the corresponding preset second field contents. Specifically, the client may judge whether the contents of the secure interactive process version field and the first byte of the server security configuration field are both "0x01". If both are "0x01", the client executes the subsequent steps; if the contents of the secure interactive process version field and/or the first byte of the server security configuration field are not "0x01", the process ends.
If the secure interactive process version field and the server security configuration field in the user login challenge message contain the corresponding preset second field contents, the client can decrypt the contents of the symmetric key ciphertext field with the user private key to obtain a user decryption result. The client then generates the user login response message from the user decryption result, the contents of the server random number field and the user password.
In an embodiment of the invention, the user login response message may include a secure interactive process version field, a user security configuration field, a user password ciphertext field, etc. Table 3 shows a specific example of the user login response message.
Table 3
If the secure interaction process version field and/or the server security configuration field of the user login challenge message do not contain the corresponding preset second field contents, the process ends.
Step 105: the node server verifies the user login response message and, if verification passes, allows the user of the client to log on to the node server.
In an embodiment of the present invention, the node server's verification of the user login response message may include the following steps.
Step 301: the node server checks whether the secure interaction process version field and the user security configuration field of the user login response message contain the corresponding preset third field contents. If both fields contain the corresponding preset third field contents, step 302 is performed; if the secure interaction process version field and/or the user security configuration field do not contain the corresponding preset third field contents, the process ends.
In practice, the node server may check whether the field contents of the secure interaction process version field and the first byte of the user security configuration field of the user login response message are both "0x01". If both are "0x01", step 302 is performed; if the field contents of the secure interaction process version field and/or the first byte of the user security configuration field are not "0x01", the process ends.
Step 302: the node server decrypts the field contents of the user password ciphertext field with the server symmetric key to obtain a server decryption result.
Step 303: the node server XORs the server decryption result with the server random number to obtain the user password.
Step 304: the node server compares the recovered user password with the password stored for that user name. If they are identical, the node server determines that the user login response message is verified; if they differ, the process ends.
Steps 103 to 105 above may be regarded as the user login process.
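As an added example, not code from the patent, the following Go program (standard library only) runs the registration of Fig. 2 and the three-message login of Fig. 3 with both sides in one process, following steps 201 to 203 on the server, the client's field check and decryption, and steps 301 to 304. It fills in what the page leaves open, and these are assumptions: RSA-OAEP as the asymmetric algorithm of the UKey, AES-256-GCM as the symmetric cipher, a 32-byte server random number with the password zero-padded to the same length so that the XOR of step 303 is byte-wise, and a session table keyed by user name in place of the connection a real node server would key on. The version and configuration checks use the page's value 0x01.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

const versionV1 = 0x01 // required value of the version field and of byte 1 of each config field
const nonceLen = 32    // server random number length; passwords are zero-padded to it (assumption)

// Message layouts follow Tables 1-3 of the page: version field, security configuration field, payload.
type LoginRequest struct{ Version, SecConfig byte; Username string }
type LoginChallenge struct{ Version, SecConfig byte; ServerNonce, KeyCiphertext []byte } // key under RSA-OAEP
type LoginResponse struct{ Version, SecConfig byte; PasswordCiphertext []byte }        // AES-GCM iv||ct

type session struct{ nonce, key []byte }
type record struct{ password []byte; pub *rsa.PublicKey }                  // password kept as on the page
type Server struct{ users map[string]record; sessions map[string]session } // sessions keyed by user name here
type Client struct{ Username string; Password []byte; Priv *rsa.PrivateKey } // Priv stands in for the UKey

var errReject = errors.New("login rejected")

func NewServer() *Server { return &Server{map[string]record{}, map[string]session{}} }

// PadPassword zero-pads a password so it can be XORed byte-wise with the server random number.
func PadPassword(pw string) ([]byte, error) {
	if len(pw) == 0 || len(pw) > nonceLen { return nil, errors.New("password must be 1 to 32 bytes") }
	out := make([]byte, nonceLen)
	copy(out, pw)
	return out, nil
}

func fieldsOK(version, cfg byte) bool { return version == versionV1 && cfg == versionV1 }

func random(n int) []byte { b := make([]byte, n); rand.Read(b); return b } // crypto/rand

func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a { out[i] = a[i] ^ b[i] }
	return out
}

// gcm fails on a wrong key length, which is what a tampered KeyCiphertext produces after unwrapping.
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Register is Fig. 2: user name, password and public key reach the server; the private key never does.
func (s *Server) Register(username string, password []byte, pub *rsa.PublicKey) {
	s.users[username] = record{password, pub}
}

// Challenge is steps 201-203: check the fields, look up the public key, wrap a fresh symmetric key.
func (s *Server) Challenge(req LoginRequest) (LoginChallenge, error) {
	rec, known := s.users[req.Username]
	if !fieldsOK(req.Version, req.SecConfig) || !known { return LoginChallenge{}, errReject }
	sess := session{random(nonceLen), random(32)}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, rec.pub, sess.key, nil)
	if err != nil { return LoginChallenge{}, err }
	s.sessions[req.Username] = sess
	return LoginChallenge{versionV1, versionV1, sess.nonce, ct}, nil
}

// Respond is the client side: check the fields, unwrap the key with the private key, XOR, encrypt.
func (c *Client) Respond(ch LoginChallenge) (LoginResponse, error) {
	if !fieldsOK(ch.Version, ch.SecConfig) || len(ch.ServerNonce) != nonceLen { return LoginResponse{}, errReject }
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, c.Priv, ch.KeyCiphertext, nil)
	if err != nil { return LoginResponse{}, errReject }
	aead, err := gcm(key)
	if err != nil { return LoginResponse{}, errReject }
	iv := random(aead.NonceSize())
	ct := aead.Seal(iv, iv, xorBytes(c.Password, ch.ServerNonce), nil)
	return LoginResponse{versionV1, versionV1, ct}, nil
}

// Verify is steps 301-304. The session is deleted first, so a captured response cannot be replayed.
func (s *Server) Verify(username string, resp LoginResponse) error {
	sess, ok := s.sessions[username]
	delete(s.sessions, username)
	if !ok || !fieldsOK(resp.Version, resp.SecConfig) { return errReject }
	aead, _ := gcm(sess.key) // sess.key is always 32 bytes
	n := aead.NonceSize()
	if len(resp.PasswordCiphertext) < n { return errReject }
	mixed, err := aead.Open(nil, resp.PasswordCiphertext[:n], resp.PasswordCiphertext[n:], nil)
	if err != nil || len(mixed) != nonceLen { return errReject }
	if subtle.ConstantTimeCompare(xorBytes(mixed, sess.nonce), s.users[username].password) != 1 {
		return errReject
	}
	return nil
}
```

Two points the page leaves implicit are made explicit here: the node server forgets the challenge before checking the response, so a response captured on the wire cannot be replayed against the same challenge, and the comparison of step 304 is constant-time. Because the server recovers the plaintext password in step 303, it could compare against a salted hash rather than keep the password itself, which the page's flow permits but does not do. Note also what the client's check covers: only the two constant fields, and nothing in the challenge is bound to the node server's identity, so this exchange should run only over a channel on which the node server is already authenticated, such as the management pass-through channel of Fig. 4.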
Referring to Fig. 2, a flow diagram of the user registration process in a user authentication method is shown. A UKey is installed in the client, and the user enters the user name and password to be registered through the client. The client calls the UKey to generate a pair of user asymmetric keys corresponding to the user name and password to be registered, writes the user private key of the pair into the UKey, and sends the user public key of the pair together with the user name and password to be registered to the node server. The node server verifies the legitimacy of the user name and of the password and, if both pass legitimacy verification, stores the user name, password and user public key locally on the node server or in a database.
Referring to Fig. 3, a flow diagram of the user login process in a user authentication method is shown. The user sends a user login request message to the node server through the client. The node server verifies the user login request message and returns a user login challenge message to the client. The client verifies the user login challenge message and sends a user login response message to the node server. The node server verifies the user login response message and, if verification passes, allows the user of the client to log on to the node server.
Referring to Fig. 4, a software and hardware architecture diagram of a user authentication method is shown. The user sends an authentication request to the node server through the client. The client may include a user interface module, a user authentication secure interaction module, software middleware and a crypto module software development kit (SDK); the user authentication secure interaction module of the client communicates with the user authentication secure interaction module of the node server over a management pass-through channel. The node server further includes software middleware, a cryptographic operation software library and a database. The crypto module SDK of the client is used to call the software/firmware of the crypto module.
The user authentication scheme provided by the embodiments of the present invention can be applied to an authentication system. The authentication system may include a node server and a client, both of which are located in a view network, with the node server communicatively connected to the client.
In the embodiments of the present invention, the user sends a user registration request message to the node server through the client; the user registration request message contains the user name, the password and the user public key, which is the public key of the asymmetric key pair that the client generated for the user name and password. The node server verifies the user name and password in the user registration request message and, if they pass, stores the user name, password and user public key. After the user has registered successfully with the node server, the user sends a user login request message to the node server through the client; the node server verifies the user login request message and generates and returns a user login challenge message to the client; the client in turn verifies the user login challenge message and generates and returns a user login response message to the node server; the node server verifies the user login response message and, if verification passes, allows the user of the client to log on to the node server. The embodiments of the present invention thus send not only the user name and password but also the user public key of the user's asymmetric key pair to the node server during registration, and the node server stores the user name, password and user public key locally once the user name and password are verified. During login, the node server verifies both the user login request message and the user login response message, and the client verifies the node server's user login challenge message, so that verification runs in both directions between the node server and the client; the node server allows the user of the client to log on only when every verification passes, which improves the security of user registration and login.
It should be noted that, for simplicity of description, the method embodiments are described as a series of combined actions. Those skilled in the art will understand that the embodiments of the present invention are not limited by the described order of actions, because according to the embodiments of the present invention some steps may be performed in other orders or simultaneously. Furthermore, those skilled in the art will also understand that the embodiments described in the specification are all preferred embodiments and that the actions involved are not necessarily required by the embodiments of the present invention.
Referring to Fig. 5, a structural block diagram of an embodiment of a user authentication device of the present invention is shown. The device can be applied to the node server of an authentication system; the node server is communicatively connected to the client of the authentication system, and the node server and the client are located in a view network. The device may specifically include the following modules:
A receiving module 51, for receiving a user registration request message from the client; the user registration request message includes a user name, a password and a user public key, and the client is used to generate, for the user name and the password, a user asymmetric key pair that includes the user public key and a user private key;
A verification module 52, for verifying the user name and the password;
A storage module 53, for storing the user name, the password and the user public key when the verification module 52 has verified the user name and the password;
The receiving module 51 is further used to receive a user login request message from the client;
The verification module 52 is further used to verify the user login request message and to generate and return a user login challenge message to the client, so that the client verifies the user login challenge message and generates and returns a user login response message to the node server;
The verification module 52 is further used to verify the user login response message;
A login module 54, for allowing the user of the client to log on to the node server when the verification module 52 has verified the user login response message.
In a preferred embodiment of the present invention, a UKey is installed in the client; the client is used to call a preset algorithm in the UKey to generate the user asymmetric key pair for the user name and the password, and is further used to store the user private key in the UKey.
In a preferred embodiment of the present invention, the user login request message includes a secure interaction process version field, a user security configuration field and a username field;
The verification module 52 comprises:
A judgment module 521, for judging whether the secure interaction process version field and the user security configuration field contain the corresponding preset first field contents;
A search module 522, for searching for the user public key according to the field contents of the username field when the secure interaction process version field and the user security configuration field contain the corresponding preset first field contents;
A generation module 523, for generating the user login challenge message according to the user public key and returning the user login challenge message to the client.
In a preferred embodiment of the present invention, the generation module 523 is used to generate a server random number and a server symmetric key; to encrypt the server symmetric key with the user public key to obtain a server symmetric key ciphertext; and to generate the user login challenge message according to the server random number and the server symmetric key ciphertext.
In a preferred embodiment of the present invention, the user login challenge message includes a secure interaction process version field, a server security configuration field, a server random number field and a symmetric key ciphertext field; the field contents of the server random number field include the server random number, and the field contents of the symmetric key ciphertext field include the server symmetric key ciphertext;
The client is used to judge whether the secure interaction process version field and the server security configuration field of the user login challenge message contain the corresponding preset second field contents;
The client is further used to decrypt the field contents of the symmetric key ciphertext field with the user private key to obtain a user decryption result when the secure interaction process version field and the server security configuration field of the user login challenge message contain the corresponding preset second field contents;
The client is further used to generate the user login response message according to the user decryption result, the field contents of the server random number field and the user password.
In a preferred embodiment of the present invention, the client is further used to encrypt the XOR value of the field contents of the server random number field and the user password with the user decryption result, obtaining a user password ciphertext.
In a preferred embodiment of the present invention, the user login response message includes a secure interaction process version field, a user security configuration field and a user password ciphertext field, the field contents of the user password ciphertext field including the user password ciphertext;
The judgment module 521 is further used to judge whether the secure interaction process version field and the user security configuration field of the user login response message contain the corresponding preset third field contents;
The verification module 52 further comprises:
A decryption module 524, for decrypting the field contents of the user password ciphertext field with the server symmetric key to obtain a server decryption result when the secure interaction process version field and the user security configuration field of the user login response message contain the corresponding preset third field contents;
An XOR module 525, for XORing the server decryption result with the server random number to obtain the user password;
A comparison module 526, for comparing whether the user password and the stored password are identical;
A determination module 527, for determining that the user login response message is verified when the user password and the stored password are identical.
Since the device embodiments are essentially similar to the method embodiments, they are described relatively briefly; for the relevant points, refer to the corresponding parts of the description of the method embodiments.
The embodiments of the present invention also provide a device, comprising:
one or more processors; and
one or more machine-readable media storing instructions which, when executed by the one or more processors, cause the device to perform one or more user authentication methods as described in the embodiments of the present invention.
The embodiments of the present invention also provide a computer-readable storage medium storing a computer program that causes a processor to perform the user authentication method as described in the embodiments of the present invention.
The embodiments in this specification are described progressively; each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments can be referred to each other.
To help those skilled in the art better understand the embodiments of the present invention, view networking is introduced below:
View networking is an important milestone in network development. It is a real-time network that can realise real-time transmission of high-definition video and pushes numerous internet applications toward high-definition, face-to-face video.
View networking uses real-time high-definition video switching technology and can integrate the required services into a single system platform, such as high-definition video conferencing, video surveillance, intelligent monitoring analysis, emergency command, digital broadcast television, delayed television, online teaching, live broadcasting, video on demand, television mail, personal video recording (PVR), intranet (self-managed) channels, intelligent video broadcast control and information publishing, dozens of video, voice, picture, text, communication and data services in all, realising high-definition video playback through a television or a computer.
Some of the technologies applied in view networking are described below:
Network Technology
The network technology innovation of view networking improves traditional Ethernet to cope with the potentially huge video traffic on the network. Unlike pure network packet switching or circuit switching, view networking technology meets streaming demand with packet switching. View networking technology has the flexibility, simplicity and low cost of packet switching together with the quality and security assurance of circuit switching, realising the seamless connection of network-wide switched virtual circuits and data formats.
Switching Technology
View networking uses the two advantages of Ethernet, asynchrony and packet switching, and eliminates the defects of Ethernet while remaining fully compatible. It has network-wide end-to-end seamless connection, reaches user terminals directly and carries IP data packets directly; user data needs no format conversion anywhere in the network. View networking is a more advanced form of Ethernet and a real-time switching platform that can realise the network-wide, large-scale, high-definition real-time video transmission that the current internet cannot, pushing numerous network video applications toward high definition and unification.
Server Technology
Unlike a traditional server, the server technology of view networking and of the unified video platform builds streaming media transmission on a connection-oriented basis; its data handling capacity is independent of traffic and communication time, and a single network layer can carry both signalling and data. For voice and video services, the streaming media handling of view networking and the unified video platform is much simpler than data processing, and efficiency increases more than a hundredfold compared with a traditional server.
Storage Technology
To adapt to media content of enormous capacity and very high traffic, the ultra-high-speed storage technology of the unified video platform uses a state-of-the-art real-time operating system: the programme information in a server instruction is mapped to a specific hard disk space, media content no longer passes through the server but is delivered directly to the user terminal instantly, and the typical user waiting time is less than 0.2 seconds. The optimised sector distribution greatly reduces the mechanical head-seeking movement of the hard disk; resource consumption is only 20% of that of internet IP of the same grade, yet the concurrent traffic generated is more than 3 times that of a traditional disk array and overall efficiency is more than 10 times higher.
Network Security Technology
The structural design of view networking, in which each service runs under an independent licence system and devices and user data are completely isolated, eliminates at the structural level the network security problems that plague the internet; antivirus programs and firewalls are generally not needed, attacks by hackers and viruses are blocked, and users are provided with a structurally worry-free secure network.
Service Innovation Technology
The unified video platform merges services and transmission: whether for a single user, a private user or a whole network, the sum total is only one automatic connection. User terminals, set-top boxes or PCs connect directly to the unified video platform and obtain rich and varied multimedia video services. The unified video platform uses "menu-style" table configuration in place of traditional complex application programming; very little code realises complex applications, enabling "endless" new service innovation.
The networking of view networking is as follows:
View networking is a centrally controlled network structure. The network can be of tree, star, ring or other types, but on that basis a centralised control node is required in the network to control the whole network.
As shown in Fig. 6, view networking is divided into two parts: the access network and the metropolitan area network.
The devices of the access network part can be divided into three classes: node servers, access switches and terminals (including various set-top boxes, encoding boards, storage devices and so on). A node server is connected to access switches; an access switch can be connected to multiple terminals and can also connect to Ethernet.
The node server is the node that performs centralised control in the access network and can control the access switches and terminals. A node server can be connected directly to access switches or directly to terminals.
Similarly, the devices of the metropolitan area network part can be divided into three classes: metropolitan area servers, node switches and node servers. A metropolitan area server is connected to node switches, and a node switch can be connected to multiple node servers.
Here the node server is the node server of the access network part, i.e. the node server belongs both to the access network part and to the metropolitan area network part.
The metropolitan area server is the node that performs centralised control in the metropolitan area network and can control the node switches and node servers. A metropolitan area server can be connected directly to node switches or directly to node servers.
It can be seen that the whole view network is a hierarchical, centrally controlled network structure, and the networks controlled under a node server and under a metropolitan area server can have various structures such as tree, star or ring.
Graphically, the access network part can form a unified video platform (the part inside the dashed circle), and multiple unified video platforms can form a view network; the unified video platforms can be interconnected through the metropolitan area and wide area view networks.
Classification of view networking devices
1.1 In the embodiments of the present invention, the devices in view networking can be divided into three classes: servers, switches (including Ethernet gateways) and terminals (including various set-top boxes, encoding boards, storage devices and so on). As a whole, view networking can be divided into the metropolitan area network (or national network, global network and so on) and the access network.
1.2 The devices of the access network part can be divided into three classes: node servers, access switches (including Ethernet gateways) and terminals (including various set-top boxes, encoding boards, storage devices and so on).
The specific hardware structure of each access network device is as follows:
Node server:
As shown in Fig. 7, the node server mainly includes a network interface module 701, a switching engine module 702, a CPU module 703 and a disk array module 704.
The packets coming in from the network interface module 701, the CPU module 703 and the disk array module 704 all enter the switching engine module 702. The switching engine module 702 looks each incoming packet up in the address table 705 to obtain the packet's routing information and stores the packet in the queue of the corresponding packet buffer 706 according to that routing information; if the queue of the packet buffer 706 is close to full, the packet is discarded. The switching engine module 702 polls all packet buffer queues and forwards when the following conditions are met: 1) the port's send cache is not full; 2) the queue's packet counter is greater than zero. The disk array module 704 mainly controls the hard disks, including initialisation of, and reading from and writing to, the hard disks. The CPU module 703 is mainly responsible for protocol processing with the access switches and terminals (not shown), for configuration of the address table 705 (including the downlink protocol packet address table, the uplink protocol packet address table and the data packet address table), and for configuration of the disk array module 704.
Access switch:
As shown in Fig. 8, the access switch mainly includes network interface modules (a downlink network interface module 801 and an uplink network interface module 802), a switching engine module 803 and a CPU module 804.
The packets coming in from the downlink network interface module 801 (upstream data) enter the packet detection module 805. The packet detection module 805 checks whether the destination address (DA), source address (SA), packet type and packet length of the packet meet the requirements; if they do, it assigns a corresponding stream identifier (stream-id) and the packet enters the switching engine module 803, otherwise the packet is discarded. The packets coming in from the uplink network interface module 802 (downstream data) enter the switching engine module 803, as do the data packets coming in from the CPU module 804. The switching engine module 803 looks each incoming packet up in the address table 806 to obtain the packet's routing information. If a packet entering the switching engine module 803 is going from the downlink network interface to the uplink network interface, it is stored in the queue of the corresponding packet buffer 807 together with its stream identifier (stream-id); if the queue of the packet buffer 807 is close to full, the packet is discarded. If a packet entering the switching engine module 803 is not going from the downlink network interface to the uplink network interface, it is stored in the data packet queue of the corresponding packet buffer 807 according to the packet's routing information; if the queue of the packet buffer 807 is close to full, the packet is discarded.
The switching engine module 803 polls all packet buffer queues, and in the embodiments of the present invention two cases are distinguished:
If the queue is going from the downlink network interface to the uplink network interface, forwarding takes place when the following conditions are met: 1) the port's send cache is not full; 2) the queue's packet counter is greater than zero; 3) a token generated by the rate control module has been obtained.
If the queue is not going from the downlink network interface to the uplink network interface, forwarding takes place when the following conditions are met: 1) the port's send cache is not full; 2) the queue's packet counter is greater than zero.
The rate control module 808 is configured by the CPU module 804 and, at a programmable interval, generates tokens for all packet buffer queues going from a downlink network interface to the uplink network interface, so as to control the bit rate of upstream forwarding.
The CPU module 804 is mainly responsible for protocol processing with the node server, for configuration of the address table 806, and for configuration of the rate control module 808.
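As an added example, not code from the patent, the following Go model reproduces the polling and forwarding rules of the switching engine module 803 and the token scheme of the rate control module 808 described above: a queue is served only while the port's send cache has room and the queue's packet counter is above zero, and a queue carrying traffic from a downlink interface to the uplink interface additionally spends one token per packet, tokens being granted to all such queues once per rate-control interval. The drop rule for a nearly full queue is modelled too. Queue depth, send-cache capacity and tokens per interval are hypothetical parameters; the page gives no values for them.

```go
package main

// Queue is one packet-buffer queue of the switching engine. Upstream queues (downlink
// interface towards the uplink interface) also need a token from the rate control module.
type Queue struct {
	Upstream bool
	Packets  int // the queue's packet counter
	Tokens   int // tokens granted by rate control; only consulted for upstream queues
	Depth    int // queue capacity (hypothetical); a packet arriving at a full queue is dropped
}

// Enqueue models "store the packet, or drop it when the queue is close to full".
func (q *Queue) Enqueue() bool {
	if q.Packets >= q.Depth {
		return false
	}
	q.Packets++
	return true
}

// Engine holds the queues, the egress port's send cache and the rate control setting.
type Engine struct {
	Queues            []*Queue
	SendCache         int // packets currently in the port's send cache
	SendCacheCapacity int // hypothetical size of the send cache
	TokensPerInterval int // programmed by the CPU module into the rate control module
}

// Tick is one rate-control interval: every upstream queue receives its tokens.
func (e *Engine) Tick() {
	for _, q := range e.Queues {
		if q.Upstream {
			q.Tokens += e.TokensPerInterval
		}
	}
}

// Poll is one round of the engine's queue polling. A queue is served while (1) the send
// cache is not full and (2) its packet counter is above zero; an upstream queue must also
// (3) hold a token. Queues are visited round-robin, one packet per visit, until no queue
// can make progress. It returns the number of packets moved into the send cache.
func (e *Engine) Poll() int {
	forwarded := 0
	for progress := true; progress; {
		progress = false
		for _, q := range e.Queues {
			if e.SendCache >= e.SendCacheCapacity || q.Packets == 0 {
				continue
			}
			if q.Upstream {
				if q.Tokens == 0 {
					continue
				}
				q.Tokens--
			}
			q.Packets--
			e.SendCache++
			forwarded++
			progress = true
		}
	}
	return forwarded
}

// Transmit empties the send cache (the port has put the packets on the wire) and reports how many.
func (e *Engine) Transmit() int {
	n := e.SendCache
	e.SendCache = 0
	return n
}
```

With the same send cache shared by both kinds of queue, a burst of downstream traffic can fill the cache and starve an upstream queue even when it holds tokens, which is the behaviour the two condition lists above imply; the token count only ever limits upstream forwarding, it never guarantees it.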
Ethernet protocol conversion gateway:
As shown in Fig. 9, the Ethernet protocol conversion gateway mainly includes network interface modules (a downlink network interface module 901 and an uplink network interface module 902), a switching engine module 903, a CPU module 904, a packet detection module 905, a rate control module 908, an address table 906, a packet buffer 907, a MAC adding module 909 and a MAC removing module 910.
The data packets coming in from the downlink network interface module 901 enter the packet detection module 905. The packet detection module 905 checks whether the Ethernet MAC DA, Ethernet MAC SA, Ethernet length or frame type, view networking destination address DA, view networking source address SA, view networking packet type and packet length of the data packet meet the requirements; if they do, a corresponding stream identifier (stream-id) is assigned, the MAC DA, MAC SA and length or frame type (2 bytes) are then stripped by the MAC removing module 910, and the packet enters the corresponding receive cache; otherwise the packet is discarded.
The downlink network interface module 901 checks the send cache of the port; if there is a packet, it determines the Ethernet MAC DA of the corresponding terminal from the packet's view networking destination address DA, adds the terminal's Ethernet MAC DA, the MAC SA of the Ethernet protocol conversion gateway and the Ethernet length or frame type, and sends the packet.
The functions of the other modules in the Ethernet protocol conversion gateway are similar to those of the access switch.
Terminal:
A terminal mainly includes a network interface module, a service processing module and a CPU module. For example, a set-top box mainly includes a network interface module, a video/audio encoding and decoding engine module and a CPU module; an encoding board mainly includes a network interface module, a video encoding engine module and a CPU module; a storage device mainly includes a network interface module, a CPU module and a disk array module.
1.3 The devices of the metropolitan area network part can be divided into three classes: node servers, node switches and metropolitan area servers. A node switch mainly includes a network interface module, a switching engine module and a CPU module; a metropolitan area server mainly includes a network interface module, a switching engine module and a CPU module.
2. View networking data packet definitions
2.1 Access network data packet definition
An access network data packet mainly includes the following parts: destination address (DA), source address (SA), reserved bytes, payload (PDU) and CRC.
As shown in the table below, an access network data packet mainly includes the following parts:
DA | SA | Reserved | Payload | CRC |
Where:
The destination address (DA) consists of 8 bytes; the first byte indicates the type of the data packet (for example the various protocol packets, multicast data packets, unicast data packets and so on), with up to 256 possibilities; the second to sixth bytes are the metropolitan area network address; the seventh and eighth bytes are the access network address;
The source address (SA) also consists of 8 bytes and is defined in the same way as the destination address (DA);
The reserved bytes consist of 2 bytes;
The payload part has different lengths depending on the datagram type: 64 bytes for the various protocol packets and 32+1024=1056 bytes for single-group unicast packets, although it is of course not limited to these two;
The CRC consists of 4 bytes and is calculated with the standard Ethernet CRC algorithm.
2.2 Metropolitan area network data packet definition
The topology of the metropolitan area network is a graph: there may be two or more connections between two devices, i.e. there may be more than two connections between a node switch and a node server, and between two node switches. However, the metropolitan area network address of a metropolitan area network device is unique, so to describe the connection relationships between metropolitan area network devices precisely, the embodiments of the present invention introduce a parameter, the label, to uniquely describe a metropolitan area network device.
The label in this specification is defined similarly to the label of MPLS (Multi-Protocol Label Switching). Suppose there are two connections between device A and device B; then a data packet from device A to device B has two labels, and a data packet from device B to device A also has two labels. Labels are divided into incoming labels and outgoing labels. Suppose the label of a data packet entering device A (the incoming label) is 0x0000; the label of the same data packet when it leaves device A (the outgoing label) may become 0x0001. The networking process of the metropolitan area network is a network entry process under centralised control, which means that address allocation and label allocation in the metropolitan area network are both directed by the metropolitan area server, while the node switches and node servers execute passively. This differs from the label allocation of MPLS, where labels are the result of negotiation between switches and servers.
As shown in the table below, a metropolitan area network data packet mainly includes the following parts:
DA | SA | Reserved | Label | Payload | CRC |
That is: destination address (DA), source address (SA), reserved bytes (Reserved), label, payload (PDU) and CRC. The label format may be defined as follows: the label is 32 bits, of which the high 16 bits are reserved and only the low 16 bits are used; it is located between the reserved bytes and the payload of the data packet.
Those skilled in the art will understand that the embodiments of the present invention may be provided as a method, a device or a computer program product. Therefore, the embodiments of the present invention may take the form of a complete hardware embodiment, a complete software embodiment, or an embodiment combining software and hardware aspects. Moreover, the embodiments of the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical memory, etc.) containing computer-usable program code.
The embodiments of the present invention are described with reference to flowcharts and/or block diagrams of the method, terminal device (system) and computer program product according to the embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing terminal device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing terminal device produce a device for realizing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing terminal device to operate in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, which realizes the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing terminal device, so that a series of operation steps are executed on the computer or other programmable terminal device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable terminal device provide steps for realizing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the present invention have been described, those skilled in the art can make additional changes and modifications to these embodiments once they know the basic inventive concept. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments and all changes and modifications that fall within the scope of the embodiments of the present invention.
Finally, it should be noted that, herein, relational terms such as first and second are used merely to distinguish one entity or operation from another entity or operation, without necessarily requiring or implying any actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or terminal device including a series of elements includes not only those elements but also other elements not explicitly listed, or further includes elements inherent to such a process, method, article or terminal device. In the absence of further restrictions, an element limited by the sentence "including a ..." does not exclude the existence of other identical elements in the process, method, article or terminal device that includes the element.
The user authentication method, device and computer-readable storage medium provided by the present invention have been described in detail above. Specific examples have been used herein to illustrate the principle and implementation of the invention; the explanation of the above embodiments is only intended to help in understanding the method of the invention and its core idea. Meanwhile, for those of ordinary skill in the art, there will be changes in the specific implementation and scope of application according to the idea of the invention. In conclusion, the contents of this specification should not be construed as limiting the invention.
Claims (16)
1. A user authentication method, characterized in that it is applied to an authentication system, the authentication system comprising a node server and a client, wherein the node server and the client are set in a view network and the node server is communicatively connected with the client, the method comprising:
the node server receiving a user registration request message from the client, the user registration request message comprising a user name, a password and a user public key, the client being used to generate, for the user name and the password, a user asymmetric key pair comprising the user public key and a user private key;
the node server performing a verification operation on the user name and the password, and storing the user name, the password and the user public key in the case that the verification passes;
the node server receiving a user login request message from the client;
the node server performing a verification operation on the user login request message, and generating and returning a user login challenge message to the client, so that the client performs a verification operation on the user login challenge message and generates and returns a user login response message to the node server;
the node server performing a verification operation on the user login response message, and allowing the user of the client to log on to the node server in the case that the verification passes.
2. The user authentication method according to claim 1, characterized in that a UKey is provided in the client, the client being used to call a preset algorithm in the UKey to generate the user asymmetric key pair for the user name and the password; the client is also used to store the user private key in the UKey.
3. The user authentication method according to claim 1, characterized in that the user login request message comprises a secure interaction process version field, a user security configuration field and a user name field;
the step of the node server performing a verification operation on the user login request message and generating and returning a user login challenge message to the client comprises:
the node server judging whether the secure interaction process version field and the user security configuration field contain corresponding preset first field contents;
when the secure interaction process version field and the user security configuration field contain the corresponding preset first field contents, the node server looking up the user public key according to the field contents of the user name field;
the node server generating the user login challenge message according to the user public key, and returning the user login challenge message to the client.
4. The user authentication method according to claim 3, characterized in that the step of the node server generating the user login challenge message according to the user public key comprises:
the node server generating a server random number and a server symmetric key;
the node server performing an encryption operation on the server symmetric key using the user public key to obtain a server symmetric key ciphertext;
the node server generating the user login challenge message according to the server random number and the server symmetric key ciphertext.
5. The user authentication method according to claim 4, characterized in that the user login challenge message comprises a secure interaction process version field, a server security configuration field, a server random number field and a symmetric key ciphertext field; the field contents of the server random number field comprise the server random number, and the field contents of the symmetric key ciphertext field comprise the server symmetric key ciphertext;
the client is used to judge whether the secure interaction process version field and the server security configuration field in the user login challenge message contain corresponding preset second field contents;
the client is also used to, when the secure interaction process version field and the server security configuration field in the user login challenge message contain the corresponding preset second field contents, decrypt the field contents of the symmetric key ciphertext field using the user private key to obtain a user decryption result;
the client is also used to generate the user login response message according to the user decryption result, the field contents of the server random number field and the user password.
6. The user authentication method according to claim 5, characterized in that the client is also used to encrypt the exclusive-or value of the field contents of the server random number field and the user password using the user decryption result to obtain a user password ciphertext.
7. The user authentication method according to claim 5, characterized in that the user login response message comprises a secure interaction process version field, a user security configuration field and a user password ciphertext field, the field contents of the user password ciphertext field comprising the user password ciphertext;
the step of the node server performing a verification operation on the user login response message comprises:
the node server judging whether the secure interaction process version field and the user security configuration field in the user login response message contain corresponding preset third field contents;
when the secure interaction process version field and the user security configuration field in the user login response message contain the corresponding preset third field contents, the node server decrypting the field contents of the user password ciphertext field using the server symmetric key to obtain a server decryption result;
the node server performing an exclusive-or operation on the server decryption result and the server random number to obtain the user password;
the node server judging whether the user password is consistent with the stored password;
the node server determining that the verification of the user login response message passes when the user password is consistent with the stored password.
8. A user authentication device, characterized in that it is applied to a node server in an authentication system, the node server being communicatively connected with a client in the authentication system, the node server and the client being set in a view network, the device comprising:
a receiving module for receiving a user registration request message from the client, the user registration request message comprising a user name, a password and a user public key, the client being used to generate, for the user name and the password, a user asymmetric key pair comprising the user public key and a user private key;
an authentication module for performing a verification operation on the user name and the password;
a storage module for storing the user name, the password and the user public key in the case that the verification of the user name and the password by the authentication module passes;
the receiving module also being used to receive a user login request message from the client;
the authentication module also being used to perform a verification operation on the user login request message, and to generate and return a user login challenge message to the client, so that the client performs a verification operation on the user login challenge message and generates and returns a user login response message to the node server;
the authentication module also being used to perform a verification operation on the user login response message;
a login module for allowing the user of the client to log on to the node server in the case that the verification of the user login response message by the authentication module passes.
9. The user authentication device according to claim 8, characterized in that a UKey is provided in the client, the client being used to call a preset algorithm in the UKey to generate the user asymmetric key pair for the user name and the password; the client is also used to store the user private key in the UKey.
10. The user authentication device according to claim 8, characterized in that the user login request message comprises a secure interaction process version field, a user security configuration field and a user name field;
the authentication module comprises:
a judging module for judging whether the secure interaction process version field and the user security configuration field contain corresponding preset first field contents;
a lookup module for looking up the user public key according to the field contents of the user name field when the secure interaction process version field and the user security configuration field contain the corresponding preset first field contents;
a generation module for generating the user login challenge message according to the user public key, and returning the user login challenge message to the client.
11. The user authentication device according to claim 10, characterized in that the generation module is used to generate a server random number and a server symmetric key; to perform an encryption operation on the server symmetric key using the user public key to obtain a server symmetric key ciphertext; and to generate the user login challenge message according to the server random number and the server symmetric key ciphertext.
12. The user authentication device according to claim 11, characterized in that the user login challenge message comprises a secure interaction process version field, a server security configuration field, a server random number field and a symmetric key ciphertext field; the field contents of the server random number field comprise the server random number, and the field contents of the symmetric key ciphertext field comprise the server symmetric key ciphertext;
the client is used to judge whether the secure interaction process version field and the server security configuration field in the user login challenge message contain corresponding preset second field contents;
the client is also used to, when the secure interaction process version field and the server security configuration field in the user login challenge message contain the corresponding preset second field contents, decrypt the field contents of the symmetric key ciphertext field using the user private key to obtain a user decryption result;
the client is also used to generate the user login response message according to the user decryption result, the field contents of the server random number field and the user password.
13. The user authentication device according to claim 12, characterized in that the client is also used to encrypt the exclusive-or value of the field contents of the server random number field and the user password using the user decryption result to obtain a user password ciphertext.
14. The user authentication device according to claim 12, characterized in that the user login response message comprises a secure interaction process version field, a user security configuration field and a user password ciphertext field, the field contents of the user password ciphertext field comprising the user password ciphertext;
the judging module is also used to judge whether the secure interaction process version field and the user security configuration field in the user login response message contain corresponding preset third field contents;
the authentication module further comprises:
a decryption module for decrypting the field contents of the user password ciphertext field using the server symmetric key to obtain a server decryption result when the secure interaction process version field and the user security configuration field in the user login response message contain the corresponding preset third field contents;
an exclusive-or module for performing an exclusive-or operation on the server decryption result and the server random number to obtain the user password;
a comparison module for judging whether the user password is consistent with the stored password;
a determining module for determining that the verification of the user login response message passes when the user password is consistent with the stored password.
15. A device, characterized in that it comprises:
one or more processors; and
one or more machine-readable media having instructions stored thereon which, when executed by the one or more processors, cause the device to perform the user authentication method according to one or more of claims 1 to 7.
16. A computer-readable storage medium, characterized in that the computer program it stores causes a processor to perform the user authentication method according to any one of claims 1 to 7.
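The registration, login challenge and login response flow of claims 1 to 7, as an added Go example that is not the patent's own code. RSA-OAEP stands in for the unspecified asymmetric algorithm and AES-256-GCM for the unspecified symmetric one; the values of the preset first, second and third field contents, the 32-byte server random number, the length-prefixed password padding that gives the exclusive-or of claims 6 and 7 equal-length operands, the `user` parameter on the response (so the node server can find the outstanding challenge) and the salted digest stored in place of the password are all assumptions the claims leave open, and `NewUserKey` replaces the UKey key generation of claim 2.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// Constructed stand-ins for the claims' "preset first/second/third field contents" and the size of the
// server random number; a password travels length-prefixed in a nonceLen block so the XOR has equal-length operands.
const procVersion, secConfig, nonceLen = byte(1), byte(1), 32

type userRecord struct {
	salt, pwHash []byte // salted SHA-256 digest rather than the plaintext password the claim text names
	pub          *rsa.PublicKey
}
type challenge struct{ nonce, symKey []byte }

// Server plays the node server: registered users and at most one outstanding challenge per user.
type Server struct {
	Users   map[string]userRecord
	Pending map[string]challenge
}

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func digest(salt, pw []byte) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), pw...))
	return h[:]
}

// NewUserKey stands in for the UKey's preset key generation algorithm of claim 2 (RSA-2048 assumed).
func NewUserKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Register (claim 1): verify the credentials (a constructed policy) and store digest plus user public key.
func (s *Server) Register(user, pw string, pub *rsa.PublicKey) error {
	if _, dup := s.Users[user]; dup || user == "" || pw == "" || len(pw) >= nonceLen || pub == nil {
		return errors.New("registration rejected")
	}
	salt := mustRandom(16)
	s.Users[user] = userRecord{salt, digest(salt, []byte(pw)), pub}
	return nil
}

// Challenge (claims 3 and 4): check the version/security fields, look up the user public key, and return
// a fresh random number plus a fresh symmetric key wrapped with RSA-OAEP (the user login challenge message).
func (s *Server) Challenge(version, cfg byte, user string) (nonce, wrappedKey []byte, err error) {
	u, ok := s.Users[user]
	if version != procVersion || cfg != secConfig || !ok {
		return nil, nil, errors.New("login request rejected")
	}
	c := challenge{mustRandom(nonceLen), mustRandom(32)}
	if wrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, u.pub, c.symKey, nil); err != nil {
		return nil, nil, err
	}
	s.Pending[user] = c
	return c.nonce, wrappedKey, nil
}

// Respond (claims 5 and 6, client side): check the challenge fields, unwrap the symmetric key with the user
// private key, and return AES-256-GCM (stand-in for the unspecified symmetric cipher) of nonce XOR password.
func Respond(priv *rsa.PrivateKey, pw string, version, cfg byte, nonce, wrappedKey []byte) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrappedKey, nil)
	if version != procVersion || cfg != secConfig || len(nonce) != nonceLen || len(pw) >= nonceLen || err != nil || len(key) != 32 {
		return nil, errors.New("challenge rejected")
	}
	padded := make([]byte, nonceLen)
	padded[0] = byte(copy(padded[1:], pw)) // length prefix, then the password, then zero padding
	subtle.XORBytes(padded, padded, nonce)
	block, _ := aes.NewCipher(key) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)
	iv := mustRandom(gcm.NonceSize())
	return gcm.Seal(iv, iv, padded, nil), nil
}

// Verify (claim 7): consume the outstanding challenge (a captured response cannot be replayed), decrypt with
// its symmetric key, XOR with the random number and compare the recovered password with the stored digest.
func (s *Server) Verify(version, cfg byte, user string, passwordCT []byte) error {
	c, ok := s.Pending[user]
	delete(s.Pending, user)
	u, known := s.Users[user]
	if version != procVersion || cfg != secConfig || !ok || !known || len(passwordCT) < 12 {
		return errors.New("login rejected")
	}
	block, _ := aes.NewCipher(c.symKey) // server-generated 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)
	plain, err := gcm.Open(nil, passwordCT[:12], passwordCT[12:], nil)
	if err != nil || len(plain) != nonceLen {
		return errors.New("login rejected")
	}
	subtle.XORBytes(plain, plain, c.nonce)
	if n := int(plain[0]); n >= nonceLen || subtle.ConstantTimeCompare(digest(u.salt, plain[1:1+n]), u.pwHash) != 1 {
		return errors.New("login rejected")
	}
	return nil
}
```

Two details the claims do not spell out but a deployment needs: the outstanding challenge is deleted on the first verification attempt, so a captured user login response cannot be replayed, and the comparison of claim 7 is made against a salted digest in constant time, which is sufficient because the node server recovers the plaintext password from the response anyway and therefore never needs to keep it.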
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910804695.1A CN110535856B (en) | 2019-08-28 | 2019-08-28 | User authentication method, device and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110535856A true CN110535856A (en) | 2019-12-03 |
CN110535856B CN110535856B (en) | 2022-04-26 |
Family
ID=68664838
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910804695.1A Active CN110535856B (en) | 2019-08-28 | 2019-08-28 | User authentication method, device and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110535856B (en) |
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20160209062A1 (en) * | 2015-01-19 | 2016-07-21 | Lennox Industries Inc. | Server integration with a heating, ventilation, and air conditioning system |
CN107911337A (en) * | 2017-10-11 | 2018-04-13 | 海信集团有限公司 | A kind of apparatus bound method, server and equipment |
CN109347835A (en) * | 2018-10-24 | 2019-02-15 | 苏州科达科技股份有限公司 | Information transferring method, client, server and computer readable storage medium |
Non-Patent Citations (1)
Title |
---|
老刘 (Lao Liu): "一个故事讲完https" (HTTPS explained in one story), 《HTTPS://MP.WEIXIN.QQ.COM/S/STQQAFHEPLBKWAPQZG3NRA》 * |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111147471A (en) * | 2019-12-20 | 2020-05-12 | 视联动力信息技术股份有限公司 | Terminal network access authentication method, device, system and storage medium |
CN111147471B (en) * | 2019-12-20 | 2023-02-28 | 视联动力信息技术股份有限公司 | Terminal network access authentication method, device, system and storage medium |
CN114679293A (en) * | 2021-06-15 | 2022-06-28 | 腾讯云计算(北京)有限责任公司 | Access control method, device and storage medium based on zero trust security |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| CB03 | Change of inventor or designer information | Inventor after: Zhao Hailiang; Sun Shaomin; Liang Hao; Yang Chunhui. Inventor before: Zhao Hailiang; Sun Shaomin; Liang Hao; Yang Chunhui |