CN110535856A - A kind of authentication method of user, device and storage medium - Google Patents

A kind of authentication method of user, device and storage medium

Info

Publication number: CN110535856A
Authority: CN (China)
Prior art keywords: user, field, client, server, password
Legal status: Granted
Application number: CN201910804695.1A
Other languages: Chinese (zh)
Other versions: CN110535856B (en)
Inventors: 赵海亮, 孙绍敏, 梁昊, 杨春辉
Current assignee: Visionvera Information Technology Co Ltd
Original assignee: Visionvera Information Technology Co Ltd

Events:
Application filed by Visionvera Information Technology Co Ltd
Priority to CN201910804695.1A
Publication of CN110535856A
Application granted
Publication of CN110535856B
Legal status: Active

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/045Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply hybrid encryption, i.e. combination of symmetric and asymmetric encryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0869Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3271Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • H04L9/3273Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response for mutual authentication

Abstract

The embodiment of the invention provides a user authentication method, device and storage medium. The method comprises: a node server receives a user registration request message from a client, the user registration request message comprising a user name, a password and a user public key; the node server performs a verification operation on the user name and password and, if the verification passes, stores the user name, password and user public key; the node server receives a user login request message from the client, performs a verification operation on it, and generates and returns a user login challenge message to the client, so that the client performs a verification operation on the user login challenge message and generates and returns a user login response message to the node server; the node server performs a verification operation on the user login response message and, if the verification passes, allows the user of the client to log on to the node server. The embodiment of the invention improves the security of user registration and login.

Description

User authentication method, device and storage medium
Technical field
The present invention relates to the field of view networking technology, and in particular to a user authentication method, a user authentication device and a computer-readable storage medium.
Background technique
View networking is a dedicated network for high-speed transmission of HD video and specialized protocols, built on Ethernet hardware; it is a more advanced form of Ethernet and a real-time network.
With the rapid development of view networking services, the number of view networking users has also grown rapidly. A view networking user must register with and log in to a view networking server through a view networking client before view networking services can be executed. Currently, when a view networking user registers with the view networking server, the server only verifies the user's user name and password, and when the user logs in to the view networking server, the server only verifies the login request. The security of user registration and login in view networking is therefore low.
Summary of the invention
In view of the above problems, embodiments of the present invention are proposed to provide a user authentication method, device and computer-readable storage medium that overcome the above problems or at least partly solve them.
To solve the above problems, an embodiment of the invention discloses a user authentication method applied to an authentication system. The authentication system comprises a node server and a client, both set in view networking, the node server being in communication connection with the client. The method comprises: the node server receives a user registration request message from the client, the user registration request message comprising a user name, a password and a user public key, the client being used to generate, for the user name and password, a user asymmetric key comprising the user public key and a user private key; the node server performs a verification operation on the user name and password and, if the verification passes, stores the user name, password and user public key; the node server receives a user login request message from the client; the node server performs a verification operation on the user login request message and generates and returns a user login challenge message to the client, so that the client performs a verification operation on the user login challenge message and generates and returns a user login response message to the node server; the node server performs a verification operation on the user login response message and, if the verification passes, allows the user of the client to log on to the node server.
Optionally, a UKey is installed in the client; the client calls a preset algorithm in the UKey to generate the user asymmetric key for the user name and password, and the client also stores the user private key in the UKey.
Optionally, the user login request message comprises a secure interaction flow version field, a user security configuration field and a user name field. The step in which the node server performs a verification operation on the user login request message and generates and returns a user login challenge message to the client comprises: the node server judges whether the secure interaction flow version field and the user security configuration field contain the corresponding preset first field contents; when they do, the node server looks up the user public key according to the contents of the user name field; the node server generates the user login challenge message according to the user public key and returns it to the client.
Optionally, the step in which the node server generates the user login challenge message according to the user public key comprises: the node server generates a server random number and a server symmetric key; the node server encrypts the server symmetric key with the user public key to obtain a server symmetric key ciphertext; the node server generates the user login challenge message according to the server random number and the server symmetric key ciphertext.
Optionally, the user login challenge message comprises a secure interaction flow version field, a server security configuration field, a server random number field and a symmetric key ciphertext field; the contents of the server random number field comprise the server random number, and the contents of the symmetric key ciphertext field comprise the server symmetric key ciphertext. The client judges whether the secure interaction flow version field and the server security configuration field in the user login challenge message contain the corresponding preset second field contents; when they do, the client decrypts the contents of the symmetric key ciphertext field with the user private key to obtain a user decryption result; the client then generates the user login response message according to the user decryption result, the contents of the server random number field and the user password.
Optionally, the client uses the user decryption result to encrypt the exclusive-or value of the contents of the server random number field and the user password, obtaining a user password ciphertext.
Optionally, the user login response message comprises a secure interaction flow version field, a user security configuration field and a user password ciphertext field, the contents of the user password ciphertext field comprising the user password ciphertext. The step in which the node server performs a verification operation on the user login response message comprises: the node server judges whether the secure interaction flow version field and the user security configuration field in the user login response message contain the corresponding preset third field contents; when they do, the node server decrypts the contents of the user password ciphertext field with the server symmetric key to obtain a server decryption result; the node server performs an exclusive-or operation on the server decryption result and the server random number to obtain the user password; the node server judges whether the user password and the stored password are consistent; when they are consistent, the node server determines that the verification of the user login response message passes.
An embodiment of the invention also discloses a user authentication device applied to the node server in an authentication system, the node server being in communication connection with the client in the authentication system, and the node server and the client being set in view networking. The device comprises: a receiving module for receiving a user registration request message from the client, the user registration request message comprising a user name, a password and a user public key, the client being used to generate, for the user name and password, a user asymmetric key comprising the user public key and a user private key; a verification module for performing a verification operation on the user name and password; a storage module for storing the user name, password and user public key when the verification module's verification of the user name and password passes; the receiving module is also for receiving a user login request message from the client; the verification module is also for performing a verification operation on the user login request message and generating and returning a user login challenge message to the client, so that the client performs a verification operation on the user login challenge message and generates and returns a user login response message to the node server; the verification module is also for performing a verification operation on the user login response message; and a login module for allowing the user of the client to log on to the node server when the verification module's verification of the user login response message passes.
Optionally, a UKey is installed in the client; the client calls a preset algorithm in the UKey to generate the user asymmetric key for the user name and password, and the client also stores the user private key in the UKey.
Optionally, the user login request message comprises a secure interaction flow version field, a user security configuration field and a user name field. The verification module comprises: a judging module for judging whether the secure interaction flow version field and the user security configuration field contain the corresponding preset first field contents; a lookup module for looking up the user public key according to the contents of the user name field when the secure interaction flow version field and the user security configuration field contain the corresponding preset first field contents; and a generation module for generating the user login challenge message according to the user public key and returning it to the client.
Optionally, the generation module generates a server random number and a server symmetric key, encrypts the server symmetric key with the user public key to obtain a server symmetric key ciphertext, and generates the user login challenge message according to the server random number and the server symmetric key ciphertext.
Optionally, the user login challenge message comprises a secure interaction flow version field, a server security configuration field, a server random number field and a symmetric key ciphertext field; the contents of the server random number field comprise the server random number, and the contents of the symmetric key ciphertext field comprise the server symmetric key ciphertext. The client judges whether the secure interaction flow version field and the server security configuration field in the user login challenge message contain the corresponding preset second field contents; when they do, the client decrypts the contents of the symmetric key ciphertext field with the user private key to obtain a user decryption result; the client then generates the user login response message according to the user decryption result, the contents of the server random number field and the user password.
Optionally, the client uses the user decryption result to encrypt the exclusive-or value of the contents of the server random number field and the user password, obtaining a user password ciphertext.
Optionally, the user login response message comprises a secure interaction flow version field, a user security configuration field and a user password ciphertext field, the contents of the user password ciphertext field comprising the user password ciphertext. The judging module is also for judging whether the secure interaction flow version field and the user security configuration field in the user login response message contain the corresponding preset third field contents. The verification module further comprises: a decryption module for decrypting the contents of the user password ciphertext field with the server symmetric key when those fields contain the corresponding preset third field contents, obtaining a server decryption result; an exclusive-or module for performing an exclusive-or operation on the server decryption result and the server random number to obtain the user password; a comparison module for judging whether the user password and the stored password are consistent; and a determination module for determining that the verification of the user login response message passes when the user password and the stored password are consistent.
Embodiments of the present invention include the following advantages:
The user authentication scheme provided in the embodiments of the present invention can be applied to an authentication system. The authentication system may comprise a node server and a client, both set in view networking, and the node server may be in communication connection with the client.
In the embodiments of the present invention, the user sends a user registration request message to the node server through the client; the user registration request message comprises a user name, a password and a user public key. The user public key is the public key in the asymmetric key that the client generates for the user name and password. The node server performs a verification operation on the user name and password in the user registration request message and, if the verification passes, stores the user name, password and user public key. After the user has registered successfully with the node server, the user sends a user login request message to the node server through the client; the node server performs a verification operation on the user login request message and generates and returns a user login challenge message to the client. The client in turn performs a verification operation on the user login challenge message and generates and returns a user login response message to the node server. The node server performs a verification operation on the user login response message and, if the verification passes, allows the user of the client to log on to the node server. In the embodiments of the present invention, the registration process sends not only the user name and password to the node server but also the user public key of the user asymmetric key, and the node server stores the user name, password and user public key locally once the user name and password are verified. In the login process, not only does the node server verify the user login request message and the user login response message, but the client also verifies the node server's user login challenge message, so that bi-directional verification between the node server and the client is realized. Only when all verifications pass does the node server allow the user of the client to log on, which improves the security of user registration and login.
Detailed description of the invention
Fig. 1 is a flow chart of the steps of an embodiment of a user authentication method of the present invention;
Fig. 2 is a flow diagram of the user registration process in a user authentication method of the present invention;
Fig. 3 is a flow diagram of the user login process in a user authentication method of the present invention;
Fig. 4 is a software and hardware architecture diagram of a user authentication method of the present invention;
Fig. 5 is a structural block diagram of an embodiment of a user authentication device of the present invention;
Fig. 6 is a networking schematic diagram of view networking of the present invention;
Fig. 7 is a hardware structure diagram of a node server of the present invention;
Fig. 8 is a hardware structure diagram of an access switch of the present invention;
Fig. 9 is a hardware structure diagram of an Ethernet protocol conversion gateway of the present invention.
Specific embodiment
In order to make the above objects, features and advantages of the present invention clearer and easier to understand, the present invention is described in further detail below with reference to the accompanying drawings and specific embodiments.
Referring to Fig. 1, a flow chart of the steps of an embodiment of a user authentication method of the present invention is shown. The user authentication method can be applied in an authentication system, which may comprise a node server and a client; the node server and the client may be set in view networking, and the node server may be in communication connection with the client. The user authentication method may specifically comprise the following steps:
Step 101: the node server receives a user registration request message from the client.
In an embodiment of the present invention, the node server may be a network management server. The network management server may be a core device on view networking that controls service fulfillment, terminal registration and similar functions; it is the "brain" of view networking, and it may also provide a user interface for clients in view networking to call. A client can be understood as an actual participant in, or server of, view networking services; a client may be a personal computer, a set-top box, a streaming media gateway, a storage gateway, a media synthesizer, etc. A set-top box is a device that connects a television set to an external signal source; it converts a compressed digital signal into television content and displays it on the television set. In general, a set-top box can be connected to a camera and a microphone to collect multimedia data such as video data and audio data, and can also be connected to a television set to play multimedia data such as video data and audio data.
In an embodiment of the present invention, the user registration request message may comprise a user name, a password and a user public key. The user name is the user name to be registered, entered by the user through the client; the password is the password corresponding to that user name, entered by the user through the client. The user public key is the public key in the user asymmetric key that the client generates for the user name and password; the user asymmetric key also comprises a user private key.
In a preferred embodiment of the invention, a UKey may be installed in the client; the client can call a preset algorithm in the UKey to generate the user asymmetric key for the user name and password, and the client writes the user private key of the user asymmetric key into the UKey.
Step 102: the node server performs a verification operation on the user name and password and, if the verification passes, stores the user name, password and user public key.
In an embodiment of the present invention, the node server may first perform the verification operation on the user name and then on the password. When verifying the user name, the node server may verify whether the user name meets a preset user name rule, for example whether the character length and character composition of the user name meet the user name requirements. When verifying the password, the node server may verify whether the password meets a preset password rule, for example whether the character length and character composition of the password meet the password requirements. When the user name meets the user name requirements and the password meets the password requirements, the node server determines that the verification of the user name and password passes. The node server may then store the user name, password and user public key locally, or store them in a server-side database. It should be noted that when storing the user name, password and user public key, the node server needs to store not only these three items but also the correspondence between the user name, the password and the user public key.
Steps 101 and 102 above can be considered the user's registration process. For a given user, the registration process is executed once in an embodiment of the present invention and need not be repeated.
Step 103: the node server receives a user login request message from the client.
In an embodiment of the present invention, the user login request message may comprise a secure interaction flow version field, a user security configuration field, a user name field, etc. Table 1 shows a specific example of a user login request message.
Table 1
Step 104: the node server performs a verification operation on the user login request message and generates and returns a user login challenge message to the client, so that the client performs a verification operation on the user login challenge message and generates and returns a user login response message to the node server.
In an embodiment of the present invention, the process in which the node server performs a verification operation on the user login request message and generates the user login challenge message may comprise the following steps.
Step 201: the node server judges whether the secure interaction flow version field and the user security configuration field contain the corresponding preset first field contents. If they do, step 202 is executed; if they do not, the process ends.
In practical applications, the node server may judge whether the contents of the secure interaction flow version field and the contents of the first byte of the user security configuration field are both "0x01". If both are "0x01", step 202 is executed; if the contents of the secure interaction flow version field and/or the contents of the first byte of the user security configuration field are not "0x01", the process ends. It should be noted that a value of "0x01" in the first byte of the user security configuration field indicates that the client's login process supports bi-directional verification.
Step 202: the node server looks up the user public key according to the contents of the user name field.
The node server looks up the user public key in the local or server-side database according to the contents of the user name field. Specifically, the node server can look up the user public key corresponding to the contents of the user name field according to the stored correspondence between user names, passwords and user public keys. If the node server finds a user public key corresponding to the contents of the user name field, the contents of the user name field are a registered user name; if it does not, the contents of the user name field are an unregistered user name.
Step 203: the node server generates the user login challenge message according to the user public key.
In an embodiment of the present invention, the node server may generate a server random number and a server symmetric key, encrypt the server symmetric key with the stored user public key to obtain a server symmetric key ciphertext, and then generate the user login challenge message according to the server random number and the server symmetric key ciphertext.
In practical applications, the user login challenge message may comprise a secure interaction flow version field, a server security configuration field, a server random number field, a symmetric key ciphertext field, etc. Table 2 shows a specific example of a user login challenge message.
Table 2
In an embodiment of the present invention, after the node server generates the user login challenge message, it sends the user login challenge message to the client. The client needs to perform a verification operation on the user login challenge message, then generate a user login response message and return it to the node server.
In practical applications, the client may judge whether the secure interactive process version field and the server security configuration field in the user login challenge message contain the corresponding preset second field contents. Specifically, the client may judge whether the field contents of the secure interactive process version field and of the 1st byte of the server security configuration field are both "0x01". If both are "0x01", the client executes the subsequent steps; if the field contents of the secure interactive process version field and/or of the 1st byte of the server security configuration field are not "0x01", the process ends.
If the secure interactive process version field and the server security configuration field in the user login challenge message contain the corresponding preset second field contents, the client may use the user private key to decrypt the field contents of the symmetric key ciphertext field, obtaining a user decryption result. The client then generates a user login response message according to the user decryption result, the field contents of the server random number field and the user password.
In an embodiment of the present invention, the user login response message may include a secure interactive process version field, a user security configuration field and a user password ciphertext field, etc. Table 3 shows a specific example of a user login response message.
Table 3
If the secure interactive process version field and/or the server security configuration field in the user login challenge message do not contain the corresponding preset second field contents, the process ends.
Step 105: the node server performs a verification operation on the user login response message, and allows the user of the client to log on to the node server if the verification passes.
In an embodiment of the present invention, the process by which the node server performs the verification operation on the user login response message may include the following steps.
Step 301: the node server judges whether the secure interactive process version field and the user security configuration field in the user login response message contain the corresponding preset third field contents. If they do, step 302 is executed; if the secure interactive process version field and/or the user security configuration field in the user login response message do not contain the corresponding preset third field contents, the process ends.
In practical applications, the node server may judge whether the field contents of the secure interactive process version field and of the 1st byte of the user security configuration field in the user login response message are both "0x01". If both are "0x01", step 302 is executed; if the field contents of the secure interactive process version field and/or of the 1st byte of the user security configuration field in the user login response message are not "0x01", the process ends.
Step 302: the node server uses the server symmetric key to decrypt the field contents of the user password ciphertext field, obtaining a server decryption result.
Step 303: the node server performs an XOR operation on the server decryption result and the server random number to obtain the user password.
Step 304: the node server compares whether the user password is consistent with the key. If the user password is consistent with the key, the node server determines that the verification of the user login response message passes; if the user password is inconsistent with the key, the process ends.
Steps 103 to 105 above may be regarded as the login process of the user.
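The login exchange of steps 201 to 304, written out end to end as an added example; it is not code from the patent or from Visionvera. Textbook RSA stands in for the UKey's unspecified asymmetric algorithm and a SHA-256 keystream for the unspecified symmetric cipher; a 32-byte server random number, a 16-byte server symmetric key, zero-padding of the password to the random number length, message fields carried as dict entries, and the server matching a response to its pending challenge by user name are all assumptions.

```python
import hashlib
import hmac
import secrets

VERSION, CFG_BIDIR = b"\x01", b"\x01"  # version field value; config-field 1st byte "0x01" = bi-directional verification

# Textbook RSA (no padding) stands in for the UKey's unspecified asymmetric algorithm; illustration only.
def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin witness loop
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x not in (1, n - 1) and not any((x := pow(x, 2, n)) == n - 1 for _ in range(r - 1)):
            return False
    return True

def rsa_keygen(bits: int = 512):
    """Return ((n, e), (n, d)); the UKey keeps (n, d) and the node server stores (n, e) at registration."""
    e, primes = 65537, []
    while len(primes) < 2:
        cand = secrets.randbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        if (cand - 1) % e and cand not in primes and _is_probable_prime(cand):
            primes.append(cand)
    n, phi = primes[0] * primes[1], (primes[0] - 1) * (primes[1] - 1)
    return (n, e), (n, pow(e, -1, phi))

def rsa_encrypt(pub, data: bytes) -> int:
    return pow(int.from_bytes(data, "big"), pub[1], pub[0])

def rsa_decrypt(priv, c: int, length: int):
    m = pow(c, priv[1], priv[0])
    return m.to_bytes(length, "big") if m.bit_length() <= 8 * length else None  # None: not this key's ciphertext

def sym_crypt(key: bytes, data: bytes) -> bytes:
    """SHA-256 keystream XOR standing in for the unnamed symmetric cipher; the same call encrypts and decrypts."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class NodeServer:
    def __init__(self):
        self.users = {}    # user name -> (password, user public key), stored at registration
        self.pending = {}  # user name -> (server random number, server symmetric key) awaiting a response

    def register(self, username: str, password: str, user_pub) -> bool:
        if not username or not password:  # legitimacy verification; the text does not define the rule
            return False
        self.users[username] = (password.encode(), user_pub)
        return True

    def handle_login_request(self, req: dict):
        # step 201: version field and 1st byte of the user security configuration field must both be 0x01
        if req["version"] != VERSION or req["user_cfg"][:1] != CFG_BIDIR:
            return None
        entry = self.users.get(req["username"])  # step 202: an unregistered user name ends the process
        if entry is None:
            return None
        rand, skey = secrets.token_bytes(32), secrets.token_bytes(16)  # step 203
        self.pending[req["username"]] = (rand, skey)
        return {"version": VERSION, "server_cfg": CFG_BIDIR, "server_rand": rand,
                "sym_key_ct": rsa_encrypt(entry[1], skey)}

    def verify_login_response(self, username: str, resp: dict) -> bool:
        # step 301: version field and 1st byte of the user security configuration field must both be 0x01
        if resp["version"] != VERSION or resp["user_cfg"][:1] != CFG_BIDIR or username not in self.pending:
            return False
        rand, skey = self.pending.pop(username)  # one-shot: a replayed response finds no pending challenge
        decrypted = sym_crypt(skey, resp["pw_ct"])                      # step 302
        password = xor(decrypted, rand).rstrip(b"\x00")                 # step 303
        return hmac.compare_digest(password, self.users[username][0])   # step 304, constant-time compare

class Client:
    def __init__(self, username: str, password: str):
        self.username, self.password = username, password.encode()
        self.pub, self._priv = rsa_keygen()  # the UKey generates the pair and keeps the private key

    def login_request(self) -> dict:
        return {"version": VERSION, "user_cfg": CFG_BIDIR, "username": self.username}

    def handle_challenge(self, ch: dict):
        if ch["version"] != VERSION or ch["server_cfg"][:1] != CFG_BIDIR:  # preset second field contents
            return None
        skey = rsa_decrypt(self._priv, ch["sym_key_ct"], 16)  # user decryption result = server symmetric key
        if skey is None:
            return None
        padded = self.password.ljust(32, b"\x00")  # assumption: password zero-padded to the random number length
        return {"version": VERSION, "user_cfg": CFG_BIDIR, "pw_ct": sym_crypt(skey, xor(padded, ch["server_rand"]))}

def run_login(server: NodeServer, client: Client) -> bool:
    ch = server.handle_login_request(client.login_request())
    resp = client.handle_challenge(ch) if ch is not None else None
    return resp is not None and server.verify_login_response(client.username, resp)
```

A client holding the right UKey but the wrong password, a client with the right password but a different UKey, and a replayed response all fail `run_login`, which is the bi-directional check the text describes.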
Referring to Fig. 2, a flow diagram of the user registration process in a user authentication method is shown. A UKey is installed in the client, and the user inputs the user name and password to be registered through the client. The client calls the UKey to generate a user asymmetric key pair corresponding to the user name and password to be registered, writes the user private key of the user asymmetric key pair into the UKey, and sends the user public key of the user asymmetric key pair together with the user name and password to be registered to the node server. The node server verifies the legitimacy of the user name and the legitimacy of the password; if the user name and password pass the legitimacy verification, the user name, password and user public key are stored together locally on the node server or in a database.
Referring to Fig. 3, a flow diagram of the user login process in a user authentication method is shown. The user sends a user login request message to the node server through the client. The node server verifies the user login request message and returns a user login challenge message to the client. The client verifies the user login challenge message and sends a user login response message to the node server. The node server verifies the user login response message; if the verification passes, the node server allows the user of the client to log on to the node server.
Referring to Fig. 4, a software and hardware architecture diagram of a user authentication method is shown. The user issues an authentication request to the node server through the client. The client may include a user interface module, a user authentication secure interaction module, software middleware and a cryptographic module software development kit (Software Development Kit, SDK), where the user authentication secure interaction module communicates with the user authentication secure interaction module of the node server through a management pass-through channel. The node server also includes software middleware, a cryptographic operation software library and a database. The cryptographic module SDK of the client is used to call the cryptographic module software/firmware of the cryptographic module.
The user authentication scheme provided in the embodiments of the present invention may be applied to an authentication system. The authentication system may include a node server and a client, where the node server and the client are arranged in the view networking, and the node server may be communicatively connected to the client.
In an embodiment of the present invention, the user sends a user registration request message to the node server through the client; the user registration request message includes a user name, a password and a user public key. The user public key is the public key of the user asymmetric key pair that the client generates for the user name and password. The node server performs a verification operation on the user name and password in the user registration request message, and stores the user name, password and user public key if the verification passes. After the user has registered successfully at the node server, the user sends a user login request message to the node server through the client; the node server performs a verification operation on the user login request message, then generates a user login challenge message and returns it to the client. The client in turn performs a verification operation on the user login challenge message, then generates a user login response message and returns it to the node server. The node server performs a verification operation on the user login response message, and allows the user of the client to log on to the node server if the verification passes. In the embodiments of the present invention, the registration process of the user not only sends the user name and password to the node server but also sends the user public key of the user asymmetric key pair, and the node server stores the user name, password and user public key locally once the user name and password are verified. In the login process of the user, not only does the node server verify the user login request message and the user login response message, but the client also verifies the user login challenge message of the node server, so that bi-directional verification between the node server and the client is realized; only when all verifications pass does the node server allow the user of the client to log on to the node server, which improves the security of user registration and login.
It should be noted that, for simplicity of description, the method embodiments are described as a series of action combinations, but those skilled in the art should understand that the embodiments of the present invention are not limited by the described sequence of actions, because according to the embodiments of the present invention some steps may be performed in other orders or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in the specification are all preferred embodiments, and the actions involved are not necessarily required by the embodiments of the present invention.
Referring to Fig. 5, a structural block diagram of an embodiment of a user authentication device of the present invention is shown. The device may be applied to the node server in an authentication system; the node server is communicatively connected to the client in the authentication system, and the node server and the client are arranged in the view networking. The device may specifically include the following modules:
a receiving module 51, configured to receive a user registration request message from the client, the user registration request message including a user name, a password and a user public key, where the client is configured to generate, for the user name and the password, a user asymmetric key pair including the user public key and a user private key;
a verification module 52, configured to perform a verification operation on the user name and the password;
a storage module 53, configured to store the user name, the password and the user public key when the verification module 52 passes the verification of the user name and the password;
the receiving module 51 is further configured to receive a user login request message from the client;
the verification module 52 is further configured to perform a verification operation on the user login request message, and to generate and return a user login challenge message to the client, so that the client performs a verification operation on the user login challenge message and generates and returns a user login response message to the node server;
the verification module 52 is further configured to perform a verification operation on the user login response message;
a login module 54, configured to allow the user of the client to log on to the node server when the verification module 52 passes the verification of the user login response message.
In a preferred embodiment of the present invention, a UKey is installed in the client; the client is configured to call a preset algorithm in the UKey to generate the user asymmetric key pair for the user name and the password, and the client is further configured to store the user private key in the UKey.
In a preferred embodiment of the present invention, the user login request message includes a secure interactive process version field, a user security configuration field and a username field;
the verification module 52 includes:
a judgment module 521, configured to judge whether the secure interactive process version field and the user security configuration field contain corresponding preset first field contents;
a search module 522, configured to search for the user public key according to the field contents of the username field when the secure interactive process version field and the user security configuration field contain the corresponding preset first field contents;
a generation module 523, configured to generate the user login challenge message according to the user public key and to return the user login challenge message to the client.
In a preferred embodiment of the present invention, the generation module 523 is configured to generate a server random number and a server symmetric key; to encrypt the server symmetric key with the user public key to obtain a server symmetric key ciphertext; and to generate the user login challenge message according to the server random number and the server symmetric key ciphertext.
In a preferred embodiment of the present invention, the user login challenge message includes a secure interactive process version field, a server security configuration field, a server random number field and a symmetric key ciphertext field; the field contents of the server random number field include the server random number, and the field contents of the symmetric key ciphertext field include the server symmetric key ciphertext;
the client is configured to judge whether the secure interactive process version field and the server security configuration field in the user login challenge message contain corresponding preset second field contents;
the client is further configured to decrypt the field contents of the symmetric key ciphertext field with the user private key, obtaining a user decryption result, when the secure interactive process version field and the server security configuration field in the user login challenge message contain the corresponding preset second field contents;
the client is further configured to generate the user login response message according to the user decryption result, the field contents of the server random number field and the user password.
In a preferred embodiment of the present invention, the client is further configured to encrypt, with the user decryption result, the XOR value of the field contents of the server random number field and the user password, obtaining a user password ciphertext.
In a preferred embodiment of the present invention, the user login response message includes a secure interactive process version field, a user security configuration field and a user password ciphertext field, the field contents of the user password ciphertext field including the user password ciphertext;
the judgment module 521 is further configured to judge whether the secure interactive process version field and the user security configuration field in the user login response message contain corresponding preset third field contents;
the verification module 52 further includes:
a decryption module 524, configured to decrypt the field contents of the user password ciphertext field with the server symmetric key, obtaining a server decryption result, when the secure interactive process version field and the user security configuration field in the user login response message contain the corresponding preset third field contents;
an XOR module 525, configured to perform an XOR operation on the server decryption result and the server random number to obtain the user password;
a comparison module 526, configured to compare whether the user password and the key are consistent;
a determination module 527, configured to determine that the verification of the user login response message passes when the user password and the key are consistent.
Since the device embodiments are basically similar to the method embodiments, their description is relatively simple; for related details, refer to the description of the method embodiments.
An embodiment of the present invention also provides a device, including:
one or more processors; and
one or more machine-readable media storing instructions that, when executed by the one or more processors, cause the device to perform one or more of the user authentication methods described in the embodiments of the present invention.
An embodiment of the present invention also provides a computer-readable storage medium storing a computer program that causes a processor to perform the user authentication method described in the embodiments of the present invention.
The embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments may be referred to each other.
To enable those skilled in the art to better understand the embodiments of the present invention, the view networking is introduced below:
The view networking is an important milestone in network development. It is a real-time network that can realize real-time transmission of high-definition video, pushing numerous Internet applications towards high-definition video and high-definition face-to-face communication.
The view networking uses real-time high-definition video switching technology and can integrate on one network platform the required services, such as high-definition video conferencing, video monitoring, intelligent monitoring analysis, emergency command, digital broadcast television, delayed television, web-based teaching, live broadcasting, VOD on demand, TV mail, personal video recording (PVR), intranet (self-managed) channels, intelligent video broadcast control, information publishing and dozens of other video, voice, picture, text, communication and data services, realizing high-definition video playback through a television or computer.
Part of the technology applied in the view networking is described below:
Network technology (Network Technology)
The network technology innovation of the view networking improves on traditional Ethernet to cope with the potentially huge video traffic on the network. Different from simple network packet switching (Packet Switching) or circuit switching (Circuit Switching), the view networking technology uses packet switching to meet streaming demands. The view networking technology has the flexibility, simplicity and low cost of packet switching, while also having the quality and security assurance of circuit switching, realizing a seamless connection of network-wide switched virtual circuits and data formats.
Switching technology (Switching Technology)
The view networking uses the two advantages of Ethernet, asynchrony and packet switching, and eliminates the defects of Ethernet under the premise of full compatibility. It has network-wide end-to-end seamless connection, reaches the user terminal directly, and directly carries IP data packets. User data needs no format conversion across the whole network. The view networking is a more advanced form of Ethernet; it is a real-time switching platform that can realize network-wide large-scale high-definition real-time video transmission, which the current Internet cannot achieve, and pushes numerous network video applications towards high definition and unification.
Server technology (Server Technology)
Different from traditional servers, the streaming media transmission of the server technology in the view networking and the unified video platform is built on a connection-oriented basis; its data processing capability is independent of traffic and communication time, and a single network layer can transmit both signaling and data. For voice and video services, the complexity of streaming media processing in the view networking and the unified video platform is much lower than that of data processing, and the efficiency is hundreds of times higher than that of traditional servers.
Storage technology (Storage Technology)
To adapt to media content of huge capacity and very large traffic, the ultra-high-speed storage technology of the unified video platform adopts a state-of-the-art real-time operating system and maps the program information in server instructions to specific hard disk space; media content no longer passes through the server but is delivered directly to the user terminal at once, and the typical user waiting time is less than 0.2 seconds. The optimized sector distribution greatly reduces the mechanical movement of hard disk head seeking; resource consumption is only 20% of that of an Internet IP of the same level, but concurrent traffic more than 3 times that of a traditional disk array is generated, and overall efficiency is increased more than 10 times.
Network security technology (Network Security Technology)
The structural design of the view networking, by means of service-independent licensing and complete isolation of device and user data on every occasion, has thoroughly eradicated from the structure the network security problems that plague the Internet; generally no antivirus programs or firewalls are needed, attacks by hackers and viruses are blocked, and users are provided with a structurally carefree secure network.
Service innovation technology (Service Innovation Technology)
The unified video platform fuses services and transmission together; whether for a single user, a private network user or an entire network, the sum total is only one automatic connection. User terminals, set-top boxes or PCs are directly connected to the unified video platform to obtain rich and colorful multimedia video services of various forms. The unified video platform uses "menu-style" table-schema configuration to replace traditional complicated application programming, so that complicated applications can be realized with very little code, realizing "endless" new service innovation.
The networking of the view networking is described below:
The view networking is a centrally controlled network structure; the network may be of the tree, star, ring or other type, but on this basis a centralized control node is needed in the network to control the whole network.
As shown in Fig. 6, the view networking is divided into two parts: the access network and the metropolitan area network (MAN).
The devices of the access network part can be mainly divided into 3 classes: node servers, access switches, and terminals (including various set-top boxes, encoding boards, storage devices, etc.). The node server is connected to the access switch, and the access switch can be connected to multiple terminals and can also connect to Ethernet.
The node server is the node that performs the centralized control function in the access network and can control the access switches and terminals. The node server can be directly connected to an access switch, or directly connected to a terminal.
Similarly, the devices of the metropolitan area network part can also be divided into 3 classes: metropolitan area servers, node switches and node servers. The metropolitan area server is connected to the node switch, and the node switch can be connected to multiple node servers.
Here the node server is the node server of the access network part, i.e. the node server belongs both to the access network part and to the metropolitan area network part.
The metropolitan area server is the node that performs the centralized control function in the metropolitan area network and can control the node switches and node servers. The metropolitan area server can be directly connected to a node switch, or directly connected to a node server.
It can be seen that the whole view networking is a layered, centrally controlled network structure, and the networks controlled by the node servers and the metropolitan area servers can be of various structures such as tree, star and ring.
Visually, the access network part can form a unified video platform (the part inside the virtual circle), and multiple unified video platforms can form the view networking; each unified video platform can be interconnected through the metropolitan area and wide area view networking.
Classification of view networking devices
1.1 In an embodiment of the present invention, the devices in the view networking can be mainly divided into 3 classes: servers, switches (including Ethernet gateways) and terminals (including various set-top boxes, encoding boards, storage devices, etc.). The view networking as a whole can be divided into a metropolitan area network (or national network, global network, etc.) and an access network.
1.2 The devices of the access network part can be mainly divided into 3 classes: node servers, access switches (including Ethernet gateways) and terminals (including various set-top boxes, encoding boards, storage devices, etc.).
The specific hardware structure of each access network device is as follows:
Node server:
As shown in Fig. 7, it mainly includes a network interface module 701, a switching engine module 702, a CPU module 703 and a disk array module 704;
The packets coming in from the network interface module 701, the CPU module 703 and the disk array module 704 all enter the switching engine module 702. The switching engine module 702 performs a lookup in the address table 705 for each incoming packet to obtain the packet's routing information, and stores the packet in the queue of the corresponding packet buffer 706 according to that routing information; if the queue of the packet buffer 706 is nearly full, the packet is discarded. The switching engine module 702 polls all packet buffer queues and forwards a packet when the following conditions are met: 1) the port send cache is not full; 2) the queue packet counter is greater than zero. The disk array module 704 mainly realizes control of the hard disks, including operations such as initialization and reading/writing of the hard disks; the CPU module 703 is mainly responsible for protocol processing with the access switches and terminals (not shown), for configuring the address table 705 (including the downlink protocol packet address table, the uplink protocol packet address table and the data packet address table), and for configuring the disk array module 704.
Access switch:
As shown in Fig. 8, it mainly includes network interface modules (a downlink network interface module 801 and an uplink network interface module 802), a switching engine module 803 and a CPU module 804;
Packets (uplink data) coming in from the downlink network interface module 801 enter the packet detection module 805. The packet detection module 805 detects whether the destination address (DA), source address (SA), data packet type and packet length of the packet meet the requirements; if so, it allocates a corresponding stream identifier (stream-id) and the packet enters the switching engine module 803, otherwise the packet is discarded. Packets (downlink data) coming in from the uplink network interface module 802 enter the switching engine module 803; data packets coming in from the CPU module 804 enter the switching engine module 803. The switching engine module 803 performs a lookup in the address table 806 for each incoming packet to obtain the packet's routing information. If a packet entering the switching engine module 803 is going from the downlink network interface to the uplink network interface, it is stored in the queue of the corresponding packet buffer 807 in combination with the stream identifier (stream-id); if the queue of the packet buffer 807 is nearly full, the packet is discarded. If a packet entering the switching engine module 803 is not going from the downlink network interface to the uplink network interface, it is stored in the data packet queue of the corresponding packet buffer 807 according to the packet's routing information; if the queue of the packet buffer 807 is nearly full, the packet is discarded.
The switching engine module 803 polls all packet buffer queues, which in the embodiment of the present invention is divided into two cases:
If the queue is going from the downlink network interface to the uplink network interface, a packet is forwarded when the following conditions are met: 1) the port send cache is not full; 2) the queue packet counter is greater than zero; 3) a token generated by the rate control module is obtained;
If the queue is not going from the downlink network interface to the uplink network interface, a packet is forwarded when the following conditions are met: 1) the port send cache is not full; 2) the queue packet counter is greater than zero.
The rate control module 808 is configured by the CPU module 804 and generates tokens at programmable intervals for all packet buffer queues going from the downlink network interfaces to the uplink network interface, so as to control the code rate of uplink forwarding.
The CPU module 804 is mainly responsible for protocol processing with the node server, for configuring the address table 806, and for configuring the rate control module 808.
Ethernet protocol conversion gateway:
As shown in Fig. 9, it mainly includes network interface modules (a downlink network interface module 901 and an uplink network interface module 902), a switching engine module 903, a CPU module 904, a packet detection module 905, a rate control module 908, an address table 906, a packet buffer 907, a MAC adding module 909 and a MAC removing module 910.
Data packets coming in from the downlink network interface module 901 enter the packet detection module 905. The packet detection module 905 detects whether the Ethernet MAC DA, Ethernet MAC SA, Ethernet length or frame type, view networking destination address DA, view networking source address SA, view networking data packet type and packet length of the data packet meet the requirements; if so, a corresponding stream identifier (stream-id) is allocated, then the MAC DA, MAC SA and length or frame type (2 bytes) are removed by the MAC removing module 910 and the packet enters the corresponding receive cache; otherwise the packet is discarded;
The downlink network interface module 901 checks the send cache of the port; if there is a packet, it learns the Ethernet MAC DA of the corresponding terminal from the view networking destination address DA of the packet, adds the Ethernet MAC DA of the terminal, the MAC SA of the Ethernet protocol conversion gateway and the Ethernet length or frame type, and sends the packet.
The functions of the other modules in the Ethernet protocol conversion gateway are similar to those of the access switch.
Terminal:
It mainly includes a network interface module, a service processing module and a CPU module. For example, a set-top box mainly includes a network interface module, a video/audio encoding and decoding engine module and a CPU module; an encoding board mainly includes a network interface module, a video encoding engine module and a CPU module; a storage device mainly includes a network interface module, a CPU module and a disk array module.
1.3 The devices of the metropolitan area network part can be mainly divided into 2 classes: node servers, node switches and metropolitan area servers. The node switch mainly includes a network interface module, a switching engine module and a CPU module; the metropolitan area server mainly includes a network interface module, a switching engine module and a CPU module.
2. View networking data packet definitions
2.1 Access network data packet definition
The access network data packet mainly includes the following parts: destination address (DA), source address (SA), reserved bytes, payload (PDU) and CRC.
As shown in the table below, the access network data packet mainly includes the following parts:
DA SA Reserved Payload CRC
Wherein:
Destination address (DA) is made of 8 bytes (byte), and first character section indicates type (such as the various associations of data packet Discuss packet, multicast packet, unicast packet etc.), be up to 256 kinds of possibility, the second byte to the 6th byte is metropolitan area net address, Seven, the 8th bytes are access net address;
Source address (SA) is also to be made of 8 bytes (byte), is defined identical as destination address (DA);
Reserve bytes are made of 2 bytes;
The part payload has different length according to the type of different datagrams, is if it is various protocol packages 64 bytes are 32+1024=1056 bytes if it is single group unicast packets words, are not restricted to above 2 kinds certainly;
CRC is made of 4 bytes, and calculation method follows the Ethernet CRC algorithm of standard.
2.2 Metropolitan area network packet definition
The topology of the metropolitan area network is a graph, and there may be 2 or more connections between two devices, i.e. there may be more than 2 connections between a node switch and a node server, or between a node switch and another node switch. The metropolitan area network address of a metropolitan area network device is, however, unique. To describe the connections between metropolitan area network devices accurately, an embodiment of the present invention introduces a parameter, the label, to describe a metropolitan area network device uniquely.
The definition of the label in this specification is similar to the label definition of MPLS (Multi-Protocol Label Switching). Suppose there are two connections between device A and device B; then packets from device A to device B have 2 labels, and packets from device B to device A also have 2 labels. Labels are divided into ingress labels and egress labels. Suppose the label with which a packet enters device A (its ingress label) is 0x0000; the label with which the packet leaves device A (its egress label) may become 0x0001. The metropolitan area network is joined under centralized control, which means that both address allocation and label allocation in the metropolitan area network are dominated by the metropolitan area server, while the node switches and node servers only execute passively. This differs from MPLS, where label distribution is the result of negotiation between the switches and servers.
As shown in the table below, the metropolitan area network packet mainly comprises the following parts:
DA | SA | Reserved | Label | Payload | CRC
That is, destination address (DA), source address (SA), reserved bytes (Reserved), label, payload (PDU) and CRC. The format of the label may be defined as follows: the label is 32 bits, of which the high 16 bits are reserved and only the low 16 bits are used; it is located between the reserved bytes and the payload of the packet.
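A worked encoder and decoder for the two packet layouts above, added here as an example; it is not code from the patent or from Visionvera. The page gives the field widths of sections 2.1 and 2.2 and says the CRC follows the standard Ethernet CRC algorithm; big-endian field encoding, a CRC computed over every preceding byte of the packet, and all names in the code are assumptions. The decoder performs the receive-side checks that the packet detection module of the gateway described above would need, in the order a parser should apply them: length, then CRC, then the label's reserved bits, before any field is used.

```go
package main

import (
	"encoding/binary"
	"errors"
	"hash/crc32"
)

// Layouts from sections 2.1 and 2.2 (big-endian encoding is an assumption):
//   access net: DA(8) | SA(8) | Reserved(2) |          | Payload | CRC(4)
//   metro net:  DA(8) | SA(8) | Reserved(2) | Label(4) | Payload | CRC(4)
const (
	addrLen   = 8
	labelLen  = 4
	crcLen    = 4
	headerLen = 2*addrLen + 2 // DA, SA and the 2 reserved bytes
)

// Address is the 8-byte DA/SA: type byte, 5-byte metro address, 2-byte access address.
type Address struct {
	Type   byte    // packet type (protocol, multicast, unicast, ...), up to 256 values
	Metro  [5]byte // metropolitan area network address, bytes 2 to 6
	Access uint16  // access network address, bytes 7 and 8
}

func parseAddress(b []byte) Address {
	var a Address
	a.Type = b[0]
	copy(a.Metro[:], b[1:6])
	a.Access = binary.BigEndian.Uint16(b[6:8])
	return a
}

func (a Address) appendTo(out []byte) []byte {
	out = append(out, a.Type)
	out = append(out, a.Metro[:]...)
	return append(out, byte(a.Access>>8), byte(a.Access))
}

// Packet is a decoded access-net packet, or a metro-net packet when HasLabel is set.
type Packet struct {
	DA, SA   Address
	Reserved uint16
	HasLabel bool
	Label    uint16 // low 16 bits of the 32-bit label; the high 16 bits are reserved
	Payload  []byte
}

var (
	ErrShort    = errors.New("packet shorter than header plus CRC")
	ErrCRC      = errors.New("CRC mismatch")
	ErrLabelRsv = errors.New("reserved high 16 bits of label are not zero")
)

// Encode serialises the packet and appends the CRC; hash/crc32's IEEE table is the Ethernet polynomial.
func (p *Packet) Encode() []byte {
	out := make([]byte, 0, headerLen+labelLen+len(p.Payload)+crcLen)
	out = p.DA.appendTo(out)
	out = p.SA.appendTo(out)
	out = append(out, byte(p.Reserved>>8), byte(p.Reserved))
	if p.HasLabel {
		out = append(out, 0, 0, byte(p.Label>>8), byte(p.Label)) // reserved high half is zero
	}
	out = append(out, p.Payload...)
	var crc [crcLen]byte
	binary.BigEndian.PutUint32(crc[:], crc32.ChecksumIEEE(out))
	return append(out, crc[:]...)
}

// Decode is the receive-side check: length, then CRC over the whole packet, then the
// label's reserved bits; no field is read before the check that covers it has passed.
func Decode(raw []byte, metro bool) (*Packet, error) {
	minLen := headerLen + crcLen
	if metro {
		minLen += labelLen
	}
	if len(raw) < minLen {
		return nil, ErrShort
	}
	body, trail := raw[:len(raw)-crcLen], raw[len(raw)-crcLen:]
	if crc32.ChecksumIEEE(body) != binary.BigEndian.Uint32(trail) {
		return nil, ErrCRC
	}
	p := &Packet{
		DA:       parseAddress(body[:addrLen]),
		SA:       parseAddress(body[addrLen : 2*addrLen]),
		Reserved: binary.BigEndian.Uint16(body[2*addrLen : headerLen]),
		HasLabel: metro,
	}
	off := headerLen
	if metro {
		label := binary.BigEndian.Uint32(body[off : off+labelLen])
		if label>>16 != 0 {
			return nil, ErrLabelRsv
		}
		p.Label = uint16(label)
		off += labelLen
	}
	p.Payload = append([]byte(nil), body[off:]...) // copy, so the caller's buffer can be reused
	return p, nil
}
```

Run it under go test with a test that encodes a 1056-byte unicast packet, flips one payload bit and expects ErrCRC, and truncates the packet and expects ErrShort. The CRC only protects against transmission errors: anyone who can inject packets recomputes it, so it must not be mistaken for an integrity check on the addresses or the label.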
Those skilled in the art will appreciate that embodiments of the present invention may be provided as a method, an apparatus or a computer program product. Therefore, embodiments of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, embodiments of the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
Embodiments of the present invention are described with reference to flowcharts and/or block diagrams of methods, terminal devices (systems) and computer program products according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing terminal device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing terminal device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing terminal device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing terminal device, such that a series of operational steps are performed on the computer or other programmable terminal device to produce a computer-implemented process, such that the instructions executed on the computer or other programmable terminal device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the present invention have been described, those skilled in the art, once they know the basic inventive concept, can make additional changes and modifications to these embodiments. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments and all changes and modifications that fall within the scope of the embodiments of the present invention.
Finally, it should also be noted that, herein, relational terms such as first and second are used merely to distinguish one entity or operation from another entity or operation, without necessarily requiring or implying any actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or terminal device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or also includes elements inherent to such a process, method, article or terminal device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or terminal device that includes the element.
The user authentication method, apparatus and computer-readable storage medium provided by the present invention have been described in detail above. Specific examples have been used herein to explain the principles and implementation of the invention; the description of the above embodiments is only intended to help understand the method of the invention and its core idea. Meanwhile, for those of ordinary skill in the art, there will be changes in the specific implementation and scope of application according to the idea of the invention. In summary, the contents of this specification should not be construed as limiting the invention.

Claims (16)

1. A user authentication method, characterized in that it is applied to an authentication system, the authentication system comprising a node server and a client, wherein the node server and the client are located in the view networking and the node server is communicatively connected to the client, the method comprising:
the node server receiving a user registration request message from the client, the user registration request message comprising a user name, a password and a user public key, the client being configured to generate, for the user name and the password, a user asymmetric key pair comprising the user public key and a user private key;
the node server performing a verification operation on the user name and the password and, when the verification passes, storing the user name, the password and the user public key;
the node server receiving a user login request message from the client;
the node server performing a verification operation on the user login request message, generating a user login challenge message and returning it to the client, so that the client performs a verification operation on the user login challenge message, generates a user login response message and returns it to the node server;
the node server performing a verification operation on the user login response message and, when the verification passes, allowing the user of the client to log in to the node server.
2. The user authentication method according to claim 1, characterized in that a UKey is installed in the client, the client being configured to call a preset algorithm in the UKey to generate the user asymmetric key pair for the user name and the password; the client is further configured to store the user private key in the UKey.
3. The user authentication method according to claim 1, characterized in that the user login request message comprises: a secure interaction procedure version field, a user security configuration field and a user name field;
the step of the node server performing a verification operation on the user login request message, generating a user login challenge message and returning it to the client comprises:
the node server judging whether the secure interaction procedure version field and the user security configuration field contain the corresponding preset first field contents;
when the secure interaction procedure version field and the user security configuration field contain the corresponding preset first field contents, the node server looking up the user public key according to the field contents of the user name field;
the node server generating the user login challenge message according to the user public key and returning the user login challenge message to the client.
4. The user authentication method according to claim 3, characterized in that the step of the node server generating the user login challenge message according to the user public key comprises:
the node server generating a server random number and a server symmetric key;
the node server performing an encryption operation on the server symmetric key using the user public key to obtain a server symmetric key ciphertext;
the node server generating the user login challenge message according to the server random number and the server symmetric key ciphertext.
5. The user authentication method according to claim 4, characterized in that the user login challenge message comprises: a secure interaction procedure version field, a server security configuration field, a server random number field and a symmetric key ciphertext field; the field contents of the server random number field comprise the server random number, and the field contents of the symmetric key ciphertext field comprise the server symmetric key ciphertext;
the client being configured to judge whether the secure interaction procedure version field and the server security configuration field in the user login challenge message contain the corresponding preset second field contents;
the client being further configured, when the secure interaction procedure version field and the server security configuration field in the user login challenge message contain the corresponding preset second field contents, to decrypt the field contents of the symmetric key ciphertext field using the user private key to obtain a user decryption result;
the client being further configured to generate the user login response message according to the user decryption result, the field contents of the server random number field and the user password.
6. The user authentication method according to claim 5, characterized in that the client is further configured to encrypt, using the user decryption result, the XOR value of the field contents of the server random number field and the user password, to obtain a user password ciphertext.
7. The user authentication method according to claim 5, characterized in that the user login response message comprises: a secure interaction procedure version field, a user security configuration field and a user password ciphertext field, the field contents of the user password ciphertext field comprising the user password ciphertext;
the step of the node server performing a verification operation on the user login response message comprises:
the node server judging whether the secure interaction procedure version field and the user security configuration field in the user login response message contain the corresponding preset third field contents;
when the secure interaction procedure version field and the user security configuration field in the user login response message contain the corresponding preset third field contents, the node server decrypting the field contents of the user password ciphertext field using the server symmetric key to obtain a server decryption result;
the node server performing an XOR operation on the server decryption result and the server random number to obtain the user password;
the node server judging whether the user password is consistent with the password stored at registration;
when the user password is consistent with the password, the node server determining that the verification of the user login response message passes.
8. A user authentication apparatus, characterized in that it is applied to a node server in an authentication system, the node server being communicatively connected to a client in the authentication system, and the node server and the client being located in the view networking, the apparatus comprising:
a receiving module, configured to receive a user registration request message from the client, the user registration request message comprising a user name, a password and a user public key, the client being configured to generate, for the user name and the password, a user asymmetric key pair comprising the user public key and a user private key;
a verification module, configured to perform a verification operation on the user name and the password;
a storage module, configured to store the user name, the password and the user public key when the verification module passes the verification of the user name and the password;
the receiving module being further configured to receive a user login request message from the client;
the verification module being further configured to perform a verification operation on the user login request message, generate a user login challenge message and return it to the client, so that the client performs a verification operation on the user login challenge message, generates a user login response message and returns it to the node server;
the verification module being further configured to perform a verification operation on the user login response message;
a login module, configured to allow the user of the client to log in to the node server when the verification module passes the verification of the user login response message.
9. The user authentication apparatus according to claim 8, characterized in that a UKey is installed in the client, the client being configured to call a preset algorithm in the UKey to generate the user asymmetric key pair for the user name and the password; the client is further configured to store the user private key in the UKey.
10. The user authentication apparatus according to claim 8, characterized in that the user login request message comprises: a secure interaction procedure version field, a user security configuration field and a user name field;
the verification module comprises:
a judging module, configured to judge whether the secure interaction procedure version field and the user security configuration field contain the corresponding preset first field contents;
a lookup module, configured to look up the user public key according to the field contents of the user name field when the secure interaction procedure version field and the user security configuration field contain the corresponding preset first field contents;
a generation module, configured to generate the user login challenge message according to the user public key and return the user login challenge message to the client.
11. The user authentication apparatus according to claim 10, characterized in that the generation module is configured to generate a server random number and a server symmetric key; perform an encryption operation on the server symmetric key using the user public key to obtain a server symmetric key ciphertext; and generate the user login challenge message according to the server random number and the server symmetric key ciphertext.
12. The user authentication apparatus according to claim 11, characterized in that the user login challenge message comprises: a secure interaction procedure version field, a server security configuration field, a server random number field and a symmetric key ciphertext field; the field contents of the server random number field comprise the server random number, and the field contents of the symmetric key ciphertext field comprise the server symmetric key ciphertext;
the client being configured to judge whether the secure interaction procedure version field and the server security configuration field in the user login challenge message contain the corresponding preset second field contents;
the client being further configured, when the secure interaction procedure version field and the server security configuration field in the user login challenge message contain the corresponding preset second field contents, to decrypt the field contents of the symmetric key ciphertext field using the user private key to obtain a user decryption result;
the client being further configured to generate the user login response message according to the user decryption result, the field contents of the server random number field and the user password.
13. The user authentication apparatus according to claim 12, characterized in that the client is further configured to encrypt, using the user decryption result, the XOR value of the field contents of the server random number field and the user password, to obtain a user password ciphertext.
14. The user authentication apparatus according to claim 12, characterized in that the user login response message comprises: a secure interaction procedure version field, a user security configuration field and a user password ciphertext field, the field contents of the user password ciphertext field comprising the user password ciphertext;
the judging module being further configured to judge whether the secure interaction procedure version field and the user security configuration field in the user login response message contain the corresponding preset third field contents;
the verification module further comprising:
a decryption module, configured to decrypt the field contents of the user password ciphertext field using the server symmetric key to obtain a server decryption result when the secure interaction procedure version field and the user security configuration field in the user login response message contain the corresponding preset third field contents;
an XOR module, configured to perform an XOR operation on the server decryption result and the server random number to obtain the user password;
a comparison module, configured to judge whether the user password is consistent with the password stored at registration;
a determination module, configured to determine that the verification of the user login response message passes when the user password is consistent with the password.
15. An apparatus, characterized by comprising:
one or more processors; and
one or more machine-readable media having instructions stored thereon which, when executed by the one or more processors, cause the apparatus to perform the user authentication method according to one or more of claims 1 to 7.
16. A computer-readable storage medium, characterized in that the computer program stored on it, when executed by a processor, performs the user authentication method according to any one of claims 1 to 7.
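The exchange of claims 1 to 7, as an added Go example; it is not the patent's or Visionvera's code. The claims fix the message fields and the operations (public-key encryption of a server symmetric key, XOR of the server random number with the user password, symmetric encryption of that value, then decryption, XOR and comparison on the node server) but not the algorithms, the preset field contents, or the lengths of the XOR operands. RSA-OAEP, AES-256-GCM, a 32-byte random number, SHA-256(password) as the XOR operand, RSA-2048 for the key the UKey would generate, and all names in the code are assumptions. Two points the claims leave open are handled explicitly: the outstanding challenge is consumed by the first response, so a captured response cannot be replayed, and the symmetric ciphertext is authenticated, so a tampered response is rejected before the password comparison.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// Assumptions, none fixed by the claims: the preset field values, RSA-OAEP for the
// asymmetric step, AES-256-GCM for the symmetric step, a 32-byte server random number,
// and SHA-256(password) as the 32-byte XOR operand (so the server stores a digest).
const procVersion, userSecConfig, srvSecConfig = "secure-interaction/1", "client-config-1", "server-config-1"
const nonceLen, keyLen = 32, 32

// The login messages of claims 3, 5 and 7, one struct field per claim field.
type LoginRequest struct{ Version, SecConfig, Username string }
type LoginChallenge struct{ Version, SecConfig string; ServerRandom, SymKeyCiphertext []byte }
type LoginResponse struct{ Version, SecConfig string; PasswordCiphertext []byte }

func pwBytes(password string) []byte { d := sha256.Sum256([]byte(password)); return d[:] }

// newUserKey stands in for the UKey's key generation of claim 2 (RSA-2048 is an assumption).
func newUserKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }

func aead(key []byte) cipher.AEAD { // callers guarantee a keyLen-byte key
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}

type userRecord struct{ pw []byte; pub *rsa.PublicKey }
type pending struct{ random, symKey []byte } // challenge state awaiting its response
type Server struct{ users map[string]*userRecord; pending map[string]*pending }

func NewServer() *Server {
	return &Server{users: map[string]*userRecord{}, pending: map[string]*pending{}}
}

// Register: claim 1. The claim's verification rule for the name and password is not given, so none is applied.
func (s *Server) Register(username, password string, pub *rsa.PublicKey) {
	s.users[username] = &userRecord{pw: pwBytes(password), pub: pub}
}

// Challenge: claims 3 and 4, with a fresh random number and symmetric key per login.
func (s *Server) Challenge(req LoginRequest) (*LoginChallenge, error) {
	u, ok := s.users[req.Username]
	if !ok || req.Version != procVersion || req.SecConfig != userSecConfig {
		return nil, errors.New("login request rejected")
	}
	st := &pending{random: make([]byte, nonceLen), symKey: make([]byte, keyLen)}
	rand.Read(st.random) // crypto/rand.Read cannot return an error from Go 1.24 on
	rand.Read(st.symKey)
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, u.pub, st.symKey, nil)
	if err != nil {
		return nil, err
	}
	s.pending[req.Username] = st
	return &LoginChallenge{procVersion, srvSecConfig, st.random, ct}, nil
}

// Verify: claim 7. The challenge state is consumed first (a captured response cannot be
// replayed), GCM rejects tampering before the XOR, and the password compare is constant-time.
func (s *Server) Verify(username string, resp *LoginResponse) error {
	st, ok := s.pending[username]
	delete(s.pending, username)
	if !ok || resp.Version != procVersion || resp.SecConfig != userSecConfig {
		return errors.New("login response rejected")
	}
	g, ct := aead(st.symKey), resp.PasswordCiphertext
	if len(ct) < g.NonceSize() {
		return errors.New("ciphertext too short")
	}
	plain, err := g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
	if err != nil || len(plain) != nonceLen {
		return errors.New("ciphertext failed authentication")
	}
	subtle.XORBytes(plain, plain, st.random) // undoes the client's XOR, leaving pwBytes
	if subtle.ConstantTimeCompare(plain, s.users[username].pw) != 1 {
		return errors.New("password mismatch")
	}
	return nil
}

// Respond: the client side of claims 2, 5 and 6. In the patent the private key is held in a UKey.
func Respond(priv *rsa.PrivateKey, password string, ch *LoginChallenge) (*LoginResponse, error) {
	if ch.Version != procVersion || ch.SecConfig != srvSecConfig || len(ch.ServerRandom) != nonceLen {
		return nil, errors.New("login challenge rejected")
	}
	symKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ch.SymKeyCiphertext, nil)
	if err != nil || len(symKey) != keyLen {
		return nil, errors.New("symmetric key ciphertext rejected")
	}
	pw := pwBytes(password)
	subtle.XORBytes(pw, pw, ch.ServerRandom)
	g := aead(symKey)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return &LoginResponse{procVersion, userSecConfig, g.Seal(nonce, nonce, pw, nil)}, nil
}
```

Whatever is XORed with the random number must be held on the node server in a form it can compare against (claim 1 stores the password itself; here its digest), so the stored value is a password-equivalent, and at the level of the claims the registration message carries the password in the clear; protecting that message and the stored value is outside the claims. A fresh random number and symmetric key are generated for each login, and the random number is what ties a response to exactly one challenge.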

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201910804695.1A (granted as CN110535856B, active) | 2019-08-28 | 2019-08-28 | User authentication method, device and storage medium

Publications (2)

Publication Number Publication Date
CN110535856A true CN110535856A (en) 2019-12-03
CN110535856B CN110535856B (en) 2022-04-26

Family ID: 68664838

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
US20160209062A1 (en) * | 2015-01-19 | 2016-07-21 | Lennox Industries Inc. | Server integration with a heating, ventilation, and air conditioning system
CN107911337A (en) * | 2017-10-11 | 2018-04-13 | Hisense Group Co., Ltd. | Device binding method, server and device
CN109347835A (en) * | 2018-10-24 | 2019-02-15 | Suzhou Keda Technology Co., Ltd. | Information transmission method, client, server and computer-readable storage medium
Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
老刘 (Lao Liu): "一个故事讲完https" (HTTPS explained through a single story), HTTPS://MP.WEIXIN.QQ.COM/S/STQQAFHEPLBKWAPQZG3NRA *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN111147471A (en) * | 2019-12-20 | 2020-05-12 | Visionvera Information Technology Co., Ltd. | Terminal network access authentication method, device, system and storage medium
CN111147471B (en) * | 2019-12-20 | 2023-02-28 | Visionvera Information Technology Co., Ltd. | Terminal network access authentication method, device, system and storage medium
CN114679293A (en) * | 2021-06-15 | 2022-06-28 | Tencent Cloud Computing (Beijing) Co., Ltd. | Access control method, device and storage medium based on zero trust security

Also Published As

Publication number Publication date
CN110535856B (en) 2022-04-26

Legal Events

Code | Title | Description
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |
CB03 | Change of inventor or designer information | Inventors after: Zhao Hailiang, Sun Shaomin, Liang Hao, Yang Chunhui. Inventors before: Zhao Hailiang, Sun Shaomin, Liang Hao, Yang Chunhui.