CN110933109B - Dynamic small program authentication method and device - Google Patents


Info

Publication number
CN110933109B
Authority
CN
China
Prior art keywords
key
identity authentication
identification
service request
authentication key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201911298587.8A
Other languages
Chinese (zh)
Other versions
CN110933109A (en)
Inventor
沈永龙
张满
郭翔
杨金丽
凌晓蔚
黄晓瑜
龚伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
CCB Finetech Co Ltd
Original Assignee
China Construction Bank Corp
CCB Finetech Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Construction Bank Corp, CCB Finetech Co Ltd
Priority to CN201911298587.8A
Publication of CN110933109A
Application granted
Publication of CN110933109B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos

Abstract

A dynamic applet authentication method and device. The method comprises: randomly generating an identity authentication key from a random string and storing it locally; encrypting the user identification and signature information with the identity authentication key to produce identity information, and generating an authentication request instruction from the identity information and the identity authentication key; sending the authentication request instruction to a server and obtaining the key exchange information the server returns, where the key exchange information contains an identification key value that the server produces with a unique identification code algorithm from the user identification and the authentication key; decrypting the key exchange information with the identity authentication key to obtain the identification key value; generating a service request instruction by replacing the user identifier in the service logic request parameters with the identification key value, and sending the service request instruction to the server to obtain the service data it returns; and decrypting the returned service data with the identity authentication key to complete the service request.

Description

Dynamic small program authentication method and device
Technical Field
The present invention relates to the field of data security, and in particular to a dynamic applet authentication method and apparatus.
Background
A Mini Program (applet) is a lightweight application that can do essentially everything a native app can do; it is an innovation in application form and can be used without downloading or installing anything. Applets realise the idea of applications being within reach: a user opens one simply by scanning a code or searching for it. As large numbers of internet companies have launched applet open platforms, developers from many industries, banks included, have been drawn in by the applet's lightness and traffic advantages. Because applet development platforms have matured and the runtime environment is uniform (the applet runs in the internet environment and operating-system differences do not need to be handled), development is far easier than native app development and the barrier to entry for developers is much lower. However, this convenient development model brings security challenges of its own, in both identity authentication and data security, and these are especially acute in financial transaction scenarios.
In current network security testing, the finished applet is placed as the defender against an attacker who performs a penetration attack. During applet design various security measures are adopted, such as end-to-end encryption of all front-end/back-end data interaction, protection of the applet's front-end code, desensitisation of sensitive data and encryption of cached information. During security testing, however, the attacker captures the applet's front-end source code, and even when the applet uses code protection before release (the protection mechanism provided by the platform), the attacker restores the front-end source. Leakage of the front-end source means that every interface interacting with the back end is exposed as well and that the protection afforded by the encryption algorithm (a symmetric algorithm, as designed at the time) is void; under malicious attack this further brings risks such as leakage of request parameters and of service logic.
Disclosure of Invention
The invention aims to provide a method and a device for dynamic authentication of applets, based on an authentication scheme derived from a real security requirement: a dynamic KEY is stored separately in the user-side cache and the server-side cache, and the KEY itself is never carried in the data transmitted during the interaction. With dynamic authentication added to the applet, even if the front-end source code is cracked, an attacker still cannot decrypt the data exchanged between the front end and the back end, which greatly improves the applet's security.
To achieve the above object, the present invention provides a dynamic applet authentication method, which specifically comprises: randomly generating an identity authentication key from a random string and storing it locally; encrypting the user identification and signature information with the identity authentication key to produce identity information, and generating an authentication request instruction from the identity information and the identity authentication key; sending the authentication request instruction to a server and obtaining the key exchange information the server returns, where the key exchange information contains an identification key value that the server produces with a unique identification code algorithm from the user identification and the authentication key; decrypting the key exchange information with the identity authentication key to obtain the identification key value; generating a service request instruction by replacing the user identifier in the service logic request parameters with the identification key value, and sending the service request instruction to the server to obtain the service data it returns; and decrypting the returned service data with the identity authentication key to complete the service request.
In the above dynamic applet authentication method, preferably, the service request instruction comprises: signature information, the identification key value encrypted with the public key, the identification key value encrypted with a symmetric encryption algorithm under the identity authentication key, the symmetrically encrypted service request parameters, and a signature random string.
In the above dynamic applet authentication method, preferably, the service request instruction further comprises an updated identity authentication key, encrypted with a symmetric encryption algorithm under the current identity authentication key; the updated identity authentication key is itself randomly generated from a random string.
The invention also provides a dynamic applet authentication method comprising the following steps: receiving an authentication request instruction uploaded by a client and matching the signature information in it against pre-stored signature information; when the match passes, decrypting the authentication request instruction to obtain an identity authentication key and a user identification; computing an identification key value with a unique identification code algorithm from the identity authentication key and the user identification, and storing the identification key value, the identity authentication key and the user identification locally in correspondence; encrypting the identification key value with a symmetric encryption algorithm under the identity authentication key to obtain key exchange information, and sending it to the client; receiving a service request instruction carrying the identification key value uploaded by the client, and comparing the identification key value in it with the locally stored identification key value; when the comparison passes, decrypting the service request parameters in the service request instruction with the identity authentication key; and processing the service request parameters to generate service data, which is returned to the client.
In the above dynamic applet authentication method, preferably, receiving the service request instruction carrying the identification key value uploaded by the client and comparing the identification key value in the service request instruction with the locally stored identification key value comprises: receiving the service request instruction carrying the identification key value uploaded by the client, and matching the signature information in the service request instruction against pre-stored signature information; and, after the match passes, looking up the corresponding identity authentication key by the identification key value in the service request instruction, decrypting the identification key value in the service request instruction with that identity authentication key, and comparing the decrypted identification key value with the locally stored identification key value.
In the above applet dynamic authentication method, preferably, storing the identification key value, the identity authentication key and the user identification locally further comprises: setting the validity period of the identity authentication key according to a preset rule; and setting, according to a preset rule, the cache duration for which the identification key value, the identity authentication key and the user identification are stored locally in correspondence.
In the above applet dynamic authentication method, preferably, decrypting the service request parameters in the service request instruction with the identity authentication key further comprises: when the service request instruction contains an updated identity authentication key, replacing the locally stored identity authentication key and its validity period according to the updated key; and when the service request instruction contains no updated identity authentication key, refreshing the validity period of the locally stored identity authentication key.
The invention also provides a dynamic applet authentication device comprising an authentication module, a request sending module, an encryption and decryption module and a processing module. The authentication module randomly generates an identity authentication key from a random string and stores it locally, encrypts the user identification and signature information with the identity authentication key to produce identity information, and generates an authentication request instruction from the identity information and the identity authentication key. The request sending module sends the authentication request instruction to the server and obtains the key exchange information the server returns; the key exchange information contains an identification key value that the server produces with a unique identification code algorithm from the user identification and the authentication key. The encryption and decryption module decrypts the key exchange information with the identity authentication key to obtain the identification key value, generates a service request instruction by replacing the user identifier in the service logic request parameters with the identification key value, and sends the service request instruction to the server to obtain the service data it returns. The processing module decrypts the returned service data with the identity authentication key to complete the service request.
The invention also provides a dynamic applet authentication device comprising a verification module, a calculation module, a feedback module, a comparison module and a processing module. The verification module receives an authentication request instruction uploaded by a client and matches the signature information in it against pre-stored signature information. The calculation module, after the match passes, decrypts the authentication request instruction to obtain an identity authentication key and a user identifier, computes an identification key value with a unique identification code algorithm from the identity authentication key and the user identification, and stores the identification key value, the identity authentication key and the user identification locally in correspondence. The feedback module encrypts the identification key value with a symmetric encryption algorithm under the identity authentication key to obtain key exchange information and sends it to the client. The comparison module receives a service request instruction carrying the identification key value uploaded by the client and compares the identification key value in it with the locally stored identification key value. The processing module, after the comparison passes, decrypts the service request parameters in the service request instruction with the identity authentication key, processes them to generate service data, and returns the service data to the client.
The invention also provides a computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the method when executing the computer program.
The present invention also provides a computer-readable storage medium storing a computer program for executing the above method.
The beneficial technical effect of the invention is that the data security of the applet is considerably improved: even if the front-end source code leaks, the business logic and the user data can still be kept from leaking.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the principles of the invention. In the drawings:
fig. 1 is a flowchart illustrating a dynamic applet authentication method according to an embodiment of the present invention;
fig. 2 is a flowchart illustrating a dynamic authentication method for an applet according to an embodiment of the present invention;
fig. 3 is a timing flow diagram illustrating a dynamic authentication method for an applet according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of an applet dynamic authentication apparatus according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of an applet dynamic authentication apparatus according to an embodiment of the present invention;
fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The following detailed description of the embodiments of the present invention will be provided with reference to the drawings and examples, so that how to apply the technical means to solve the technical problems and achieve the technical effects can be fully understood and implemented. It should be noted that, unless otherwise specified, the embodiments and features of the embodiments of the present invention may be combined with each other, and the technical solutions formed are within the scope of the present invention.
Additionally, the steps illustrated in the flowcharts of the figures may be performed in a computer system as a set of computer-executable instructions; and although a logical order is shown in the flowcharts, in some cases the steps shown or described may be performed in an order different from the one given here.
Referring to fig. 1, the applet dynamic authentication method provided by the present invention specifically comprises:
S101: randomly generating an identity authentication key from a random string and storing it locally; encrypting the user identification and signature information with the identity authentication key to produce identity information; and generating an authentication request instruction from the identity information and the identity authentication key;
S102: sending the authentication request instruction to the server side and obtaining the key exchange information it returns, where the key exchange information contains an identification key value that the server produces with a unique identification code algorithm from the user identification and the authentication key;
S103: decrypting the key exchange information with the identity authentication key to obtain the identification key value;
S104: generating a service request instruction by replacing the user identifier in the service logic request parameters with the identification key value, and sending the service request instruction to the server to obtain the service data it returns;
S105: decrypting the returned service data with the identity authentication key, which completes the service request.
In practice, therefore, with this embodiment the applet side sends the dynamic identity authentication KEY to the server in advance and thereafter communicates with the server using the identification key value the server returns, so that an unauthorised party cannot obtain user data from the background server by intruding through the front-end source code. Generating a KEY from a random string is a common technique, and the unique identification code algorithm (UUID) can be realised with the prior art, so neither is detailed here. The identification key value may be a token in the sense of existing encryption schemes: the token serves as the identity the server assigns to the applet and as the identifier for data interaction, the locally stored associated information serves as the lookup table, and on this basis the risk of user information leakage during applet-server interaction is effectively overcome.
In the above embodiment, the service request instruction comprises: signature information, the identification key value encrypted with the public key, the identification key value encrypted with a symmetric encryption algorithm under the identity authentication key, the symmetrically encrypted service request parameters, and a signature random string. In an embodiment the service request instruction may further comprise an updated identity authentication key, encrypted with a symmetric encryption algorithm under the current identity authentication key, the updated key itself being randomly generated from a random string. The specific use of these parameters is described in the overall description below and is not repeated here.
Referring to fig. 2, the present invention further provides a dynamic applet authentication method comprising:
S201: receiving an authentication request instruction uploaded by a client, and matching the signature information in it against pre-stored signature information;
S202: after the match passes, decrypting the authentication request instruction to obtain an identity authentication key and a user identification;
S203: computing an identification key value with a unique identification code algorithm from the identity authentication key and the user identification, and storing the identification key value, the identity authentication key and the user identification locally in correspondence;
S204: encrypting the identification key value with a symmetric encryption algorithm under the identity authentication key to obtain key exchange information, and sending the key exchange information to the client;
S205: receiving a service request instruction carrying the identification key value uploaded by the client, and comparing the identification key value in the service request instruction with the locally stored identification key value;
S206: after the comparison passes, decrypting the service request parameters in the service request instruction with the identity authentication key;
S207: processing the service request parameters to generate service data, and returning the service data to the client.
In practice this embodiment is applied mainly on the server side: during applet authentication the server generates a unique identification key value (token) from the applet's identity, and the correspondence between the token and the applet's identity is then used to verify whether the service logic initiated later by the applet is legitimate, which overcomes the risk of user information leakage during applet interaction.
In the above embodiment, step S205, receiving the service request instruction carrying the identification key value uploaded by the client and comparing the identification key value in the service request instruction with the locally stored identification key value, comprises: receiving the service request instruction carrying the identification key value uploaded by the client, and matching the signature information in the service request instruction against pre-stored signature information; and, after the match passes, looking up the corresponding identity authentication key by the identification key value in the service request instruction, decrypting the identification key value in the service request instruction with that identity authentication key, and comparing the decrypted identification key value with the locally stored identification key value.
In another embodiment, storing the identification key value, the identity authentication key and the user identifier locally in step S201 further comprises: setting the validity period of the identity authentication key according to a preset rule; and setting, according to a preset rule, the cache duration for which the identification key value, the identity authentication key and the user identification are stored locally in correspondence. Accordingly, decrypting the service request parameters in the service request instruction with the identity authentication key in the subsequent step S206 may further comprise: when the service request instruction contains an updated identity authentication key, replacing the locally stored identity authentication key and its validity period according to the updated key; and when it does not, refreshing the validity period of the locally stored identity authentication key.
To illustrate the actual usage flow of the above embodiments more clearly, please refer to fig. 3, which gives a general description of the embodiments. Those skilled in the art will understand that the specific parameters, data types and so on listed in this embodiment are given only to aid understanding of the dynamic applet authentication method provided by the present invention and do not limit it.
Referring to fig. 3, when the above dynamic authentication method for applets is applied, it is carried out in six main steps:
1. The applet front end randomly generates a dynamic authentication KEY from a random string, stores the KEY in its cache, and requests the server interface carrying the user identifier (openid) and a signature, encrypted with the public key.
2. On receiving the front-end request, the server performs the AES key exchange. It first verifies the signature and decrypts with the private key to obtain the openid and the KEY. It then produces a tokenid with the UUID algorithm, stores the tokenid as the key and the openid and KEY as the value in the cache database, and sets the validity period. Finally it encrypts the token with the current KEY using the symmetric encryption algorithm and returns it to the applet front end.
3. The applet front end receives the server's response and decrypts it with the KEY in its cache to obtain the token.
The above process completes the exchange of the KEY and sets the KEY's validity period when the user enters the applet (onload).
4. During service logic processing between the applet front end and the back end, the token is carried in place of the openid. The service logic request carries the following parameters: the signature; the token encrypted with the public key; the new KEY, symmetrically encrypted (this parameter is absent if the KEY is unchanged and present if the KEY has changed, in which case the client cache must be updated to the new KEY); the symmetrically encrypted token; the symmetrically encrypted service request parameters; and the signature random string. With these the front end initiates the service logic interface request to the back-end service.
5. After receiving the request, the service back end processes it as follows:
(1) verify the signature;
(2) verify that the two copies of the tokenid are consistent after decryption:
(21) decrypt the public-key-encrypted token [parameter 2] with the private key;
(22) look up the cache database by tokenid; if no entry exists, the server holds no session information for the current user, and it returns a specific message telling the front end that a handshake is needed and the first process must be repeated;
(23) decrypt the symmetrically encrypted token [parameter 4] with the extracted KEY;
(24) compare the two tokenids; if they are not consistent, tell the front end to handshake again and repeat the first process;
(25) if they are consistent, check whether the front-end request asks to change the KEY (parameter 3); if so, update the KEY and its validity time, otherwise update only the validity time;
(26) extract the service parameters and decrypt the symmetrically encrypted service parameters with the KEY;
(3) process the business logic;
(4) symmetrically encrypt the service data returned to the front end with the KEY.
6. The applet front end receives the data returned by the service back end and decrypts it with the KEY in memory.
Data interaction between the applet and the server is thus completed in these six steps; the applet's data security is improved to a large extent, and even if the front-end source code leaks, the business logic and the user data can still be kept from leaking.
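The six-step flow above, together with the validity period and KEY update of the earlier embodiment, modelled end to end as an added example (this is not the patent's or the assignee's code). It assumes the signature is an HMAC of the signature random string under an application secret, uses a UUID4 for the tokenid and a dict with a time-to-live as the cache database, and, so that it runs with the standard library only, replaces AES with an HMAC-based keystream cipher carrying an authentication tag and replaces the public-key envelope with a key held only by the server.

```python
import hashlib
import hmac
import json
import secrets
import time
import uuid

APP_SECRET = b"constructed-app-secret"  # assumed basis of the "pre-stored signature"
_SERVER_ENVELOPE_KEY = secrets.token_bytes(32)  # stand-in for the server's RSA key pair


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"ks" + nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def sym_encrypt(key: bytes, plaintext: bytes) -> bytes:  # stand-in for the patent's AES
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()

def sym_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication tag mismatch")  # wrong KEY or tampered ciphertext
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def envelope_seal(pt: bytes) -> bytes:  # stand-in for "encrypt with the server's public key"
    return sym_encrypt(_SERVER_ENVELOPE_KEY, pt)

def envelope_open(ct: bytes) -> bytes:  # stand-in for "decrypt with the server's private key"
    return sym_decrypt(_SERVER_ENVELOPE_KEY, ct)

def make_signature() -> dict:
    nonce = secrets.token_hex(8)  # the "signature random string"
    return {"nonce": nonce, "signature": hmac.new(APP_SECRET, nonce.encode(), hashlib.sha256).hexdigest()}

def check_signature(msg: dict) -> bool:
    expect = hmac.new(APP_SECRET, msg["nonce"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expect, msg["signature"])


class Server:  # back end: step 2 (key exchange) and step 5 (service request checks)
    def __init__(self, ttl_seconds: float = 300.0):
        self.ttl, self.cache = ttl_seconds, {}  # cache: tokenid -> (openid, KEY, expiry)

    def handshake(self, req: dict) -> bytes:
        if not check_signature(req):
            raise PermissionError("signature check failed")
        body = json.loads(envelope_open(req["sealed"]))  # openid and KEY from the front end
        key, tokenid = bytes.fromhex(body["key"]), str(uuid.uuid4())
        self.cache[tokenid] = (body["openid"], key, time.time() + self.ttl)
        return sym_encrypt(key, tokenid.encode())  # the key exchange information

    def service(self, req: dict, handler) -> dict:
        if not check_signature(req):  # 5(1)
            raise PermissionError("signature check failed")
        tokenid = envelope_open(req["pk_token"]).decode()  # 5(21)
        entry = self.cache.get(tokenid)  # 5(22)
        if entry is None or entry[2] < time.time():
            return {"handshake": True}  # no session for this user: redo step 1
        openid, key, _ = entry
        try:
            same = sym_decrypt(key, req["sym_token"]) == tokenid.encode()  # 5(23)
        except ValueError:
            same = False
        if not same:
            return {"handshake": True}  # 5(24)
        if req.get("new_key") is not None:  # 5(25): front end asked to rotate the KEY
            key = sym_decrypt(key, req["new_key"])
        self.cache[tokenid] = (openid, key, time.time() + self.ttl)  # refresh validity period
        data = handler(openid, json.loads(sym_decrypt(key, req["params"])))  # 5(26), 5(3)
        return {"data": sym_encrypt(key, json.dumps(data).encode())}  # 5(4)


class Client:  # applet front end: steps 1, 3, 4 and 6
    def __init__(self, openid: str):
        self.openid, self.tokenid, self.key = openid, None, secrets.token_bytes(32)  # KEY in cache

    def handshake_request(self) -> dict:  # step 1
        msg = make_signature()
        msg["sealed"] = envelope_seal(json.dumps({"openid": self.openid, "key": self.key.hex()}).encode())
        return msg

    def accept_handshake(self, blob: bytes) -> None:  # step 3
        self.tokenid = sym_decrypt(self.key, blob).decode()

    def service_request(self, params: dict, rotate_key: bool = False) -> dict:  # step 4
        msg = make_signature()  # parameters 1 and 6
        msg["pk_token"] = envelope_seal(self.tokenid.encode())  # parameter 2
        msg["sym_token"] = sym_encrypt(self.key, self.tokenid.encode())  # parameter 4
        if rotate_key:  # parameter 3 is only present when the KEY changes
            new_key = secrets.token_bytes(32)
            msg["new_key"], self.key = sym_encrypt(self.key, new_key), new_key
        msg["params"] = sym_encrypt(self.key, json.dumps(params).encode())  # parameter 5
        return msg

    def read_response(self, resp: dict) -> dict:  # step 6
        return json.loads(sym_decrypt(self.key, resp["data"]))
```

Note that the openid handed to the business logic comes from the server's cache entry, never from the request, and that a mismatched or expired token yields the handshake signal of steps (22) and (24) rather than an error.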
Referring to fig. 4, the present invention further provides an applet dynamic authentication apparatus comprising an authentication module, a request sending module, an encryption and decryption module and a processing module. The authentication module randomly generates an identity authentication key from a random string and stores it locally, encrypts the user identification and signature information with the identity authentication key to produce identity information, and generates an authentication request instruction from the identity information and the identity authentication key. The request sending module sends the authentication request instruction to the server and obtains the key exchange information the server returns; the key exchange information contains an identification key value that the server produces with a unique identification code algorithm from the user identification and the authentication key. The encryption and decryption module decrypts the key exchange information with the identity authentication key to obtain the identification key value, generates a service request instruction by replacing the user identifier in the service logic request parameters with the identification key value, and sends the service request instruction to the server to obtain the service data it returns. The processing module decrypts the returned service data with the identity authentication key to complete the service request.
Referring to fig. 5, the present invention further provides an applet dynamic authentication apparatus comprising a verification module, a calculation module, a feedback module, a comparison module and a processing module. The verification module receives an authentication request instruction uploaded by a client and matches the signature information in it against pre-stored signature information. The calculation module, after the match passes, decrypts the authentication request instruction to obtain an identity authentication key and a user identifier, computes an identification key value with a unique identification code algorithm from the identity authentication key and the user identification, and stores the identification key value, the identity authentication key and the user identification locally in correspondence. The feedback module encrypts the identification key value with a symmetric encryption algorithm under the identity authentication key to obtain key exchange information and sends it to the client. The comparison module receives a service request instruction carrying the identification key value uploaded by the client and compares the identification key value in it with the locally stored identification key value. The processing module, after the comparison passes, decrypts the service request parameters in the service request instruction with the identity authentication key, processes them to generate service data, and returns the service data to the client.
The invention also provides a computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the method when executing the computer program.
The present invention also provides a computer-readable storage medium storing a computer program for executing the above method.
The beneficial technical effect of the invention is that the data security of the applet is improved to a greater extent: even if the front-end source code is leaked, the business logic and the user data can still be kept from leaking.
As shown in fig. 6, the electronic device 600 may further include a communication module 110, an input unit 120, an audio processing unit 130, a display 160 and a power supply 170. Note that the electronic device 600 need not include all of the components shown in fig. 6; it may also include components not shown in fig. 6, for which reference may be made to the prior art.
As shown in fig. 6, the central processor 100, sometimes referred to as a controller or operational control, may include a microprocessor or other processor device and/or logic device, the central processor 100 receiving input and controlling the operation of the various components of the electronic device 600.
The memory 140 may be, for example, one or more of a buffer, a flash memory, a hard drive, removable media, a volatile memory, a non-volatile memory or another suitable device. It may store information relating to failures and the program that handles that information, and the central processor 100 may execute the program stored in the memory 140 to store or process information.
The input unit 120 provides input to the central processor 100; it is, for example, a key or a touch input device. The power supply 170 supplies power to the electronic device 600. The display 160 displays objects such as images or characters; it may be, for example, an LCD display, but is not limited thereto.
The memory 140 may be a solid state memory such as a Read Only Memory (ROM), a Random Access Memory (RAM), a SIM card or the like. There may also be memory that retains information when power is off, can be selectively erased and can be loaded with further data; one example is sometimes called an EPROM. The memory 140 may also be some other type of device. The memory 140 includes a buffer memory 141 (sometimes referred to as a buffer). The memory 140 may include an application/function storage section 142, which stores the application programs and function programs, or the flow, by which the central processing unit 100 carries out the operation of the electronic device 600.
The memory 140 may also include a data store 143, the data store 143 for storing data, such as contacts, digital data, pictures, sounds, and/or any other data used by the electronic device. The driver storage portion 144 of the memory 140 may include various drivers of the electronic device for communication functions and/or for performing other functions of the electronic device (e.g., messaging application, address book application, etc.).
The communication module 110 is a transmitter/receiver 110 that transmits and receives signals via an antenna 111. The communication module (transmitter/receiver) 110 is coupled to the central processor 100 to provide an input signal and receive an output signal, which may be the same as in the case of a conventional mobile communication terminal.
Depending on the communication technology, a plurality of communication modules 110, such as a cellular network module, a Bluetooth module and/or a wireless local area network module, may be provided in the same electronic device. The communication module (transmitter/receiver) 110 is also coupled to a speaker 131 and a microphone 132 via an audio processor 130, so as to provide audio output through the speaker 131 and receive audio input from the microphone 132 for ordinary telecommunication functions. The audio processor 130 may include any suitable buffers, decoders, amplifiers and so on. The audio processor 130 is also coupled to the central processor 100, so that sound can be recorded locally through the microphone 132 and locally stored sound can be played through the speaker 131.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above-mentioned embodiments are intended to illustrate the objects, technical solutions and advantages of the present invention in further detail, and it should be understood that the above-mentioned embodiments are only exemplary embodiments of the present invention, and are not intended to limit the scope of the present invention, and any modifications, equivalent substitutions, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (11)

1. A dynamic applet authentication method, the method comprising:
randomly generating an identity authentication key through a random string, storing the identity authentication key to the local, encrypting user identification and signature information through the identity authentication key to generate identity information, and generating an authentication request instruction according to the identity information and the identity authentication key;
sending the authentication request instruction to a server to obtain key exchange information fed back by the server; the key exchange information comprises an identification key value produced by the server according to a unique identification code algorithm, a user identification and an authentication key;
decrypting the key exchange information through the identity authentication key to obtain the identification key value;
generating a service request instruction by replacing the user identifier in the service logic request parameter through the identifier key value, and sending the service request instruction to a server to obtain service data fed back by the server;
and the service data fed back by the server side is decrypted through the identity authentication key to complete the service request.
2. The dynamic applet authentication method according to claim 1, characterized in that the service request instruction comprises: signature information, the identification key value encrypted by the public key of the identity authentication key, the identification key value encrypted by a symmetric encryption algorithm according to the identity authentication key, symmetrically encrypted service request parameters, and a signature random string.
3. The dynamic applet authentication method according to claim 2, characterized in that the service request instruction further comprises: an updated identity authentication key encrypted by a symmetric encryption algorithm according to the identity authentication key; the updated identity authentication key is randomly generated through a random string.
4. A dynamic applet authentication method, the method comprising:
receiving an authentication request instruction uploaded by a client, and matching the signature information in the authentication request instruction with pre-stored signature information;
when the matching is passed, the authentication request instruction is decrypted to obtain an identity authentication key and a user identification; obtaining an identification key value through calculation of a unique identification code algorithm according to the identity authentication key and the user identification, and correspondingly storing the identification key value, the identity authentication key and the user identification to the local;
encrypting the identification key value by adopting a symmetric encryption algorithm through the identity authentication key to obtain key exchange information, and sending the key exchange information to a client;
receiving a service request instruction with the identification key value uploaded by a client, and comparing the identification key value in the service request instruction with the locally stored identification key value;
when the comparison is passed, the service request parameters in the service request instruction are decrypted through the identity authentication key;
and processing the service request parameters to generate service data, and feeding the service data back to the client.
5. The dynamic applet authentication method according to claim 4, wherein receiving a service request instruction with the identification key value uploaded by a client, and comparing the identification key value in the service request instruction with the locally stored identification key value, comprises:
receiving a service request instruction with the identification key value uploaded by a client, and matching the signature information in the service request instruction with pre-stored signature information;
and after the matching is passed, acquiring a corresponding identity authentication key through the identification key value in the service request instruction, decrypting the identification key value in the service request instruction according to the identity authentication key, and comparing the decrypted identification key value with the locally stored identification key value.
6. The dynamic applet authentication method according to claim 4, wherein correspondingly storing the identification key value, the identity authentication key and the user identification to the local further comprises: setting the aging period of the identity authentication key according to a preset rule; and setting, according to a preset rule, the cache duration for which the identification key value, the identity authentication key and the user identification are stored locally in correspondence with one another.
7. The dynamic applet authentication method according to claim 6, wherein decrypting the service request parameters in the service request instruction through the identity authentication key further comprises:
when an updated identity authentication key exists in the service request instruction, updating the locally stored identity authentication key and the corresponding aging period according to the updated identity authentication key;
and when the service request instruction does not contain the updated identity authentication key, updating the aging period corresponding to the locally stored identity authentication key.
8. The dynamic small program authentication device is characterized by comprising an authentication module, a request sending module, an encryption and decryption module and a processing module;
the authentication module is used for randomly generating an identity authentication key through a random string and storing the identity authentication key to the local, encrypting user identification and signature information through the identity authentication key to generate identity information, and generating an authentication request instruction according to the identity information and the identity authentication key;
the request sending module is used for sending the authentication request instruction to the server to obtain key exchange information fed back by the server; the key exchange information comprises an identification key value produced by the server according to a unique identification code algorithm, a user identification and an authentication key;
the encryption and decryption module is used for decrypting the secret key exchange information through the identity authentication key to obtain the identification key value; generating a service request instruction by replacing the user identifier in the service logic request parameter through the identifier key value, and sending the service request instruction to a server to obtain service data fed back by the server;
the processing module is used for decrypting the service data fed back by the server side through the identity authentication key to complete the service request.
9. The dynamic small program authentication device is characterized by comprising a verification module, a calculation module, a feedback module, a comparison module and a processing module;
the verification module is used for receiving an authentication request instruction uploaded by a client and matching the signature information in the authentication request instruction with pre-stored signature information;
the computing module is used for decrypting the authentication request instruction to obtain an identity authentication key and a user identifier after the matching is passed; obtaining an identification key value through calculation of a unique identification code algorithm according to the identity authentication key and the user identification, and correspondingly storing the identification key value, the identity authentication key and the user identification to the local;
the feedback module is used for encrypting the identification key value by adopting a symmetric encryption algorithm through the identity authentication key to obtain key exchange information and sending the key exchange information to the client;
the comparison module is used for receiving a service request instruction with the identification key value uploaded by a client and comparing the identification key value in the service request instruction with the locally stored identification key value;
the processing module is used for decrypting the service request parameter in the service request instruction through the identity authentication key after the comparison is passed; and processing the service request parameters to generate service data, and feeding the service data back to the client.
10. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the method of any one of claims 1 to 7 when executing the computer program.
11. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program for executing the method of any one of claims 1 to 7.
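The following is an added worked example, not code from the patent or its assignees. It runs both sides of the flow set out in the apparatus description above and in claims 1 to 7 in one Python file: the client of claims 1 to 3 (random per-run identity authentication key, identity information, replacement of the user identification by the identification key value, optional key rotation) and the server of claims 4 to 7 (signature match, derivation and caching of the identification key value with an aging period, the comparison of claim 5, rotation and refresh of claim 7). Everything the patent leaves unspecified is an assumption of this example and is marked as such in the code: the "unique identification code algorithm" is modelled as HMAC-SHA256 over the user identification and the identity authentication key under a server-only secret; the "symmetric encryption algorithm" is a toy encrypt-then-MAC construction built from HMAC-SHA256 so that the file needs only the standard library (a real deployment would use an AEAD such as AES-GCM); the authentication request is assumed to be sent over TLS, so the identity authentication key is carried without further wrapping; and the wire field names, the classes `AppletServer` and `AppletClient`, the function `run_demo`, and the sample user, balance and signature values are all constructed for the example.

```python
# Added example, not the patent's own code: both sides of the flow of claims 1-7, stdlib only.
# Assumptions of this example that the patent text does not fix:
#   "unique identification code algorithm" := HMAC-SHA256(server_secret, user_id || auth_key)
#   "symmetric encryption algorithm"       := toy HMAC-SHA256 keystream plus tag; use AES-GCM for real
#   the authentication request travels over TLS, so auth_key is sent without extra wrapping
import hashlib, hmac, json, secrets
NONCE_LEN, TAG_LEN = 12, 16

def _stream(key, nonce, n):  # HMAC counter-mode keystream
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range(n // 32 + 1))[:n]

def sym_encrypt(key, plaintext):
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]

def sym_decrypt(key, blob):
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]):
        raise ValueError("tag mismatch: ciphertext altered or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

class AppletServer:  # server side, claims 4-7
    def __init__(self, expected_signature, key_ttl=600.0):
        self.expected_signature, self.key_ttl = expected_signature, key_ttl  # pre-stored signature; aging period (claim 6)
        self.secret = secrets.token_bytes(32)           # server-only input to the id-key derivation (assumption)
        self.sessions, self.user_data = {}, {}          # id_key -> {auth_key, user_id, expires_at}

    def _check_signature(self, req):
        if not hmac.compare_digest(req["signature"], self.expected_signature):
            raise PermissionError("signature mismatch")

    def handle_auth(self, req, now):
        self._check_signature(req)
        auth_key = req["auth_key"]
        identity = json.loads(sym_decrypt(auth_key, req["identity"]))
        id_key = hmac.new(self.secret, identity["user_id"].encode() + auth_key, hashlib.sha256).hexdigest()[:32]
        self.sessions[id_key] = {"auth_key": auth_key, "user_id": identity["user_id"], "expires_at": now + self.key_ttl}
        return sym_encrypt(auth_key, id_key.encode())   # key exchange information

    def handle_service(self, req, now):
        self._check_signature(req)
        session = self.sessions.get(req["id_key"])
        if session is None or session["expires_at"] < now:
            self.sessions.pop(req["id_key"], None)
            raise PermissionError("unknown or expired identification key value")
        auth_key = session["auth_key"]
        if not hmac.compare_digest(sym_decrypt(auth_key, req["id_key_enc"]), req["id_key"].encode()):
            raise PermissionError("identification key value mismatch")   # claim 5 comparison
        params = json.loads(sym_decrypt(auth_key, req["params"]))
        if req["new_auth_key"] is not None:              # claim 7: adopt the rotated key ...
            session["auth_key"] = sym_decrypt(auth_key, req["new_auth_key"])
        session["expires_at"] = now + self.key_ttl       # ... and refresh the aging period either way
        uid = session["user_id"]                         # the real user id lives only in the server cache
        data = {"user": uid, "balance": self.user_data.get(uid, 0)} if params.get("op") == "balance" else {}
        return sym_encrypt(auth_key, json.dumps(data).encode())   # reply under the pre-rotation key (assumption)

class AppletClient:  # client side, claims 1-3
    def __init__(self, user_id, signature):
        self.user_id, self.signature = user_id, signature
        self.auth_key = secrets.token_bytes(32)         # identity authentication key, fresh per run
        self.id_key, self._pending_key = None, None

    def build_auth_request(self):
        identity = json.dumps({"user_id": self.user_id, "signature": self.signature}).encode()
        return {"signature": self.signature, "auth_key": self.auth_key, "identity": sym_encrypt(self.auth_key, identity)}

    def accept_key_exchange(self, blob):
        self.id_key = sym_decrypt(self.auth_key, blob).decode()

    def build_service_request(self, params, rotate=False):
        params = {k: (self.id_key if v == self.user_id else v) for k, v in params.items()}  # claim 1 replacement
        self._pending_key = secrets.token_bytes(32) if rotate else None
        return {"signature": self.signature, "id_key": self.id_key, "sig_random": secrets.token_hex(8),
                "id_key_enc": sym_encrypt(self.auth_key, self.id_key.encode()),
                "params": sym_encrypt(self.auth_key, json.dumps(params).encode()),
                "new_auth_key": sym_encrypt(self.auth_key, self._pending_key) if rotate else None}

    def accept_service_data(self, blob):
        data = json.loads(sym_decrypt(self.auth_key, blob))
        if self._pending_key:                            # switch keys only after a valid reply
            self.auth_key, self._pending_key = self._pending_key, None
        return data

def run_demo(ttl=600.0):  # constructed sample run: auth, request with rotation, request without, expiry, forgery
    sig, t0, query = "applet-build-signature-001", 1_700_000_000.0, {"op": "balance", "user_id": "user-42"}
    server, client = AppletServer(sig, key_ttl=ttl), AppletClient("user-42", sig)
    server.user_data["user-42"] = 1250
    client.accept_key_exchange(server.handle_auth(client.build_auth_request(), now=t0))
    results = {"first": client.accept_service_data(server.handle_service(client.build_service_request(query, rotate=True), now=t0 + 1))}
    results["second"] = client.accept_service_data(server.handle_service(client.build_service_request(query), now=t0 + 2))
    for label, req, when in (("expired", client.build_service_request(query), t0 + 2 + ttl + 1),
                             ("forged", dict(client.build_service_request(query), id_key="0" * 32), t0 + 3)):
        try:
            server.handle_service(req, now=when)
            results[label] = False
        except PermissionError:
            results[label] = True
    return results
```

`run_demo()` returns the two decrypted balance replies (the second one under the rotated key), plus `expired` and `forged` set to `True` because a request after the aging period and a request with an unknown identification key value are both refused before any service parameter is decrypted. Two points the patent text leaves open that a deployment has to settle: the signature information is a static string shipped with the front end, so it identifies the applet build rather than the user, and the source-leak property stated above rests on the identity authentication key being generated at run time and never being present in the source; and the "signature random string" of claim 2 only defends against replay if the server remembers values it has already accepted, which this example does not do.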
CN201911298587.8A 2019-12-17 2019-12-17 Dynamic small program authentication method and device Active CN110933109B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911298587.8A CN110933109B (en) 2019-12-17 2019-12-17 Dynamic small program authentication method and device


Publications (2)

Publication Number Publication Date
CN110933109A CN110933109A (en) 2020-03-27
CN110933109B true CN110933109B (en) 2022-03-29

Family

ID=69863995

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911298587.8A Active CN110933109B (en) 2019-12-17 2019-12-17 Dynamic small program authentication method and device

Country Status (1)

Country Link
CN (1) CN110933109B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111709747B (en) * 2020-06-10 2023-08-18 中国工商银行股份有限公司 Intelligent terminal authentication method and system
CN112953965B (en) * 2021-03-18 2022-11-01 杭州网易云音乐科技有限公司 Client login method and system, client, medium and computing device
CN113971274B (en) * 2021-12-02 2022-12-27 国家石油天然气管网集团有限公司 Identity recognition method and device
CN114338682A (en) * 2021-12-24 2022-04-12 北京字节跳动网络技术有限公司 Flow identity mark transmission method and device, electronic equipment and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105391549A (en) * 2015-12-10 2016-03-09 四川长虹电器股份有限公司 Method for realizing communication dynamic keys between client and server
CN108810029A (en) * 2018-07-23 2018-11-13 珠海宏桥高科技有限公司 Right discriminating system and optimization method between a kind of micro services infrastructure services
CN109522726A (en) * 2018-10-16 2019-03-26 平安万家医疗投资管理有限责任公司 Method for authenticating, server and the computer readable storage medium of small routine
CN109639687A (en) * 2016-09-14 2019-04-16 甲骨文国际公司 For providing system, method and the medium of identity based on cloud and access management
CN110086822A (en) * 2019-05-07 2019-08-02 北京智芯微电子科技有限公司 The realization method and system of unified identity authentication strategy towards micro services framework

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10715564B2 (en) * 2018-01-29 2020-07-14 Oracle International Corporation Dynamic client registration for an identity cloud service


Also Published As

Publication number Publication date
CN110933109A (en) 2020-03-27


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20221008

Address after: 12 / F, 15 / F, 99 Yincheng Road, Pudong New Area pilot Free Trade Zone, Shanghai, 200120

Patentee after: Jianxin Financial Science and Technology Co.,Ltd.

Address before: 25 Financial Street, Xicheng District, Beijing 100033

Patentee before: CHINA CONSTRUCTION BANK Corp.

Patentee before: Jianxin Financial Science and Technology Co.,Ltd.
