Disclosure of Invention
In order to solve the above problems, it is necessary to provide an offline remote authorization authentication method and system.
In a first aspect, the invention provides an offline remote authorization authentication method comprising the following steps:
the authorized device and the authorization device communicate in advance and synchronously obtain a key seed;
the authorized device and the authorization device respectively use the same algorithm to calculate the secret key seed and generate the same ordered random array for pre-storage, wherein the ordered random array is expressed as
;
When the authorized device and the authorization device cannot communicate and authorization authentication is needed, the user of the authorized device requests authorization from an administrator through a third-party path;
after the administrator verifies the user identity, the administrator looks up and obtains one random number in the ordered random array from the authorization device based on the user identity;
the administrator notifies the user of the authorized device of the random number through the third-party path;
the user obtains the random number and inputs it into the authorized device;
the authorized device searches for and compares the input random number against the pre-stored ordered random array; if the random number cannot be found, the authorization authentication fails, and if it is found, the authorization authentication succeeds.
Further, after the authorization authentication succeeds, the method further includes:
the authorized device clears the random number, and every random number preceding it, from the ordered random array.
Further, after the administrator looks up and obtains one random number in the ordered random array from the authorization device based on the user identity, the method further includes:
the authorization device clears the random number, and every random number preceding it, from the ordered random array.
Further, the authorized device and the authorization device communicating in advance and synchronously obtaining a key seed specifically includes:
the authorized device sends its identification information to the authorization device;
the authorization device randomly generates a key seed for that identification information, and binds and pre-stores the key seed together with the identification information;
the authorization device synchronizes the key seed to the authorized device.
Further, the administrator looking up a random number in the ordered random array from the authorization device based on the user identity specifically includes:
the authorization device pre-stores an association table of users and authorized devices, and the administrator searches the association table based on the user identity to obtain the identification information of the authorized device;
the authorization device looks up and obtains the ordered random array bound to that identification information;
the administrator selects one random number from the ordered random array.
Further, after the authorization authentication fails or succeeds, the method further includes:
if the authorized device and the authorization device can communicate and the ordered random array is exhausted, the authorized device and the authorization device synchronously obtain a new key seed and each generate a new ordered random array from the new key seed;
if the authorized device and the authorization device can communicate and a preset update period has been reached, the authorized device and the authorization device synchronously obtain a new key seed and each generate a new ordered random array from the new key seed.
Further, the algorithm is any one or more of an RC4 algorithm, an RC5 algorithm, an RC6 algorithm, a DES algorithm and an AES algorithm.
Further, the third party path includes any one or more of short message, telephone, mail and instant communication.
The second aspect of the present invention further provides an offline remote authorization and authentication system, configured to implement the above offline remote authorization and authentication method, where the system includes an authorization device and an authorized device;
the authorization device comprises a first communication module and a password management module;
the authorized device comprises a second communication module, a key management module and an access control module;
the authorization device and the authorized device communicate in advance through the first communication module and the second communication module respectively, and synchronously obtain a key seed;
the password management module and the secret key management module respectively use the same algorithm to calculate the secret key seeds and generate the same ordered random array for pre-storage, and the ordered random array is expressed as
;
When the first communication module and the second communication module cannot communicate and the authorized device needs authorization authentication, the user of the authorized device requests authorization from an administrator through a third-party path; after the administrator verifies the user identity, the administrator looks up and obtains one random number in the ordered random array from the password management module based on the user identity; the administrator notifies the user of the authorized device of the random number through the third-party path; the user obtains the random number and inputs it into the authorized device; the access control module searches for and compares the input random number in the key management module; if the random number cannot be found, the authorization authentication fails, and if it is found, the authorization authentication succeeds.
Further, the authorization device further includes a user information module, where the user information module is configured to store the key seed, the identification information of the authorized device, and the user identity information in an associated manner.
The invention realizes remote authorization and password authentication of the authorized device under offline conditions. It is also suited to a multi-device scenario: each authorized device has its own offline authorization passwords, and each password of a given authorized device is valid only once, so that dynamic passwords are achieved offline and security is improved.
Additional aspects and advantages of the invention will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention.
Detailed Description
In order that the above objects, features and advantages of the present invention can be more clearly understood, a more particular description of the invention will be rendered by reference to the appended drawings. It should be noted that the embodiments and features of the embodiments of the present application may be combined with each other without conflict.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention, however, the present invention may be practiced in other ways than those specifically described herein, and therefore the scope of the present invention is not limited by the specific embodiments disclosed below.
Fig. 1 shows a flowchart of an offline remote authorization authentication method according to the present invention.
As shown in fig. 1, a first aspect of the present invention provides an offline remote authorization authentication method, including the following steps:
S101, the authorized device and the authorization device communicate in advance and synchronously obtain a key seed;
S102, the authorized device and the authorization device each use the same algorithm to compute on the key seed and generate the same ordered random array for pre-storage, wherein the ordered random array is expressed as
;
S103, when the authorized device and the authorization device cannot communicate and authorization authentication is needed, the user of the authorized device requests authorization from an administrator through a third-party path;
S104, after the administrator verifies the user identity, the administrator looks up and obtains one random number in the ordered random array from the authorization device based on the user identity;
S105, the administrator notifies the user of the authorized device of the random number through the third-party path;
S106, the user obtains the random number and inputs it into the authorized device;
S107, the authorized device searches for and compares the input random number against the pre-stored ordered random array; if the random number cannot be found, the authorization authentication fails, and if it is found, the authorization authentication succeeds.
Specifically, the authorized device and the authorization device may each be a mobile phone, an iPad, a PC, or the like.
It can be understood that the authorization authentication of the authorized device in the present invention may be authorization-unlock authentication of a functional module of the authorized device itself, for example unlock authentication of the screen of the authorized device or of its camera; it may also be authorization authentication of application software installed on the authorized device. It is not limited to these cases.
Preferably, the ordered random array generated from the key seed includes 100 random numbers, but is not limited thereto.
Preferably, the algorithm is any one or more of the RC4, RC5, RC6, DES and AES algorithms, but is not limited to these. Note that RC4 and DES are deprecated by current standards (RFC 7465 prohibits RC4 in TLS, and NIST withdrew FIPS 46-3, the DES standard, in 2005); for a new implementation, AES or a keyed hash such as HMAC, used as a pseudorandom function over a counter, is the appropriate way to expand the key seed into the ordered random array.
Preferably, the third party path includes any one or more of short message, telephone, mail and instant communication. But is not limited thereto.
It can be understood that the third-party path may be a communication path that is still available on the authorized device itself. For example, when the camera of the authorized device is locked and needs authorization-unlock authentication, the short message and telephone paths of the authorized device may still be usable, so the user can request authorization by calling or texting the administrator from the authorized device. The third-party path may also be a communication path of another device: when the screen of the authorized device is locked, the user can no longer operate the authorized device and instead requests authorization authentication from the administrator through another device.
Further, after the authorization authentication succeeds, the method further includes:
the authorized device clears the random number, and every random number preceding it, from the ordered random array.
The user now knows this random number and has used it for one offline authorization authentication. To prevent the same random number from being accepted the next time the authorized device needs authorization authentication, the authorized device clears the pre-stored random number, which effectively prevents reuse. In addition, because the array is ordered and consumed in sequence, the entries before the used one must not remain valid either (the text of the invention treats them as deducible once the current random number is known), so the authorized device also clears the pre-stored preceding random numbers, which further improves the security and reliability of offline authorization authentication.
Further, after the administrator looks up and obtains one random number in the ordered random array from the authorization device based on the user identity, the method further includes:
the authorization device clears the random number, and every random number preceding it, from the ordered random array.
If the authorization device did not perform this clearing, the administrator might look up and issue the same random number again, and the authorization authentication would then fail because the authorized device has already cleared it. The invention therefore clears the random number not only in the authorized device but also in the authorization device, keeping the random numbers retained on the two sides consistent.
Further, the authorized device and the authorization device communicating in advance and synchronously obtaining a key seed specifically includes:
the authorized device sends its identification information to the authorization device;
the authorization device randomly generates a key seed for that identification information, and binds and pre-stores the key seed together with the identification information;
the authorization device synchronizes the key seed to the authorized device.
Preferably, the identification information may be an ID number, an IP address, a mobile phone number, or the like of the authorized device. In practice an IP address is neither stable nor authenticated, so a fixed device identifier delivered over the same pre-synchronization channel as the key seed is the more reliable binding.
Further, the administrator looking up a random number in the ordered random array from the authorization device based on the user identity specifically includes:
the authorization device pre-stores an association table of users and authorized devices, and the administrator searches the association table based on the user identity to obtain the identification information of the authorized device;
the authorization device looks up and obtains the ordered random array bound to that identification information;
the administrator selects one random number from the ordered random array.
Further, after the authorization authentication fails or succeeds, the method further includes:
if the authorized device and the authorization device can communicate and the ordered random array is exhausted, the authorized device and the authorization device synchronously obtain a new key seed and each generate a new ordered random array from the new key seed;
if the authorized device and the authorization device can communicate and a preset update period has been reached, the authorized device and the authorization device synchronously obtain a new key seed and each generate a new ordered random array from the new key seed.
It will be appreciated that, while the authorized device is offline, authorization authentication may be needed more than once. For example, after the screen of the authorized device has been unlocked through authorization, it may be locked again by improper user operation, and a second authorization authentication is then required. Each authorization authentication consumes one random number, and once the ordered random array is exhausted the authorized device can no longer be authenticated offline. As long as the authorization device and the authorized device synchronously generate a new key seed before the ordered random array is exhausted, they can continue to be used.
It can be understood that, when the authorized device and the authorization device can communicate, the ordered random array may not yet be exhausted. To make it harder to illegally obtain the ordered random array, the authorization device and the authorized device of the present invention also update the key seed synchronously according to a preset period (one week, one month, or the like) and generate a new ordered random array from the updated key seed, further improving the security and reliability of the authorization authentication.
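Steps S101 to S107 together with the two clearing rules and the re-seeding rule above, carried through as one added worked example in Python; this is editorial illustration, not code from the patent. Assumptions not stated in the patent: HMAC-SHA256 in counter mode stands in for the listed RC4/AES expansion, each random number is an 8-digit decimal code, the array holds 100 codes, the seed is 32 random bytes, and the user, device and code names are constructed sample data.

```python
"""Added worked example of the offline one-time-code scheme (not the patent's code).
A shared key seed is expanded on both sides into the same ordered array of codes,
the administrator reads one code off the authorization device, the authorized
device verifies it offline, and both sides clear the used code and everything
before it. Assumed: HMAC-SHA256 counter-mode PRF, 8-digit codes, 100 entries."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

ARRAY_SIZE = 100
CODE_DIGITS = 8


def derive_array(seed: bytes, device_id: str, n: int = ARRAY_SIZE) -> list:
    """Deterministic expansion run identically on both devices: code_i = PRF(seed, id || i)."""
    codes = []
    for i in range(n):
        tag = hmac.new(seed, device_id.encode() + i.to_bytes(4, "big"), hashlib.sha256).digest()
        codes.append(str(int.from_bytes(tag[:8], "big") % 10**CODE_DIGITS).zfill(CODE_DIGITS))
    return codes


@dataclass
class AuthorizationDevice:
    """Administrator side: seeds, remaining codes, and the user/device association table."""
    seeds: dict = field(default_factory=dict)    # device_id -> seed
    arrays: dict = field(default_factory=dict)   # device_id -> remaining [(index, code), ...]
    users: dict = field(default_factory=dict)    # user identity -> device_id

    def enroll(self, user: str, device_id: str, seed: Optional[bytes] = None) -> bytes:
        """S101/S102 (online): generate a seed bound to this device; the returned seed
        is what gets synchronized to the authorized device."""
        seed = seed or secrets.token_bytes(32)
        self.seeds[device_id] = seed
        self.arrays[device_id] = list(enumerate(derive_array(seed, device_id)))
        self.users[user] = device_id
        return seed

    def issue_code(self, user: str, position: int = 0) -> str:
        """S104: look the device up via the association table and take one remaining
        code; clear it and all earlier entries so the two sides stay aligned."""
        remaining = self.arrays[self.users[user]]
        if position >= len(remaining):
            raise LookupError("ordered random array exhausted; re-seed when online")
        _, code = remaining[position]
        del remaining[: position + 1]
        return code


@dataclass
class AuthorizedDevice:
    """Client side: holds only the remaining codes derived from the synchronized seed."""
    device_id: str
    remaining: list = field(default_factory=list)

    def sync_seed(self, seed: bytes) -> None:
        self.remaining = list(enumerate(derive_array(seed, self.device_id)))

    def exhausted(self) -> bool:
        return not self.remaining

    def authenticate(self, entered: str) -> bool:
        """S107 (offline): search the pre-stored array; on a hit, clear the hit and every
        code before it. A miss changes nothing."""
        for pos, (_, code) in enumerate(self.remaining):
            if hmac.compare_digest(code, entered):
                del self.remaining[: pos + 1]
                return True
        return False


def resync_if_needed(admin: AuthorizationDevice, dev: AuthorizedDevice, user: str,
                     period_elapsed: bool = False) -> bool:
    """Re-seeding rule: with the channel back and the array exhausted (or the preset
    update period passed), both sides derive a new array from a new seed."""
    if dev.exhausted() or period_elapsed:
        dev.sync_seed(admin.enroll(user, dev.device_id))
        return True
    return False


def run_demo(seed: Optional[bytes] = None) -> dict:
    """Walk the protocol once with constructed sample data and report the outcomes."""
    admin, dev = AuthorizationDevice(), AuthorizedDevice("phone-01")
    dev.sync_seed(admin.enroll("alice", "phone-01", seed))
    arrays_match = [c for _, c in admin.arrays["phone-01"]] == [c for _, c in dev.remaining]
    skipped = dev.remaining[0][1]                  # a code that precedes the one the admin picks
    code = admin.issue_code("alice", position=2)   # admin reads the third code over the phone
    first_use = dev.authenticate(code)
    replay = dev.authenticate(code)                # same code again: already cleared
    skipped_use = dev.authenticate(skipped)        # earlier code: cleared by the ordering rule
    while not dev.exhausted():                     # consume the rest to reach exhaustion
        dev.authenticate(admin.issue_code("alice"))
    reseeded = resync_if_needed(admin, dev, "alice")
    return {"arrays_match": arrays_match, "first_use": first_use, "replay": replay,
            "skipped_use": skipped_use, "reseeded": reseeded, "left": len(dev.remaining)}


if __name__ == "__main__":
    print(run_demo())
```

Two points the walk-through makes visible. The authorized device has no way to know which position the administrator chose, so an earlier code still verifies until a later one has been entered; that is why the patent clears the used entry and everything before it on both sides rather than only the used entry. And because `issue_code` removes entries on the authorization device at the same time, the two arrays reach exhaustion together, at which point `resync_if_needed` is the only way forward.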
Fig. 2 shows a block diagram of an offline remote authorization authentication system of the present invention.
As shown in fig. 2, the second aspect of the present invention further provides an offline remote authorization and authentication system, for implementing the above offline remote authorization and authentication method, where the system includes an authorization device and an authorized device;
the authorization device comprises a first communication module and a password management module;
the authorized device comprises a second communication module, a key management module and an access control module;
the authorization device and the authorized device communicate in advance through the first communication module and the second communication module respectively, and synchronously obtain a key seed;
the password management module and the secret key management module respectively use the same algorithm to calculate the secret key seeds and generate the same ordered random array for pre-storage, and the ordered random array is expressed as
;
When the first communication module and the second communication module cannot communicate and the authorized device needs authorization authentication, the user of the authorized device requests authorization from an administrator through a third-party path; after the administrator verifies the user identity, the administrator looks up and obtains one random number in the ordered random array from the password management module based on the user identity; the administrator notifies the user of the authorized device of the random number through the third-party path; the user obtains the random number and inputs it into the authorized device; the access control module searches for and compares the input random number in the key management module; if the random number cannot be found, the authorization authentication fails, and if it is found, the authorization authentication succeeds.
Specifically, the first communication module and the second communication module may communicate through a wireless network or a wired network, and the wireless network may be a 4G network, a 5G network, or the like.
Preferably, the algorithm is any one or more of an RC4 algorithm, an RC5 algorithm, an RC6 algorithm, a DES algorithm and an AES algorithm. But is not limited thereto.
Preferably, the third party path includes any one or more of short message, telephone, mail and instant communication. But is not limited thereto.
Further, after the authorization authentication succeeds, the authorized device clears the random number, and every random number preceding it, from the ordered random array.
Further, after the administrator looks up and obtains one random number in the ordered random array from the authorization device based on the user identity, the authorization device clears the random number, and every random number preceding it, from the ordered random array.
Further, the authorization device further includes a user information module, where the user information module is configured to store the key seed, the identification information of the authorized device, and the user identity information in an associated manner.
Specifically, the authorized device sends its identification information to the authorization device; the authorization device randomly generates a key seed for that identification information, binds the key seed to the identification information and pre-stores both in the user information module; the authorization device then synchronizes the key seed to the authorized device.
The user information module pre-stores an association table of users and authorized devices. The administrator searches that table based on the user identity to obtain the identification information of the authorized device, looks up the ordered random array bound to that identification information, and selects one random number from it.
Further, after the authorization authentication fails or succeeds, if the authorized device and the authorization device can communicate and the ordered random array is exhausted, the authorized device and the authorization device synchronously obtain a new key seed and each generate a new ordered random array from the new key seed;
if the authorized device and the authorization device can communicate and a preset update period has been reached, the authorized device and the authorization device synchronously obtain a new key seed and each generate a new ordered random array from the new key seed.
The invention realizes remote authorization and password authentication of the authorized device under offline conditions. For example, when the authorized device is in a special environment or scenario (such as a remote area with no network connection), the method can still perform offline remote authorization authentication and meet the user's needs in that scenario.
The method and system are also suited to a multi-device scenario: each authorized device has its own offline authorization passwords, and each password of a given authorized device is valid only once, so that dynamic passwords are achieved offline and security is improved.
The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present invention, and all the changes or substitutions should be covered within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the appended claims.