CN111147471B - Terminal network access authentication method, device, system and storage medium - Google Patents


Info

Publication number: CN111147471B
Application number: CN201911329898.6A
Authority: CN (China)
Prior art keywords: terminal, server, network access, access authentication, signature
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Other versions: CN111147471A
Inventors: 夏冰冰, 覃才俊, 王艳辉, 李宏刚
Current assignee: Visionvera Information Technology Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Visionvera Information Technology Co Ltd

Events
Application filed by Visionvera Information Technology Co Ltd
Priority to CN201911329898.6A
Publication of CN111147471A
Application granted
Publication of CN111147471B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L 63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

Embodiments of the invention provide a terminal network access authentication method, device, system and storage medium. The method comprises: calling a first function of the terminal middleware to generate network access authentication request information according to the network access authentication type, and sending the request information to a server; calling a second function of the terminal middleware to verify the network access authentication response information returned by the server and, if verification passes, generating network access authentication confirmation information and sending it to the server. The inputs of the first function include a handle of the first cryptographic device, and its outputs include one or more of a terminal random number, a terminal signature certificate and security configuration information; the inputs of the second function include the handle of the first cryptographic device and the network access authentication response information, and its output includes the network access authentication confirmation information. The embodiments improve the network access security of the terminal and meet the network access authentication requirements of terminals of different network access authentication types.

Description

Terminal network access authentication method, device, system and storage medium
Technical Field
The present invention relates to the field of network security and, in particular, to a method, apparatus, system and storage medium for authenticating a terminal's access to a network.
Background
At present, video conference systems generally emphasize functional metrics such as the number of concurrent conferences, video definition, usability and stability, while the security of the system is neglected.
In the related art, a video conference terminal logs in to a video conference server with a registered account and password. Accounts and passwords are easy to forget and easy to steal, which poses a serious security risk to the video conference system; the security of the video conference terminal's network access authentication is therefore low.
Disclosure of Invention
In view of the above problems, embodiments of the present invention provide a terminal network access authentication method, apparatus, system and storage medium that overcome, or at least partially solve, these problems.
According to a first aspect of the embodiments, a terminal network access authentication method is disclosed. It is applied to a terminal in a video network, where the terminal is communicatively connected to a server in the video network, and comprises: calling a first function of a pre-configured terminal middleware to generate network access authentication request information according to the network access authentication type of the terminal, the type being a physical terminal type, a virtual terminal type or a fast network access type, and sending the request information to the server; calling a second function of the terminal middleware to verify the network access authentication response information returned by the server, generating network access authentication confirmation information if verification passes, and sending the confirmation information to the server. The inputs of the first function include a handle of a first cryptographic device communicatively connected to the terminal, and its outputs include one or more of a terminal random number, a terminal signature certificate and security configuration information; the inputs of the second function include the handle of the first cryptographic device and the network access authentication response information, and its output includes the network access authentication confirmation information.
Optionally, calling the first function of the pre-configured terminal middleware to generate the request information according to the terminal's network access authentication type comprises: calling the first function to read the terminal signature certificate from the first cryptographic device communicatively connected to the terminal; and generating the network access authentication request information from the terminal signature certificate, the terminal random number and the network access authentication type.
Optionally, when the network access authentication type is the physical terminal type or the virtual terminal type, generating the request information from the terminal signature certificate, the terminal random number and the network access authentication type comprises: computing a terminal digest value of the terminal random number with a hash algorithm; signing the terminal digest value with the terminal signature private key corresponding to the terminal signature certificate (the private key is held by the cryptographic device; a certificate carries only the public key) to obtain a terminal signature value; and packaging the terminal signature certificate, the terminal digest value and the terminal signature value into the request information. When the type is the fast network access type, the same digest and signature are computed, but only the terminal digest value and the terminal signature value are packaged into the request information; the certificate itself is not sent.
Optionally, calling the second function of the terminal middleware to verify the response information returned by the server comprises: calling the second function to obtain a server signature certificate, and verifying the response information against the server signature certificate.
Optionally, when the type is the physical terminal type or the virtual terminal type, this comprises: calling the second function to parse the response information into the server signature certificate, the server digest value and the server signature value; checking whether the server signature certificate is legitimate and valid; and, if it is, verifying the server signature value with the server signature public key in the server signature certificate and the server digest value. When the type is the fast network access type, it comprises: calling the second function to read the server signature certificate from the first cryptographic device; parsing the response information into the server digest value and the server signature value; and verifying the server signature value with the server signature public key in the server signature certificate and the server digest value.
Optionally, when the type is the physical terminal type or the virtual terminal type, generating the confirmation information comprises calling the second function to package the terminal signature certificate, the server signature certificate, the terminal digest value, the server digest value, the terminal signature value and the server signature value into the network access authentication confirmation information; when the type is the fast network access type, it comprises calling the second function to package only the terminal digest value, the server digest value, the terminal signature value and the server signature value into the confirmation information.
According to a second aspect of the embodiments, a terminal network access authentication method applied to a server in a video network is also disclosed, the server being communicatively connected to a terminal in the video network. The method comprises: calling a third function of a pre-configured server middleware to verify the network access authentication request information from the terminal, the request information carrying the terminal's network access authentication type, which is a physical terminal type, a virtual terminal type or a fast network access type; if the request information passes verification, calling the third function of the server middleware to generate network access authentication response information according to the type and sending it to the terminal; calling a fourth function of the server middleware to verify the network access authentication confirmation information, and allowing the terminal onto the network if the confirmation information passes verification. The inputs of the third function include one or more of a handle of a second cryptographic device communicatively connected to the server, a terminal random number and a terminal signature certificate, and its output includes the response information; the inputs of the fourth function include the handle of the second cryptographic device and the confirmation information, and its output includes the verification result for the confirmation information.
Optionally, calling the third function of the pre-configured server middleware to verify the request information from the terminal comprises: calling the third function to obtain the terminal signature certificate, and verifying the request information against the terminal signature certificate.
Optionally, when the type is the physical terminal type or the virtual terminal type, this comprises: calling the third function to parse the request information into the terminal signature certificate, the terminal digest value and the terminal signature value; checking whether the terminal signature certificate is legitimate and valid; and, if it is, verifying the terminal signature value with the terminal signature public key in the terminal signature certificate and the terminal digest value. When the type is the fast network access type, it comprises: calling the third function to read the terminal signature certificate from the second cryptographic device; parsing the request information into the terminal digest value and the terminal signature value; and verifying the terminal signature value with the terminal signature public key in the terminal signature certificate and the terminal digest value.
Optionally, calling the third function of the server middleware to generate the response information according to the type comprises: calling the third function to read a server signature certificate from the second cryptographic device; and generating the response information from the server signature certificate, a server random number and the network access authentication type.
Optionally, when the type is the physical terminal type or the virtual terminal type, generating the response information from the server signature certificate, the server random number and the type comprises: computing a server digest value of the server random number with a hash algorithm; signing the server digest value with the server signature private key corresponding to the server signature certificate to obtain a server signature value; and packaging the server signature certificate, the server digest value and the server signature value into the response information. When the type is the fast network access type, the same digest and signature are computed, and only the server digest value and the server signature value are packaged into the response information.
Optionally, calling the fourth function of the server middleware to verify the confirmation information comprises: calling the fourth function to obtain the terminal signature certificate and the server signature certificate, and verifying the confirmation information against both certificates.
Optionally, when the type is the physical terminal type or the virtual terminal type, this comprises: calling the fourth function to parse the confirmation information into the terminal signature certificate, the server signature certificate, the terminal digest value, the server digest value, the terminal signature value and the server signature value; checking whether both certificates are legitimate and valid; and, if they are, verifying the terminal signature value with the terminal signature public key in the terminal signature certificate and the terminal digest value, and verifying the server signature value with the server signature public key in the server signature certificate and the server digest value. When the type is the fast network access type, it comprises: calling the fourth function to read the terminal signature certificate and the server signature certificate from the second cryptographic device; parsing the confirmation information into the terminal digest value, the server digest value, the terminal signature value and the server signature value; and performing the same two signature verifications with the public keys in the two certificates.
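The four middleware functions above describe one three-message exchange (request, response, confirmation) that is symmetric apart from which certificate each side has in hand. The Go program below is an added example written for this page; it is not code from the patent or from Visionvera. It runs the exchange for all three authentication types against a test-only certificate authority that the program itself creates. The page names no hash or signature algorithm, so SHA-256 and ECDSA over P-256 are assumptions; the middleware functions and cryptographic device handles are modelled as methods on a Party value that holds the key and certificate directly, and the names Party, AuthMessage, Issue, Sign, Verify and Handshake are the example's own. The constant PhysicalTerminal corresponds to the page's "entity terminal type".

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// AuthType is the network access authentication type carried in every message.
type AuthType int

const (
	PhysicalTerminal AuthType = iota // the page's "entity terminal type"
	VirtualTerminal
	FastAccess // certificates are pre-provisioned in both cryptographic devices and never sent
)

// AuthMessage is a request (terminal to server) or a response (server to terminal): the digest of the
// sender's own random number, its signature over that digest and, except for FastAccess, its certificate.
// The confirmation is both messages sent back to the server, so it needs no separate type.
type AuthMessage struct {
	Type      AuthType
	Cert      []byte // DER signature certificate; nil for FastAccess
	Digest    []byte // SHA-256 of a 32-byte random number (hash algorithm is an assumption)
	Signature []byte // ASN.1 ECDSA P-256 signature over Digest (signature algorithm is an assumption)
}

// Party models one side's middleware together with its cryptographic device; the device handle of the
// page is represented by direct access to the key and certificate held here.
type Party struct {
	key   *ecdsa.PrivateKey
	cert  *x509.Certificate // cert.Raw is the DER form sent on the wire
	roots *x509.CertPool    // trust anchor used to check a received certificate
}

// Issue creates a key and certificate: a self-signed test-only root when ca == nil, otherwise a signature
// certificate issued by ca. A notAfter in the past produces an already expired certificate.
func Issue(cn string, serial int64, notAfter time.Time, ca *Party) (*Party, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-2 * time.Hour), NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature}
	parent, parentKey, roots := tmpl, key, x509.NewCertPool()
	if ca == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		parent, parentKey = ca.cert, ca.key
		roots.AddCert(ca.cert)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &Party{key: key, cert: cert, roots: roots}, err
}

// Sign is the sending half of the first and third functions: random number, digest, signature, package.
func (p *Party) Sign(t AuthType) (AuthMessage, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return AuthMessage{}, err
	}
	digest := sha256.Sum256(nonce)
	sig, err := ecdsa.SignASN1(rand.Reader, p.key, digest[:])
	m := AuthMessage{Type: t, Digest: digest[:], Signature: sig}
	if t != FastAccess {
		m.Cert = p.cert.Raw
	}
	return m, err
}

// Verify is the receiving half. For the physical and virtual types the certificate comes from the message
// and must chain to the trust root inside its validity period (the page's "legitimate and valid" check);
// for FastAccess the caller passes the certificate read from the local device and no such check is made.
// Either way the signature over the digest is then checked with that certificate's public key.
func (p *Party) Verify(m AuthMessage, provisioned *x509.Certificate) error {
	cert := provisioned
	if m.Type != FastAccess {
		var err error
		if cert, err = x509.ParseCertificate(m.Cert); err != nil {
			return err
		}
		opts := x509.VerifyOptions{Roots: p.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
		if _, err = cert.Verify(opts); err != nil {
			return fmt.Errorf("certificate not valid: %w", err)
		}
	}
	if cert == nil {
		return errors.New("fast access: no certificate provisioned in the local device")
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, m.Digest, m.Signature) {
		return errors.New("signature verification failed")
	}
	return nil
}

// Handshake runs request, response and confirmation; a nil result means the server allows network access.
// For FastAccess the other Party's certificate stands in for the copy held in the local cryptographic device.
func Handshake(terminal, server *Party, t AuthType) error {
	req, err := terminal.Sign(t) // first function
	if err == nil {
		err = server.Verify(req, terminal.cert) // third function: verify the request
	}
	if err != nil {
		return fmt.Errorf("request rejected: %w", err)
	}
	resp, err := server.Sign(t) // third function: build the response
	if err == nil {
		err = terminal.Verify(resp, server.cert) // second function
	}
	if err != nil {
		return fmt.Errorf("response rejected: %w", err)
	}
	if err = server.Verify(req, terminal.cert); err == nil { // fourth function: both halves of the confirmation
		err = server.Verify(resp, server.cert)
	}
	if err != nil {
		return fmt.Errorf("confirmation rejected: %w", err)
	}
	return nil
}

func must(p *Party, err error) *Party {
	if err != nil {
		panic(err)
	}
	return p
}

func main() {
	ca := must(Issue("test CA", 1, time.Now().Add(24*time.Hour), nil))
	term := must(Issue("terminal-01", 2, time.Now().Add(time.Hour), ca))
	srv := must(Issue("server-01", 3, time.Now().Add(time.Hour), ca))
	for _, typ := range []AuthType{PhysicalTerminal, VirtualTerminal, FastAccess} {
		fmt.Println("type", typ, "allowed:", Handshake(term, srv, typ) == nil)
	}
}
```

Two points the listing makes concrete. For the physical and virtual terminal types the "legitimate and valid" check is a chain-and-validity-period check against the trust root, so an expired certificate or one issued by another CA is rejected before any signature is examined; the fast type, as described on the page, skips that check and trusts whatever certificate the local cryptographic device holds, so certificate lifecycle for fast-access terminals has to be handled when the device is provisioned. Also, as on the page, each signature covers only the sender's own random number: nothing in the description ties the response to the request, so a deployment that needs freshness would include the peer's value under the signature rather than rely on this exchange alone.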
According to a third aspect of the embodiments, a terminal network access authentication apparatus applied to a terminal in a video network is also disclosed, the terminal being communicatively connected to a server in the video network. The apparatus comprises: a network access authentication request module for calling a first function of a pre-configured terminal middleware to generate network access authentication request information according to the terminal's network access authentication type, which is a physical terminal type, a virtual terminal type or a fast network access type, and for sending the request information to the server; and a network access authentication confirmation module for calling a second function of the terminal middleware to verify the network access authentication response information returned by the server, generating network access authentication confirmation information if verification passes, and sending the confirmation information to the server. The inputs of the first function include a handle of a first cryptographic device communicatively connected to the terminal, and its outputs include one or more of a terminal random number, a terminal signature certificate and security configuration information; the inputs of the second function include the handle of the first cryptographic device and the response information, and its output includes the confirmation information.
Optionally, the network access authentication request module comprises: a terminal signature certificate reading module for calling the first function of the terminal middleware to read the terminal signature certificate from the first cryptographic device communicatively connected to the terminal; and a request information generating module for generating the request information from the terminal signature certificate, the terminal random number and the network access authentication type.
Optionally, when the type is the physical terminal type or the virtual terminal type, the request information generating module comprises: a first calculation module for computing a terminal digest value of the terminal random number with a hash algorithm; a first signature module for signing the terminal digest value with the terminal signature private key corresponding to the terminal signature certificate to obtain a terminal signature value; and a first packaging module for packaging the terminal signature certificate, the terminal digest value and the terminal signature value into the request information. When the type is the fast network access type, the request information generating module comprises: a second calculation module for computing the terminal digest value of the terminal random number with the hash algorithm; a second signature module for signing the terminal digest value with the terminal signature private key to obtain the terminal signature value; and a second packaging module for packaging only the terminal digest value and the terminal signature value into the request information.
Optionally, the network access authentication confirmation module is configured to call the second function of the terminal middleware to obtain a server signature certificate and to verify the response information against the server signature certificate.
Optionally, when the type is the physical terminal type or the virtual terminal type, the network access authentication confirmation module comprises: a first parsing module for calling the second function to parse the response information into the server signature certificate, the server digest value and the server signature value; a first checking module for checking whether the server signature certificate is legitimate and valid; and a first signature verification module for verifying the server signature value with the server signature public key in the server signature certificate and the server digest value, provided the certificate is legitimate and valid. When the type is the fast network access type, the confirmation module comprises: a second reading module for calling the second function to read the server signature certificate from the first cryptographic device; a second parsing module for calling the second function to parse the response information into the server digest value and the server signature value; and a second signature verification module for verifying the server signature value with the server signature public key in the server signature certificate and the server digest value.
Optionally, when the type is the physical terminal type or the virtual terminal type, the confirmation module is configured to call the second function to package the terminal signature certificate, the server signature certificate, the terminal digest value, the server digest value, the terminal signature value and the server signature value into the confirmation information; when the type is the fast network access type, it is configured to call the second function to package only the terminal digest value, the server digest value, the terminal signature value and the server signature value into the confirmation information.
According to the fourth aspect of the embodiments of the present invention, there is also disclosed a terminal network access authentication apparatus, which is applied to a server in a video network, wherein the server is in communication connection with a terminal in the video network, and the apparatus includes: the network access authentication verification module is used for calling a third function of a pre-configured server middleware to verify network access authentication request information from the terminal, wherein the network access authentication request information comprises a network access authentication type of the terminal, and the network access authentication type comprises an entity terminal type, a virtual terminal type or a quick network access type; the network access authentication response module is used for calling the third function of the server middleware under the condition that the network access authentication request information is verified to pass, generating network access authentication response information according to the network access authentication type and sending the network access authentication response information to the terminal; the network access authentication verification module is further configured to invoke a fourth function of the server middleware to verify the network access authentication confirmation information, and allow the terminal to access the network if the network access authentication confirmation information is verified; wherein, the input item of the third function comprises one or more of a handle of a second password device which is connected with the server in a communication way, a terminal random number and a terminal signing certificate, and the output item of the third function comprises the network access authentication response information; an input item of the fourth function comprises a handle of the second password device and the network access authentication confirmation 
information; the output item of the fourth function contains the verification result of the network access authentication confirmation information.
Optionally, the network access authentication verifying module is configured to call the third function of the server middleware to obtain the terminal signature certificate, and verify the network access authentication request information according to the terminal signature certificate.
Optionally, when the network access authentication type is the entity terminal type or the virtual terminal type, the network access authentication verification module includes: the third analysis module is used for calling the third function of the server middleware to analyze the network access authentication request information to obtain the terminal signature certificate, the terminal abstract value and the terminal signature value; the third checking module is used for checking whether the terminal signature certificate is legal and valid; the third signature verification module is used for verifying the signature of the terminal signature value by using the terminal signature public key and the terminal abstract value in the terminal signature certificate under the condition that the terminal signature certificate is legal and effective; when the network access authentication type is the fast network access type, the network access authentication verification module includes: a fourth reading module, configured to call the third function of the server middleware to read the terminal signature certificate from the second cryptographic device; the fourth analysis module is used for calling the third function of the server middleware to analyze the network access authentication request information to obtain the terminal abstract value and the terminal signature value; and the fourth signature verification module is used for performing signature verification operation on the terminal signature value by using the terminal signature public key and the terminal abstract value in the terminal signature certificate.
Optionally, the network access authentication response module includes: a server signature certificate reading module, configured to call the third function of the server middleware to read the server signature certificate from the second cryptographic device; and a response information generating module, configured to generate the network access authentication response information according to the server signature certificate, the server random number and the network access authentication type.
Optionally, when the network access authentication type is the entity terminal type or the virtual terminal type, the response information generating module includes: a third calculation module, configured to calculate the server digest value of the server random number by using a hash algorithm; a third signature module, configured to perform a signature operation on the server digest value by using the server signature private key in the server signature certificate to obtain a server signature value; and a third encapsulation module, configured to encapsulate the server signature certificate, the server digest value and the server signature value as the network access authentication response information. When the network access authentication type is the fast network access type, the response information generating module includes: a fourth calculation module, configured to calculate the server digest value of the server random number by using the hash algorithm; a fourth signature module, configured to perform a signature operation on the server digest value by using the server signature private key in the server signature certificate to obtain a server signature value; and a fourth encapsulation module, configured to encapsulate the server digest value and the server signature value as the network access authentication response information.
Optionally, the network access authentication verifying module is further configured to call a fourth function of the server middleware to obtain the terminal signature certificate and the server signature certificate, and verify the network access authentication confirmation information according to the terminal signature certificate and the server signature certificate.
Optionally, when the network access authentication type is the entity terminal type or the virtual terminal type, the third parsing module is further configured to call a fourth function of the server middleware to parse the network access authentication confirmation information to obtain the terminal signature certificate, the server signature certificate, the terminal digest value, the server digest value, the terminal signature value and the server signature value; the third checking module is further configured to check whether the terminal signature certificate and the server signature certificate are legal and valid; and the third signature verification module is further configured to, under the condition that the terminal signature certificate and the server signature certificate are both legal and valid, perform a signature verification operation on the terminal signature value by using the terminal signature public key in the terminal signature certificate and the terminal digest value, and perform a signature verification operation on the server signature value by using the server signature public key in the server signature certificate and the server digest value. When the network access authentication type is the fast network access type, the fourth reading module is further configured to call a fourth function of the server middleware to read the terminal signature certificate and the server signature certificate from the second cryptographic device; the fourth parsing module is further configured to call a fourth function of the server middleware to parse the network access authentication confirmation information to obtain the terminal digest value, the server digest value, the terminal signature value and the server signature value; and the fourth signature verification module is further configured to perform a signature verification operation on the terminal signature value by using the terminal signature public key in the terminal signature certificate and the terminal digest value, and perform a signature verification operation on the server signature value by using the server signature public key in the server signature certificate and the server digest value.
According to a fifth aspect of the embodiments of the present invention, a terminal network access authentication system is further disclosed, which is applied to a video network, where the video network includes a terminal and a server, and the terminal is communicatively connected to the server; the terminal includes the terminal network access authentication device according to the third aspect, and the server includes the terminal network access authentication device according to the fourth aspect.
According to a sixth aspect of the embodiments of the present invention, an apparatus is further disclosed, comprising: one or more processors; and one or more machine-readable media having instructions stored thereon which, when executed by the one or more processors, cause the apparatus to perform the terminal network access authentication method according to the first aspect and/or the second aspect.
According to a seventh aspect of the embodiments of the present invention, there is also disclosed a computer-readable storage medium, which is characterized in that a stored computer program causes a processor to execute the terminal network access authentication method according to the first aspect and/or the second aspect.
The embodiment of the invention has the following advantages:
In the terminal network access authentication method provided by the embodiment of the invention, a terminal in the video network calls a first function of a terminal middleware and generates network access authentication request information according to the network access authentication type of the terminal, where the network access authentication type includes an entity terminal type, a virtual terminal type or a fast network access type. The network access authentication request information is sent to the server, so that the server returns network access authentication response information under the condition that the network access authentication request information passes verification. Then, a second function of the terminal middleware is called to verify the network access authentication response information, network access authentication confirmation information is generated under the condition that the verification passes, and the network access authentication confirmation information is sent to the server, so that the server allows the terminal to access the network under the condition that the network access authentication confirmation information passes verification.
In a first aspect, the network access authentication request information is generated according to the network access authentication type of the terminal and contains no account and no password, so that the security risk caused by forgotten or stolen accounts and passwords is avoided, the difficulty of decoding and analyzing the network access authentication request information is increased, and the network access security of the terminal is improved.
In a second aspect, in the embodiment of the present invention, the terminal generates the network access authentication request information by calling the first function of the terminal middleware, and verifies the network access authentication response information and generates the network access authentication confirmation information by calling the second function of the terminal middleware. Adding the terminal middleware to the network access authentication process enriches the interaction layers between the terminal and the server: the first function generates the request information, and the second function verifies the response information and generates the confirmation information, which simplifies the steps the terminal performs to generate the request and confirmation information and to verify the response information.
In a third aspect, the network access authentication type of the terminal may include an entity terminal type, a virtual terminal type, or a fast network access type. Various types of network access authentication request information can be generated according to the network access authentication type. The network access authentication request messages of various types are provided for the network access authentication of the terminal, and the network access authentication requirements of terminals of different network access authentication types are met.
In a fourth aspect, the server verifies the network access authentication request information and the network access authentication confirmation information of the terminal, and the terminal also verifies the network access authentication response information of the server, so that bidirectional verification between the terminal and the server is realized and the network access security of the terminal is improved.
Drawings
FIG. 1 is a schematic flowchart of terminal network access authentication according to the present invention;
FIG. 2 is a flowchart illustrating the steps of an embodiment of a terminal network access authentication method according to the present invention;
FIG. 3 is a flowchart illustrating the steps of another embodiment of a terminal network access authentication method according to the present invention;
FIG. 4 is a schematic diagram of bidirectional authentication between a terminal and a server according to the present invention;
FIG. 5 is a flowchart illustrating the steps of an embodiment of a method for authenticating a terminal in a video conference system according to the present invention;
FIG. 6 is a schematic flowchart of an embodiment of a terminal network access authentication method based on a video network according to the present invention;
FIG. 7 is a block diagram of an embodiment of a terminal network access authentication device according to the present invention;
FIG. 8 is a block diagram of another embodiment of a terminal network access authentication device according to the present invention.
Detailed Description
In order to make the aforementioned objects, features and advantages of the present invention comprehensible, embodiments accompanied with figures are described in further detail below.
A public key infrastructure (PKI) is a standards-compliant set of technologies and specifications that provides a secure infrastructure for network data transmission using public key cryptography. The basis for establishing a secure communication trust mechanism with a PKI is that any communication requiring security services is based on a public key, and the private key paired with that public key is held only by the other party to the communication. Encrypting a digest value with the private key is called the signature operation; decrypting the signature value with the public key and comparing the result with the digest value is called the signature verification operation.
As shown in fig. 1, when applying for network access authentication to a server, a terminal in the embodiment of the present invention sends network access authentication request information to the server, and the server returns network access authentication response information to the terminal when the network access authentication request information is verified. And the terminal sends network access authentication confirmation information to the server when the network access authentication response information is verified, and the server allows the terminal to access the network when the network access authentication confirmation information is verified. The network access authentication request information sent by the terminal to the server can be generated by the terminal according to the network access authentication type of the terminal. The network access authentication request information does not need to include an account and a password of the terminal.
Referring to fig. 2, a flowchart illustrating steps of an embodiment of a terminal network access authentication method according to the present invention is shown, where the method may be applied to a terminal in a video network, and the terminal may be communicatively connected to a server in the video network. The method specifically comprises the following steps:
step 201, calling a first function of the terminal middleware configured in advance, generating network access authentication request information according to the network access authentication type of the terminal, and sending the network access authentication request information to a server.
In an embodiment of the present invention, a first cryptographic device (e.g., a UKey) may be connected to the terminal, and a terminal signature certificate is stored in the UKey in advance. The terminal signature certificate comprises a paired terminal signature public key and terminal signature private key. An application program in the terminal can call the first function of the terminal middleware to acquire the terminal signature certificate from the UKey. Middleware is software that sits between application programs and system programs; it uses the basic services (functions) provided by the system programs to connect the parts of an application program, or different applications on the network, so as to share resources and functions. An interface for accessing the UKey and the like can be configured in advance in the first function of the terminal middleware, which simplifies the step of the application program acquiring the terminal signature certificate directly from the UKey. In practical application, an application program in the terminal can call the first function of the terminal middleware to acquire the terminal signature certificate from the UKey through a terminal cryptographic module. The terminal cryptographic module provides cryptographic operations for the terminal, such as encryption and signature operations.
When the first function of the terminal middleware is called to generate the network access authentication request information, the network access authentication request information can be generated according to the terminal signature certificate, the terminal random number and the network access authentication type of the terminal.
In the embodiment of the present invention, the network access authentication type of the terminal may include an entity terminal type, a virtual terminal type or a fast network access type. The entity terminal type indicates that the terminal is an entity terminal in the video network; the virtual terminal type indicates that the terminal is a virtual terminal in the video network. The fast network access type is a concept of the service layer and is a temporary network access authentication strategy. When the network access authentication type of the terminal is the entity terminal type or the virtual terminal type, the terminal and the server need to transmit certificates to each other; when it is the fast network access type, no certificates need to be exchanged between the terminal and the server.
In step 201, different network access authentication request information may be generated according to the different network access authentication types of the terminal, and accordingly the server may verify the different request information according to the network access authentication type and return different network access authentication response information. Whatever data the generated network access authentication request information contains, none of these variants contains an account or a password.
When the network access authentication type is the entity terminal type or the virtual terminal type, the step of generating the network access authentication request information may include: first, a terminal digest value of the terminal random number is calculated by using a hash algorithm. A hash algorithm converts an input message string of arbitrary length into an output message string of fixed length. Then, a signature operation is performed on the terminal digest value by using the terminal signature private key in the terminal signature certificate to obtain a terminal signature value. Finally, the terminal signature certificate, the terminal digest value and the terminal signature value are encapsulated into a network access authentication request message. In practical application, the network access authentication request message can be encapsulated according to a preset "key-length-value" protocol: the "key" identifies the terminal signature certificate, the terminal digest value and the terminal signature value respectively; the corresponding "length" gives the number of bytes of the terminal signature certificate, the terminal digest value and the terminal signature value respectively; and the corresponding "value" carries the actual bytes of the terminal signature certificate, the terminal digest value and the terminal signature value respectively.
When the network access authentication type is the fast network access type, the step of generating the network access authentication request information may include: first, a terminal digest value of the terminal random number is calculated by using a hash algorithm. Then, a signature operation is performed on the terminal digest value by using the terminal signature private key in the terminal signature certificate to obtain a terminal signature value. Finally, the terminal digest value and the terminal signature value are encapsulated into a network access authentication request message according to the key-length-value protocol.
In an embodiment of the invention, the input of the first function may comprise a handle of the first cryptographic device and the output of the first function may comprise one or more of a terminal nonce, a terminal signature certificate and security configuration information.
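The key-length-value encapsulation of step 201 and the server-side rule of step 302 (a certificate present in the parsed request means the entity or virtual terminal type, absent means the fast type), as an added Go example that is not part of the patent or of any Visionvera implementation. The one-byte key values, the two-byte big-endian length field and the placeholder certificate and signature bytes are assumptions made for the example; the page fixes none of them. The point of the parser is the check a receiving server needs before it trusts the parsed digest and signature: every declared length is compared with the bytes actually received, so a truncated or length-inflated message is rejected rather than read past its end, and a repeated key is refused so that a later copy cannot override a field already parsed.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Key identifiers for the fields of a request message. The byte values are
// constructed for this example; the page only says a "key" identifies each field.
const (
	KeySignCert  byte = 0x01 // terminal signature certificate
	KeyDigest    byte = 0x02 // terminal digest value
	KeySignature byte = 0x03 // terminal signature value
)

// Item is one key-length-value element.
type Item struct {
	Key   byte
	Value []byte
}

// encodeKLV writes each item as a 1-byte key, a 2-byte big-endian length and the
// value. The field widths are an assumption; the page does not fix them.
func encodeKLV(items []Item) ([]byte, error) {
	var out []byte
	for _, it := range items {
		if len(it.Value) > 0xFFFF {
			return nil, fmt.Errorf("key 0x%02x: %d bytes does not fit a 2-byte length", it.Key, len(it.Value))
		}
		var n [2]byte
		binary.BigEndian.PutUint16(n[:], uint16(len(it.Value)))
		out = append(out, it.Key)
		out = append(out, n[:]...)
		out = append(out, it.Value...)
	}
	return out, nil
}

// parseKLV is the receiving side. Every declared length is checked against the
// bytes actually present, and a repeated key is refused.
func parseKLV(msg []byte) (map[byte][]byte, error) {
	fields := make(map[byte][]byte)
	for off := 0; off < len(msg); {
		if len(msg)-off < 3 {
			return nil, errors.New("truncated key-length header")
		}
		key := msg[off]
		n := int(binary.BigEndian.Uint16(msg[off+1 : off+3]))
		off += 3
		if n > len(msg)-off {
			return nil, fmt.Errorf("key 0x%02x: declared length %d exceeds the %d bytes left", key, n, len(msg)-off)
		}
		if _, dup := fields[key]; dup {
			return nil, fmt.Errorf("key 0x%02x appears twice", key)
		}
		fields[key] = append([]byte(nil), msg[off:off+n]...)
		off += n
	}
	return fields, nil
}

// buildRequest encapsulates the request in the two shapes the page describes:
// the entity/virtual terminal types carry the certificate, the fast type does not.
func buildRequest(fast bool, cert, digest, sig []byte) ([]byte, error) {
	items := []Item{{KeyDigest, digest}, {KeySignature, sig}}
	if !fast {
		items = append([]Item{{KeySignCert, cert}}, items...)
	}
	return encodeKLV(items)
}

// classifyRequest applies the server-side rule: a certificate in the parsed result
// means entity/virtual terminal type, no certificate means fast type. The digest and
// signature fields are mandatory in both cases.
func classifyRequest(msg []byte) (fast bool, fields map[byte][]byte, err error) {
	fields, err = parseKLV(msg)
	if err != nil {
		return false, nil, err
	}
	for _, k := range []byte{KeyDigest, KeySignature} {
		if _, ok := fields[k]; !ok {
			return false, nil, fmt.Errorf("request lacks mandatory key 0x%02x", k)
		}
	}
	_, hasCert := fields[KeySignCert]
	return !hasCert, fields, nil
}

func main() {
	// Constructed sample values: a random number, its digest, and placeholder
	// certificate and signature bytes (real ones would come from the UKey).
	nonce := []byte("constructed terminal random number")
	digest := sha256.Sum256(nonce)
	cert, sig := []byte("<terminal signature certificate>"), []byte("<terminal signature value>")

	for _, fast := range []bool{false, true} {
		msg, _ := buildRequest(fast, cert, digest[:], sig)
		kind, fields, err := classifyRequest(msg)
		fmt.Printf("fast=%v: %d bytes, server classified fast=%v, %d fields, err=%v\n",
			fast, len(msg), kind, len(fields), err)
	}
	_, _, err := classifyRequest([]byte{KeyDigest, 0x00, 0x20, 0xAA}) // claims 32 bytes, carries 1
	fmt.Println("length-inflated message rejected:", err)
}
```

Run with `go run` to see both request shapes encoded, parsed and classified, followed by the rejection of a message whose length field promises more bytes than were sent.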
Step 202, a second function of the terminal middleware is called to verify the access authentication response information returned by the server, access authentication confirmation information is generated under the condition that the verification is passed, and the access authentication confirmation information is sent to the server.
In the embodiment of the present invention, when verifying the network access authentication response information, a second function of the terminal middleware may be called to obtain the server signature certificate, and the network access authentication response information is verified according to the server signature certificate.
Similarly, different verification processes are also carried out on the network access authentication response information according to different network access authentication types.
When the network access authentication type is the entity terminal type or the virtual terminal type, the second function of the terminal middleware can be called to obtain the server signature certificate, the server digest value and the server signature value from the network access authentication response information according to the key-length-value protocol. Then it is checked whether the server signature certificate is legal and valid. To check this, the server signature certificate is parsed to obtain its signature value and its validity period. The signature value of the server signature certificate is verified with the root certificate public key stored on the terminal: if the verification passes, the server signature certificate is a legal server signature certificate; if it fails, the server signature certificate is illegal. Then it is judged whether the current time lies within the validity period: if so, the server signature certificate is valid; if not, it is invalid. Under the condition that the server signature certificate is legal and valid, the server signature certificate is parsed to obtain the server signature public key, and a signature verification operation is performed on the server signature value by using the server signature public key and the server digest value.
When the signature verification operation is performed on the server signature value by using the server signature public key and the server digest value, the server signature value is decrypted with the server signature public key to obtain a server decryption result, and the server decryption result is compared with the server digest value. If the two are the same, the verification of the network access authentication response information passes; if not, the verification does not pass.
When the network access authentication type is the fast network access type, the second function of the terminal middleware can be called to read the server signature certificate from the first cryptographic device (such as the UKey). The second function of the terminal middleware is then called to parse the network access authentication response information according to the key-length-value protocol to obtain the server digest value and the server signature value, and a signature verification operation is performed on the server signature value by using the server signature public key in the server signature certificate and the server digest value.
Correspondingly, when the network access authentication confirmation information is generated, different processing procedures can be adopted to generate different network access authentication confirmation information according to different network access authentication types of the terminal.
When the network access authentication type is the entity terminal type or the virtual terminal type, the second function of the terminal middleware can be called to encapsulate the terminal signature certificate, the server signature certificate, the terminal digest value, the server digest value, the terminal signature value and the server signature value into the network access authentication confirmation information according to the key-length-value protocol.
When the network access authentication type is the fast network access type, the second function of the terminal middleware can be called to encapsulate the terminal digest value, the server digest value, the terminal signature value and the server signature value into the network access authentication confirmation information according to the key-length-value protocol.
In an embodiment of the present invention, the input item of the second function may include a handle of the first cryptographic device and network access authentication response information, and the output item of the second function may include network access authentication confirmation information.
Referring to fig. 3, a flowchart illustrating steps of another embodiment of a terminal network access authentication method according to the present invention is shown, where the method may be applied to a server in a video network, and the server may be communicatively connected to a terminal in the video network. The method specifically comprises the following steps:
step 301, calling a third function of the server middleware configured in advance to verify the network access authentication request information from the terminal.
In the embodiment of the invention, the server receives the network access authentication request information from the terminal and verifies the network access authentication request information. The network access authentication request information may be different network access authentication request information generated by the terminal according to different network access authentication types of the terminal. Different network access authentication request messages may contain different data. The server can verify various data in the network access authentication request information.
When the network access authentication request information is verified, a third function of the server middleware can be called to obtain the terminal signature certificate, and the network access authentication request information is verified according to the terminal signature certificate. In practical application, different verification processes can be performed on the network access authentication request information according to different network access authentication types of the terminal.
When the network access authentication type is the entity terminal type or the virtual terminal type, the third function of the server middleware can be called to parse the network access authentication request information to obtain the terminal signature certificate, the terminal digest value and the terminal signature value; it is checked whether the terminal signature certificate is legal and valid; and under the condition that the terminal signature certificate is legal and valid, the terminal signature certificate is parsed to obtain the terminal signature public key, and a signature verification operation is performed on the terminal signature value by using the terminal signature public key and the terminal digest value.
When the network access authentication type is the fast network access type, the third function of the server middleware can be called to read the terminal signature certificate from the second cryptographic device, and the third function of the server middleware is called to parse the network access authentication request information to obtain the terminal digest value and the terminal signature value; a signature verification operation is then performed on the terminal signature value by using the terminal signature public key in the terminal signature certificate and the terminal digest value. The second cryptographic device may be a Peripheral Component Interconnect Express (PCIE) card in which a server signature certificate is stored in advance. The server signature certificate comprises a paired server signature public key and server signature private key. An application program in the server may call the third function of the server middleware to obtain the server signature certificate from the PCIE card. An interface for accessing the PCIE card and the like is configured in the third function of the server middleware in advance, which simplifies the step of the application program obtaining the server signature certificate directly from the PCIE card. In practical application, an application program in the server may call the third function of the server middleware to obtain the server signature certificate from the PCIE card through a server cryptographic module. The server cryptographic module provides cryptographic operations for the server, such as encryption and signature operations.
And step 302, under the condition that the network access authentication request information is verified, calling a third function of the server middleware, generating network access authentication response information according to the network access authentication type, and sending the network access authentication response information to the terminal.
In the embodiment of the invention, when the network access authentication response information is generated, the third function of the server middleware can be called to read the server signature certificate from the second cryptographic device, and the network access authentication response information is generated according to the server signature certificate, the server random number and the network access authentication type. The network access authentication type of the terminal can be carried in the network access authentication request information, in which case the server parses it from the request information after receiving it. The network access authentication type may also be omitted from the request information; the server then parses the request information after receiving it, and if the parsing result contains a terminal signature certificate, the network access authentication type of the terminal is the entity terminal type or the virtual terminal type, whereas if it does not contain a terminal signature certificate, the type is the fast network access type.
When the network access authentication response information is generated according to the server signing certificate, the server random number and the network access authentication type, different network access authentication response information can be generated according to different network access authentication types.
When the network access authentication type is the entity terminal type or the virtual terminal type, the server digest value of the server random number can be calculated by using a hash algorithm; a signature operation is performed on the server digest value by using the server signature private key in the server signature certificate to obtain a server signature value; and the server signature certificate, the server digest value and the server signature value are encapsulated into the network access authentication response information.
When the network access authentication type is the fast network access type, the server digest value of the server random number can be calculated by using a hash algorithm; a signature operation is performed on the server digest value by using the server signature private key in the server signature certificate to obtain a server signature value; and the server digest value and the server signature value are encapsulated into the network access authentication response information.
In an implementation of the present invention, the input items of the third function may include one or more of a handle of the second cryptographic device, the terminal random number and the terminal signature certificate, and the output item of the third function may include the network access authentication response information.
And step 303, calling a fourth function of the server middleware to verify the network access authentication confirmation information, and allowing the terminal to access the network if the network access authentication confirmation information is verified.
In the embodiment of the invention, the server verifies the network access authentication confirmation information from the terminal, and if the verification is passed, the terminal is allowed to access the network; and if the verification is not passed, refusing the terminal to access the network.
In a preferred embodiment of the present invention, when verifying the network access authentication confirmation information, a fourth function of the server middleware may be called to obtain the terminal signature certificate and the server signature certificate, and the network access authentication confirmation information is verified according to the terminal signature certificate and the server signature certificate. In practical application, different access authentication confirmation information can be verified by adopting different processing procedures according to different access authentication types of the terminal.
When the network access authentication type is the entity terminal type or the virtual terminal type, the fourth function of the server middleware is called to parse the terminal signature certificate, the server signature certificate, the terminal digest value, the server digest value, the terminal signature value and the server signature value from the network access authentication confirmation information; to check whether the terminal signature certificate and the server signature certificate are legal and valid; and, when both certificates are legal and valid, to parse the terminal signature public key from the terminal signature certificate and verify the terminal signature value with that public key and the terminal digest value, and to parse the server signature public key from the server signature certificate and verify the server signature value with that public key and the server digest value.
When the network access authentication type is the quick network access type, the fourth function of the server middleware is called to read the terminal signature certificate and the server signature certificate from the second cryptographic device, and to parse the terminal digest value, the server digest value, the terminal signature value and the server signature value from the network access authentication confirmation information; the terminal signature value is then verified with the terminal signature public key and the terminal digest value, and the server signature value with the server signature public key and the server digest value.
In an embodiment of the present invention, the input items of the fourth function may include the handle of the second cryptographic device and the network access authentication confirmation information; the output item of the fourth function may contain the verification result of the network access authentication confirmation information.
In the terminal network access authentication method applied to the server, the server's verification of the network access authentication request information and of the network access authentication confirmation information proceeds as described for the terminal's verification of the network access authentication response information in the method applied to the terminal; likewise, the server's generation of the network access authentication response information proceeds as described for the terminal's generation of the network access authentication request information and confirmation information, and is not repeated here. In addition, whether the verification is performed by the terminal or by the server, if it fails the terminal is prohibited from accessing the network.
As shown in fig. 4, when applying to the server for network access authentication, the terminal invokes the terminal middleware, obtains the terminal signature certificate from the UKey through the terminal cryptographic module, generates the network access authentication request information from the terminal signature certificate, the terminal random number, the network access authentication type and so on, and sends the request information to the server. The server verifies the request information; if it passes, the server invokes the server middleware, obtains the server signature certificate from the PCIE card through the server cryptographic module, generates the network access authentication response information from the server signature certificate, the server random number, the network access authentication type and so on, and returns the response information to the terminal. The terminal verifies the response information and, if it passes, generates the network access authentication confirmation information and sends it to the server. The server verifies the confirmation information; if it passes, the terminal is allowed to access the network, and if not, the terminal is prohibited from accessing the network.
Referring to fig. 5, a flowchart of the steps of an embodiment of a method for authenticating a terminal in a video conference system according to the present invention is shown; the method specifically includes the following steps. The terminal sends the network access authentication request information to the network management server, and the network management server returns the network access authentication response information to the terminal if the request information passes verification. The terminal sends network access authentication completion information (the confirmation information described above) to the network management server if the response information passes verification. The network management server allows the terminal to access the network if the completion information passes verification.
The network access authentication request information may include an "info" field, a "sing_T" field and a "cert_T" field; the network access authentication response information may include an "info" field, a "sing_S" field and a "cert_S" field; and the network access authentication completion information may include an "info" field. The fields are described in detail in Table 1.
TABLE 1 (the table is an image in the original; its contents are not reproduced here)
The version of the security interaction mechanism identifies the cryptographic algorithms that the terminal and the network management server use uniformly. Quick network access is a concept introduced by the business layer: it is a temporary network access policy under which the terminal and the network management server do not need to send their signature certificates to each other.
Referring to fig. 6, a schematic flowchart of an embodiment of the network access authentication method for a terminal based on the video network according to the present invention is shown: the terminal generates the network access authentication request information with the "VVSec_vEntryNet" function, packages it into the video network format and transmits it to the network management server. The network management server verifies the request information with the "VVSec_vEntryNetResp" function, generates the network access authentication response information using the network root key and the broadcast key applied for from the key manager, packages it into the video network format and transmits it to the terminal. The terminal verifies the response information with the "VVSec_vEntryNetAck" function, generates the network access authentication confirmation information, packages it into the video network format and transmits it to the network management server. The network management server verifies the confirmation information with the "VVSec_vEntryNetFinal" function and completes the network access operation of the terminal. The functions and the data structures of the information are described in detail below.
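The three-message exchange described in the server-side steps above and named by the VVSec_vEntryNet, VVSec_vEntryNetResp, VVSec_vEntryNetAck and VVSec_vEntryNetFinal functions of fig. 6, written out as an added example in Go. This is not code from the patent or from Visionvera: the real middleware, the UKey and PCIE card handles and the video network message format are not modelled. Assumptions: ECDSA on P-256 with SHA-256 stands in for the hash and signature algorithms, which the page does not name; the Cert, Party, TrustStore and Msg types, the serial-number lookup (the page puts the peer certificate's serial number in the info field) and the reduction of the "legal and valid" check to "registered key matches and certificate not expired" are the example's own. The entity terminal and virtual terminal types take the same path, as they do on the page; the fast type carries no certificate and each side uses the certificate its device already holds.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"time"
)

// AuthType mirrors the three network access authentication types on the page.
type AuthType int
const (
	EntityTerminal AuthType = iota
	VirtualTerminal
	FastAccess // no certificate exchange: each side reads the peer's certificate from its own device
)

// Cert is an assumed stand-in for a signing certificate: serial number, public key, expiry.
type Cert struct {
	Serial   string
	Pub      *ecdsa.PublicKey
	NotAfter time.Time
}
// Party is a terminal or a server: its certificate plus the private key held in its cryptographic device.
type Party struct {
	Cert
	priv *ecdsa.PrivateKey
}
func NewParty(serial string, validFor time.Duration) *Party {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	return &Party{Cert{serial, &k.PublicKey, time.Now().Add(validFor)}, k}
}

// TrustStore stands in for the certificates a device already holds, keyed by serial number.
type TrustStore map[string]Cert
// Msg is the common shape of request, response and each half of the confirmation.
type Msg struct {
	Type        AuthType
	Serial      string // serial number of the sender's signing certificate (carried in "info" on the page)
	Digest, Sig []byte // H(random number) and the signature over that digest
	Cert        *Cert  // the sender's certificate; nil for fast access
}

// Sign builds a message as the page describes: digest = hash(random), signature over the digest.
func (p *Party) Sign(t AuthType, random []byte) Msg {
	d := sha256.Sum256(random)
	sig, err := ecdsa.SignASN1(rand.Reader, p.priv, d[:])
	if err != nil { panic(err) }
	m := Msg{Type: t, Serial: p.Serial, Digest: d[:], Sig: sig}
	if t != FastAccess { m.Cert = &p.Cert }
	return m
}

// Verify checks that the certificate is "legal and valid" (registered, key matches, not expired) and that the signature verifies.
func Verify(m Msg, store TrustStore, now time.Time) error {
	c, ok := store[m.Serial]
	switch {
	case !ok:
		return fmt.Errorf("unknown certificate serial %q", m.Serial)
	case m.Type != FastAccess && (m.Cert == nil || !m.Cert.Pub.Equal(c.Pub)):
		return fmt.Errorf("certificate %q missing or not legal", m.Serial) // assumed legality check: must match the registered key
	case now.After(c.NotAfter):
		return fmt.Errorf("certificate %q expired", c.Serial)
	case !ecdsa.VerifyASN1(c.Pub, m.Digest, m.Sig):
		return fmt.Errorf("signature from %q does not verify", m.Serial)
	}
	return nil
}
func randomNumber() []byte { b := make([]byte, 32); rand.Read(b); return b }

// Handshake runs the three messages of fig. 4/5 in order; termStore and srvStore are the certificates
// each side's cryptographic device already holds (srvStore includes the server's own certificate).
func Handshake(term, srv *Party, t AuthType, termStore, srvStore TrustStore, now time.Time) (bool, error) {
	req := term.Sign(t, randomNumber())                // VVSec_vEntryNet: request
	if err := Verify(req, srvStore, now); err != nil { // VVSec_vEntryNetResp: verify request, then answer
		return false, fmt.Errorf("request: %w", err)
	}
	resp := srv.Sign(t, randomNumber())
	if err := Verify(resp, termStore, now); err != nil { // VVSec_vEntryNetAck: verify response, then confirm
		return false, fmt.Errorf("response: %w", err)
	}
	// VVSec_vEntryNetFinal: the confirmation carries both digests and both signatures; the server re-verifies each half.
	for name, m := range map[string]Msg{"terminal": req, "server": resp} {
		if err := Verify(m, srvStore, now); err != nil {
			return false, fmt.Errorf("confirmation, %s part: %w", name, err)
		}
	}
	return true, nil
}

func main() {
	term, srv := NewParty("T-0001", 24*time.Hour), NewParty("S-0001", 24*time.Hour)
	both := TrustStore{term.Serial: term.Cert, srv.Serial: srv.Cert}
	fmt.Println(Handshake(term, srv, EntityTerminal, both, both, time.Now())) // true <nil>
}
```

Handshake returns true only when the request, the response and both halves of the confirmation verify; it fails when the server holds no stored copy of the terminal certificate in the fast case, when a certificate has expired, or when a presented certificate's key does not match the one registered under its serial number. As on the page, each side signs only the digest of its own random number, and the example adds no further fields to the signed data.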
Table 2 shows the relevant description of the "VVSec_vEntryNet" function.
TABLE 2 (the table is an image in the original; its contents are not reproduced here)
In the "VVSec_vEntryNet" function, the DEVICE_portable structure may contain hdev (the handle of the cryptographic device), hcont (the number of times the cryptographic device has been called) and happ (the main program of the cryptographic device). When info is an input, it represents the terminal security configuration information in the network access authentication request information; when the request information is sent to the network management server, whether the certificate data is exported is determined by setting certLabel in info. When info is an output, it likewise represents the terminal security configuration information in the network access authentication request information; when the terminal outputs the request information, if the terminal stores a network management signature certificate, the serial number of that certificate is placed in info, and if it does not, info need not carry the serial number.
Table 3 shows the relevant description of the "VVSec_vEntryNetAck" function.
TABLE 3 (the table is an image in the original; its contents are not reproduced here)
In the "VVSec_vEntryNetAck" function, when info is an input, it represents the server security configuration information in the network access authentication response information; when the response information is sent to the terminal, if the network management server sends the serial number of its signature certificate to the terminal, that serial number is passed in info, and otherwise info need not carry it. When info is an output, it represents the terminal security configuration information in the network access authentication confirmation information; when the terminal outputs the confirmation information, if the terminal needs the network management server to update the terminal signature certificate, certLabel in info is set to 0x03 and the terminal signature certificate is output; otherwise certLabel in info is set to 0.
Table 4 shows the relevant description of the "VVSec_vEntryNetResp" function.
TABLE 4 (the table is an image in the original; its contents are not reproduced here)
In the "VVSec_vEntryNetResp" function, when info is an input, it represents the terminal security configuration information in the network access authentication confirmation information; when the confirmation information is sent to the network management server, certLabel in info is set to 0x02 if the terminal sends a terminal encryption certificate and to 0 otherwise, and if the terminal sends the serial number of the terminal signature certificate, that serial number is passed in info. When info is an output, it represents the server security configuration information in the network access authentication response information; when the network management server outputs the response information, certLabel in info is set to 0x02 if the network management server does not store the terminal encryption certificate locally, and to 0 if it does.
Table 5 shows the relevant description of the "VVSec_vEntryNetFinal" function.
TABLE 5 (the table is an image in the original; its contents are not reproduced here)
In the terminal access authentication method provided by the embodiment of the invention, in the terminal of the video network, a first function of a terminal middleware is called, and access authentication request information is generated according to the access authentication type of the terminal, wherein the access authentication type comprises an entity terminal type, a virtual terminal type or a quick access type. And sending the network access authentication request information to the server so that the server returns network access authentication response information under the condition that the network access authentication request information is verified to be passed. And then, a second function of the terminal middleware is called to verify the network access authentication response information, network access authentication confirmation information is generated under the condition that the verification is passed, and the network access authentication confirmation information is sent to the server, so that the server allows the terminal to access the network under the condition that the verification of the network access authentication confirmation information is passed.
In a first aspect, the network access authentication request information is generated according to the network access authentication type of the terminal and contains no account or password, so the security risks that arise from forgotten or stolen accounts and passwords are avoided, the request information is harder to decode and analyze, and the network access security of the terminal is improved.
In a second aspect, in the embodiment of the present invention, the terminal generates the network access authentication request information by calling the first function of the terminal middleware, and verifies the network access authentication response information by calling the second function of the terminal middleware, and generates the network access authentication confirmation information. The terminal middleware is added in the network access authentication process, interaction levels between the terminal and the server are enriched, the network access authentication request information is generated by using a first function in the terminal middleware, the network access authentication response information is verified by using a second function in the terminal middleware, and network access authentication confirmation information is generated, so that the steps of generating the network access authentication request information and the network access authentication confirmation information by the terminal and verifying the network access authentication response information are simplified.
In a third aspect, the network access authentication type of the terminal may include an entity terminal type, a virtual terminal type, or a fast network access type. Various types of network access authentication request information can be generated according to the network access authentication type. The network access authentication request messages of various types are provided for the network access authentication of the terminal, and the network access authentication requirements of terminals of different network access authentication types are met.
In the fourth aspect, the server verifies the network access authentication request information and the network access authentication confirmation information of the terminal, and the terminal also verifies the network access authentication response information of the server, so that the bidirectional verification of the terminal and the server is realized, and the network access safety of the terminal is improved.
It should be noted that, for simplicity of description, the method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present invention is not limited by the illustrated order of acts, as some steps may occur in other orders or concurrently in accordance with the embodiments of the present invention. Further, those of skill in the art will appreciate that the embodiments described in the specification are presently preferred and that no particular act is required to implement the embodiments of the invention.
Referring to fig. 7, a block diagram of a terminal network access authentication apparatus according to an embodiment of the present invention is shown, where the apparatus may be applied to a terminal in a video network, the terminal is communicatively connected to a server in the video network, and the apparatus may specifically include the following modules:
the network access authentication request module 71 is configured to invoke a first function of a preconfigured terminal middleware, generate network access authentication request information according to a network access authentication type of the terminal, where the network access authentication type includes an entity terminal type, a virtual terminal type, or a fast network access type, and send the network access authentication request information to the server;
the network access authentication confirmation module 72 is configured to invoke a second function of the terminal middleware to verify the network access authentication response information returned by the server, generate network access authentication confirmation information when the verification is passed, and send the network access authentication confirmation information to the server;
wherein the input item of the first function comprises a handle of a first cryptographic device communicatively connected to the terminal, and the output items of the first function comprise one or more of a terminal random number, a terminal signature certificate and security configuration information; and the input items of the second function comprise the handle of the first cryptographic device and the network access authentication response information, and the output item of the second function comprises the network access authentication confirmation information.
In a preferred embodiment of the present invention, the network access authentication request module 71 includes:
the terminal signature certificate reading module is used for calling the first function of the terminal middleware to read the first cryptographic device communicatively connected to the terminal to obtain the terminal signature certificate;
and the request information generating module is used for generating the network access authentication request information according to the terminal signature certificate, the terminal random number and the network access authentication type.
In a preferred embodiment of the present invention, when the network access authentication type is the entity terminal type or the virtual terminal type, the request information generating module includes:
the first calculation module is used for calculating a terminal digest value of the terminal random number using a hash algorithm;
the first signature module is used for signing the terminal digest value with the terminal signature private key in the terminal signature certificate to obtain a terminal signature value;
a first encapsulation module, configured to encapsulate the terminal signature certificate, the terminal digest value and the terminal signature value as the network access authentication request information;
when the network access authentication type is the fast network access type, the request information generating module includes:
a second calculation module, configured to calculate the terminal digest value of the terminal random number using the hash algorithm;
the second signature module is used for signing the terminal digest value with the terminal signature private key in the terminal signature certificate to obtain the terminal signature value;
and the second encapsulation module is used for encapsulating the terminal digest value and the terminal signature value into the network access authentication request information.
In a preferred embodiment of the present invention, the network access authentication confirming module 72 is configured to call the second function of the terminal middleware to obtain a server signature certificate, and verify the network access authentication response information according to the server signature certificate.
In a preferred embodiment of the present invention, when the network access authentication type is the entity terminal type or the virtual terminal type, the network access authentication confirmation module 72 includes:
the first analysis module is used for calling the second function of the terminal middleware to parse the network access authentication response information to obtain the server signature certificate, the server digest value and the server signature value;
the first checking module is used for checking whether the server signature certificate is legal and valid;
the first signature verification module is used for verifying the server signature value with the server signature public key in the server signature certificate and the server digest value, provided that the server signature certificate is legal and valid;
when the network access authentication type is the fast network access type, the network access authentication confirmation module 72 includes:
the second reading module is used for calling the second function of the terminal middleware to read the server signature certificate from the first cryptographic device;
the second analysis module is used for calling the second function of the terminal middleware to parse the network access authentication response information to obtain the server digest value and the server signature value;
and the second signature verification module is used for verifying the server signature value with the server signature public key in the server signature certificate and the server digest value.
In a preferred embodiment of the present invention, when the network access authentication type is the entity terminal type or the virtual terminal type, the network access authentication confirmation module 72 is configured to call the second function of the terminal middleware to package the terminal signature certificate, the server signature certificate, the terminal digest value, the server digest value, the terminal signature value, and the server signature value into the network access authentication confirmation information;
and when the network access authentication type is the fast network access type, the network access authentication confirmation module 72 is configured to call the second function of the terminal middleware to package the terminal digest value, the server digest value, the terminal signature value, and the server signature value into the network access authentication confirmation information.
Referring to fig. 8, a block diagram of another embodiment of the terminal network access authentication apparatus according to the present invention is shown, where the apparatus may be applied to a server in a video network, where the server is communicatively connected to a terminal in the video network, and the apparatus may specifically include the following modules:
the network access authentication verification module 81 is configured to invoke a third function of a preconfigured server middleware to verify network access authentication request information from the terminal, where the network access authentication request information includes a network access authentication type of the terminal, and the network access authentication type includes an entity terminal type, a virtual terminal type, or a fast network access type;
the network access authentication response module 82 is configured to, in a case that the network access authentication request information is verified, invoke the third function of the server middleware, generate network access authentication response information according to the network access authentication type, and send the network access authentication response information to the terminal;
the network access authentication verification module 81 is further configured to invoke a fourth function of the server middleware to verify the network access authentication confirmation information, and allow the terminal to access the network if the network access authentication confirmation information is verified;
wherein the input items of the third function comprise one or more of a handle of a second cryptographic device communicatively connected to the server, a terminal random number and a terminal signature certificate, and the output item of the third function comprises the network access authentication response information; the input items of the fourth function comprise the handle of the second cryptographic device and the network access authentication confirmation information; and the output item of the fourth function contains the verification result of the network access authentication confirmation information.
In a preferred embodiment of the present invention, the network access authentication verifying module 81 is configured to call the third function of the server middleware to obtain the terminal signature certificate, and verify the network access authentication request information according to the terminal signature certificate.
In a preferred embodiment of the present invention, when the network access authentication type is the entity terminal type or the virtual terminal type, the network access authentication verifying module 81 includes:
the third analysis module is used for calling the third function of the server middleware to parse the network access authentication request information to obtain the terminal signature certificate, the terminal digest value and the terminal signature value;
the third checking module is used for checking whether the terminal signature certificate is legal and valid;
the third signature verification module is used for verifying the terminal signature value with the terminal signature public key in the terminal signature certificate and the terminal digest value, provided that the terminal signature certificate is legal and valid;
when the network access authentication type is the fast network access type, the network access authentication verification module 81 includes:
a fourth reading module, configured to call the third function of the server middleware to read the terminal signature certificate from the second cryptographic device;
the fourth analysis module is used for calling the third function of the server middleware to parse the network access authentication request information to obtain the terminal digest value and the terminal signature value;
and the fourth signature verification module is used for verifying the terminal signature value with the terminal signature public key in the terminal signature certificate and the terminal digest value.
In a preferred embodiment of the present invention, the network entry authentication response module 82 includes:
the server signature certificate reading module is used for calling the third function of the server middleware to read the server signature certificate from the second cryptographic device;
and the response information generating module is used for generating the network access authentication response information according to the server signature certificate, the server random number and the network access authentication type.
In a preferred embodiment of the present invention, when the network access authentication type is the entity terminal type or the virtual terminal type, the response information generating module includes:
the third calculation module is used for calculating the server digest value of the server random number using a hash algorithm;
the third signature module is used for carrying out signature operation on the server digest value by using a server signature private key in the server signature certificate to obtain a server signature value;
a third encapsulation module, configured to encapsulate the server signature certificate, the server digest value, and the server signature value as the network access authentication response information;
when the network access authentication type is the fast network access type, the response information generating module includes:
a fourth calculating module, configured to calculate the server digest value of the server random number by using the hash algorithm;
the fourth signature module is used for performing signature operation on the server digest value by using the server signature private key in the server signature certificate to obtain a server signature value;
and the fourth encapsulation module is used for encapsulating the server digest value and the server signature value into the network access authentication response information.
In a preferred embodiment of the present invention, the network access authentication verifying module 81 is further configured to call a fourth function of the server middleware to obtain the terminal signature certificate and the server signature certificate, and verify the network access authentication confirmation information according to the terminal signature certificate and the server signature certificate.
In a preferred embodiment of the present invention, when the network access authentication type is the physical terminal type or the virtual terminal type,
the third analysis module is further configured to invoke the fourth function of the server middleware to parse the network access authentication confirmation information to obtain the terminal signature certificate, the server signature certificate, the terminal digest value, the server digest value, the terminal signature value and the server signature value;
the third checking module is further configured to check whether the terminal signature certificate and the server signature certificate are legal and valid;
the third signature verification module is further configured to, under the condition that the terminal signature certificate and the server signature certificate are both legal and valid, perform signature verification operation on the terminal signature value by using the terminal signature public key and the terminal digest value in the terminal signature certificate, and perform signature verification operation on the server signature value by using the server signature public key and the server digest value in the server signature certificate;
when the network access authentication type is the fast network access type,
the fourth reading module is further configured to call a fourth function of the server middleware to read the terminal signature certificate and the server signature certificate from the second cryptographic device;
the fourth parsing module is further configured to invoke a fourth function of the server middleware to parse the network access authentication confirmation information to obtain the terminal digest value, the server digest value, the terminal signature value, and the server signature value;
the fourth signature verification module is further configured to perform signature verification operation on the terminal signature value by using the terminal signature public key and the terminal digest value in the terminal signature certificate, and perform signature verification operation on the server signature value by using the server signature public key and the server digest value in the server signature certificate.
Since the device embodiment is essentially similar to the method embodiment, it is described only briefly; for the relevant details, refer to the corresponding description of the method embodiment.
The embodiment of the invention also provides a terminal network access authentication system applied to a video network, wherein the video network comprises a terminal and a server, the terminal is in communication connection with the server, the terminal comprises the terminal network access authentication device shown in fig. 7, and the server comprises the terminal network access authentication device shown in fig. 8.
The embodiments in the present specification are all described in a progressive manner, and each embodiment focuses on differences from other embodiments, and portions that are the same and similar between the embodiments may be referred to each other.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, apparatus, or computer program product. Accordingly, embodiments of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
Embodiments of the present invention are described with reference to flowchart illustrations and/or block diagrams of methods, terminal devices (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing terminal to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing terminal, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing terminal to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing terminal to cause a series of operational steps to be performed on the computer or other programmable terminal to produce a computer implemented process such that the instructions which execute on the computer or other programmable terminal provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications of these embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including the preferred embodiment and all changes and modifications that fall within the true scope of the embodiments of the present invention.
Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or terminal that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or terminal. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of additional like elements in a process, method, article, or terminal device that comprises the element.
The terminal network access authentication method, apparatus, system and storage medium provided by the present invention are described in detail above. A specific example is used herein to explain the principle and implementation of the present invention, and the description of the above embodiments is only intended to help in understanding the method and core idea of the present invention; at the same time, a person skilled in the art may, according to the idea of the present invention, change the specific embodiments and the scope of application. In summary, the content of this specification should not be construed as limiting the present invention.

Claims (29)

1. A terminal network access authentication method is applied to a terminal in a video network, and the terminal is in communication connection with a server in the video network, and the method comprises the following steps:
calling a first function of a pre-configured terminal middleware, generating network access authentication request information according to a network access authentication type of the terminal, wherein the network access authentication type comprises a physical terminal type, a virtual terminal type or a fast network access type, and sending the network access authentication request information to the server;
calling a second function of the terminal middleware to verify the network access authentication response information returned by the server, generating network access authentication confirmation information under the condition that the verification is passed, and sending the network access authentication confirmation information to the server;
wherein the input item of the first function comprises a handle of a first cryptographic device which is in communication connection with the terminal, and the output item of the first function comprises one or more of a terminal random number, a terminal signature certificate and security configuration information; and the input item of the second function comprises the handle of the first cryptographic device and the network access authentication response information, and the output item of the second function comprises the network access authentication confirmation information.
2. The method according to claim 1, wherein the step of calling the first function of the pre-configured terminal middleware and generating the network access authentication request information according to the network access authentication type of the terminal comprises:
calling the first function of the terminal middleware to read the terminal signature certificate from the first cryptographic device in communication connection with the terminal;
and generating the network access authentication request information according to the terminal signature certificate, the terminal random number and the network access authentication type.
3. The method according to claim 2, wherein when the network access authentication type is the physical terminal type or the virtual terminal type, the step of generating the network access authentication request information according to the terminal signature certificate, the terminal random number, and the network access authentication type includes:
calculating a terminal digest value of the terminal random number by using a hash algorithm;
performing a signature operation on the terminal digest value by using a terminal signature private key in the terminal signature certificate to obtain a terminal signature value;
packaging the terminal signature certificate, the terminal digest value and the terminal signature value into the network access authentication request information;
when the network access authentication type is the fast network access type, the step of generating the network access authentication request information according to the terminal signature certificate, the terminal random number and the network access authentication type comprises the following steps:
calculating the terminal digest value of the terminal random number by using the hash algorithm;
signing the terminal digest value by using the terminal signature private key in the terminal signature certificate to obtain the terminal signature value;
and packaging the terminal digest value and the terminal signature value into the network access authentication request information.
4. The method according to claim 1, wherein the step of calling the second function of the terminal middleware to verify the network access authentication response information returned by the server comprises:
and calling the second function of the terminal middleware to acquire a server signature certificate, and verifying the network access authentication response information according to the server signature certificate.
5. The method according to claim 4, wherein when the network access authentication type is the physical terminal type or the virtual terminal type, the step of calling the second function of the terminal middleware to obtain a server signature certificate, and performing verification processing on the network access authentication response information according to the server signature certificate includes:
calling the second function of the terminal middleware to parse the network access authentication response information to obtain the server signature certificate, the server digest value and the server signature value;
verifying whether the server signature certificate is legal and valid;
under the condition that the server signature certificate is legal and valid, performing signature verification operation on the server signature value by using a server signature public key and the server digest value in the server signature certificate;
when the network access authentication type is the fast network access type, the step of calling the second function of the terminal middleware to obtain a server signature certificate and verifying the network access authentication response information according to the server signature certificate comprises the following steps:
calling the second function of the terminal middleware to read the server signature certificate from the first cryptographic device;
calling the second function of the terminal middleware to parse the network access authentication response information to obtain the server digest value and the server signature value;
and performing signature verification operation on the server signature value by using the server signature public key and the server digest value in the server signature certificate.
6. The method according to claim 5, wherein when the network access authentication type is the physical terminal type or the virtual terminal type, the step of generating the network access authentication confirmation information includes:
calling the second function of the terminal middleware to package the terminal signature certificate, the server signature certificate, the terminal digest value, the server digest value, the terminal signature value and the server signature value into the network access authentication confirmation information;
when the network access authentication type is the fast network access type, the step of generating network access authentication confirmation information includes:
and calling the second function of the terminal middleware to package the terminal digest value, the server digest value, the terminal signature value and the server signature value into the network access authentication confirmation information.
7. A terminal network access authentication method is applied to a server in a video network, wherein the server is in communication connection with a terminal in the video network, and the method comprises the following steps:
calling a third function of a pre-configured server middleware to verify the network access authentication request information from the terminal, wherein the network access authentication request information comprises a network access authentication type of the terminal, and the network access authentication type comprises a physical terminal type, a virtual terminal type or a fast network access type;
under the condition that the network access authentication request information is verified, calling the third function of the server middleware, generating network access authentication response information according to the network access authentication type, and sending the network access authentication response information to the terminal;
calling a fourth function of the server middleware to verify the network access authentication confirmation information, and allowing the terminal to access the network under the condition that the network access authentication confirmation information is verified;
wherein the input item of the third function comprises one or more of a handle of a second cryptographic device which is in communication connection with the server, a terminal random number and a terminal signature certificate, and the output item of the third function comprises the network access authentication response information; the input item of the fourth function comprises the handle of the second cryptographic device and the network access authentication confirmation information; and the output item of the fourth function comprises a verification result of the network access authentication confirmation information.
8. The method according to claim 7, wherein the step of calling a third function of the pre-configured server middleware to verify the network access authentication request information from the terminal comprises:
and calling the third function of the server middleware to acquire the terminal signature certificate, and verifying the network access authentication request information according to the terminal signature certificate.
9. The method according to claim 8, wherein when the network access authentication type is the physical terminal type or the virtual terminal type, the step of calling the third function of the server middleware to obtain the terminal signature certificate, and performing verification processing on the network access authentication request information according to the terminal signature certificate includes:
calling the third function of the server middleware to parse the network access authentication request information to obtain the terminal signature certificate, the terminal digest value and the terminal signature value;
checking whether the terminal signature certificate is legal and valid;
under the condition that the terminal signature certificate is legal and valid, performing signature verification operation on the terminal signature value by using a terminal signature public key and the terminal digest value in the terminal signature certificate;
when the network access authentication type is the fast network access type, the step of calling the third function of the server middleware to obtain the terminal signature certificate and verifying the network access authentication request information according to the terminal signature certificate includes:
calling the third function of the server middleware to read the terminal signature certificate from the second cryptographic device;
calling the third function of the server middleware to parse the network access authentication request information to obtain the terminal digest value and the terminal signature value;
and performing signature verification operation on the terminal signature value by using the terminal signature public key and the terminal digest value in the terminal signature certificate.
10. The method according to claim 9, wherein the step of calling the third function of the server middleware to generate the network access authentication response information according to the network access authentication type includes:
calling the third function of the server middleware to read a server signature certificate from the second cryptographic device;
and generating the network access authentication response information according to the server signature certificate, the server random number and the network access authentication type.
11. The method according to claim 10, wherein when the network access authentication type is the physical terminal type or the virtual terminal type, the step of generating the network access authentication response information according to the server signature certificate, the server random number, and the network access authentication type includes:
calculating a server digest value of the server random number by using a hash algorithm;
utilizing a server signature private key in the server signature certificate to perform signature operation on the server digest value to obtain a server signature value;
packaging the server signature certificate, the server digest value and the server signature value into the network access authentication response information;
when the network access authentication type is the fast network access type, the step of generating the network access authentication response information according to the server signature certificate, the server random number and the network access authentication type comprises the following steps:
calculating the server digest value of the server random number by using the hash algorithm;
signing the server digest value by using the server signature private key in the server signature certificate to obtain a server signature value;
and packaging the server digest value and the server signature value into the network access authentication response information.
12. The method according to claim 10, wherein the step of calling the fourth function of the server middleware to verify the network access authentication confirmation information includes:
and calling a fourth function of the server middleware to acquire the terminal signature certificate and the server signature certificate, and verifying the network access authentication confirmation information according to the terminal signature certificate and the server signature certificate.
13. The method according to claim 12, wherein when the network access authentication type is the physical terminal type or the virtual terminal type, the step of calling a fourth function of the server middleware to obtain the terminal signature certificate and the server signature certificate, and performing verification processing on the network access authentication confirmation information according to the terminal signature certificate and the server signature certificate includes:
calling a fourth function of the server middleware to parse the network access authentication confirmation information to obtain the terminal signature certificate, the server signature certificate, the terminal digest value, the server digest value, the terminal signature value and the server signature value;
verifying whether the terminal signature certificate and the server signature certificate are legal and valid;
under the condition that the terminal signature certificate and the server signature certificate are both legal and valid, performing signature verification operation on the terminal signature value by using the terminal signature public key and the terminal digest value in the terminal signature certificate, and performing signature verification operation on the server signature value by using the server signature public key and the server digest value in the server signature certificate;
when the network access authentication type is the fast network access type, the step of calling a fourth function of the server middleware to acquire the terminal signature certificate and the server signature certificate, and verifying the network access authentication confirmation information according to the terminal signature certificate and the server signature certificate comprises the following steps:
calling a fourth function of the server middleware to read the terminal signature certificate and the server signature certificate from the second cryptographic device;
calling a fourth function of the server middleware to parse the network access authentication confirmation information to obtain the terminal digest value, the server digest value, the terminal signature value and the server signature value;
and carrying out signature verification operation on the terminal signature value by using the terminal signature public key and the terminal digest value in the terminal signature certificate, and carrying out signature verification operation on the server signature value by using the server signature public key and the server digest value in the server signature certificate.
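The exchange of claims 1 to 13 (and of the device embodiment above), as an added example that is not part of the patent and not Visionvera code: a Go program using only the standard library (Go 1.18 or later) in which the terminal and the server each hash a fresh random number, sign the digest and, for the physical and virtual terminal types, send their certificate along with it, while for the fast network access type each side reads the peer certificate from what its cryptographic device already holds. The middleware functions and device handles of the claims are modelled as methods on a Party value. Everything the claims leave open is an assumption of this example: SHA-256 as the hash algorithm, ECDSA on P-256 as the signature scheme, X.509 certificates, and self-signed certificates pinned in a shared trust store in place of the patent's unnamed certificate issuer. The physical and virtual terminal types share one wire format in the claims and are folded into a single non-fast case; the identities produced by Setup are constructed fixtures.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Message is a request or a response (claims 3, 11): SHA-256 of a fresh random number, an
// ECDSA signature over it and, unless Fast (fast network access type), the sender's DER certificate.
type Message struct {
	Fast              bool
	Cert, Digest, Sig []byte
}

type Party struct { // a terminal or a server plus what its cryptographic device holds
	key            *ecdsa.PrivateKey
	cert, peerCert *x509.Certificate // peerCert is read for fast access instead of Message.Cert
	roots          *x509.CertPool
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // fail closed: the device yielded no randomness, signature or certificate
	}
	return v
}

// message draws a random number, hashes it and signs the digest with the device key.
func (p *Party) message(fast bool) Message {
	nonce := make([]byte, 32)
	must(rand.Read(nonce))
	d := sha256.Sum256(nonce)
	m := Message{Fast: fast, Digest: d[:], Sig: must(ecdsa.SignASN1(rand.Reader, p.key, d[:]))}
	if !fast {
		m.Cert = p.cert.Raw
	}
	return m
}

// verify takes the certificate from the message (or the stored one for fast access), confirms
// it is "legal and valid" (trusted root, inside its validity period) and checks the signature.
func (p *Party) verify(m Message, c *x509.Certificate) error {
	if !m.Fast {
		c, _ = x509.ParseCertificate(m.Cert) // nil on malformed input, caught below
	}
	if c == nil {
		return errors.New("no usable certificate in message or device")
	}
	if _, err := c.Verify(x509.VerifyOptions{Roots: p.roots}); err != nil {
		return err
	}
	if pub, ok := c.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, m.Digest, m.Sig) {
		return errors.New("signature verification failed")
	}
	return nil
}

// Authenticate runs the exchange and reports whether the terminal may access the network.
func Authenticate(fast bool, term, serv *Party) error {
	req := term.message(fast) // claims 2-3
	if err := serv.verify(req, serv.peerCert); err != nil { // claims 8-9
		return fmt.Errorf("request: %w", err)
	}
	resp := serv.message(fast) // claims 10-11
	if err := term.verify(resp, term.peerCert); err != nil { // claims 4-5
		return fmt.Errorf("response: %w", err)
	}
	for i, stored := range []*x509.Certificate{serv.peerCert, serv.cert} { // confirmation (claims 6, 12-13)
		if err := serv.verify([]Message{req, resp}[i], stored); err != nil {
			return fmt.Errorf("confirmation: %w", err)
		}
	}
	return nil
}

// newParty provisions a constructed identity (P-256 key, self-signed certificate) into a shared trust store.
func newParty(notAfter time.Time, roots *x509.CertPool) *Party {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	p := &Party{key: key, cert: must(x509.ParseCertificate(der)), roots: roots}
	roots.AddCert(p.cert)
	return p
}

// Setup builds a terminal and a server that pin each other's certificate; termNotAfter may be in the past.
func Setup(termNotAfter time.Time) (term, serv *Party) {
	roots := x509.NewCertPool()
	term, serv = newParty(termNotAfter, roots), newParty(time.Now().Add(24*time.Hour), roots)
	term.peerCert, serv.peerCert = serv.cert, term.cert
	return term, serv
}
```

On a freshly set-up pair, Authenticate(false, term, serv) and Authenticate(true, term, serv) both return nil. A termNotAfter in the past, a certificate that is not in the trust store, or a nil peerCert in fast mode all make the request step fail before any signature is examined; that is the "legal and valid" check of claims 9 and 13, done here by Go's chain verification. One property of the claimed design that the example keeps unchanged: each side signs only the digest of its own random number, so the verifier establishes possession of the private key behind a valid certificate but binds nothing of its own into the signed value; a deployment would normally also want the peer's random number included in what is signed, which the claims do not require.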
14. A terminal network access authentication device is applied to a terminal in a video network, wherein the terminal is in communication connection with a server in the video network, and the device comprises:
the network access authentication request module is used for calling a first function of a pre-configured terminal middleware, generating network access authentication request information according to a network access authentication type of the terminal, wherein the network access authentication type comprises a physical terminal type, a virtual terminal type or a fast network access type, and sending the network access authentication request information to the server;
the network access authentication confirmation module is used for calling a second function of the terminal middleware to verify the network access authentication response information returned by the server, generating network access authentication confirmation information under the condition of passing the verification, and sending the network access authentication confirmation information to the server;
wherein the input item of the first function comprises a handle of a first cryptographic device which is in communication connection with the terminal, and the output item of the first function comprises one or more of a terminal random number, a terminal signature certificate and security configuration information; and the input item of the second function comprises the handle of the first cryptographic device and the network access authentication response information, and the output item of the second function comprises the network access authentication confirmation information.
15. The apparatus of claim 14, wherein the network entry authentication request module comprises:
the terminal signature certificate reading module is used for calling the first function of the terminal middleware to read the terminal signature certificate from the first cryptographic device in communication connection with the terminal;
and the request information generating module is used for generating the network access authentication request information according to the terminal signature certificate, the terminal random number and the network access authentication type.
16. The apparatus of claim 15, wherein when the network access authentication type is the physical terminal type or the virtual terminal type, the request information generating module comprises:
the first calculation module is used for calculating a terminal digest value of the terminal random number by using a hash algorithm;
the first signature module is used for performing a signature operation on the terminal digest value by using a terminal signature private key in the terminal signature certificate to obtain a terminal signature value;
the first packaging module is used for packaging the terminal signature certificate, the terminal digest value and the terminal signature value into the network access authentication request information;
when the network access authentication type is the fast network access type, the request information generating module includes:
a second calculation module, configured to calculate the terminal digest value of the terminal random number by using the hash algorithm;
the second signature module is used for performing a signature operation on the terminal digest value by using the terminal signature private key in the terminal signature certificate to obtain the terminal signature value;
and the second packaging module is used for packaging the terminal digest value and the terminal signature value into the network access authentication request information.
17. The apparatus according to claim 14, wherein the network access authentication confirmation module is configured to invoke the second function of the terminal middleware to obtain a server signature certificate, and perform verification processing on the network access authentication response information according to the server signature certificate.
18. The apparatus of claim 17, wherein when the network access authentication type is the physical terminal type or the virtual terminal type, the network access authentication confirmation module comprises:
the first parsing module is used for calling the second function of the terminal middleware to parse the network access authentication response information to obtain the server signature certificate, the server digest value and the server signature value;
the first checking module is used for checking whether the server signature certificate is legal and valid;
the first signature verification module is used for performing signature verification operation on the server signature value by using the server signature public key and the server digest value in the server signature certificate under the condition that the server signature certificate is legal and valid;
when the network access authentication type is the fast network access type, the network access authentication confirmation module includes:
the second reading module is used for calling the second function of the terminal middleware to read the server signature certificate from the first cryptographic device;
the second parsing module is used for calling the second function of the terminal middleware to parse the network access authentication response information to obtain the server digest value and the server signature value;
and the second signature verification module is used for performing signature verification operation on the server signature value by using the server signature public key and the server digest value in the server signature certificate.
19. The apparatus according to claim 18, wherein when the network access authentication type is the physical terminal type or the virtual terminal type, the network access authentication confirmation module is configured to invoke the second function of the terminal middleware to package the terminal signature certificate, the server signature certificate, the terminal digest value, the server digest value, the terminal signature value, and the server signature value into the network access authentication confirmation information;
and when the network access authentication type is the fast network access type, the network access authentication confirmation module is used for calling the second function of the terminal middleware to package the terminal digest value, the server digest value, the terminal signature value and the server signature value into the network access authentication confirmation information.
20. A terminal network access authentication device is applied to a server in a video network, wherein the server is in communication connection with a terminal in the video network, and the device comprises:
the network access authentication verification module is used for calling a third function of a pre-configured server middleware to verify network access authentication request information from the terminal, wherein the network access authentication request information comprises a network access authentication type of the terminal, and the network access authentication type comprises a physical terminal type, a virtual terminal type or a fast network access type;
the network access authentication response module is used for calling the third function of the server middleware under the condition that the network access authentication request information is verified to pass, generating network access authentication response information according to the network access authentication type and sending the network access authentication response information to the terminal;
the network access authentication verification module is further configured to call a fourth function of the server middleware to verify the network access authentication confirmation information, and allow the terminal to access the network if the network access authentication confirmation information is verified;
wherein the input item of the third function comprises one or more of a handle of a second cryptographic device which is in communication connection with the server, a terminal random number and a terminal signature certificate, and the output item of the third function comprises the network access authentication response information; the input item of the fourth function comprises the handle of the second cryptographic device and the network access authentication confirmation information; and the output item of the fourth function comprises a verification result of the network access authentication confirmation information.
21. The apparatus according to claim 20, wherein the network access authentication verifying module is configured to call the third function of the server middleware to obtain the terminal signature certificate, and verify the network access authentication request information according to the terminal signature certificate.
22. The apparatus of claim 21, wherein when the network access authentication type is the physical terminal type or the virtual terminal type, the network access authentication verifying module comprises:
the third parsing module is used for calling the third function of the server middleware to parse the network access authentication request information to obtain the terminal signature certificate, the terminal digest value and the terminal signature value;
the third checking module is used for checking whether the terminal signature certificate is legal and valid;
the third signature verification module is used for performing a signature verification operation on the terminal signature value by using the terminal signature public key in the terminal signature certificate together with the terminal digest value, under the condition that the terminal signature certificate is legal and valid;
when the network access authentication type is the fast network access type, the network access authentication verification module includes:
a fourth reading module, configured to call the third function of the server middleware to read the terminal signature certificate from the second cryptographic device;
the fourth analysis module is used for calling the third function of the server middleware to analyze the network access authentication request information to obtain the terminal digest value and the terminal signature value;
and the fourth signature verification module is used for performing a signature verification operation on the terminal signature value by using the terminal signature public key in the terminal signature certificate together with the terminal digest value.
23. The apparatus of claim 22, wherein the network access authentication response module comprises:
the server signature certificate reading module is used for calling the third function of the server middleware to read the server signature certificate from the second cryptographic device;
and the response information generating module is used for generating the network access authentication response information according to the server signature certificate, the server random number and the network access authentication type.
24. The apparatus of claim 23, wherein when the network access authentication type is the physical terminal type or the virtual terminal type, the response information generating module comprises:
the third calculation module is used for calculating the server digest value of the server random number by using a hash algorithm;
the third signature module is used for carrying out signature operation on the server digest value by using a server signature private key in the server signature certificate to obtain a server signature value;
a third encapsulation module, configured to encapsulate the server signature certificate, the server digest value, and the server signature value as the network access authentication response information;
when the network access authentication type is the fast network access type, the response information generation module includes:
a fourth calculating module, configured to calculate the server digest value of the server random number by using the hash algorithm;
the fourth signature module is used for performing signature operation on the server digest value by using the server signature private key in the server signature certificate to obtain a server signature value;
and the fourth encapsulation module is used for encapsulating the server digest value and the server signature value as the network access authentication response information.
25. The apparatus according to claim 23, wherein the network access authentication verifying module is further configured to call a fourth function of the server middleware to obtain the terminal signature certificate and the server signature certificate, and verify the network access authentication confirmation information according to the terminal signature certificate and the server signature certificate.
26. The apparatus of claim 25, wherein when the network access authentication type is the physical terminal type or the virtual terminal type,
the third analysis module is further configured to invoke a fourth function of the server middleware to analyze the network access authentication confirmation information to obtain the terminal signature certificate, the server signature certificate, the terminal digest value, the server digest value, the terminal signature value, and the server signature value;
the third checking module is further configured to check whether the terminal signature certificate and the server signature certificate are legal and valid;
the third signature verification module is further configured to, under the condition that the terminal signature certificate and the server signature certificate are both legal and valid, perform a signature verification operation on the terminal signature value by using the terminal signature public key in the terminal signature certificate together with the terminal digest value, and perform a signature verification operation on the server signature value by using the server signature public key in the server signature certificate together with the server digest value;
when the network access authentication type is the fast network access type,
the fourth reading module is further configured to call a fourth function of the server middleware to read the terminal signature certificate and the server signature certificate from the second cryptographic device;
the fourth analysis module is further configured to invoke a fourth function of the server middleware to analyze the network access authentication confirmation information to obtain the terminal digest value, the server digest value, the terminal signature value, and the server signature value;
the fourth signature verification module is further configured to perform signature verification on the terminal signature value by using the terminal signature public key in the terminal signature certificate together with the terminal digest value, and to perform signature verification on the server signature value by using the server signature public key in the server signature certificate together with the server digest value.
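As an added illustration of the server-side check in claim 22 (certificate legality first, then signature verification with the public key taken from that certificate over the digest value), which claim 26 repeats for both the terminal and the server certificate: this is constructed example code, not the patent's or Visionvera's implementation. It assumes Ed25519 keys and a minimal CA-signed certificate structure standing in for the signature certificate and the cryptographic device; `Cert`, `TBS`, `BuildRequest` and `VerifyRequest` are names chosen here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// Cert is a constructed stand-in for the claims' "signature certificate": a trusted CA signs the public key and validity window.
type Cert struct {
	PubKey              ed25519.PublicKey
	NotBefore, NotAfter time.Time
	CASig               []byte
}

// TBS returns the to-be-signed bytes the CA signature covers.
func TBS(c Cert) []byte {
	return []byte(fmt.Sprintf("%x|%d|%d", c.PubKey, c.NotBefore.Unix(), c.NotAfter.Unix()))
}

// BuildRequest (terminal side): certificate, digest value = SHA-256(terminal random number), signature value over the digest.
func BuildRequest(c Cert, priv ed25519.PrivateKey, nonce []byte) (Cert, []byte, []byte) {
	d := sha256.Sum256(nonce)
	return c, d[:], ed25519.Sign(priv, d[:])
}

// VerifyRequest (server side, claim 22): the certificate must be "legal and valid" before its public key checks the signature value.
func VerifyRequest(c Cert, digest, sig []byte, caPub ed25519.PublicKey, now time.Time) error {
	if !ed25519.Verify(caPub, TBS(c), c.CASig) {
		return errors.New("certificate not signed by the trusted CA")
	}
	if now.Before(c.NotBefore) || now.After(c.NotAfter) {
		return errors.New("certificate outside its validity window")
	}
	if len(digest) != sha256.Size || !ed25519.Verify(c.PubKey, digest, sig) {
		return errors.New("terminal signature value does not verify")
	}
	return nil
}

func main() { // constructed demo: the CA issues a terminal certificate, the server verifies one request
	caPub, caPriv, _ := ed25519.GenerateKey(nil)
	tPub, tPriv, _ := ed25519.GenerateKey(nil)
	cert := Cert{PubKey: tPub, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	cert.CASig = ed25519.Sign(caPriv, TBS(cert))
	c, d, s := BuildRequest(cert, tPriv, []byte("constructed nonce"))
	fmt.Println(VerifyRequest(c, d, s, caPub, time.Now())) // <nil> on success
}
```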
27. A terminal network access authentication system, which is applied in a video network, wherein the video network comprises a terminal and a server, and the terminal is in communication connection with the server, wherein the terminal comprises the terminal network access authentication device according to any one of claims 14 to 19; the server comprises the terminal network access authentication device as claimed in any one of claims 20 to 26.
28. An apparatus, comprising:
one or more processors; and
one or more machine-readable media having instructions stored thereon, which, when executed by the one or more processors, cause the apparatus to perform the terminal network access authentication method of any one of claims 1 to 13.
29. A computer-readable storage medium storing a computer program for causing a processor to execute the terminal network access authentication method according to any one of claims 1 to 13.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911329898.6A CN111147471B (en) 2019-12-20 2019-12-20 Terminal network access authentication method, device, system and storage medium

Publications (2)

Publication Number Publication Date
CN111147471A (en) 2020-05-12
CN111147471B (en) 2023-02-28

Family

ID=70519210

Country Status (1)

Country Link
CN (1) CN111147471B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111800378B (en) * 2020-05-21 2023-08-11 视联动力信息技术股份有限公司 Login authentication method, device, system and storage medium
CN113727059B (en) * 2021-08-31 2023-10-24 成都卫士通信息产业股份有限公司 Network access authentication method, device and equipment for multimedia conference terminal and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101621433A (en) * 2008-07-02 2010-01-06 上海华为技术有限公司 Method, device and system for configuring access equipment
CN105450418A (en) * 2014-09-22 2016-03-30 中兴通讯股份有限公司 IKE authentication method, IKE initiating terminal, IKE response terminal and IKE authentication system
CN108738019A (en) * 2017-04-25 2018-11-02 华为技术有限公司 User authen method in converged network and device
CN110430043A (en) * 2019-07-05 2019-11-08 视联动力信息技术股份有限公司 A kind of authentication method, system and device and storage medium
CN110535856A (en) * 2019-08-28 2019-12-03 视联动力信息技术股份有限公司 A kind of authentication method of user, device and storage medium

Also Published As

Publication number Publication date
CN111147471A (en) 2020-05-12

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant