CN111163039B - Authentication method, authentication server, authentication terminal and authentication equipment - Google Patents


Info

Publication number
CN111163039B
Authority
CN
China
Prior art keywords
authentication
terminal
migration
server
equipment
Legal status
Active
Application number
CN201811324959.5A
Other languages
Chinese (zh)
Other versions
CN111163039A (en)
Inventor
何劼
Current Assignee
ZTE Corp
Original Assignee
ZTE Corp
Application filed by ZTE Corp
Priority to CN201811324959.5A
Priority to PCT/CN2019/116378 (WO2020094102A1)
Publication of CN111163039A
Application granted
Publication of CN111163039B

Classifications

    • H04L9/40 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L63/08 Network architectures or network communication protocols for network security, for authentication of entities
    • H04L12/46 Data switching networks characterised by path configuration; Interconnection of networks
    • H04W12/06 Security arrangements; Authentication; Protecting privacy or anonymity; Authentication
    • H04W4/021 Services making use of location information; Services related to particular areas, e.g. point of interest [POI] services, venue services or geofences

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The embodiments of the invention disclose an authentication method, an authentication server, an authentication terminal and an authentication device. The authentication method comprises: when an authentication terminal completes initial authentication through a first authentication device, the authentication server generates and stores an authentication link digest corresponding to the authentication terminal and sends the authentication link digest to the authentication terminal and the first authentication device; the authentication link digest is then used for authentication when the authentication terminal migrates between different network areas. As a result, from the initial authentication until the terminal actively goes offline, the user does not have to resubmit identity information each time the terminal migrates between network areas, which reduces the risk of user identity information leakage and also improves the user experience.

Description

Authentication method, authentication server, authentication terminal and authentication equipment
Technical Field
The embodiments of the invention relate to, without being limited to, an authentication method, an authentication server, an authentication terminal and an authentication device.
Background
As the network environment keeps changing, users pay more and more attention to the security of network services, and the demand for mobile office work keeps growing. 802.1X, as a general-purpose identity authentication technology, provides a network with effective authentication of the users who access it.
The traditional 802.1X model consists of an authentication server, an authentication device (the authenticator) and an authentication terminal (the supplicant). The user accesses the network through the authentication terminal and initiates an authentication request. The authentication device is connected to the available network resources; after receiving the authentication request it relays the identity verification exchange between the authentication terminal and the authentication server, and receives the authentication result issued by the authentication server. If the authentication server grants the user authorization, the authentication device configures its own software and hardware state (its controlled port, in 802.1X terms) according to the granted permissions and allows the authentication terminal to access the network through it. If the authentication server rejects the authentication request, the authentication device configures itself accordingly, forbids the authentication terminal from accessing the network, and cuts off the illegitimate user's access to network resources.
To ensure the security of network access, 802.1X identity authentication is generally required each time a user enters a network area managed by a different authentication device. At the same time, as users' security requirements rise, the complexity and length of the identity key submitted during user authentication keep increasing so that the user identity cannot be easily counterfeited, and the network and server processing resources spent on identity authentication grow accordingly.
Nowadays, with notebook computers, tablets and smartphones being ubiquitous, it is very common for users to work while on the move. When a user moves from one network area to another, the user must first go offline in the first area and then re-authenticate to go online in the second area. Frequent online and offline procedures not only increase the system resources consumed by authentication but also significantly increase the exposure of user identity information to network threats such as hacking, and the cumbersome authentication process can also degrade the user experience to some extent.
Disclosure of Invention
In view of this, an embodiment of the present invention provides an authentication method, comprising:
when an authentication terminal completes initial authentication through a first authentication device, an authentication server generates and stores an authentication link digest corresponding to the authentication terminal and sends the authentication link digest to the authentication terminal and the first authentication device;
the authentication link digest is used for authentication when the authentication terminal migrates between different network areas.
An embodiment of the invention also provides an authentication method, comprising:
when an authentication terminal completes initial authentication through a first authentication device, the authentication terminal receives, through the first authentication device, an authentication link digest corresponding to the authentication terminal sent by an authentication server, and stores it;
the authentication link digest is used for authentication when the authentication terminal migrates between different network areas.
An embodiment of the invention also provides an authentication method, comprising:
when an authentication terminal completes initial authentication through a first authentication device, the first authentication device receives and stores an authentication link digest corresponding to the authentication terminal sent by an authentication server;
and sends the authentication link digest to the authentication terminal;
the authentication link digest is used for authentication when the authentication terminal migrates between different network areas.
An embodiment of the invention also provides an authentication server comprising a memory, a processor, and a computer program stored in the memory and executable by the processor, wherein the computer program, when executed by the processor, implements the authentication method performed by the authentication server.
An embodiment of the invention also provides an authentication terminal comprising a memory, a processor, and a computer program stored in the memory and executable by the processor, wherein the computer program, when executed by the processor, implements the authentication method performed by the authentication terminal.
An embodiment of the invention also provides an authentication device comprising a memory, a processor, and a computer program stored in the memory and executable by the processor, wherein the computer program, when executed by the processor, implements the authentication method performed by the authentication device.
An embodiment of the present invention further provides a computer-readable storage medium storing an information processing program which, when executed by a processor, implements the steps of any one of the authentication methods described above.
Compared with the related art, the embodiments of the invention provide an authentication method, an authentication server, an authentication terminal and an authentication device, wherein the authentication method comprises: when an authentication terminal completes initial authentication through a first authentication device, an authentication server generates and stores an authentication link digest corresponding to the authentication terminal and sends the authentication link digest to the authentication terminal and the first authentication device; the authentication link digest is used for authentication when the authentication terminal migrates between different network areas. Therefore, the user only needs to submit identity information once, for the initial authentication, each time the network is used; after the initial authentication succeeds, the user does not need to resubmit identity information when migrating between network areas, right up until actively going offline, which reduces the risk of user identity information leakage and also improves the user experience.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
The accompanying drawings are included to provide a further understanding of the present invention and are incorporated in and constitute a part of this specification; they illustrate embodiments of the invention and, together with the description, serve to explain the principles of the invention without limiting it.
Fig. 1 is a flowchart of the authentication method of the conventional 802.1X model;
Fig. 2 is a flowchart of an authentication method according to a first embodiment of the present invention;
Fig. 3 is a flowchart of an authentication method according to a second embodiment of the present invention;
Fig. 4 is a flowchart of an authentication method according to a third embodiment of the present invention;
Fig. 5 is a flowchart of an authentication method according to a fourth embodiment of the present invention;
Fig. 6 is a flowchart of an authentication method according to a fifth embodiment of the present invention;
Fig. 7 is a flowchart of an authentication method according to a sixth embodiment of the present invention;
Fig. 8 is a flowchart of an authentication method according to a seventh embodiment of the present invention;
Fig. 9 is a flowchart of an authentication method according to an eighth embodiment of the present invention;
Fig. 10 is a schematic structural diagram of an authentication server according to a ninth embodiment of the present invention;
Fig. 11 is a schematic structural diagram of an authentication terminal according to a tenth embodiment of the present invention;
Fig. 12 is a schematic structural diagram of an authentication device according to an eleventh embodiment of the present invention.
Detailed Description
To make the objectives, technical solutions and advantages of the present invention clearer, embodiments of the present invention are described in detail below with reference to the accompanying drawings. It should be noted that the embodiments, and the features of the embodiments, in this application may be combined with each other arbitrarily provided they do not conflict.
The steps illustrated in the flowcharts may be performed in a computer system, for example as a set of computer-executable instructions. Although a logical order is shown in the flowcharts, in some cases the steps shown or described may be performed in an order different from the one given here.
Fig. 1 is a flowchart of the authentication method of the conventional 802.1X model. As shown in Fig. 1, in the conventional 802.1X model, when an authentication terminal migrates between different authentication devices (each authentication device serving a different network area), the 802.1X authentication procedure has to be carried out multiple times, and identity information is exchanged each time. Consequently, when the authentication terminal migrates between network areas, the frequent online and offline authentication procedures not only increase the system resources consumed by authentication but also markedly increase the exposure of user identity information to network threats such as hacking; the cumbersome authentication process also degrades the user experience to some extent.
Therefore, the embodiments of the invention provide an authentication method, an authentication server, an authentication terminal and an authentication device, and introduce an authentication link digest technique that simplifies the authentication procedure for a user moving between network areas, spares the user from submitting identity information repeatedly, and reduces the risk of user identity information leakage.
The main idea of the embodiments is that the user submits their identity information (user name, password, certificate and the like) only once when using the network. After the identity authentication succeeds, the authentication server assigns a dedicated link digest to the user's link; the user terminal stores this digest and, on entering a new network area, submits the digest instead of performing identity authentication again. The authentication server then reconfigures the authentication device according to the digest, so that the terminal skips the conventional identity authentication procedure and quickly obtains access authorization for the network resources of the new area. This is described in detail below by way of several examples.
Example one
Fig. 2 is a flowchart of an authentication method according to a first embodiment of the present invention. As shown in Fig. 2, the authentication method includes:
Step 201: when an authentication terminal completes initial authentication through a first authentication device, an authentication server generates and stores an authentication link digest corresponding to the authentication terminal;
Step 202: the authentication server sends the authentication link digest to the authentication terminal and the first authentication device;
the authentication link digest is used for authentication when the authentication terminal migrates between different network areas.
The authentication link digest is generated in one of the following ways:
a hash algorithm is applied to the user name and the time at which authentication was initiated;
or a hash algorithm is applied to the user name and the location information from which authentication was initiated;
or a hash algorithm is applied to the user information plus a specific descriptor assigned by the authentication server.
The method further comprises:
when the authentication terminal leaves the network area corresponding to the first authentication device, the authentication server receives an authentication migration notification sent by the first authentication device and then sets the link state of the authentication terminal to the migration state;
the authentication migration notification informs the authentication server that the authentication terminal has started migrating or that the authentication terminal is no longer within the jurisdiction of the first authentication device.
The method further comprises:
when the authentication terminal enters a new network area, the authentication server receives, through a second authentication device, a migration registration message sent by the authentication terminal, the migration registration message containing the authentication link digest;
the authentication server determines the link state of the authentication terminal from the migration registration message;
when the link state is the migration state, the authentication server notifies the second authentication device and the authentication terminal that migration authentication succeeded;
when the link state is not the migration state, the authentication server notifies the second authentication device and the authentication terminal that migration authentication failed.
The method further comprises:
when the authentication server receives a user offline message, or when it receives no migration registration message within the preset migration waiting time after receiving the authentication migration notification, the authentication server performs the user offline operation and deletes the authentication link digest.
Example two
Fig. 3 is a flowchart of an authentication method according to a second embodiment of the present invention. As shown in Fig. 3, the authentication method includes:
Step 301: when an authentication terminal completes initial authentication through a first authentication device, the authentication terminal receives, through the first authentication device, an authentication link digest corresponding to the authentication terminal sent by an authentication server;
Step 302: the authentication terminal stores the authentication link digest;
the authentication link digest is used for authentication when the authentication terminal migrates between different network areas.
The method further comprises:
when the authentication terminal leaves the network area corresponding to the first authentication device, it sends an authentication migration notification to the authentication server through the first authentication device; the authentication migration notification informs the authentication server that the authentication terminal has started migrating, so that the authentication server sets the link state of the authentication terminal to the migration state.
The method further comprises:
when the authentication terminal enters a new network area, it sends a migration registration message to the authentication server through a second authentication device, the migration registration message containing the authentication link digest;
when the authentication server succeeds in the migration authentication of the authentication terminal, the authentication terminal receives, through the second authentication device, a migration authentication success message sent by the authentication server; or, when the migration authentication fails, it receives, through the second authentication device, a migration authentication failure message sent by the authentication server.
The method further comprises:
when the authentication terminal formally goes offline, it sends an offline message to the authentication server through the second authentication device and deletes the authentication link digest.
Example three
Fig. 4 is a flowchart of an authentication method according to a third embodiment of the present invention. As shown in Fig. 4, the authentication method includes:
Step 401: when an authentication terminal completes initial authentication through a first authentication device, the first authentication device receives and stores an authentication link digest corresponding to the authentication terminal sent by an authentication server;
Step 402: the first authentication device sends the authentication link digest to the authentication terminal;
the authentication link digest is used for authentication when the authentication terminal migrates between different network areas.
The method further comprises:
when a migration message sent by the authentication terminal is received, or when the authentication terminal is detected to be no longer within the jurisdiction of the first authentication device, the first authentication device sends an authentication migration notification to the authentication server and deletes the authentication link digest.
The method further comprises:
when a migration registration message sent by another authentication terminal is received, the first authentication device stores the authentication link digest corresponding to that other authentication terminal carried in the migration registration message and sends a migration registration notification, which also carries that authentication link digest, to the authentication server;
when the authentication server succeeds in the migration authentication of the other authentication terminal, the first authentication device receives a migration authentication success message from the authentication server and forwards it to the other authentication terminal; or, when the migration authentication fails, it receives a migration authentication failure message from the authentication server and forwards it to the other authentication terminal.
The method further comprises:
when an offline message sent by the authentication terminal is received, the first authentication device forwards it to the authentication server and deletes the authentication link digest;
or, when an offline message sent by the other authentication terminal is received, it forwards the offline message to the authentication server and deletes the authentication link digest corresponding to the other authentication terminal.
With the technical solutions of the first, second and third embodiments, a simple exchange based on the authentication link digest greatly simplifies the authentication procedure when a user moves to a new authentication device (network area) and markedly reduces resource overhead and time consumption. At the same time, the user identity information no longer needs to be sent repeatedly, which significantly improves its protection.
The technical solutions of the first, second and third embodiments are explained in detail below through several specific embodiments.
Example four
The fourth embodiment applies to the scenario in which a user goes online for the first time. Fig. 5 is a flowchart of an authentication method according to a fourth embodiment of the present invention; as shown in Fig. 5, the authentication method includes:
Step 501: the user goes online for the first time and, following the conventional 802.1X authentication procedure, initiates an authentication request through the authentication terminal;
Step 502: authentication device A and the authentication server verify the user identity and apply the authentication result;
when the authentication passes, authentication device A authorizes the user to access the network, starts accounting, records logs, and performs other such actions.
This initial authentication procedure is the prior art shown in Fig. 1 and is not described again here.
Step 503: after the authentication terminal completes initial authentication through authentication device A, the authentication server generates and stores an authentication link digest corresponding to the authentication terminal and sends it to authentication device A;
the authentication server generates the authentication link digest according to a configured digest algorithm.
Specifically, various techniques may be used to generate the authentication link digest. The aim is to uniquely identify a user's link event, so that the user retains continuous access to network resources from the authentication request until actively logging out, the extra resource overhead of crossing areas is reduced, the user's negative experience is eliminated, the opportunity to eavesdrop on and steal user identity information is reduced, and security is improved.
The authentication link digest can be generated by one of the following methods or a combination of them:
1. a hash algorithm applied to the user name + the time at which authentication was initiated;
2. a hash algorithm applied to the user name + the location information from which authentication was initiated;
3. a hash algorithm applied to the user information + a specific descriptor assigned by the authentication server.
Step 504: authentication device A stores the authentication link digest and sends it to the authentication terminal;
Step 505: the authentication terminal stores the authentication link digest for use in authentication when migrating between different network areas.
Example five
The fifth embodiment applies to the scenario in which a user (authentication terminal) leaves the network area governed by authentication device A. Fig. 6 is a flowchart of an authentication method according to a fifth embodiment of the present invention; as shown in Fig. 6, the authentication method includes:
Step 601: the authentication terminal sends a migration message carrying the authentication link digest to authentication device A;
instead of sending the 802.1X offline (logoff) message of the existing procedure, the authentication terminal sends a migration message carrying the authentication link digest to authentication device A, informing it that the terminal is starting to migrate;
Step 602: on receiving the migration message, authentication device A sends an authentication migration notification to the authentication server, informing it that the authentication terminal has started migrating or is no longer within the jurisdiction of authentication device A;
specifically, authentication device A generates the authentication migration notification from the authentication link digest, sends it to the authentication server and thereby informs the server that the terminal has started migrating; or, if the authentication terminal sends no message at all, authentication device A automatically sends the authentication migration notification when it detects that the terminal corresponding to the authentication link digest is no longer within its jurisdiction, informing the server of that fact;
Step 603: on receiving the authentication migration notification, the authentication server sets the state of the user's link to the migration state.
The authentication server may instruct authentication device A to withdraw the user's authorization on that device while waiting for the user to migrate to the new network, but it does not end the user's accounting session or perform the other offline actions.
If the authentication server receives no migration registration message within the preset migration waiting time after receiving the authentication migration notification, it may perform the user offline operation and delete the authentication link digest. For example, once the configured migration waiting time has elapsed without the user completing migration registration, the user is considered offline, the user's accounting is ended, the authentication link digest is deleted, and the other management actions are completed.
Example six
The sixth embodiment applies to the case in which a user (authentication terminal) migrates from the network area managed by authentication device A into a new network area managed by authentication device B. Fig. 7 is a flowchart of an authentication method according to a sixth embodiment of the present invention; as shown in Fig. 7, the authentication method includes:
Step 701: the authentication terminal sends a migration registration message carrying the authentication link digest to authentication device B;
instead of restarting the 802.1X authentication request procedure as in the existing process, the authentication terminal sends the migration registration message carrying the authentication link digest.
Step 702: authentication device B caches the authentication link digest received in the migration registration message, generates a migration registration notification carrying the digest, and sends it to the authentication server;
Step 703: on receiving the migration registration notification, the authentication server looks up the corresponding user (authentication terminal) by the authentication link digest and determines the user's link state;
Step 704: when the link state is the migration state, the authentication server notifies authentication device B and the authentication terminal that migration authentication succeeded; when the link state is not the migration state, it notifies authentication device B and the authentication terminal that migration authentication failed.
Specifically, if the link state of the user corresponding to the authentication link digest is the migration state, the user is considered to have migrated online: migration authentication succeeds, authentication device B is set to authorize the user to access the corresponding network resources, and the cached authentication link digest is formally stored. Otherwise, if the user's link is not in the migration state, migration authentication fails: the user's migration is refused, an authentication failure message is sent to authentication device B, the user is denied access to network resources, and the cached authentication link digest is deleted.
Embodiment seven
The seventh embodiment applies when a user (authentication terminal) formally goes offline. Fig. 8 is a schematic flowchart of the authentication method of the seventh embodiment; as shown in Fig. 8, the method includes:
Step 801: when the user formally goes offline, the authentication terminal sends a conventional 802.1X offline message and deletes its locally stored authentication link digest.
Step 802: the authentication device notifies the authentication server that the user is offline according to the conventional 802.1X flow and deletes the authentication link digest it stores.
Step 803: the authentication server executes the user offline operation, ends the user's accounting, sets the authentication device to end the corresponding network access authorization, and destroys the corresponding authentication link digest.
Embodiment eight
The eighth embodiment covers the whole path of a user from going online to going offline. Fig. 9 is a schematic flowchart of the authentication method of the eighth embodiment; as shown in Fig. 9, the method includes:
Step 901: the user goes online; the authentication terminal, the authentication device and the authentication server follow the standard 802.1X authentication flow to complete the user's initial authentication.
Step 902: after authentication completes, the authentication server generates, according to the selected rule, an authentication link digest that is unique to this link, and distributes it to the authentication device and the authentication terminal.
Step 903: when the user starts to migrate, the authentication terminal or the authentication device initiates a migration message, and the authentication server records the user's migration state.
After the authentication migration notification is received, the user's authorization on the original authentication device is closed and the original authentication device deletes the authentication link digest it stores. If the user does not initiate step 904 and pass authentication within the set time, the authentication server performs the offline operation for the user, and the authentication server and the authentication device delete the authentication link digest they store.
Step 904: when the user comes online under a new authentication device, the terminal initiates migration registration with the authentication link digest it stores; the new authentication device caches the received digest and sends a migration registration message to the authentication server to request authorization.
Step 905: the authentication server decides from the authentication link digest whether to grant the user authorization.
If the user corresponding to the authentication link digest is in the migration state, authorization is issued and migration authentication succeeds: the authentication device is set to allow the user onto the network and stores the authentication link digest cached in step 904. Otherwise migration authentication fails: the authentication server rejects the migration request made with that digest, the authentication device is set to deny the user network access, and the device deletes the authentication link digest cached in step 904.
Step 906: when the user goes offline normally, the standard 802.1X flow is followed; the offline procedure is initiated, and the authentication terminal, the authentication device and the authentication server each delete the authentication link digest they store.
The solutions of the fourth to eighth embodiments share the following points. The user submits identity information only once, when logging in to the network, and never submits complete identity information again when moving between network areas managed by different authentication devices. Movement between such areas uses a simple migration process based on the user's authentication link digest, which is generated and distributed centrally by the authentication server to the different authentication devices. The digest is valid only for one login session of the user; the same user receives a different digest on each login.
Compared with the conventional 802.1X scheme, these embodiments mean that a user moving between network areas managed by different authentication devices need not complete a full authentication process; registration is completed quickly by exchanging the authentication link digest, which reduces the resources consumed during migration, shortens the time until the user is authorized in the new area, and improves the user experience. For the authentication server, the scheme reduces the number of identity verifications it must process and saves its computing resources. During login and migration the user submits identity information only once and all subsequent interaction is based on the authentication link digest, which reduces the opportunity for the user's identity information to be stolen in different network areas. The digest is valid only for its link and becomes invalid when the user goes offline, so even if it is intercepted it cannot be reused; the method is therefore considered sufficiently secure.
Embodiment nine
Fig. 10 is a schematic structural diagram of an authentication server according to the ninth embodiment; as shown in Fig. 10, the authentication server includes:
a generation and storage unit, configured to generate and store an authentication link digest corresponding to an authentication terminal when the terminal completes primary authentication through a first authentication device;
a sending unit, configured to send the authentication link digest to the authentication terminal and the first authentication device;
where the authentication link digest is used for authentication when the authentication terminal migrates between different network areas.
The authentication link digest is generated by at least one of the following:
hashing the user name together with the authentication initiation time;
hashing the user name together with the location information of the authentication initiation; or
hashing the user identity information together with a specific descriptor assigned by the authentication server.
The authentication server further includes:
a setting unit, configured to set the link state of the authentication terminal to the migration state after receiving an authentication migration notification sent by the first authentication device when the terminal leaves the network area corresponding to the first authentication device;
where the authentication migration notification tells the authentication server that the terminal has started migrating or that the terminal is no longer in the jurisdiction of the first authentication device.
The authentication server further includes:
a receiving unit, configured to receive, through a second authentication device, a migration registration message sent by the authentication terminal when it enters a new network area, the migration registration message carrying the authentication link digest;
an authentication unit, configured to determine the link state of the authentication terminal from the migration registration message, to notify the second authentication device and the authentication terminal that migration authentication succeeded when the link state is the migration state, and to notify them that migration authentication failed when it is not.
The authentication server further includes:
a deleting unit, configured to execute the user offline operation and delete the authentication link digest when a user offline message is received, or when no migration registration message has arrived and the preset migration waiting time has elapsed since the authentication migration notification was received.
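The migration flow of steps 901 to 906 above and the digest-generation rules and server units of the ninth embodiment can be exercised in a small simulation of the authentication server's state machine. The following Python is an added example written for this page; it is not code from the patent or from ZTE. The state names, the handler names, the HMAC over (user name, authentication initiation time, server-assigned descriptor), the random 128-bit descriptor and the server key are this example's assumptions: the patent only says the digest is produced by a hash algorithm over the user name and the time, the location, or a server-assigned descriptor. A bare hash of a user name and a login time can be recomputed by anyone who knows both, so the example keys the hash and draws a random descriptor to keep the digest unpredictable, which is what makes the "cannot be reused even if intercepted" property rest on the server's state check rather than on secrecy of the inputs. The check that only the device currently authorizing the link may raise a migration notification is also the example's addition.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Link states kept by the authentication server. The patent names only the
# "migration state"; ONLINE is this example's name for a link that is
# authorized on one authentication device and not migrating.
ONLINE = "online"
MIGRATING = "migrating"


@dataclass
class LinkRecord:
    username: str
    device: str                                # device currently authorizing the link
    state: str = ONLINE
    migration_started: Optional[float] = None  # set when state becomes MIGRATING


def make_link_digest(username: str, auth_time: int, descriptor: bytes, key: bytes) -> str:
    """Per-login authentication link digest (example construction, not the patent's).

    The patent hashes the user name with the authentication initiation time or a
    server-assigned descriptor. Here both are fed to HMAC-SHA256 under a server
    key, so a terminal or a network observer that knows the user name and the
    login time still cannot recompute or predict another link's digest."""
    message = b"|".join([username.encode("utf-8"), str(auth_time).encode("ascii"), descriptor])
    return hmac.new(key, message, hashlib.sha256).hexdigest()


class AuthServer:
    """Authentication server side of the migration protocol (steps 902 to 906)."""

    def __init__(self, migration_wait: float = 30.0, now: Callable[[], float] = time.monotonic):
        self.key = secrets.token_bytes(32)       # HMAC key, never leaves the server
        self.migration_wait = migration_wait     # preset migration waiting time (seconds)
        self.now = now                           # injectable clock for tests
        self.links: Dict[str, LinkRecord] = {}   # digest -> link record
        self.accounting_closed: List[str] = []   # users whose accounting has ended

    def primary_auth_done(self, username: str, device: str) -> str:
        """Step 902: after 802.1X succeeds on `device`, mint and record the digest.
        A fresh random descriptor makes the digest differ on every login."""
        digest = make_link_digest(username, int(self.now()), secrets.token_bytes(16), self.key)
        self.links[digest] = LinkRecord(username=username, device=device)
        return digest  # distributed to the terminal and to the authenticating device

    def on_migration_notification(self, digest: str, from_device: str) -> bool:
        """Steps 603 / 903: the authorizing device reports that the terminal left.
        Only that device may start a migration (example's check); the link enters
        MIGRATING and the waiting timer starts. Accounting is not ended here."""
        rec = self.links.get(digest)
        if rec is None or rec.device != from_device or rec.state != ONLINE:
            return False
        rec.state = MIGRATING
        rec.migration_started = self.now()
        return True

    def _expire_if_overdue(self, digest: str) -> None:
        """Claim 4: no registration within the waiting time means the user is offline."""
        rec = self.links.get(digest)
        if (rec is not None and rec.state == MIGRATING
                and self.now() - rec.migration_started > self.migration_wait):
            self.offline(digest)

    def on_migration_registration(self, digest: str, new_device: str) -> bool:
        """Steps 703/704 and 904/905: digest presented through a new device.
        Succeeds only for a known digest whose link is in the migration state; an
        unknown, already re-homed or timed-out digest is rejected and the new
        device must drop its cached copy."""
        self._expire_if_overdue(digest)
        rec = self.links.get(digest)
        if rec is None or rec.state != MIGRATING:
            return False
        rec.state = ONLINE
        rec.device = new_device
        rec.migration_started = None
        return True

    def offline(self, digest: str) -> None:
        """Steps 803 / 906: formal offline or timeout ends accounting and destroys the digest."""
        rec = self.links.pop(digest, None)
        if rec is not None:
            self.accounting_closed.append(rec.username)


def demo() -> dict:
    """Walk the flows of embodiments five to eight with a controllable clock."""
    clock = [1000.0]
    server = AuthServer(migration_wait=30.0, now=lambda: clock[0])
    alice = server.primary_auth_done("alice", "device-A")
    results = {
        "register_without_migrating": server.on_migration_registration(alice, "device-B"),
        "notify_from_wrong_device": server.on_migration_notification(alice, "device-B"),
        "notify_from_device_A": server.on_migration_notification(alice, "device-A"),
        "register_on_device_B": server.on_migration_registration(alice, "device-B"),
        "replay_on_device_C": server.on_migration_registration(alice, "device-C"),
    }
    bob = server.primary_auth_done("bob", "device-A")
    server.on_migration_notification(bob, "device-A")
    clock[0] += 31.0  # exceed the 30 s migration waiting time
    results["late_register"] = server.on_migration_registration(bob, "device-B")
    results["bob_offline"] = bob not in server.links and "bob" in server.accounting_closed
    return results
```

`demo()` walks one user through login on device A, migration to device B, a rejected replay of the same digest at a third device, and a second user whose migration times out and is taken offline, which is the failure path of step 603 and claim 4. The two checks that matter in practice are the ones the patent's state machine implies: a digest is accepted only while its link is in the migration state, and a successful registration re-homes the link so the same digest cannot be presented again elsewhere.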
Embodiment ten
Fig. 11 is a schematic structural diagram of an authentication terminal according to the tenth embodiment; as shown in Fig. 11, the authentication terminal includes:
a receiving unit, configured to receive, through a first authentication device, the authentication link digest that the authentication server sends for this terminal after primary authentication through the first authentication device completes;
a storage unit, configured to store the authentication link digest;
where the authentication link digest is used for authentication when the authentication terminal migrates between different network areas.
The authentication terminal further includes:
a sending unit, configured to send an authentication migration notification to the authentication server through the first authentication device when the terminal leaves the network area corresponding to the first authentication device; the notification tells the authentication server that the terminal has started migrating, so that the server sets the terminal's link state to the migration state.
The sending unit is further configured to send a migration registration notification carrying the authentication link digest to the authentication server through a second authentication device when the terminal enters a new network area;
the receiving unit is further configured to receive, through the second authentication device, the migration authentication success message sent by the authentication server when migration authentication of the terminal succeeds, or the migration authentication failure message sent by the authentication server when it fails.
The sending unit is further configured to send an offline message to the authentication server through the second authentication device when the terminal formally goes offline.
The authentication terminal further includes a deleting unit, configured to delete the authentication link digest when the terminal formally goes offline.
Embodiment eleven
Fig. 12 is a schematic structural diagram of an authentication device according to the eleventh embodiment; as shown in Fig. 12, the authentication device includes:
a receiving and storing unit, configured to receive and store the authentication link digest that the authentication server sends for an authentication terminal when the terminal completes primary authentication through this device acting as the first authentication device;
a sending unit, configured to send the authentication link digest to the authentication terminal;
where the authentication link digest is used for authentication when the authentication terminal migrates between different network areas.
The sending unit is further configured to send an authentication migration notification to the authentication server when the device receives a migration message from the authentication terminal or detects that the terminal is no longer in the jurisdiction of the first authentication device;
the authentication device further includes a deleting unit, configured to delete the authentication link digest when the device receives a migration message from the authentication terminal or detects that the terminal is no longer in the jurisdiction of the first authentication device.
The sending unit is further configured, when the device receives a migration registration message from another authentication terminal (one arriving from a different network area), to store the authentication link digest of that terminal carried in the message and to send a migration registration notification, also carrying that digest, to the authentication server;
the receiving and storing unit is further configured to receive the migration authentication success message sent by the authentication server when migration authentication of the other terminal succeeds, or the migration authentication failure message sent when it fails, and to forward that message to the other terminal.
The sending unit is further configured to forward an offline message received from the authentication terminal to the authentication server;
the deleting unit is further configured to delete the authentication link digest when an offline message from the authentication terminal is received;
or, the sending unit is further configured to forward an offline message received from the other authentication terminal to the authentication server;
and the deleting unit is further configured to delete the authentication link digest corresponding to the other authentication terminal when an offline message from that terminal is received.
The solutions of the ninth to eleventh embodiments reduce the complexity of authentication when the user moves between areas and reduce the risk of the user's identity information being intercepted, because the user exchanges identity information only once.
The embodiment of the invention also provides an authentication server, which comprises a memory, a processor and a computer program which is stored on the memory and can run on the processor, wherein when the computer program is executed by the processor, any one of the authentication methods executed by the authentication server is realized.
The embodiment of the invention also provides an authentication terminal, which comprises a memory, a processor and a computer program which is stored on the memory and can run on the processor, wherein when the computer program is executed by the processor, any one of the authentication methods executed by the authentication terminal is realized.
The embodiment of the present invention further provides an authentication device, which includes a memory, a processor, and a computer program stored on the memory and capable of running on the processor, and when the computer program is executed by the processor, the computer program implements any one of the authentication methods executed by the authentication device.
An embodiment of the present invention further provides a computer-readable storage medium, where an information processing program is stored on the computer-readable storage medium, and when the information processing program is executed by a processor, the information processing program implements the steps of any of the authentication methods described above.
It will be understood by those of ordinary skill in the art that all or some of the steps of the methods, systems and functional modules/units in the devices disclosed above may be implemented as software, firmware, hardware, or suitable combinations thereof. In a hardware implementation, the division between functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may be performed by several physical components in cooperation. Some or all of the components may be implemented as software executed by a processor, such as a digital signal processor or microprocessor, or as hardware, or as an integrated circuit such as an application-specific integrated circuit. Such software may be distributed on computer-readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). The term computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer-readable instructions, data structures, program modules or other data, as is well known to those of ordinary skill in the art. Computer storage media include, but are not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer.
In addition, communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media as is well known to those skilled in the art.
Although the embodiments of the present invention have been described above, the above description is only for the purpose of understanding the present invention, and is not intended to limit the present invention. It will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (15)

1. An authentication method, comprising:
when an authentication terminal completes primary authentication through a first authentication device, an authentication server generates and stores an authentication link digest corresponding to the authentication terminal and sends the authentication link digest to the authentication terminal and the first authentication device;
the authentication link digest is used for authentication when the authentication terminal migrates between different network areas;
when the authentication terminal leaves the network area corresponding to the first authentication device, the authentication server receives an authentication migration notification sent by the first authentication device and then sets the link state of the authentication terminal to the migration state;
wherein the authentication migration notification is configured to notify the authentication server that the authentication terminal has started migrating or that the authentication terminal is not in the jurisdiction of the first authentication device.
2. The authentication method of claim 1, wherein the authentication link digest is generated by at least one of:
generating the authentication link digest by a hash algorithm from the user name and the authentication initiation time;
or generating the authentication link digest by a hash algorithm from the user name and the location information of the authentication initiation.
3. The authentication method of claim 1, further comprising:
when the authentication terminal enters a new network area, the authentication server receives, through a second authentication device, a migration registration message sent by the authentication terminal, wherein the migration registration message comprises the authentication link digest;
the authentication server determines the link state of the authentication terminal according to the migration registration message;
when the link state is the migration state, notifying the second authentication device and the authentication terminal that migration authentication succeeded;
and when the link state is not the migration state, notifying the second authentication device and the authentication terminal that migration authentication failed.
4. The authentication method of claim 1, further comprising:
when the authentication server receives a user offline message, or when it has not received a migration registration message and the preset migration waiting time has elapsed since the authentication migration notification was received, the authentication server executes the user offline operation and deletes the authentication link digest.
5. An authentication method, comprising:
when an authentication terminal completes primary authentication through a first authentication device, the authentication terminal receives, through the first authentication device, and stores an authentication link digest sent by an authentication server and corresponding to the authentication terminal;
the authentication link digest is used for authentication when the authentication terminal migrates between different network areas;
when the authentication terminal leaves the network area corresponding to the first authentication device, an authentication migration notification is sent to the authentication server through the first authentication device, the authentication migration notification notifying the authentication server that the authentication terminal has started migrating so that the authentication server sets the link state of the authentication terminal to the migration state.
6. The authentication method of claim 5, further comprising:
when the authentication terminal enters a new network area, sending a migration registration notification to the authentication server through a second authentication device, wherein the migration registration notification comprises the authentication link digest;
when the authentication server succeeds in migration authentication of the authentication terminal, receiving, through the second authentication device, a migration authentication success message sent by the authentication server; or, when the authentication server fails in migration authentication of the authentication terminal, receiving, through the second authentication device, a migration authentication failure message sent by the authentication server.
7. The authentication method of claim 5, further comprising:
when the authentication terminal formally goes offline, sending an offline message to the authentication server through the second authentication device, and deleting the authentication link digest.
8. An authentication method, comprising:
when an authentication terminal completes primary authentication through a first authentication device, the first authentication device receives and stores an authentication link digest sent by an authentication server and corresponding to the authentication terminal;
and sends the authentication link digest to the authentication terminal;
the authentication link digest is used for authentication when the authentication terminal migrates between different network areas;
when the authentication terminal leaves the network area corresponding to the first authentication device, an authentication migration notification is sent to the authentication server through the first authentication device, the authentication migration notification notifying the authentication server that the authentication terminal has started migrating so that the authentication server sets the link state of the authentication terminal to the migration state.
9. The authentication method of claim 8, further comprising:
when a migration message sent by the authentication terminal is received, or the authentication terminal is detected not to be in the jurisdiction of the first authentication device, sending an authentication migration notification to the authentication server and deleting the authentication link digest.
10. The authentication method of claim 8, further comprising:
when a migration registration message sent by another authentication terminal is received, sending a migration registration notification to the authentication server and storing the authentication link digest corresponding to the other authentication terminal carried in the migration registration message, wherein the migration registration notification also carries the authentication link digest corresponding to the other authentication terminal;
when the authentication server succeeds in migration authentication of the other authentication terminal, receiving a migration authentication success message sent by the authentication server and forwarding it to the other authentication terminal; or, when the authentication server fails in migration authentication of the other authentication terminal, receiving a migration authentication failure message sent by the authentication server and forwarding it to the other authentication terminal.
11. The authentication method of claim 10, further comprising:
when an offline message sent by the authentication terminal is received, forwarding the offline message to the authentication server and deleting the authentication link digest;
or, when an offline message sent by the other authentication terminal is received, forwarding the offline message to the authentication server and deleting the authentication link digest corresponding to the other authentication terminal.
12. An authentication server comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the computer program, when executed by the processor, implementing the authentication method of any one of claims 1 to 4.
13. An authentication terminal comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the computer program, when executed by the processor, implementing the authentication method of any one of claims 5 to 7.
14. An authentication device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the computer program, when executed by the processor, implementing the authentication method of any one of claims 8 to 11.
15. A computer-readable storage medium on which an information processing program is stored, the program, when executed by a processor, implementing the steps of the authentication method of any one of claims 1 to 11.
CN201811324959.5A 2018-11-08 2018-11-08 Authentication method, authentication server, authentication terminal and authentication equipment Active CN111163039B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201811324959.5A CN111163039B (en) 2018-11-08 2018-11-08 Authentication method, authentication server, authentication terminal and authentication equipment
PCT/CN2019/116378 WO2020094102A1 (en) 2018-11-08 2019-11-07 Authentication method, authentication server, authentication terminal and authentication device

Publications (2)

Publication Number Publication Date
CN111163039A CN111163039A (en) 2020-05-15
CN111163039B true CN111163039B (en) 2023-03-10

Family

ID=70555503

Country Status (2)

Country Link
CN (1) CN111163039B (en)
WO (1) WO2020094102A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113067797B (en) * 2021-02-01 2023-04-07 上海金融期货信息技术有限公司 Identity authentication and authorization system supporting multiple terminals and multiple certificates in cross-network area

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104144095A (en) * 2014-08-08 2014-11-12 福建星网锐捷网络有限公司 Terminal authentication method and interchanger
CN105208030A (en) * 2015-09-30 2015-12-30 北京锐安科技有限公司 Wireless network roaming method

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101697540B (en) * 2009-10-15 2012-08-15 浙江大学 Method for authenticating user identity through P2P service request
JP5713244B2 (en) * 2012-01-17 2015-05-07 日立金属株式会社 Network system
CN103873449B (en) * 2012-12-18 2017-07-07 中国电信股份有限公司 Method for network access and system
CN104202744A (en) * 2014-08-14 2014-12-10 腾讯科技(深圳)有限公司 Operation authentication method for intelligent terminal, terminal and system

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104144095A (en) * 2014-08-08 2014-11-12 福建星网锐捷网络有限公司 Terminal authentication method and interchanger
CN105208030A (en) * 2015-09-30 2015-12-30 北京锐安科技有限公司 Wireless network roaming method

Also Published As

Publication number Publication date
WO2020094102A1 (en) 2020-05-14
CN111163039A (en) 2020-05-15

Similar Documents

Publication Publication Date Title
US11178134B2 (en) Method and apparatus for allocating device identifiers
US11736292B2 (en) Access token management method, terminal, and server
KR102047902B1 (en) Message management methods, devices, and storage media
US12011094B2 (en) Multi-factor authentication with increased security
CN110365483B (en) Cloud platform authentication method, client, middleware and system
US9332433B1 (en) Distributing access and identification tokens in a mobile environment
EP3251285B1 (en) Service request authentication method and apparatus
CN109561429B (en) Authentication method and device
CN101986598B (en) Authentication method, server and system
WO2016188224A1 (en) Service authorization method, apparatus, system and router
CN105681259A (en) Open authorization method and apparatus and open platform
CN111405036A (en) Service access method, device, related equipment and computer readable storage medium
CN111949959B (en) Authorization authentication method and device in Oauth protocol
CN102971739B (en) Strength evidence protection account security is utilized to set
CN111404918A (en) Cloud mobile phone distributed service emergency authentication method, device and system
CN108009439B (en) Resource request method, device and system
CN111163039B (en) Authentication method, authentication server, authentication terminal and authentication equipment
CN113489689B (en) Authentication method and device for access request, storage medium and electronic equipment
CN110781481A (en) Single sign-on method, client, server, and storage medium
CN103685134A (en) WLAN (Wireless Local Area Network) resource access control method and WLAN resource access control device
US11363020B2 (en) Method, device and storage medium for forwarding messages
CN107846410B (en) Network access verification method and device
CN111581613A (en) Account login verification method and system
CN110266657A (en) Authentication method and device, resource access method and device, storage medium
CN112583777B (en) Method and device for realizing user login

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant