CN111163039B - Authentication method, authentication server, authentication terminal and authentication equipment - Google Patents
- Publication number: CN111163039B (application CN201811324959.5A)
- Authority: CN (China)
- Prior art keywords: authentication, terminal, migration, server, equipment
- Prior art date
- Legal status: Active (Google's note: the legal status is an assumption, not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04 Electric communication technique (H04L: transmission of digital information; H04W: wireless communication networks)
- H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
  - H04L9/40 Network security protocols
- H04L63/00 Network architectures or network communication protocols for network security
  - H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
- H04L12/00 Data switching networks
  - H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    - H04L12/46 Interconnection of networks
- H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
  - H04W12/06 Authentication
- H04W4/00 Services specially adapted for wireless communication networks; Facilities therefor
  - H04W4/02 Services making use of location information
    - H04W4/021 Services related to particular areas, e.g. point of interest [POI] services, venue services or geofences
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
An embodiment of the invention discloses an authentication method, an authentication server, an authentication terminal and an authentication device. The method comprises: when an authentication terminal completes primary authentication through a first authentication device, the authentication server generates and stores an authentication link digest corresponding to that terminal and sends the digest to the terminal and to the first authentication device; the authentication link digest is then used for authentication when the terminal migrates between different network areas. From the primary authentication until the user actively goes offline, the user therefore does not have to resubmit identity information each time they move between network areas, which reduces the exposure of user identity information and also improves the user experience.
Description
Technical Field
Embodiments of the invention relate to, but are not limited to, an authentication method, an authentication server, an authentication terminal and an authentication device.
Background
As the network environment keeps changing, users pay increasing attention to the security of network services, and the demand for mobile working keeps growing. 802.1X, as a general-purpose identity authentication technology, provides effective authentication of the users who access a network.
The traditional 802.1X model consists of an authentication server, an authentication device and an authentication terminal. The user accesses the network through the authentication terminal and initiates an authentication request. The authentication device sits in front of the available network resources; on receiving the request it relays the identity verification exchange between the terminal and the authentication server and receives the authentication result from the server. If the server grants the user authorization, the authentication device configures its software and hardware state according to the granted permissions and allows the terminal to access the network through it. If the server rejects the request, the device configures itself to block the terminal and cuts the illegitimate user off from network resources.
To keep network access secure, 802.1X authentication is normally required every time a user enters a network area managed by a different authentication device. At the same time, as users' security requirements rise, the identity credential submitted during authentication has become more complex and longer so that identities cannot easily be forged, and the network and server resources consumed by identity authentication keep growing.
With the spread of notebook computers, tablets and smartphones, working while moving is now common. When a user moves from one network area to another, the user must first go offline in the first area and then re-authenticate in the second. Frequent offline/online cycles not only consume more system resources for authentication but also noticeably increase the risk that user identity information is captured by hackers and other network threats, and the cumbersome authentication process also degrades the user experience.
Disclosure of Invention
In view of this, an embodiment of the present invention provides an authentication method, comprising:
when an authentication terminal completes primary authentication through a first authentication device, an authentication server generates and stores an authentication link digest corresponding to the authentication terminal and sends the digest to the authentication terminal and to the first authentication device;
the authentication link digest is used for authentication when the authentication terminal migrates between different network areas.
An embodiment of the invention also provides an authentication method, comprising:
when an authentication terminal completes primary authentication through a first authentication device, the authentication terminal receives, via the first authentication device, the authentication link digest that the authentication server generated for it, and stores the digest;
the authentication link digest is used for authentication when the authentication terminal migrates between different network areas.
An embodiment of the invention also provides an authentication method, comprising:
when an authentication terminal completes primary authentication through a first authentication device, the first authentication device receives and stores the authentication link digest that the authentication server generated for the terminal;
and sends the authentication link digest to the authentication terminal;
the authentication link digest is used for authentication when the authentication terminal migrates between different network areas.
An embodiment of the invention also provides an authentication server comprising a memory, a processor and a computer program stored in the memory and executable on the processor; when the program is executed by the processor, it carries out the authentication method performed by the authentication server.
An embodiment of the invention also provides an authentication terminal comprising a memory, a processor and a computer program stored in the memory and executable on the processor; when the program is executed by the processor, it carries out the authentication method performed by the authentication terminal.
An embodiment of the invention also provides an authentication device comprising a memory, a processor and a computer program stored in the memory and executable on the processor; when the program is executed by the processor, it carries out the authentication method performed by the authentication device.
An embodiment of the present invention further provides a computer-readable storage medium on which an information processing program is stored; when the program is executed by a processor, it implements the steps of any one of the authentication methods described above.
Compared with the related art, the embodiments of the invention provide an authentication method, an authentication server, an authentication terminal and an authentication device, where the method comprises: when an authentication terminal completes primary authentication through a first authentication device, an authentication server generates and stores an authentication link digest corresponding to the terminal and sends the digest to the terminal and to the first authentication device; the digest is used for authentication when the terminal migrates between different network areas. The user therefore submits identity information only once per network session, for the primary authentication; after that succeeds, no further identity information is submitted while the user migrates between network areas until the user actively goes offline. This reduces the risk of user identity information leaking and also improves the user experience.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
The accompanying drawings are included to provide a further understanding of the present invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the example serve to explain the principles of the invention and are not intended to limit the invention.
FIG. 1 is a flow chart illustrating an authentication method of a conventional 802.1X technology model;
fig. 2 is a schematic flowchart of an authentication method according to an embodiment of the present invention;
fig. 3 is a flowchart illustrating an authentication method according to a second embodiment of the present invention;
fig. 4 is a schematic flowchart of an authentication method according to a third embodiment of the present invention;
fig. 5 is a schematic flowchart of an authentication method according to a fourth embodiment of the present invention;
fig. 6 is a schematic flowchart of an authentication method according to a fifth embodiment of the present invention;
fig. 7 is a schematic flowchart of an authentication method according to a sixth embodiment of the present invention;
fig. 8 is a schematic flowchart of an authentication method according to a seventh embodiment of the present invention;
fig. 9 is a schematic flowchart of an authentication method according to an eighth embodiment of the present invention;
fig. 10 is a schematic structural diagram of an authentication server according to a ninth embodiment of the present invention;
fig. 11 is a schematic structural diagram of an authentication terminal according to a tenth embodiment of the present invention;
fig. 12 is a schematic structural diagram of an authentication device according to an eleventh embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, embodiments of the present invention will be described in detail below with reference to the accompanying drawings. It should be noted that the embodiments and features of the embodiments in the present application may be arbitrarily combined with each other without conflict.
The steps illustrated in the flowcharts of the figures may be performed in a computer system as a set of computer-executable instructions. Although the flowcharts show a logical order, in some cases the steps shown or described may be performed in a different order.
Fig. 1 is a flowchart of the authentication method of the conventional 802.1X model. As shown in fig. 1, in that model an authentication terminal that migrates between different authentication devices (each device serving a different network area) must go through the 802.1X authentication process, including the exchange of identity information, several times. When the terminal migrates between network areas, these repeated offline/online authentications not only increase the system resources consumed by authentication but also noticeably increase the risk that user identity information is captured by hackers and other network threats, and the cumbersome process also degrades the user experience.
Embodiments of the invention therefore provide an authentication method, an authentication server, an authentication terminal and an authentication device that introduce an authentication link digest, simplifying the authentication process for a user moving between network areas, sparing the user from submitting identity information repeatedly, and reducing the risk that the identity information leaks.
The main idea is that the user submits user identity information (user name, password, certificate and the like) only once per network session. After identity authentication succeeds, the authentication server assigns a dedicated link digest to the user's link; the user terminal stores the digest and, on entering a new network area, submits the digest instead of authenticating again. The authentication server reconfigures the authentication device according to the digest, so the terminal skips the traditional identity authentication and quickly obtains access authorization for the network resources of the new area. Several embodiments are described in detail below.
Example one
Fig. 2 is a flowchart of an authentication method according to the first embodiment of the present invention. As shown in fig. 2, the authentication method includes:
when an authentication terminal completes primary authentication through a first authentication device, an authentication server generates and stores an authentication link digest corresponding to the authentication terminal and sends the digest to the authentication terminal and to the first authentication device;
the authentication link digest is used for authentication when the authentication terminal migrates between different network areas.
The authentication link digest is generated in one of the following ways:
by a hash algorithm over the user name and the authentication initiation time;
by a hash algorithm over the user name and the location information where authentication was initiated; or
by a hash algorithm over the user information and a specific descriptor assigned by the authentication server.
The method further includes:
when the authentication terminal leaves the network area corresponding to the first authentication device, the authentication server receives a migration notification sent by the first authentication device and then sets the link state of the authentication terminal to migrating;
the migration notification informs the authentication server that the terminal has started migrating or that the terminal is no longer within the jurisdiction of the first authentication device.
The method further includes:
when the authentication terminal enters a new network area, the authentication server receives, via a second authentication device, a migration registration message sent by the terminal; the message carries the authentication link digest;
the authentication server looks up the link state of the terminal identified by the migration registration message;
if the link state is migrating, it notifies the second authentication device and the terminal that migration authentication succeeded;
if the link state is not migrating, it notifies the second authentication device and the terminal that migration authentication failed.
The method further includes:
when the authentication server receives a user offline message, or when it has received a migration notification but no migration registration message arrives within the preset migration waiting time, the authentication server performs the user offline operation and deletes the authentication link digest.
Example two
Fig. 3 is a flowchart of an authentication method according to the second embodiment of the present invention. As shown in fig. 3, the authentication method includes:
when an authentication terminal completes primary authentication through a first authentication device, the authentication terminal receives, via the first authentication device, the authentication link digest that the authentication server generated for it, and stores the digest;
the authentication link digest is used for authentication when the authentication terminal migrates between different network areas.
The method further includes:
when the authentication terminal leaves the network area corresponding to the first authentication device, it sends a migration notification to the authentication server via the first authentication device; the notification informs the server that the terminal has started migrating, so that the server sets the terminal's link state to migrating.
The method further includes:
when the authentication terminal enters a new network area, it sends a migration registration notification carrying the authentication link digest to the authentication server via a second authentication device;
if the authentication server's migration authentication of the terminal succeeds, the terminal receives a migration authentication success message from the server via the second authentication device; if it fails, the terminal receives a migration authentication failure message from the server via the second authentication device.
The method further includes:
when the authentication terminal formally goes offline, it sends an offline message to the authentication server via the second authentication device and deletes the authentication link digest.
EXAMPLE III
Fig. 4 is a flowchart of an authentication method according to the third embodiment of the present invention. As shown in fig. 4, the authentication method includes:
when an authentication terminal completes primary authentication through a first authentication device, the first authentication device receives and stores the authentication link digest that the authentication server generated for the terminal, and sends the digest to the terminal;
the authentication link digest is used for authentication when the authentication terminal migrates between different network areas.
The method further includes:
when the first authentication device receives a migration message from the authentication terminal, or detects that the terminal is no longer within its jurisdiction, it sends a migration notification to the authentication server and deletes the authentication link digest.
The method further includes:
when the first authentication device receives a migration registration message from another authentication terminal, it sends a migration registration notification to the authentication server and caches the authentication link digest of that other terminal carried in the message; the migration registration notification also carries that digest;
if the authentication server's migration authentication of the other terminal succeeds, the device receives a migration authentication success message from the server and forwards it to the other terminal; if it fails, the device receives a migration authentication failure message from the server and forwards it to the other terminal.
The method further includes:
when the first authentication device receives an offline message from the authentication terminal, it forwards the message to the authentication server and deletes the authentication link digest;
or, when it receives an offline message from the other authentication terminal, it forwards the message to the authentication server and deletes the authentication link digest of the other terminal.
With the solutions of the first, second and third embodiments, a simple exchange based on the authentication link digest greatly simplifies the authentication process when the user moves to a new authentication device (network area), noticeably reducing resource overhead and time. The user's identity information is not sent repeatedly, which markedly improves its security.
The solutions of the first, second and third embodiments are now explained in detail through several specific embodiments.
Example four
The fourth embodiment applies to the scenario in which a user comes online for the first time. Fig. 5 is a schematic flowchart of an authentication method according to the fourth embodiment of the present invention; as shown in fig. 5, the authentication method includes:
when authentication passes, authentication device A authorizes the user to access the network, starts accounting, records logs and performs the other usual actions.
The primary authentication process is the prior-art procedure of fig. 1 and is not repeated here.
the authentication server generates the authentication link digest according to the configured digest algorithm.
Specifically, the digest can be generated by various methods. Its purpose is to uniquely identify one user link event, so that from the authentication request until the user actively exits, the user can keep accessing network resources, cross-area migration costs fewer extra resources, the user is spared a poor experience, the opportunity to eavesdrop on and steal user identity information is reduced, and security is improved.
The authentication link digest can be generated by one of the following methods, or a combination of them:
1. a hash algorithm over the user name + the authentication initiation time;
2. a hash algorithm over the user name + the location information where authentication was initiated;
3. a hash algorithm over the user information + a specific descriptor assigned by the authentication server.
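The three generation options above, as an added example written for this page rather than code from the patent. It implements each option and adds the check a practitioner would make before choosing one: options 1 and 2 hash inputs that an observer on the same network may already know (the user name is part of the authentication exchange, and the time or location can be guessed), so the digest can be recomputed by trying candidate times; option 3 with a random server-assigned descriptor and a keyed hash has no such weakness. The use of SHA-256 and HMAC, the server key, the 16-byte descriptor and the field separator are all assumptions of the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple


def digest_username_time(username: str, auth_time: int) -> str:
    """Option 1: hash over user name + authentication initiation time (Unix seconds)."""
    return hashlib.sha256(f"{username}|{auth_time}".encode()).hexdigest()


def digest_username_location(username: str, location: str) -> str:
    """Option 2: hash over user name + location where authentication was initiated."""
    return hashlib.sha256(f"{username}|{location}".encode()).hexdigest()


def digest_userinfo_descriptor(server_key: bytes, user_info: str, descriptor: bytes) -> str:
    """Option 3: hash over user information + a descriptor assigned by the server.

    This example keys the hash (HMAC) with a server secret and uses a random
    descriptor; the patent names neither the hash nor how the descriptor is chosen."""
    return hmac.new(server_key, descriptor + b"|" + user_info.encode(), hashlib.sha256).hexdigest()


def issue_digest(server_key: bytes, user_info: str) -> Tuple[bytes, str]:
    """Issue a fresh descriptor and digest for one login, so repeated logins differ."""
    descriptor = secrets.token_bytes(16)  # never leaves the server
    return descriptor, digest_userinfo_descriptor(server_key, user_info, descriptor)


def recover_option1_time(username: str, observed: str, t_start: int, t_end: int) -> Optional[int]:
    """Check on option 1: an observer who captured the digest and knows the user
    name only has to try the plausible authentication times. Returns the time
    that reproduces the digest, or None when no candidate in the window matches."""
    for t in range(t_start, t_end + 1):
        if hmac.compare_digest(digest_username_time(username, t), observed):
            return t
    return None
```

Running recover_option1_time against a digest produced by digest_username_time finds the authentication time within a window of a few hundred seconds; the same search is hopeless against issue_digest, because the descriptor is random and stays on the server and the hash is keyed.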
EXAMPLE five
The fifth embodiment applies to the scenario in which a user (authentication terminal) leaves the network area governed by authentication device A. Fig. 6 is a schematic flowchart of an authentication method according to the fifth embodiment of the present invention; as shown in fig. 6, the authentication method includes:
601: the authentication terminal sends a migration message carrying the authentication link digest to authentication device A;
unlike the existing process, the terminal does not send an 802.1X offline message; it sends a migration message carrying the authentication link digest, informing device A that the terminal is starting to migrate;
specifically, device A generates a migration notification from the authentication link digest and sends it to the authentication server, informing the server that the terminal is starting to migrate; alternatively, the terminal sends nothing, and device A sends the migration notification on its own when it detects that the terminal corresponding to the digest is no longer within its jurisdiction, informing the server that the terminal has left the area of device A;
the authentication server then sets the terminal's link state to migrating, closes the user's authorization on device A, and waits for the user to migrate to a new network area; it does not end the user's accounting or perform other offline actions.
If no migration registration message arrives within the preset migration waiting time after the migration notification, the authentication server performs the user offline operation and deletes the authentication link digest. In other words, if the user has not completed migration registration by the time the configured waiting time elapses, the user is treated as offline: accounting is ended, the digest is deleted, and the other management actions are completed.
Example six
The sixth embodiment applies to the case where a user (authentication terminal) moves from the network area managed by authentication device A into a new network area managed by authentication device B. Fig. 7 is a schematic flowchart of an authentication method according to the sixth embodiment of the present invention; as shown in fig. 7, the authentication method includes:
instead of restarting the 802.1X authentication request as in the existing process, the authentication terminal sends a migration registration message carrying the authentication link digest.
Specifically, if the link state of the user corresponding to the digest is migrating, the user is treated as having migrated online: migration authentication succeeds, authentication device B is set to authorize the user to access the corresponding network resources, and the cached digest is formally stored. If the user's link is not in the migrating state, migration authentication fails: the migration is refused, an authentication failure message is sent to device B, the user is denied access to network resources, and the cached digest is deleted.
EXAMPLE seven
The seventh embodiment applies to the scenario in which a user (authentication terminal) formally goes offline. Fig. 8 is a schematic flowchart of an authentication method according to the seventh embodiment of the present invention; as shown in fig. 8, the authentication method includes:
step 803: the authentication server performs the user offline operation, ends the user's accounting, instructs the authentication device to end the corresponding network access authorization, and destroys the corresponding authentication link digest.
Example eight
The eighth embodiment applies to the whole course of a user session from online to offline. Fig. 9 is a schematic flowchart of an authentication method according to the eighth embodiment of the present invention; as shown in fig. 9, the authentication method includes:
after the migration notification is received, the user's authorization on the original authentication device is closed and the original device deletes the stored authentication link digest. If the user does not initiate step 904 and pass migration authentication within the set time, the authentication server performs the user offline operation, and both the server and the authentication device delete the stored digest.
if the user corresponding to the authentication link digest is in the migrating state, authorization is issued: migration authentication succeeds, the authentication device is set to let the user access the network, and the device formally stores the digest cached in step 904. Otherwise migration authentication fails: the authentication server rejects the migration request made with that digest, the authentication device is set to deny the user network access, and the device deletes the digest cached in step 904.
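The full lifecycle of the fourth to eighth embodiments (primary authentication, migration notification, migration registration, waiting-time expiry and formal offline), as an added example written for this page rather than code from the patent. It models the authentication server's link state machine; the authentication devices and the terminal are reduced to the messages they send to the server. Assumptions of the example: the digest is an HMAC over the user name and a random server-assigned descriptor (the third generation option), the migration waiting time is 30 seconds, an injectable clock stands in for real time, and all names (AuthServer, Link, run_scenario, devices A, B and C, user alice) are constructed. One check goes slightly beyond the text: a migration notification is only accepted from the device that currently authorizes the link.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set

ONLINE, MIGRATING = "online", "migrating"
MIGRATION_WAIT = 30.0  # preset migration waiting time in seconds; value assumed for the example


@dataclass
class Link:
    username: str
    device: Optional[str]       # device currently authorizing the user; None while migrating
    state: str                  # ONLINE or MIGRATING
    deadline: Optional[float]   # time at which a pending migration is treated as offline


class AuthServer:
    """Server-side state of one user link from primary auth through migration to offline
    (constructed model, not the patent's own implementation)."""

    def __init__(self, key: bytes, now: Callable[[], float]):
        self._key = key                               # secret for the keyed digest
        self._now = now                               # clock, injectable for testing
        self._links: Dict[str, Link] = {}             # digest -> link
        self.authorized: Dict[str, Set[str]] = {}     # device -> users it currently admits
        self.accounting: Set[str] = set()             # users with an open accounting session

    def primary_auth_success(self, username: str, device: str) -> str:
        """Called once 802.1X succeeds on `device`; the returned digest goes to terminal and device."""
        descriptor = secrets.token_bytes(16)          # server-assigned descriptor (option 3)
        digest = hmac.new(self._key, descriptor + username.encode(), hashlib.sha256).hexdigest()
        self._links[digest] = Link(username, device, ONLINE, None)
        self.authorized.setdefault(device, set()).add(username)
        self.accounting.add(username)
        return digest

    def migration_notification(self, digest: str, device: str) -> bool:
        """Device reports that the terminal asked to migrate or has left its area."""
        self._expire_pending()
        link = self._links.get(digest)
        # Only the device that currently authorizes the link may start a migration.
        if link is None or link.state != ONLINE or link.device != device:
            return False
        self.authorized[device].discard(link.username)  # close authorization on the old device
        link.state, link.device = MIGRATING, None       # accounting stays open
        link.deadline = self._now() + MIGRATION_WAIT
        return True

    def migration_registration(self, digest: str, new_device: str) -> bool:
        """Terminal presents the digest via the new device; no identity information is sent."""
        self._expire_pending()
        link = self._links.get(digest)
        if link is None or link.state != MIGRATING:     # unknown, expired, or already consumed
            return False
        link.state, link.device, link.deadline = ONLINE, new_device, None
        self.authorized.setdefault(new_device, set()).add(link.username)
        return True

    def offline(self, digest: str) -> bool:
        """Formal offline: end accounting, withdraw authorization, destroy the digest."""
        link = self._links.pop(digest, None)
        if link is None:
            return False
        if link.device is not None:
            self.authorized[link.device].discard(link.username)
        self.accounting.discard(link.username)
        return True

    def is_known(self, digest: str) -> bool:
        self._expire_pending()
        return digest in self._links

    def _expire_pending(self) -> None:
        """A migration that outlives the waiting time is treated as the user going offline."""
        now = self._now()
        expired = [d for d, l in self._links.items()
                   if l.state == MIGRATING and l.deadline is not None and now >= l.deadline]
        for d in expired:
            self.offline(d)


def run_scenario() -> Dict[str, bool]:
    """Constructed walk-through: login on A, migrate to B, replay attempt, timeout, fresh login, offline."""
    clock = {"t": 0.0}
    server = AuthServer(secrets.token_bytes(32), lambda: clock["t"])
    out: Dict[str, bool] = {}
    d = server.primary_auth_success("alice", "A")
    out["login_on_A"] = "alice" in server.authorized["A"]
    out["notify_from_A"] = server.migration_notification(d, "A")
    out["A_closed"] = "alice" not in server.authorized["A"]
    out["accounting_kept"] = "alice" in server.accounting
    clock["t"] += 5
    out["register_on_B"] = server.migration_registration(d, "B")
    out["replay_on_C"] = server.migration_registration(d, "C")     # same digest presented again
    out["register_unknown"] = server.migration_registration("00" * 32, "B")
    server.migration_notification(d, "B")                           # leave B, then never register
    clock["t"] += MIGRATION_WAIT
    out["late_register"] = server.migration_registration(d, "C")
    out["digest_gone"] = not server.is_known(d)
    out["accounting_closed"] = "alice" not in server.accounting
    d2 = server.primary_auth_success("alice", "A")                   # next login gets a new digest
    out["new_digest_differs"] = d2 != d
    out["offline"] = server.offline(d2) and not server.is_known(d2)
    return out
```

Two points of the design are visible in run_scenario: a digest that has been consumed by a successful migration registration moves the link back to online, so presenting it again at a third device fails until a new migration notification arrives, and a migration that is never completed within the waiting time ends the session and destroys the digest, matching the offline handling of the seventh and eighth embodiments.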
Taken together, the fourth to eighth embodiments amount to the following. The user submits identity information only once, when logging in to the network, and no longer submits complete identity information when moving between network areas managed by different authentication devices. Such moves use a simple migration procedure based on the user's authentication link digest, which the authentication server generates and distributes uniformly and which allows fast registration on different authentication devices. The digest is valid only for one login session of the user; the same user receives a different digest on each login.
Compared with the traditional 802.1X scheme, the user does not have to complete a full authentication process when moving between areas managed by different authentication devices; registration completes quickly through the digest exchange, which reduces resource consumption during migration, shortens the time until the user is authorized in the new area, and improves the user experience. For the authentication server, the number of identity verifications it must process falls, saving computing resources. During login and migration the user submits identity information only once and all later exchanges are based on the digest, which reduces the chance of the identity information being stolen across different network areas. The digest is valid only for that link and becomes invalid once the user goes offline, so even a digest captured by an eavesdropper cannot be reused afterwards, which gives the scheme adequate security.
Example nine
Fig. 10 is a schematic structural diagram of an authentication server according to a ninth embodiment of the present invention, and as shown in fig. 10, the authentication server includes:
a generation and storage unit, configured to generate and store an authentication link digest corresponding to an authentication terminal when the authentication terminal completes primary authentication through a first authentication device;
a sending unit, configured to send the authentication link digest to the authentication terminal and the first authentication device;
wherein the authentication link digest is used for authentication when the authentication terminal migrates among different network areas.
The authentication link digest is generated by at least one of the following:
generating the authentication link digest through a hash algorithm from the user name and the authentication initiation time;
or generating the authentication link digest through a hash algorithm from the user name and the location information of the authentication initiation;
or generating the authentication link digest through a hash algorithm from the user's knowledge and a specific descriptor assigned by the authentication server.
The authentication server further includes:
a setting unit, configured to set the link state of the authentication terminal to a migration state after receiving an authentication migration notification sent by the first authentication device when the authentication terminal leaves the network area corresponding to the first authentication device;
wherein the authentication migration notification is used to notify the authentication server that the authentication terminal starts migrating or that the authentication terminal is not in the jurisdiction of the first authentication device.
The authentication server further includes:
a receiving unit, configured to receive, through a second authentication device, a migration registration message sent by the authentication terminal when the authentication terminal enters a new network area, where the migration registration message includes the authentication link digest;
an authentication unit, configured to determine the link state of the authentication terminal according to the migration registration message; when the link state is the migration state, notify the second authentication device and the authentication terminal that the migration authentication succeeded; and when the link state is not the migration state, notify the second authentication device and the authentication terminal that the migration authentication failed.
The authentication server further includes:
a deleting unit, configured to perform the user offline operation and delete the authentication link digest when a user offline message is received, or when no migration registration message is received within the preset migration waiting time after the authentication migration notification is received.
Example ten
Fig. 11 is a schematic structural diagram of an authentication terminal according to a tenth embodiment of the present invention, and as shown in fig. 11, the authentication terminal includes:
a receiving unit, configured to receive, through a first authentication device, an authentication link digest that the authentication server sends for the authentication terminal after the authentication terminal completes primary authentication through the first authentication device;
a storage unit, configured to store the authentication link digest;
wherein the authentication link digest is used for authentication when the authentication terminal migrates among different network areas.
The authentication terminal further includes:
a sending unit, configured to send, when the authentication terminal leaves the network area corresponding to the first authentication device, an authentication migration notification to the authentication server through the first authentication device, where the authentication migration notification is used to notify the authentication server that the authentication terminal starts to migrate, so that the authentication server sets the link state of the authentication terminal to a migration state.
The sending unit is further configured to send a migration registration notification to the authentication server through a second authentication device when the authentication terminal enters a new network area, where the migration registration notification includes the authentication link digest;
the receiving unit is further configured to receive, through the second authentication device, a migration authentication success message sent by the authentication server when the authentication server succeeds in the migration authentication of the authentication terminal; or, when the authentication server fails the migration authentication of the authentication terminal, to receive, through the second authentication device, a migration authentication failure message sent by the authentication server.
The sending unit is further configured to send an offline message to the authentication server through the second authentication device when the authentication terminal formally goes offline.
The authentication terminal further includes: a deleting unit, configured to delete the authentication link digest when the authentication terminal formally goes offline.
Example eleven
Fig. 12 is a schematic structural diagram of an authentication apparatus according to an eleventh embodiment of the present invention, and as shown in fig. 12, the authentication apparatus includes:
a receiving and storing unit, configured to receive and store an authentication link digest that the authentication server sends for an authentication terminal when the authentication terminal completes primary authentication through the first authentication device;
a sending unit, configured to send the authentication link digest to the authentication terminal;
wherein the authentication link digest is used for authentication when the authentication terminal migrates among different network areas.
The sending unit is further configured to send an authentication migration notification to the authentication server when a migration message sent by the authentication terminal is received, or when the authentication terminal is detected not to be in the jurisdiction of the first authentication device;
the authentication device further includes: a deleting unit, configured to delete the authentication link digest when the migration message sent by the authentication terminal is received, or when the authentication terminal is detected not to be in the jurisdiction of the first authentication device.
The sending unit is further configured to, when a migration registration message sent by another authentication terminal is received, send a migration registration notification to the authentication server and store the authentication link digest corresponding to that other authentication terminal carried in the migration registration message, where the migration registration notification also carries the authentication link digest corresponding to the other authentication terminal;
the receiving and storing unit is further configured to receive a migration authentication success message sent by the authentication server and forward it to the other authentication terminal when the authentication server succeeds in the migration authentication of the other authentication terminal; or, when the authentication server fails the migration authentication of the other authentication terminal, to receive a migration authentication failure message sent by the authentication server and forward it to the other authentication terminal.
The sending unit is further configured to forward an offline message to the authentication server when the offline message sent by the authentication terminal is received;
the deleting unit is further configured to delete the authentication link digest when the offline message sent by the authentication terminal is received;
or, the sending unit is further configured to forward an offline message to the authentication server when the offline message sent by the other authentication terminal is received;
and the deleting unit is further configured to delete the authentication link digest corresponding to the other authentication terminal when the offline message sent by the other authentication terminal is received.
The technical solutions provided by the ninth, tenth and eleventh embodiments effectively reduce the complexity of the authentication process when the user moves between different areas and, because the user exchanges identity information only once, effectively reduce the risk that the user's identity information is monitored and captured.
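The server-side state machine of the ninth embodiment (generation-and-storage, setting, authentication and deleting units), with the terminal and the two authentication devices of the tenth and eleventh embodiments reduced to the messages they forward, as an added Python example; this is not the patent's code. It assumes SHA-256 as the hash algorithm, a random server-assigned descriptor mixed into the digest (the third generation option), a constructed 30 second migration waiting time, and that a successful migration registration puts the link back online under the new device.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed value for the "preset migration waiting time" of the patent.
MIGRATION_WAIT_SECONDS = 30.0


@dataclass
class LinkRecord:
    """Server-side state for one logged-in terminal, keyed by its link digest."""
    username: str
    device_id: str                      # authentication device currently serving the terminal
    state: str = "online"               # "online" or "migrating"
    migration_started_at: Optional[float] = None


class AuthServer:
    """Generation-and-storage, setting, authentication and deleting units in one class."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now                  # injectable clock so the timeout can be tested
        self._links: Dict[str, LinkRecord] = {}

    # --- generation-and-storage unit and sending unit ---------------------------
    def primary_auth_complete(self, username: str, device_id: str) -> str:
        """Called once the first device reports a successful primary authentication.

        The digest is SHA-256 over the user name, the authentication initiation
        time and a server-assigned random descriptor (assumption), so the same
        user gets a different digest on every login.  Returning it stands in for
        sending it to the terminal and the first authentication device.
        """
        initiated_at = self._now()
        descriptor = secrets.token_hex(16)
        material = f"{username}|{initiated_at:.6f}|{descriptor}".encode()
        digest = hashlib.sha256(material).hexdigest()
        self._links[digest] = LinkRecord(username=username, device_id=device_id)
        return digest

    # --- setting unit -------------------------------------------------------------
    def migration_notification(self, digest: str) -> bool:
        """First device reports that the terminal left its area: mark the link migrating."""
        rec = self._links.get(digest)
        if rec is None:
            return False
        rec.state = "migrating"
        rec.migration_started_at = self._now()
        return True

    # --- authentication unit ------------------------------------------------------
    def migration_registration(self, digest: str, new_device_id: str) -> str:
        """Second device forwards the terminal's migration registration carrying the digest.

        Success only if the link is known and currently in the migration state;
        an unknown, expired or never-announced digest fails.
        """
        rec = self._links.get(digest)
        if rec is None or rec.state != "migrating":
            return "failure"
        rec.state = "online"             # assumption: back online under the new device
        rec.device_id = new_device_id
        rec.migration_started_at = None
        return "success"

    # --- deleting unit ------------------------------------------------------------
    def user_offline(self, digest: str) -> bool:
        """Formal offline message: perform the offline operation and drop the digest."""
        return self._links.pop(digest, None) is not None

    def expire_stale_migrations(self) -> List[str]:
        """Drop links whose migration registration did not arrive within the waiting time."""
        now = self._now()
        stale = [d for d, r in self._links.items()
                 if r.state == "migrating"
                 and r.migration_started_at is not None
                 and now - r.migration_started_at > MIGRATION_WAIT_SECONDS]
        for d in stale:
            del self._links[d]
        return stale

    def serving_device(self, digest: str) -> Optional[str]:
        """Which authentication device currently serves the link, if it still exists."""
        rec = self._links.get(digest)
        return rec.device_id if rec else None
```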
The embodiment of the invention also provides an authentication server, which comprises a memory, a processor and a computer program which is stored on the memory and can run on the processor, wherein when the computer program is executed by the processor, any one of the authentication methods executed by the authentication server is realized.
The embodiment of the invention also provides an authentication terminal, which comprises a memory, a processor and a computer program which is stored on the memory and can run on the processor, wherein when the computer program is executed by the processor, any one of the authentication methods executed by the authentication terminal is realized.
The embodiment of the present invention further provides an authentication device, which includes a memory, a processor, and a computer program stored on the memory and capable of running on the processor, and when the computer program is executed by the processor, the computer program implements any one of the authentication methods executed by the authentication device.
An embodiment of the present invention further provides a computer-readable storage medium, where an information processing program is stored on the computer-readable storage medium, and when the information processing program is executed by a processor, the information processing program implements the steps of any of the authentication methods described above.
It will be understood by those of ordinary skill in the art that all or some of the steps of the methods, systems, functional modules/units in the devices disclosed above may be implemented as software, firmware, hardware, and suitable combinations thereof. In a hardware implementation, the division between functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may be performed by several physical components in cooperation. Some or all of the components may be implemented as software executed by a processor, such as a digital signal processor or microprocessor, or as hardware, or as an integrated circuit, such as an application specific integrated circuit. Such software may be distributed on computer readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). The term computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data, as is well known to those of ordinary skill in the art. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, Digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer.
In addition, communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media as is well known to those skilled in the art.
Although the embodiments of the present invention have been described above, the above description is only for the purpose of understanding the present invention, and is not intended to limit the present invention. It will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.
Claims (15)
1. An authentication method, comprising:
when an authentication terminal completes primary authentication through a first authentication device, an authentication server generates and stores an authentication link digest corresponding to the authentication terminal and sends the authentication link digest to the authentication terminal and the first authentication device;
the authentication link digest is used for authentication when the authentication terminal migrates among different network areas;
when the authentication terminal leaves a network area corresponding to the first authentication device, the authentication server receives an authentication migration notification sent by the first authentication device, and then sets the link state of the authentication terminal to a migration state;
wherein the authentication migration notification is used to notify the authentication server that the authentication terminal starts migrating or that the authentication terminal is not in the jurisdiction of the first authentication device.
2. The authentication method of claim 1, wherein the authentication link digest is generated by at least one of:
generating the authentication link digest through a hash algorithm from the user name and the authentication initiation time;
or generating the authentication link digest through a hash algorithm from the user name and the location information of the authentication initiation.
3. The authentication method of claim 1, further comprising:
when the authentication terminal enters a new network area, the authentication server receives, through a second authentication device, a migration registration message sent by the authentication terminal, where the migration registration message includes the authentication link digest;
the authentication server determines the link state of the authentication terminal according to the migration registration message;
when the link state is the migration state, notifying the second authentication device and the authentication terminal that the migration authentication succeeded;
and when the link state is not the migration state, notifying the second authentication device and the authentication terminal that the migration authentication failed.
4. The authentication method according to claim 1, wherein the method further comprises:
when the authentication server receives a user offline message, or does not receive a migration registration message within the preset migration waiting time after receiving the authentication migration notification, the authentication server performs the user offline operation and deletes the authentication link digest.
5. An authentication method, comprising:
when an authentication terminal completes primary authentication through a first authentication device, the authentication terminal receives and stores, through the first authentication device, an authentication link digest that the authentication server sends for the authentication terminal;
the authentication link digest is used for authentication when the authentication terminal migrates among different network areas;
when the authentication terminal leaves a network area corresponding to the first authentication device, an authentication migration notification is sent to the authentication server through the first authentication device, the authentication migration notification being used to notify the authentication server that the authentication terminal starts to migrate, so that the authentication server sets the link state of the authentication terminal to a migration state.
6. The authentication method of claim 5, further comprising:
when the authentication terminal enters a new network area, sending a migration registration notification to the authentication server through a second authentication device, where the migration registration notification includes the authentication link digest;
when the authentication server succeeds in the migration authentication of the authentication terminal, receiving, through the second authentication device, a migration authentication success message sent by the authentication server; or, when the authentication server fails the migration authentication of the authentication terminal, receiving, through the second authentication device, a migration authentication failure message sent by the authentication server.
7. The authentication method of claim 5, further comprising:
when the authentication terminal formally goes offline, sending an offline message to the authentication server through the second authentication device, and deleting the authentication link digest.
8. An authentication method, comprising:
when an authentication terminal completes primary authentication through a first authentication device, the first authentication device receives and stores an authentication link digest that the authentication server sends for the authentication terminal;
and sends the authentication link digest to the authentication terminal;
the authentication link digest is used for authentication when the authentication terminal migrates among different network areas;
when the authentication terminal leaves a network area corresponding to the first authentication device, an authentication migration notification is sent to the authentication server through the first authentication device, the authentication migration notification being used to notify the authentication server that the authentication terminal starts to migrate, so that the authentication server sets the link state of the authentication terminal to a migration state.
9. The authentication method of claim 8, further comprising:
when a migration message sent by the authentication terminal is received, or when the authentication terminal is detected not to be in the jurisdiction of the first authentication device, sending an authentication migration notification to the authentication server and deleting the authentication link digest.
10. The authentication method of claim 8, further comprising:
when a migration registration message sent by another authentication terminal is received, sending a migration registration notification to the authentication server and storing the authentication link digest corresponding to the other authentication terminal carried in the migration registration message, where the migration registration notification also carries the authentication link digest corresponding to the other authentication terminal;
when the authentication server succeeds in the migration authentication of the other authentication terminal, receiving a migration authentication success message sent by the authentication server and forwarding it to the other authentication terminal; or, when the authentication server fails the migration authentication of the other authentication terminal, receiving a migration authentication failure message sent by the authentication server and forwarding it to the other authentication terminal.
11. The authentication method of claim 10, further comprising:
when an offline message sent by the authentication terminal is received, forwarding the offline message to the authentication server and deleting the authentication link digest;
or, when an offline message sent by the other authentication terminal is received, forwarding the offline message to the authentication server and deleting the authentication link digest corresponding to the other authentication terminal.
12. An authentication server comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the computer program when executed by the processor implementing the authentication method of any one of claims 1 to 4.
13. An authentication terminal comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the computer program, when executed by the processor, implementing the authentication method of any one of claims 5 to 7.
14. An authentication apparatus comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the computer program when executed by the processor implementing the authentication method of any one of claims 8 to 11.
15. A computer-readable storage medium, characterized in that an information processing program is stored thereon, which when executed by a processor implements the steps of the authentication method according to any one of claims 1 to 11.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811324959.5A CN111163039B (en) | 2018-11-08 | 2018-11-08 | Authentication method, authentication server, authentication terminal and authentication equipment |
PCT/CN2019/116378 WO2020094102A1 (en) | 2018-11-08 | 2019-11-07 | Authentication method, authentication server, authentication terminal and authentication device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811324959.5A CN111163039B (en) | 2018-11-08 | 2018-11-08 | Authentication method, authentication server, authentication terminal and authentication equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111163039A CN111163039A (en) | 2020-05-15 |
CN111163039B true CN111163039B (en) | 2023-03-10 |
Family
ID=70555503
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811324959.5A Active CN111163039B (en) | 2018-11-08 | 2018-11-08 | Authentication method, authentication server, authentication terminal and authentication equipment |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN111163039B (en) |
WO (1) | WO2020094102A1 (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113067797B (en) * | 2021-02-01 | 2023-04-07 | 上海金融期货信息技术有限公司 | Identity authentication and authorization system supporting multiple terminals and multiple certificates in cross-network area |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104144095A (en) * | 2014-08-08 | 2014-11-12 | 福建星网锐捷网络有限公司 | Terminal authentication method and interchanger |
CN105208030A (en) * | 2015-09-30 | 2015-12-30 | 北京锐安科技有限公司 | Wireless network roaming method |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101697540B (en) * | 2009-10-15 | 2012-08-15 | 浙江大学 | Method for authenticating user identity through P2P service request |
JP5713244B2 (en) * | 2012-01-17 | 2015-05-07 | 日立金属株式会社 | Network system |
CN103873449B (en) * | 2012-12-18 | 2017-07-07 | 中国电信股份有限公司 | Method for network access and system |
CN104202744A (en) * | 2014-08-14 | 2014-12-10 | 腾讯科技(深圳)有限公司 | Operation authentication method for intelligent terminal, terminal and system |
- 2018
  - 2018-11-08 CN CN201811324959.5A patent/CN111163039B/en active Active
- 2019
  - 2019-11-07 WO PCT/CN2019/116378 patent/WO2020094102A1/en active Application Filing
Also Published As
Publication number | Publication date |
---|---|
WO2020094102A1 (en) | 2020-05-14 |
CN111163039A (en) | 2020-05-15 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||