CN111510442A - User verification method and device, electronic equipment and storage medium

Info

Publication number: CN111510442A
Application number: CN202010267824.0A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 孔德刚
Current and original assignee: Wuba Co Ltd
Prior art keywords: public key, password, user, encryption information, primary

Classifications

    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L9/0822 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
    • H04L9/0825 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • H04L9/0863 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
    • H04L9/0866 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
    • H04L9/3234 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token


Abstract

The application discloses a user authentication method, a user authentication device, electronic equipment and a storage medium. After requesting a public key from the server according to the user ID and the password, the client encrypts the password using the public key and sends the resulting primary encryption information to the server. The server then performs a secondary encryption of the primary encryption password using the public key to obtain secondary encryption information, and uses the primary encryption information and the secondary encryption information to complete user registration or user authentication for the user ID. Because the client encrypts the password first, intercepted password information cannot be reused; and because the server encrypts the received information a second time, an attacker who compromises the server cannot use the leaked password information to impersonate the client and log in. The password therefore undergoes irreversible encryption, so that even if it is intercepted in transit it is not leaked and is difficult to exploit, and security is good.

Description

User verification method and device, electronic equipment and storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to a user authentication method and apparatus, an electronic device, and a storage medium.
Background
When a user uses a certain application on a client for the first time, the user needs to register an account and set a password, and when the user uses the application next time, the user needs to log in by using the account and the password. The account and the password when the user registers through the client are stored in the server, so that the account and the password input by the user are matched with the account and the password stored in the server when the user uses the application next time, and the client is allowed to log in the application when the account and the password are matched with each other.
When the client transmits the account and password to the server, whether at registration or at login, it generally sends them directly over HTTP (HyperText Transfer Protocol); when the server stores or verifies them, the received account and password are usually converted into an MD5 digest (Message-Digest Algorithm 5) before being stored or compared.
However, when the account and password are transmitted over HTTP, the password information is leaked if the network between the client and the server is hijacked, or if the server is attacked and the contents of its database leak.
Disclosure of Invention
The application provides a user authentication method, a user authentication device, electronic equipment and a storage medium, and aims to solve the problems that in the prior art, a password is easy to leak during transmission and the security is low.
In a first aspect, the present application provides a user authentication method, applied to a server, including the following steps:
receiving a public key acquisition instruction sent by a client, wherein the public key acquisition instruction comprises a user ID and a password;
acquiring a public key corresponding to the user ID;
sending the public key to the client;
receiving primary encryption information sent by the client, wherein the primary encryption information comprises the public key and a primary encryption password generated after the password is encrypted for one time by using the public key;
generating secondary encryption information, wherein the secondary encryption information comprises the public key and a secondary encryption password generated after the primary encryption password is secondarily encrypted by using the public key;
and finishing user registration or user authentication corresponding to the user ID by using the primary encryption information and the secondary encryption information.
Further, the obtaining a public key corresponding to the user ID includes:
searching whether a user ID corresponding to the public key acquisition instruction exists or not;
and if the user ID does not exist, generating an asymmetric encryption key pair corresponding to the user ID, wherein the asymmetric encryption key pair comprises a public key and a private key, the public key is used for the client to carry out password encryption, and the private key is discarded.
Further, the primary encryption information further comprises a token; and the generating the secondary encryption information includes:
verifying whether the token passes;
and if the token passes the verification, generating secondary encryption information according to the primary encryption information and the public key.
Further, the primary encryption information further comprises a first identity identifier extracted from the primary encryption password; and the using the primary encryption information and the secondary encryption information to complete user registration or user authentication corresponding to the user ID includes:
extracting a second identity identifier in the secondary encryption password;
determining whether the first identity identifier and the second identity identifier are consistent;
and if the first identity identifier is consistent with the second identity identifier, storing the secondary encryption password and the public key to finish user registration, or using the secondary encryption password to finish user authentication.
In a second aspect, the present application provides a user authentication method, applied to a client, including the following steps:
receiving a user ID and a password input by a user;
generating a public key acquisition instruction according to the user ID and the password;
sending the public key acquisition instruction to a server;
receiving a public key corresponding to the user ID returned by the server according to a public key acquisition instruction;
generating primary encryption information, wherein the primary encryption information comprises the public key and a primary encryption password generated after the password is encrypted by using the public key;
and sending the primary encryption information to the server.
Further, the generating the primary encryption information includes:
encrypting the password according to the public key to obtain a primary encrypted password;
extracting a first identity identifier from the primary encryption password, wherein the first identity identifier is used for representing the identity of the primary encryption password;
and generating primary encryption information according to the primary encryption password, the first identity identifier and the public key.
In a third aspect, the present application provides a user authentication apparatus, applied to a server, including:
the instruction receiving module is used for receiving a public key obtaining instruction sent by a client, wherein the public key obtaining instruction comprises a user ID and a password;
a public key obtaining module for obtaining a public key corresponding to the user ID;
the public key sending module is used for sending the public key to the client;
the primary encryption information receiving module is used for receiving primary encryption information sent by the client, and the primary encryption information comprises the public key and a primary encryption password generated after the password is encrypted for one time by using the public key;
the secondary encryption information generation module is used for generating secondary encryption information, and the secondary encryption information comprises the public key and a secondary encryption password generated after the primary encryption password is secondarily encrypted by using the public key;
and the registration or authentication module is used for finishing user registration or user authentication corresponding to the user ID by using the primary encryption information and the secondary encryption information.
Further, the public key obtaining module includes:
the public key searching unit is used for searching whether the user ID corresponding to the public key obtaining instruction exists or not;
and the key generation unit is used for generating an asymmetric encryption key pair corresponding to the user ID when the user ID does not exist, wherein the asymmetric encryption key pair comprises a public key and a private key, the public key is used for carrying out password encryption on the client, and the private key is discarded.
Further, the primary encryption information further comprises a token; and the secondary encryption information generation module comprises:
a verifying unit for verifying whether the token passes;
and the secondary encryption information generating unit is used for generating secondary encryption information according to the primary encryption information and the public key when the token passes the verification.
Further, the primary encryption information further comprises a first identity identifier extracted from the primary encryption password; and, the registration or authentication module comprising:
the first identifier extraction unit is used for extracting a second identity identifier in the secondary encryption password;
the identifier judging module is used for judging whether the first identity identifier is consistent with the second identity identifier;
and the registration or verification unit is used for storing the secondary encryption password and the public key to complete user registration or complete user verification by using the secondary encryption password when the first identity identifier is consistent with the second identity identifier.
In a fourth aspect, the present application provides a user authentication apparatus, applied to a client, including:
the input information receiving module is used for receiving a user ID and a password input by a user;
the instruction generating module is used for generating a public key obtaining instruction according to the user ID and the password;
the instruction sending module is used for sending the public key acquisition instruction to a server;
the public key receiving module is used for receiving a public key corresponding to the user ID returned by the server according to the public key acquisition instruction;
the primary encryption information generation module is used for generating primary encryption information, where the primary encryption information comprises the public key and a primary encryption password generated by encrypting the password using the public key;
and the primary encryption information sending module is used for sending the primary encryption information to the server.
Further, the primary encryption information generation module includes:
the primary encryption unit is used for encrypting the password according to the public key to obtain a primary encrypted password;
a second identifier extraction unit, configured to extract a first identity identifier from the primary encryption password, where the first identity identifier is used to characterize an identity of the primary encryption password;
and the primary encryption information generating unit is used for generating primary encryption information according to the primary encryption password, the first identity identifier and the public key.
In a fifth aspect, the present application provides an electronic device, comprising:
a memory for storing program instructions;
a processor for calling and executing program instructions in said memory to implement the user authentication method of the first aspect.
In a sixth aspect, the present application provides an electronic device, comprising:
a memory for storing program instructions;
a processor for calling and executing the program instructions in the memory to implement the user authentication method of the second aspect.
In a seventh aspect, the present application provides a storage medium having a computer program stored therein, which, when executed by at least one processor of a user authentication apparatus, causes the user authentication apparatus to perform the user authentication method of the first aspect.
In an eighth aspect, the present application provides a storage medium having a computer program stored therein, which, when executed by at least one processor of a user authentication apparatus, causes the user authentication apparatus to perform the user authentication method of the second aspect.
As can be seen from the foregoing technical solutions, in the user authentication method, the user authentication device, the electronic device, and the storage medium provided in the embodiments of the present invention, after requesting a public key from the server according to the user ID and the password, the client encrypts the password using the public key and sends the resulting primary encryption information to the server. The server then performs a secondary encryption of the primary encryption password using the public key to obtain secondary encryption information, and uses the primary encryption information and the secondary encryption information to complete user registration or user authentication for the user ID. Because the client encrypts the password first, intercepted password information cannot be reused; and because the server encrypts the received information a second time, an attacker who compromises the server cannot use the leaked password information to impersonate the client and log in. The password therefore undergoes irreversible encryption, so that even if it is intercepted in transit it is not leaked and is difficult to exploit, and security is good.
Drawings
In order to more clearly explain the technical solution of the present application, the drawings needed to be used in the embodiments will be briefly described below, and it is obvious to those skilled in the art that other drawings can be obtained according to the drawings without any creative effort.
Fig. 1 is a flowchart of a user authentication method according to an embodiment of the present invention;
Fig. 2 is a data flow diagram of a user authentication method according to an embodiment of the present invention;
Fig. 3 is another flowchart of a user authentication method according to an embodiment of the present invention;
Fig. 4 is a block diagram of a user authentication apparatus according to an embodiment of the present invention;
Fig. 5 is a block diagram of another structure of a user authentication apparatus according to an embodiment of the present invention;
Fig. 6 is a schematic diagram of a hardware structure of an electronic device according to an embodiment of the present invention;
Fig. 7 is a schematic diagram of a hardware structure of another electronic device according to an embodiment of the present invention.
Detailed Description
In the user authentication process, when the user ID and password are transmitted over HTTP, password information can leak because the network between the client and the server is hijacked in transit, or because the server is attacked and its database contents leak. To avoid this, the embodiment of the invention provides a user authentication method. In addition, the server performs a secondary encryption on the primary-encrypted password it receives and extracts an identity identifier, so that even if the database contents leak, an attacker cannot use that information to impersonate the client and log in.
Fig. 1 is a flowchart of a user authentication method according to an embodiment of the present invention; fig. 2 is a data flow diagram of a user authentication method according to an embodiment of the present invention. Referring to fig. 1 and fig. 2, a user authentication method provided in an embodiment of the present invention is applied to a client, where the client encrypts a password input by a user once and sends the encrypted password to a server for authentication, and the method includes the following steps:
S11, receiving the user ID and the password input by the user.
S12, generating a public key acquisition instruction according to the user ID and the password.
When a user uses a client to carry out user authentication, a user ID and a password need to be input first, and then authentication is carried out with a public key stored at a server side. When the client sends the user ID and the password to the server, the password needs to be encrypted by using the public key in order to improve the transmission security and avoid the leakage of the password-related information.
Because the public key is stored in the server, the client generates a public key acquisition instruction according to the user ID and the password input by the user, and uses that instruction to acquire the public key from the server.
S13, sending the public key acquisition instruction to the server.
S14, receiving the public key corresponding to the user ID returned by the server according to the public key acquisition instruction.
The client sends the public key acquisition instruction to the server, the server searches for the public key corresponding to the user ID according to the public key acquisition instruction, and if the server stores the public key corresponding to the user ID, the public key is sent to the client, see the flow shown by the solid line in fig. 2. If the server does not store the public key corresponding to the user ID, a new public key is generated for the client to use, and the public key information is synchronously stored when the server stores the password, see the flow shown by the dotted line in fig. 2.
S15, generating primary encryption information, wherein the primary encryption information comprises the public key and a primary encryption password generated after the password is encrypted by using the public key.
The client encrypts the password input by the user once, using the received public key, so as to improve the security of the password.
Specifically, in this embodiment, the step of generating the primary encryption information includes:
S151, encrypting the password according to the public key to obtain a primary encrypted password.
S152, extracting a first identity identifier from the primary encryption password, wherein the first identity identifier is used for representing the identity of the primary encryption password.
S153, generating primary encryption information according to the primary encryption password, the first identity identifier and the public key.
The client encrypts the password input by the user, according to the public key returned by the server and a corresponding encryption algorithm, to obtain a primary encrypted password. The encryption algorithm may be MD5, another hash algorithm, or some other algorithm; this embodiment does not restrict it.
In order to uniquely characterize the identity of the password, in this embodiment the first identity identifier of the encrypted password is extracted after the password is encrypted. The first identity identifier uniquely represents the identity of the primary encryption password; through it the server can judge whether the corresponding password is the real password input by the user, so that even if an attacker compromises the server, the leaked password information cannot be used to impersonate the client and log in.
The primary encryption information comprises a primary encryption password, a first identity identifier and a public key.
S16, sending the primary encryption information to the server.
The client sends the generated primary encryption information to the server; the server performs a secondary encryption on it and then carries out user authentication or user registration, so as to improve the security of the password.
According to the method provided by this embodiment, when the client transmits the user ID and the password to the server for user authentication, it transmits the encrypted primary encryption information; because the password undergoes irreversible encryption, even if it is intercepted in transit the password itself is not leaked and the intercepted data is difficult to use, so security is good.
On the server side, the server sends a public key to the client according to the public key acquisition instruction received from the client, and performs secondary encryption on the primary encryption information received from the client in order to perform user authentication or user registration.
Fig. 3 is another flowchart of a user authentication method according to an embodiment of the present invention. Specifically, referring to fig. 2 and fig. 3, a user authentication method provided by an embodiment of the present invention is applied to a server, and a user authentication or registration process is performed by the server, where the method includes the following steps:
S21, receiving a public key acquisition instruction sent by the client, wherein the public key acquisition instruction comprises a user ID and a password.
When user authentication is performed, a client receives a user ID and a password input by a user, and in order to improve the security of the password in a transmission process, the password needs to be encrypted by using a public key. Therefore, the client generates a public key acquisition instruction according to the user ID and the password and sends the public key acquisition instruction to the server.
S22, acquiring the public key corresponding to the user ID.
After receiving the public key acquisition instruction sent by the client, the server searches for the public key corresponding to the user ID. The user ID and password currently entered at the client may be entered for the first time or on a subsequent occasion. If this is the first time, the user must first register through the client; otherwise, the user authenticates and logs in through the client.
During user authentication and login, the server already stores the public key corresponding to the user ID, so it sends the public key found by the user ID to the client; see the solid-line flow in fig. 2. During user registration, the server does not yet store a public key for the user ID, so no matching public key can be found for the client to use; instead, a new public key is generated according to the user ID and the password sent by the client, and the user ID, password and public key information are stored to complete the registration process, so that the user can be authenticated on subsequent use; see the dotted-line flow in fig. 2.
Therefore, according to different application situations, the method provided by the embodiment of the present invention, in a process of acquiring a public key corresponding to a user ID by a server, includes:
S221, searching whether the user ID corresponding to the public key acquisition instruction exists.
S222, if the user ID does not exist, generating an asymmetric encryption key pair corresponding to the user ID, wherein the asymmetric encryption key pair comprises a public key and a private key; the public key is used by the client to encrypt the password, and the private key is discarded.
After receiving the user ID and the password sent by the client, the server first determines whether the user ID is being used for the first time or on a subsequent occasion, which it does by checking whether the user ID exists; this same check establishes whether a password and public key are already stored for the user.
If the user ID is stored in the server, the public key corresponding to the user ID is sent to the client. If the user ID is not stored in the server, this is the first use, and the user registration process is executed: an asymmetric encryption key pair is generated for the user according to the user ID. An asymmetric encryption key pair consists of two keys, a public key and a private key, used for encryption and decryption.
The public key and the private key are a pair, and if the public key is used for encrypting data, only the corresponding private key can be used for decrypting the data; if the data is encrypted with a private key, it can only be decrypted with the corresponding public key.
In this embodiment, the public key is used to encrypt the password; if another party held the private key, that party could decrypt the password and the password information would be leaked. Therefore the private key is discarded once the public key is used for encryption, so that the password cannot be decrypted by others and the security of the password is improved.
S23, sending the public key to the client.
The server sends the public key corresponding to the user ID to the client, where the public key may be an already stored public key (user login verification process) or a newly generated public key according to the user ID (user registration process).
S24, receiving primary encryption information sent by the client, wherein the primary encryption information comprises the public key and a primary encryption password generated by encrypting the password with the public key.
After receiving the public key sent by the server, the client encrypts the password input by the user and sends the resulting primary encryption information to the server. For the process by which the client encrypts the password, refer to step S15 in the above embodiment; it is not repeated here.
S25, generating secondary encryption information, wherein the secondary encryption information comprises the public key and a secondary encryption password generated by secondarily encrypting the primary encryption password with the public key.
Secondary encryption is performed so that, even if a hacker attacks the server and obtains leaked password information, the hacker cannot use it to simulate the client and log in.
In both the user authentication and login process and the user registration process, the server verifies or stores the password information after secondary encryption; the secondary encryption information comprises the public key and the secondary encryption password.
To avoid password leakage when the client transmits the primary encryption information to the server, that is, the information being intercepted and reused, in this embodiment the client carries a token when transmitting the primary encryption information. The token is randomly generated, and the token carried differs each time the client sends primary encryption information. The token is valid once and changes dynamically; it can take the form of a dynamic password, and the password can only be used after the token passes verification. Therefore, even if the password information is intercepted, it is valid only once, and an interceptor cannot pass token verification, so the password cannot be reused and its security is ensured.
Therefore, before the server performs secondary encryption on the primary encryption information, it first needs to verify the token; specifically, the process of generating the secondary encryption information includes:
S251, verifying whether the token passes.
S252, if the token passes verification, generating secondary encryption information according to the primary encryption information and the public key.
Since the token is valid once and changes after each operation, whether the current password information is accurate can be determined by verifying whether the token passes. At the same time, using the token for verification prevents the password information from being intercepted and reused, which improves security.
After the token passes verification, the server can perform the subsequent business logic, namely secondarily encrypting the primary encryption password according to the public key and a corresponding encryption algorithm to obtain a secondary encryption password, and then generating secondary encryption information according to the secondary encryption password and the public key. The encryption algorithm of the second encryption may be the same as or different from that of the first encryption, and the public key used may be the same as or different from that of the first encryption; this embodiment does not specifically limit either.
Secondary encryption of the password prevents a hacker who attacks the server from using leaked password information to simulate the client and log in; because the secondarily encrypted password is irreversible, it cannot be decrypted by others, and the security of the password is improved.
S26, completing user registration or user authentication corresponding to the user ID by using the primary encryption information and the secondary encryption information.
After the server performs secondary encryption, it carries out user registration or authentication in combination with the primary encryption information. Specifically, in the process of user registration or user authentication, the method determines whether a first identity identifier in the primary encryption information and a second identity identifier in the secondary encryption information are consistent.
Because the identity identifier is the unique identity identifier of the password and cannot be changed in the encryption process, consistency verification can be performed on the identity identifiers from the two encryption processes; once they are verified to be consistent, the corresponding password can be determined to be correct or the registration can be completed.
Specifically, in this embodiment, the process of completing user registration or user authentication corresponding to the user ID using the primary encryption information and the secondary encryption information includes:
S261, extracting a second identity identifier from the secondary encryption password.
After the server performs secondary encryption on the primary encryption information, it extracts a second identity identifier from the secondary encryption password. The second identity identifier uniquely represents the identity of the secondary encryption password; through it the server can judge whether the corresponding password is the real password input by the user, so that a hacker who attacks the server cannot use leaked password information to simulate the client and log in.
S262, judging whether the first identity identifier is consistent with the second identity identifier.
S263, if the first identity identifier is consistent with the second identity identifier, storing the secondary encryption password and the public key to complete user registration, or completing user authentication by using the secondary encryption password.
The primary encryption information comprises a first identity identifier extracted from the primary encryption password. Consistency judgment is carried out on the first identity identifier and the second identity identifier; if they are consistent, password authentication is correct.
In the user login authentication process, referring to the flow shown by the solid line in fig. 2, if the first identity identifier is consistent with the second identity identifier, the password authentication is correct and the user authentication process is completed. In the user registration process, referring to the flow shown by the dotted line in fig. 2, if the first identity identifier is consistent with the second identity identifier, the password passes registration after the second encryption; at this time the server stores the secondarily encrypted password and the public key for password authentication in subsequent use.
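A worked simulation of the server-side flow of steps S21 to S26 (key issue with the private key discarded, one-time token check, secondary encryption, identifier consistency, registration versus login), added here as an illustration; it is not the patent's code. Assumptions, since the specification leaves them open: deterministic textbook RSA with a 512-bit modulus stands in for the public-key encryption (the private exponent is never derived, which is how "discarded" is modelled); the identity identifier is modelled as a SHA-256 fingerprint of the public key, a value that is unchanged by a second encryption under the same key; the token is client-generated and the server rejects any token it has seen before; the password that claim 1 lists inside the public key acquisition instruction is not sent, because the server does not use it for the key lookup. The names `Server`, `client_primary_encrypt`, `pk_encrypt` and `demo` are hypothetical.

```python
import hashlib
import math
import secrets

E = 65537  # public exponent; assumption: textbook RSA stands in for the unspecified encryption

def _is_probable_prime(n, rounds=16):
    """Miller-Rabin probable-prime test; enough for a demonstration-sized key."""
    if n < 2:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # force top bit and oddness
        if _is_probable_prime(cand):
            return cand

def generate_public_key(bits=512):
    """S222: build an RSA key pair but keep only (e, n); d is never derived, i.e. the private key is discarded."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        if p != q and math.gcd(E, (p - 1) * (q - 1)) == 1:
            return (E, p * q)

def key_fingerprint(pub):
    """Assumed identity identifier: SHA-256 over the public key; unchanged by a second encryption with the same key."""
    e, n = pub
    return hashlib.sha256(f"{e}:{n}".encode()).hexdigest()

def pk_encrypt(pub, m):
    """Deterministic textbook RSA on an integer m < n: equal inputs give equal outputs, so a stored secondary
    ciphertext can be compared at login. Caveat: anyone holding the public key can recompute it for guessed
    passwords, so it resists guessing no better than an unsalted hash."""
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("message too large for modulus")
    return pow(m, e, n)

def client_primary_encrypt(user_id, password, pub):
    """S15 / S24: the client encrypts the password once and attaches a fresh random token."""
    c1 = pk_encrypt(pub, int.from_bytes(password.encode(), "big"))
    return {"user_id": user_id, "pub": pub, "c1": c1,
            "first_id": key_fingerprint(pub), "token": secrets.token_hex(16)}

class Server:
    def __init__(self):
        self.users = {}     # user_id -> {"pub": (e, n), "c2": int} for registered users
        self.pending = {}   # keys generated for user IDs that have not completed registration
        self.used_tokens = set()

    def get_public_key(self, user_id):
        """S21 to S23: return the stored key, or generate one for a user ID seen for the first time."""
        if user_id in self.users:
            return self.users[user_id]["pub"]
        return self.pending.setdefault(user_id, generate_public_key())

    def register_or_authenticate(self, msg):
        """S25 and S26: token check, identifier consistency, secondary encryption, then register or verify."""
        token = msg["token"]
        if len(token) != 32 or token in self.used_tokens:
            return "token rejected"                    # S251 fails: malformed or replayed token
        self.used_tokens.add(token)                    # each token is accepted exactly once
        user_id = msg["user_id"]
        # always use the key the server holds for this user, never the client-supplied msg["pub"]
        pub = self.users[user_id]["pub"] if user_id in self.users else self.pending.get(user_id)
        if pub is None:
            return "unknown user"                      # no key was ever issued for this user ID
        if msg["first_id"] != key_fingerprint(pub):    # S261 / S262: identifiers must agree
            return "identifier mismatch"               # encrypted under a key the server does not hold
        c2 = pk_encrypt(pub, msg["c1"])                # S252: secondary encryption with the server's key
        if user_id not in self.users:                  # S263, registration branch
            self.users[user_id] = {"pub": pub, "c2": c2}
            self.pending.pop(user_id, None)
            return "registered"
        return "authenticated" if self.users[user_id]["c2"] == c2 else "rejected"  # S263, login branch

def demo():
    # constructed scenario: registration, login, replay, wrong password, foreign key
    srv = Server()
    pub = srv.get_public_key("alice")
    out = [srv.register_or_authenticate(client_primary_encrypt("alice", "correct horse", pub))]
    msg = client_primary_encrypt("alice", "correct horse", srv.get_public_key("alice"))
    out.append(srv.register_or_authenticate(msg))
    out.append(srv.register_or_authenticate(msg))           # same message again: token already used
    out.append(srv.register_or_authenticate(client_primary_encrypt("alice", "wrong guess", pub)))
    foreign = client_primary_encrypt("alice", "correct horse", generate_public_key())
    out.append(srv.register_or_authenticate(foreign))
    return out  # ['registered', 'authenticated', 'token rejected', 'rejected', 'identifier mismatch']
```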
According to the technical scheme, the client requests the public key from the server according to the user ID and the password, encrypts the password with the public key, and sends the resulting primary encryption information to the server. The server secondarily encrypts the primary encryption password according to the public key to obtain secondary encryption information, and uses the primary encryption information and the secondary encryption information to complete user registration or user authentication corresponding to the user ID. In the method provided by the invention, the password is encrypted for the first time by the client, which prevents the password information from being reused after interception, and the server encrypts the encrypted information a second time, which prevents a hacker who attacks the server from using leaked password information to simulate the client and log in. Therefore, the method performs irreversible password encryption, so that even if the password is intercepted in transmission it is not leaked and is difficult to exploit, and the security is good.
Fig. 4 is a block diagram of a user authentication device according to an embodiment of the present invention. Referring to fig. 4, the present application provides a user authentication apparatus, applied to a server, for performing the relevant steps of the user authentication method shown in fig. 3, the apparatus including: the instruction receiving module 101 is configured to receive a public key obtaining instruction sent by a client, where the public key obtaining instruction includes a user ID and a password; a public key obtaining module 102, configured to obtain a public key corresponding to the user ID; a public key sending module 103, configured to send the public key to the client; a primary encryption information receiving module 104, configured to receive primary encryption information sent by the client, where the primary encryption information includes the public key and a primary encryption password generated after the password is encrypted once by using the public key; a secondary encryption information generation module 105, configured to generate secondary encryption information, where the secondary encryption information includes the public key and a secondary encryption password generated after the primary encryption password is secondarily encrypted by using the public key; and a registration or authentication module 106, configured to complete user registration or user authentication corresponding to the user ID by using the primary encryption information and the secondary encryption information.
Further, the public key obtaining module 102 includes: the public key searching unit is used for searching whether the user ID corresponding to the public key obtaining instruction exists or not; and the key generation unit is used for generating an asymmetric encryption key pair corresponding to the user ID when the user ID does not exist, wherein the asymmetric encryption key pair comprises a public key and a private key, the public key is used for carrying out password encryption on the client, and the private key is discarded.
Further, the primary encryption information further comprises a token; and, the secondary encryption information generating module 105 includes: a verifying unit for verifying whether the token passes; and the secondary encryption information generating unit is used for generating secondary encryption information according to the primary encryption information and the public key when the token passes the verification.
Further, the primary encryption information further comprises a first identity identifier extracted from the primary encryption password; and, the registration or authentication module 106, comprising: the first identifier extraction unit is used for extracting a second identity identifier in the secondary encryption password; the identifier judging module is used for judging whether the first identity identifier is consistent with the second identity identifier; and the registration or verification unit is used for storing the secondary encryption password and the public key to complete user registration or complete user verification by using the secondary encryption password when the first identity identifier is consistent with the second identity identifier.
Fig. 5 is a block diagram of another structure of the user authentication apparatus according to the embodiment of the present invention. Referring to fig. 5, the present application provides a user authentication apparatus, applied to a client, for performing the relevant steps of the user authentication method shown in fig. 1, and the apparatus includes: an input information receiving module 201, configured to receive a user ID and a password input by a user; the instruction generating module 202 is configured to generate a public key obtaining instruction according to the user ID and the password; an instruction sending module 203, configured to send the public key obtaining instruction to a server; a public key receiving module 204, configured to receive a public key corresponding to the user ID returned by the server according to the public key obtaining instruction; a primary encryption information generating module 205, configured to generate primary encryption information, where the primary encryption information includes the public key and a primary encryption password generated after encrypting the password by using the public key; a primary encryption information sending module 206, configured to send primary encryption information to the server.
Further, the primary encryption information generating module 205 includes: the primary encryption unit is used for encrypting the password according to the public key to obtain a primary encrypted password; a second identifier extraction unit, configured to extract a first identity identifier from the primary encryption password, where the first identity identifier is used to characterize an identity of the primary encryption password; and the primary encryption information generating unit is used for generating primary encryption information according to the primary encryption password, the first identity identifier and the public key.
Fig. 6 is a schematic diagram of a hardware structure of an electronic device according to an embodiment of the present invention. As shown in fig. 6, an embodiment of the present invention provides an electronic device, including: a memory 611 for storing program instructions; a processor 612, configured to call and execute the program instructions in the memory, so as to implement the user authentication method according to the first aspect.
In this embodiment, the processor 612 and the memory 611 may be connected by a bus or other means. The processor may be a general-purpose processor, such as a central processing unit, a digital signal processor, an application specific integrated circuit, or one or more integrated circuits configured to implement embodiments of the present invention. The memory may include volatile memory, such as random access memory; the memory may also include non-volatile memory, such as read-only memory, flash memory, a hard disk, or a solid state disk.
Fig. 7 is a schematic diagram of another hardware structure of the electronic device according to the embodiment of the present invention. As shown in fig. 7, an embodiment of the present invention provides an electronic device, including: a memory 621 for storing program instructions; a processor 622 for calling and executing the program instructions in the memory to implement the user authentication method according to the second aspect.
In this embodiment, the processor 622 and the memory 621 may be connected by a bus or other means. The processor may be a general-purpose processor, such as a central processing unit, a digital signal processor, an application specific integrated circuit, or one or more integrated circuits configured to implement embodiments of the present invention. The memory may include volatile memory, such as random access memory; the memory may also include non-volatile memory, such as read-only memory, flash memory, a hard disk, or a solid state disk.
There is provided a storage medium having stored therein a computer program which, when executed by at least one processor of a user authentication apparatus, causes the user authentication apparatus to perform the user authentication method described in the above embodiments.
The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM) or a Random Access Memory (RAM).
Those skilled in the art will readily appreciate that the techniques of the embodiments of the present invention may be implemented as software plus a required general purpose hardware platform. Based on such understanding, the technical solutions in the embodiments of the present invention may be essentially or partially implemented in the form of a software product, which may be stored in a storage medium, such as ROM/RAM, magnetic disk, optical disk, etc., and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the embodiments or some parts of the embodiments.
The same and similar parts in the various embodiments in this specification may be referred to each other. In particular, for the embodiment of the user authentication apparatus, since it is substantially similar to the embodiment of the method, the description is simple, and the relevant points can be referred to the description in the embodiment of the method.
The above-described embodiments of the present invention should not be construed as limiting the scope of the present invention.

Claims (12)

1. A user authentication method is applied to a server and is characterized by comprising the following steps:
receiving a public key acquisition instruction sent by a client, wherein the public key acquisition instruction comprises a user ID and a password;
acquiring a public key corresponding to the user ID;
sending the public key to the client;
receiving primary encryption information sent by the client, wherein the primary encryption information comprises the public key and a primary encryption password generated after the password is encrypted for one time by using the public key;
generating secondary encryption information, wherein the secondary encryption information comprises the public key and a secondary encryption password generated after the primary encryption password is secondarily encrypted by using the public key;
and finishing user registration or user authentication corresponding to the user ID by using the primary encryption information and the secondary encryption information.
2. The method of claim 1, wherein obtaining the public key corresponding to the user ID comprises:
searching whether a user ID corresponding to the public key acquisition instruction exists or not;
and if the user ID does not exist, generating an asymmetric encryption key pair corresponding to the user ID, wherein the asymmetric encryption key pair comprises a public key and a private key, the public key is used for the client to carry out password encryption, and the private key is discarded.
3. The method of claim 1, wherein the primary encryption information further comprises a token; and generating the secondary encryption information includes:
verifying whether the token passes;
and if the token passes the verification, generating secondary encryption information according to the primary encryption information and the public key.
4. The method of claim 1, wherein the primary encryption information further comprises a first identity identifier extracted in the primary encryption password; and the using the primary encryption information and the secondary encryption information to complete user registration or user authentication corresponding to the user ID includes:
extracting a second identity identifier in the secondary encryption password;
determining whether the first identity identifier and the second identity identifier are consistent;
and if the first identity identifier is consistent with the second identity identifier, storing the secondary encryption password and the public key to complete user registration, or using the secondary encryption password to complete user authentication.
5. A user authentication method is applied to a client, and is characterized by comprising the following steps:
receiving a user ID and a password input by a user;
generating a public key acquisition instruction according to the user ID and the password;
sending the public key acquisition instruction to a server;
receiving a public key corresponding to the user ID returned by the server according to the public key acquisition instruction;
generating primary encryption information, wherein the primary encryption information comprises the public key and a primary encryption password generated after the password is encrypted by using the public key;
and sending the primary encryption information to the server.
6. The method of claim 5, wherein generating the primary encryption information comprises:
encrypting the password according to the public key to obtain a primary encrypted password;
extracting a first identity identifier from the primary encryption password, wherein the first identity identifier is used for representing the identity of the primary encryption password;
and generating primary encryption information according to the primary encryption password, the first identity identifier and the public key.
7. A user authentication apparatus applied to a server, comprising:
the instruction receiving module is used for receiving a public key obtaining instruction sent by a client, wherein the public key obtaining instruction comprises a user ID and a password;
a public key obtaining module for obtaining a public key corresponding to the user ID;
the public key sending module is used for sending the public key to the client;
the primary encryption information receiving module is used for receiving primary encryption information sent by the client, and the primary encryption information comprises the public key and a primary encryption password generated after the password is encrypted for one time by using the public key;
the secondary encryption information generation module is used for generating secondary encryption information, and the secondary encryption information comprises the public key and a secondary encryption password generated after the primary encryption password is secondarily encrypted by using the public key;
and the registration or authentication module is used for finishing user registration or user authentication corresponding to the user ID by using the primary encryption information and the secondary encryption information.
8. A user authentication apparatus applied to a client, comprising:
the input information receiving module is used for receiving a user ID and a password input by a user;
the instruction generating module is used for generating a public key obtaining instruction according to the user ID and the password;
the instruction sending module is used for sending the public key acquisition instruction to a server;
the public key receiving module is used for receiving a public key corresponding to the user ID returned by the server according to the public key acquisition instruction;
a primary encryption information generation module, configured to generate primary encryption information, where the primary encryption information includes the public key and a primary encryption password generated by encrypting the password using the public key;
and the primary encryption information sending module is used for sending the primary encryption information to the server.
9. An electronic device, comprising:
a memory for storing program instructions;
a processor for invoking and executing program instructions in said memory to implement the user authentication method of any one of claims 1-4.
10. An electronic device, comprising:
a memory for storing program instructions;
a processor for invoking and executing program instructions in the memory to implement the user authentication method of any one of claims 5 to 6.
11. A storage medium having a computer program stored therein, wherein the computer program, when executed by at least one processor of a user authentication apparatus, causes the user authentication apparatus to perform the user authentication method of any one of claims 1 to 4.
12. A storage medium having a computer program stored therein, wherein the computer program, when executed by at least one processor of a user authentication device, causes the user authentication device to perform the user authentication method of any one of claims 5 to 6.
CN202010267824.0A 2020-04-08 2020-04-08 User verification method and device, electronic equipment and storage medium Pending CN111510442A (en)

Publications (1)

Publication Number Publication Date
CN111510442A (en) 2020-08-07

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200807
