Disclosure of Invention
Embodiments of the present disclosure propose methods and apparatuses for maintaining a user authentication session.
In a first aspect, an embodiment of the present disclosure provides a method for maintaining a user authentication session, which is applied to a client, and includes: performing key agreement with an authentication server to obtain a first public key; generating an authentication session request after an account certificate is encrypted by the first public key, and sending the authentication session request to the authentication server; receiving a first authentication session certificate message which is sent by the authentication server and encrypted by the first public key; and decrypting the encrypted first authentication session certificate message by using the first public key to obtain a first refreshing certificate message and a first authentication certificate message signature, wherein the first authentication certificate message signature is obtained by encrypting the first authentication certificate message through a private key of the authentication server.
In some embodiments, the method further comprises: performing key agreement with the application server to obtain a second public key; assembling a service message including a first authentication certificate message signature; encrypting the service message by using a second public key to generate a service request; and sending the service request to an application server.
In some embodiments, the method further comprises: responding to a received business request failure message which is returned by an application server and is caused by overtime, and sending a renewal request to an authentication server, wherein the renewal request comprises a first refreshing certificate message encrypted by a first public key; receiving a second authentication session certificate message which is sent by an authentication server and encrypted by a first public key; and decrypting the encrypted second authentication session certificate message by using the first public key to obtain a second refreshing certificate message and a second authentication certificate message signature, wherein the second authentication certificate message signature is obtained by encrypting the second authentication certificate message through a private key of the authentication server.
In some embodiments, the method further comprises: in response to receiving the quit request, generating a termination request after encrypting the invalid refresh certificate message by a first public key; sending a termination request to an authentication server; in response to receiving a termination success message sent by the authentication server, decrypting the termination success message through the first public key to obtain a failed refresh certificate message; and deleting the invalid refreshing certificate message and the corresponding invalid authentication certificate message signature.
In a second aspect, an embodiment of the present disclosure provides a method for maintaining a user authentication session, which is applied to an authentication server, and includes: carrying out key agreement with a client to obtain a first public key; in response to receiving an authentication session request sent by a client, decrypting the authentication session request through a first public key to obtain an account certificate; checking the account certificate; if the verification is successful, acquiring user information according to the account certificate and assembling an authentication message; assembling a first authentication certificate message according to the authentication message and the certificate failure time; encrypting the first authentication certificate message by using a private key to obtain a first authentication certificate message signature; assembling a first refreshing certificate message according to the refreshing failure time; and assembling a first authentication session certificate message according to the first refreshing certificate message and the first authentication certificate message signature, encrypting by using a first public key, and sending to the client.
In some embodiments, the method further comprises: in response to receiving a renewal request sent by a client, decrypting the renewal request to obtain a first refreshing certificate message, wherein the renewal request comprises the first refreshing certificate message encrypted by a first public key; judging whether the first refreshing certificate message is invalid or not; if the first refreshing certificate message is not invalid, deleting the first refreshing certificate message; assembling a second authentication certificate message according to the authentication message and the updated certificate failure time; encrypting the second authentication certificate message by using a private key to obtain a second authentication certificate message signature; assembling a second refresh certificate according to the updated refresh failure time; and assembling a second authentication session certificate message according to the second refreshing certificate message and the second authentication certificate message signature, and encrypting the second authentication session certificate message by using the first public key and then sending the second authentication session certificate message to the client.
In some embodiments, the method further comprises: and if the client fails, sending a renewal request failure message to the client.
In some embodiments, the method further comprises: in response to receiving a termination request sent by a client, decrypting the termination request by using a first public key to obtain a failed refresh certificate message; judging whether the invalid refreshing certificate message is invalid or not; if the terminal fails, sending a termination request failure message obtained by encrypting the first public key to the client; and if the certificate is not invalid, deleting the invalid refreshing certificate message, and sending a termination request success message obtained by encrypting the first public key to the client.
In a third aspect, an embodiment of the present disclosure provides a method for maintaining a user authentication session, which is applied to an application server, and includes: carrying out key agreement with the client to obtain a second public key; in response to receiving the service request, decrypting the service request by using a second public key to obtain a service message including a first authentication certificate message signature; acquiring a public key of an authentication server; decrypting the first authentication credential message signature using the public key; if the decryption is successful, obtaining a first authentication voucher message, and analyzing user information and voucher failure time from the first authentication voucher message; and if the failure time of the certificate is not reached, performing service processing according to the user information, and sending a service request success message to the client.
In some embodiments, the method further comprises: and if the decryption fails or the certificate failure time is reached, sending a service request failure message to the client.
In a fourth aspect, an embodiment of the present disclosure provides an apparatus for maintaining a user authentication session, which is applied to a client, and includes: the first negotiation unit is configured to perform key negotiation with the authentication server to obtain a first public key; the authentication request unit is configured to encrypt the account certificate through a first public key to generate an authentication session request and send the authentication session request to an authentication server; the receiving unit is configured to receive a first authentication session credential message which is sent by the authentication server and encrypted by a first public key; and the decryption unit is configured to decrypt the encrypted first authentication session certificate message by using the first public key to obtain a first refreshing certificate message and a first authentication certificate message signature, wherein the first authentication certificate message signature is obtained by encrypting the first authentication certificate message through a private key of the authentication server.
In some embodiments, the apparatus further comprises: the second negotiation unit is configured to perform key negotiation with the application server to obtain a second public key; an assembling unit configured to assemble a service message including a first authentication credential message signature; the encryption unit is configured to encrypt the service message by using a second public key to generate a service request; and the sending unit is configured to send the service request to the application server.
In some embodiments, the apparatus further comprises a renewal request unit configured to: responding to a received business request failure message which is returned by an application server and is caused by overtime, and sending a renewal request to an authentication server, wherein the renewal request comprises a first refreshing certificate message encrypted by a first public key; receiving a second authentication session certificate message which is sent by an authentication server and encrypted by a first public key; and decrypting the encrypted second authentication session certificate message by using the first public key to obtain a second refreshing certificate message and a second authentication certificate message signature, wherein the second authentication certificate message signature is obtained by encrypting the second authentication certificate message through a private key of the authentication server.
In some embodiments, the apparatus further comprises a termination authentication unit configured to: in response to receiving the quit request, generating a termination request after encrypting the invalid refresh certificate message by a first public key; sending a termination request to an authentication server; in response to receiving a termination success message sent by the authentication server, decrypting the termination success message through the first public key to obtain a failed refresh certificate message; and deleting the invalid refreshing certificate message and the corresponding invalid authentication certificate message signature.
In a fifth aspect, an embodiment of the present disclosure provides an apparatus for maintaining a user authentication session, where the apparatus is applied to an authentication server, and includes: the third negotiation unit is configured to perform key negotiation with the client to obtain a first public key; the decryption unit is configured to respond to the received authentication session request sent by the client, decrypt the authentication session request through the first public key and obtain an account certificate; the verification unit is configured to verify the account certificate; the first message assembling unit is configured to acquire user information according to the account certificate and assemble an authentication message if verification is successful; a second message assembly unit configured to assemble the first authentication credential message according to the authentication message and the credential expiration time; a private key encryption unit configured to encrypt the first authentication credential message using a private key to obtain a first authentication credential message signature; a third message assembly unit configured to assemble the first refresh credential message according to the refresh failure time; and the encryption sending unit is configured to assemble a first authentication session certificate message according to the first refreshing certificate message and the first authentication certificate message signature, encrypt the first authentication session certificate message by using a first public key and send the first authentication session certificate message to the client.
In some embodiments, the apparatus further comprises a credential renewal unit configured to: in response to receiving a renewal request sent by a client, decrypting the renewal request to obtain a first refreshing certificate message, wherein the renewal request comprises the first refreshing certificate message encrypted by a first public key; judging whether the first refreshing certificate message is invalid or not; if the first refreshing certificate message is not invalid, deleting the first refreshing certificate message; assembling a second authentication certificate message according to the authentication message and the updated certificate failure time; encrypting the second authentication certificate message by using a private key to obtain a second authentication certificate message signature; assembling a second refresh certificate according to the updated refresh failure time; and assembling a second authentication session certificate message according to the second refreshing certificate message and the second authentication certificate message signature, and encrypting the second authentication session certificate message by using the first public key and then sending the second authentication session certificate message to the client.
In some embodiments, the apparatus further comprises a transmitting unit configured to: and if the client fails, sending a renewal request failure message to the client.
In some embodiments, the apparatus further comprises a credential deletion unit configured to: in response to receiving a termination request sent by a client, decrypting the termination request by using a first public key to obtain a failed refresh certificate message; judging whether the invalid refreshing certificate message is invalid or not; if the terminal fails, sending a termination request failure message obtained by encrypting the first public key to the client; and if the certificate is not invalid, deleting the invalid refreshing certificate message, and sending a termination request success message obtained by encrypting the first public key to the client.
In a sixth aspect, an embodiment of the present disclosure provides an apparatus for maintaining a user authentication session, where the apparatus is applied to an application server, and the apparatus includes: the fourth negotiation unit is configured to perform key negotiation with the client to obtain a second public key; the public key decryption unit is configured to respond to the received service request, and decrypt the service request by using the second public key to obtain a service message including the signature of the first authentication certificate message; an acquisition unit configured to acquire a public key of an authentication server; a public key decryption unit configured to decrypt the first authentication credential message signature using a public key; the analysis unit is configured to obtain a first authentication voucher message if decryption is successful, and analyze user information and voucher failure time from the first authentication voucher message; and the service processing unit is configured to perform service processing according to the user information and send a service request success message to the client if the certificate failure time is not reached.
In some embodiments, the apparatus further comprises a transmitting unit configured to: and if the decryption fails or the certificate failure time is reached, sending a service request failure message to the client.
In a seventh aspect, an embodiment of the present disclosure provides a system for maintaining a user authentication session, including: a client configured to implement the method as in any one of the first aspects; an authentication server configured to implement the method as in any one of the second aspects; an application server configured to implement the method as in any one of the third aspects.
In an eighth aspect, embodiments of the present disclosure provide an electronic device for maintaining a user authentication session, comprising: one or more processors; a storage device having one or more programs stored thereon, which when executed by one or more processors, cause the one or more processors to implement a method as in any one of the first, second, and third aspects.
In a ninth aspect, embodiments of the present disclosure provide a computer readable medium on which a computer program is stored, wherein the program, when executed by a processor, implements a method as in any one of the first, second, third aspects.
According to the method and the device for maintaining the user authentication session, the authentication session credential message can be dynamically changed and is only effective in a short time each time within the validity period of the authentication session, so that the credential message is prevented from being stolen after being leaked. When the application server receives the client request, the authenticity of the authentication session message can be checked without depending on the authentication server. The client and the application server exchange dynamic keys directly in a key negotiation mode, and encrypt the user information of the authentication session message through the keys.
Has the following advantages: 1. if the signature of the authentication certificate message is dynamically changed and the validity period is short, the message cannot be spoofed even if the message is acquired by an eavesdropper due to overtime; 2. the refreshing certificate message is only stored in the client and the authentication server, so that the risk of network transmission leakage is reduced; 3. the application server side locally checks the label through the public key of the authentication server side, so that the label checking efficiency of the application server side is improved; 4. the client and different application servers perform key agreement, and the network transmission message is encrypted by a public key, so that the security of the message is improved.
Detailed Description
The present disclosure is described in further detail below with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the relevant invention and not restrictive of the invention. It should be noted that, for convenience of description, only the portions related to the related invention are shown in the drawings.
It should be noted that, in the present disclosure, the embodiments and features of the embodiments may be combined with each other without conflict. The present disclosure will be described in detail below with reference to the accompanying drawings in conjunction with embodiments.
Fig. 1 illustrates an exemplary system architecture 100 to which embodiments of the disclosed method for maintaining a user authentication session or apparatus for maintaining a user authentication session may be applied.
As shown in fig. 1, the system architecture 100 may include a client 101, an authentication server 102, and an application server 103. The client 101, the authentication server 102 and the application server 103 are connected through a wired network or a wireless network.
A user may use the client 101 to interact with the authentication server 102, the application server 103 over a network to receive or send messages, etc. Various messaging client applications, such as a web browser application, a shopping-like application, a search-like application, an instant messaging tool, a mailbox client, social platform software, etc., may be installed on the client 101.
The client 101 may be hardware or software. When the client 101 is hardware, it may be various electronic devices supporting user name and password login, including but not limited to a smart phone, a tablet computer, an e-book reader, an MP3 player (Moving Picture Experts Group Audio Layer III, motion Picture Experts Group Audio Layer 3), an MP4 player (Moving Picture Experts Group Audio Layer IV, motion Picture Experts Group Audio Layer 4), a laptop computer, a desktop computer, and the like. When the terminal apparatuses 101, 102, 103 are software, they can be installed in the electronic apparatuses listed above. It may be implemented as multiple pieces of software or software modules (e.g., to provide distributed services) or as a single piece of software or software module. And is not particularly limited herein.
The authentication server 102 is configured to verify an account number and a password input by the user through the client. And if the verification is successful, sending the client-side certificate. The client can log in the application server by using the certificate. The application server is used for performing business processing, such as balance inquiry, account transfer and the like.
The authentication server 102 and the application server 103 may be hardware or software. When the authentication server 102 and the application server 103 are hardware, they may be implemented as a distributed server cluster composed of a plurality of servers, or may be implemented as a single server. When the authentication server 102 and the application server 103 are software, they may be implemented as multiple pieces of software or software modules (for example, multiple pieces of software or software modules for providing distributed services), or may be implemented as a single piece of software or software module. And is not particularly limited herein.
It should be noted that the method for maintaining the user authentication session provided by the embodiment of the present disclosure may be executed by the client 101, the authentication server 102, and the application server 103. Accordingly, means for maintaining the user authentication session may be provided in the client 101, the authentication server 102, and the application server 103.
It should be understood that the number of clients 101, authentication servers 102, and application servers 103 in fig. 1 is merely illustrative. There may be any number of clients 101, authentication servers 102, application servers 103, as desired for an implementation.
With continued reference to fig. 2, a flow 200 of one embodiment of a method for maintaining a user authentication session applied to a client in accordance with the present disclosure is shown. The method for maintaining a user authentication session comprises the following steps:
step 201, performing key agreement with the authentication server to obtain a first public key.
In this embodiment, an executing entity (for example, the client shown in fig. 1) of the method for maintaining the user authentication session may log in to the authentication server, perform key agreement with the authentication server, and obtain a public key only for the client and the authentication server, and since the key agreement is involved for 2 times in this application, the public key obtained by the negotiation between the client and the authentication server is referred to as a first public key. And the public key obtained by the client and the application server through negotiation is called a second public key.
The Key Agreement (Secret Key Agreement) is that two entities in the network establish a session Key together through the Agreement, and any participant affects the result without any credible third party. The principle is to use a function of key exchange (Diffie-Hellman), which is generally based on the mathematical theory of key consistency, i.e. two communicating parties can generate a shared cipher number only by exchanging some information that can be disclosed, and this cipher number can be used as the key of a symmetric cipher. A qualified key exchange function should have two main features:
1. for two secret original private keys, both sides can locally calculate and generate an identical shared secret key through public parameters,
2. it is difficult to back-calculate the shared secret key from the public information.
In the practical application of information security, if two parties transmit messages in an uncontrollable network, the two parties need to obtain a public key through key agreement, and then encrypt the messages, so that the encrypted data can be determined that only the two parties can decrypt the encrypted data.
Step 202, generating an authentication session request after the account certificate is encrypted by the first public key, and sending the authentication session request to the authentication server.
In this embodiment, the account credentials are a user name and a password input by the user. And encrypting the account certificate by using a first public key known by the authentication server and then sending the encrypted account certificate to the authentication server. The authentication server can then perform steps 302-308.
Step 203, receiving a first authentication session credential message encrypted by a first public key sent by the authentication server.
In this embodiment, the authentication server finally generates an authentication session credential message, encrypts the authentication session credential message, and sends the encrypted authentication session credential message to the client. The authentication session credential message includes an authentication credential message signature (hereinafter abbreviated AT) and a refresh credential message (hereinafter abbreviated RT). Wherein the validity period of AT is relatively short, e.g. 2 minutes. The AT can be used repeatedly, and the information of the user can be obtained after the AT passes the public key signature verification of the authentication server. The validity period of the RT is larger than that of the AT, and can be one hour or even longer, but the RT can be used only once, is only stored in the client of the user, and can only be verified by the authentication server.
In the present application, in order to distinguish from the AT and RT of the credential renewal, the authentication session credential message before the renewal is referred to as a first authentication session credential message, and the authentication session credential message after the renewal is referred to as a second authentication session credential message.
And step 204, decrypting the encrypted first authentication session certificate message by using the first public key to obtain a first refreshing certificate message and a first authentication certificate message signature.
In this embodiment, the information exchanged between the client and the authentication server is sent by encrypting through the public key negotiated by the client and the authentication server, so that the receiver also needs to decrypt through the public key, where the first authentication credential message signature is obtained by encrypting the first authentication credential message through the private key of the authentication server. And the decrypted first refreshing certificate message RT and the first authentication certificate message signature AT are stored in the client of the user.
In some optional implementations of this embodiment, the method further includes: performing key agreement with the application server to obtain a second public key; assembling a service message including a first authentication certificate message signature; encrypting the service message by using a second public key to generate a service request; and sending the service request to an application server. The process corresponds to steps 401-406.
In some optional implementations of this embodiment, the method further includes: responding to a received business request failure message which is returned by an application server and is caused by overtime, and sending a renewal request to an authentication server, wherein the renewal request comprises a first refreshing certificate message encrypted by a first public key; receiving a second authentication session certificate message which is sent by an authentication server and encrypted by a first public key; and decrypting the encrypted second authentication session certificate message by using the first public key to obtain a second refreshing certificate message and a second authentication certificate message signature, wherein the second authentication certificate message signature is obtained by encrypting the second authentication certificate message through a private key of the authentication server. Due to the short aging of the AT, the AT can be expired quickly, but can be renewed through the RT, and if the RT is within the valid period, a renewal request can be sent to the authentication server and verified by the authentication server. And after the RT is generated, the RT is recorded AT the authentication server side, the RT can be used only once, if the RT is used, the corresponding AT is invalid and cannot be renewed, and AT the moment, a renewal failure message is sent to the client side. If the RT is not used, the RT is deleted from the record of the authentication server after the use.
In some optional implementations of this embodiment, the method further includes: in response to receiving the quit request, generating a termination request after encrypting the invalid refresh certificate message by a first public key; sending a termination request to an authentication server; in response to receiving a termination success message sent by the authentication server, decrypting the termination success message through the first public key to obtain a failed refresh certificate message; and deleting the invalid refreshing certificate message and the corresponding invalid authentication certificate message signature. When the user logs out, the client sends a log-out request to the authentication server. At this time, the user actively disables the refresh credential message.
With continued reference to fig. 3, a flow 300 of one embodiment of the method for maintaining a user authentication session according to the present disclosure is shown as applied to an authentication server. The method for maintaining a user authentication session comprises the following steps:
step 301, performing key agreement with the client to obtain a first public key.
In this embodiment, an executing entity (for example, the authentication server shown in fig. 1) of the method for maintaining the user authentication session may receive a login request from the client, and perform key agreement with the client, and the specific process is substantially the same as step 201, and therefore is not described again.
Step 302, in response to receiving an authentication session request sent by a client, decrypting the authentication session request by using a first public key to obtain an account credential.
In this embodiment, since the authentication session request is obtained by encrypting the account credential with the first public key, the account credential can be obtained by decrypting with the first public key.
Step 303, the account voucher is verified.
In this embodiment, the registered information is queried according to the account credential, and whether the account credential is valid is verified. For example, the user name and password in the account credentials are matched with the user name and password in the registration information base, and if the matching is successful, the authentication is passed.
And 304, if the verification is successful, acquiring user information according to the account certificate and assembling an authentication message.
In this embodiment, if the verification is successful, the user information may be obtained according to the account credentials. Such as the user's name, gender, age, role, etc. The user information may be assembled into an authentication message in a predetermined format.
And if the verification fails, feeding back to a client authentication failure message. The authentication failure message can be sent to the client after being encrypted by the first public key. In order to save the overhead, the authentication failure message can also be directly sent without encryption. A special field is used to identify that the authentication failure message is unencrypted.
Step 305, assembling a first authentication certificate message according to the authentication message and the certificate failure time.
In this embodiment, the authentication credentials are valid for a period of time, e.g., 2 minutes, and the credential expiration time may be set according to the current time and the validity period, e.g., expiration times 2020-6-313: 20, indicated at 2020-6-313: after 20, the authentication credential message may be invalidated.
Step 306, the first authentication voucher message is encrypted by using a private key to obtain a first authentication voucher message signature.
In this embodiment, the first authentication credential message is encrypted by using a message signing technique to obtain a first authentication credential message signature. The sender is encrypted with a private key and the receiver is decrypted with a public key.
Message Signature (Message Signature) technology is a technology widely used in the field of information security. The basic principle is that a sender carries out private key Encryption operation on the content of a sent message by using an Asymmetric Encryption (Asymmetric Encryption) function and outputs an encrypted bit string. Generally, the bit string is called a Message Signature, a receiver decrypts a ciphertext Message by obtaining a public key of a sender, if decryption is successful, the Message Signature is proved to be really sent by the sender, the decryption process is generally called a Signature Verification (Message Signature Verification), and a qualified asymmetric encryption function has four main characteristics:
1. for a given message plaintext, the message signature can be easily obtained by private key encryption,
2. for a given message signature, the plaintext of the message can be readily obtained by public key decryption,
3. it is difficult to find out that message signatures generated by two different private keys are decrypted by the same public key,
4. it is difficult to find a bit string signed by the public key and get an understandable plaintext of the original message.
In practical application of information security, if a piece of message signature data can be decrypted by a public key, the piece of data can be considered to be encrypted by a private key.
And 307, assembling a first refreshing certificate message according to the refreshing failure time.
In this embodiment, in addition to the authentication credentials, there are also refresh credentials. The validity period of the authentication voucher is short, and after the authentication voucher is expired, the refreshing voucher can be used for applying for the renewal of the authentication voucher. The refresh credential is also stale. And in the valid time, if the refreshing certificate is not used and the authentication service end can allow the authentication certificate to be renewed, sending new AT and RT to the client. The user can obtain authentication without inputting a user name and a password. The validity period of the refresh credential is longer than that of the authentication credential. The refresh credential expiration time may be set according to the current time and the validity duration of the refresh credential, e.g., expiration time 2020-6-317: 20, represented at 2020-6-317: after 20, the refresh credential message may fail.
And 308, assembling a first authentication session certificate message according to the first refreshing certificate message and the first authentication certificate message signature, encrypting by using a first public key, and sending to the client.
In this embodiment, the refresh credential message RT and the authentication credential message signature AT are merged together to form an authentication session credential message. Encrypted and sent to the client, and then the client executes step 203 and step 204.
In some optional implementations of this embodiment, the method further includes: in response to receiving a renewal request sent by a client, decrypting the renewal request to obtain a first refreshing certificate message, wherein the renewal request comprises the first refreshing certificate message encrypted by a first public key; judging whether the first refreshing certificate message is invalid or not; if the first refreshing certificate message is not invalid, deleting the first refreshing certificate message; assembling a second authentication certificate message according to the authentication message and the updated certificate failure time; encrypting the second authentication certificate message by using a private key to obtain a second authentication certificate message signature; assembling a second refresh certificate according to the updated refresh failure time; and assembling a second authentication session certificate message according to the second refreshing certificate message and the second authentication certificate message signature, and encrypting the second authentication session certificate message by using the first public key and then sending the second authentication session certificate message to the client. Failure here refers to a timeout or being used. The refresh certificate message comprises refresh failure time, and whether the RT is overtime can be judged according to the refresh failure time. The RT can only be used once and is deleted from the record when used, so it is known whether it has been used only by looking up whether there is an RT for renewal in the record. If the RT is valid, a renewal is allowed, which is the same as in step 305-308.
With continued reference to fig. 4, a flow 400 of one embodiment of the application server for applying the method for maintaining a user authentication session according to the present disclosure is shown. The method for maintaining a user authentication session comprises the following steps:
step 401, performing key agreement with the client to obtain a second public key.
In this embodiment, an executing entity (for example, the application server shown in fig. 1) of the method for maintaining the user authentication session may perform key agreement with the client to obtain the second public key. The specific process is similar to step 201.
Step 402, in response to receiving the service request, decrypting the service request by using the second public key to obtain a service message including the signature of the first authentication certificate message.
In this embodiment, the service request is from a client, and the client assembles a service message including a first authentication credential message signature; and encrypting the service message by using the second public key to generate a service request. Therefore, the service request can be decrypted through the second public key to obtain the service message including the signature of the first authentication certificate message.
Step 403, acquiring a public key of the authentication server.
In this embodiment, the public key of the authentication server notifies the whole system that the application server can also obtain the public key.
Step 404, decrypting the first authentication credential message signature using the public key.
In this embodiment, since the first authentication credential message signature is obtained by the authentication server encrypting the first authentication credential message using its own private key, the first authentication credential message can be obtained by decrypting the first authentication credential message using the public key of the authentication server.
Step 405, if the decryption is successful, a first authentication voucher message is obtained, and the user information and the voucher failure time are analyzed from the first authentication voucher message.
In this embodiment, if the decryption is successful, the first authentication credential message is obtained. Then, user information and voucher failure time are analyzed from the first authentication voucher message according to the format of the assembled first authentication voucher message. The process is the reverse of step 305.
And step 406, if the voucher failure time is not reached, performing service processing according to the user information, and sending a service request success message to the client.
In this embodiment, if the AT is not disabled, the user information may be directly used for service processing, and a service request success message may be fed back. The service request success message may not be encrypted for ease of processing.
In some optional implementation manners of this embodiment, if decryption fails or a credential expiration time is reached, a service request failure message is sent to the client.
With continued reference to fig. 5, fig. 5 is a schematic diagram of an application scenario of the method for maintaining a user authentication session according to the present embodiment. In the application scenario of fig. 5, 4 stages are involved, and the specific flow is as follows:
1. authentication message request phase:
a client and an authentication server of a user directly obtain a first safe public key through key agreement, and encrypt and transmit a message through the key;
the user inputs account number credentials (e.g. user name and password) and sends the credentials to the authentication server to request authentication session credentials, including authentication credential message signature AT (Access token) and refresh credential RT (refresh token). The AT has the validity period of 2 minutes and can be repeatedly used, and the AT can acquire the information of the user after the signature verification of the public key of the authentication service; the effective period of the RT is larger than that of the AT, can be one hour or even longer, but can be used only once, only stored in a client of a user, and only verified by an authentication server;
2. authentication session credential usage phase:
the user client and the application server directly obtain a safe second public key through key negotiation, assemble information and a message signature AT as a request message, and encrypt and transmit the message through the second public key;
the application server receives the user request message, obtains a plaintext through decryption of a second public key, then verifies the signature of the message signature AT through a public key of the authentication server, obtains the plaintext information of the user after the signature verification is successful, and returns the user access failure if the signature verification fails or the certificate is overtime;
3. authentication session credential renewal phase:
after the authentication session certificate AT of the client side is overtime, the first public key is used for encrypting the refreshing certificate message RT, the authentication server side decrypts the message after receiving the renewal request encryption message, judges whether the RT is used or not, and issues a message signature AT and the renewal certificate RT of a new authentication session certificate to the client side after the verification is passed;
the client may proceed to enter the authentication session credential usage phase using the new RT.
4. User termination authentication session phase:
the client side encrypts the refreshing certificate message RT by using the first public key, the authentication server side decrypts the message after receiving the authentication session termination request encryption message, judges whether the RT is used or not, deletes the RT after the authentication is passed, and the subsequent RT can not be renewed.
With further reference to fig. 6, as an implementation of the methods shown in the above-mentioned figures, the present disclosure provides an embodiment of an apparatus for maintaining a user authentication session, which is applied to a client, and the apparatus embodiment corresponds to the method embodiment shown in fig. 2, and the apparatus may be applied to various electronic devices in particular.
As shown in fig. 6, the apparatus 600 for maintaining a user authentication session of the present embodiment includes: a first negotiation unit 601, an authentication request unit 602, a receiving unit 603 and a decryption unit 604. The first negotiation unit 601 is configured to perform key negotiation with the authentication server to obtain a first public key; an authentication request unit 602 configured to encrypt the account credential with the first public key to generate an authentication session request, and send the authentication session request to an authentication server; a receiving unit 603 configured to receive a first authentication session credential message encrypted by a first public key sent by an authentication server; a decryption unit 604, configured to decrypt the encrypted first authentication session credential message using the first public key to obtain a first refresh credential message and a first authentication credential message signature, where the first authentication credential message signature is obtained by encrypting the first authentication credential message using a private key of the authentication server.
In some optional implementations of this embodiment, the apparatus further includes: a second negotiation unit (not shown in the drawing) configured to perform key negotiation with the application server to obtain a second public key; an assembly unit (not shown in the figures) configured to assemble a service message comprising a first authentication credential message signature; an encryption unit (not shown in the drawings) configured to generate a service request after encrypting the service message by using the second public key; and a sending unit (not shown in the figure) configured to send the service request to the application server.
In some optional implementations of this embodiment, the apparatus further includes a renewal request unit (not shown in the drawings) configured to: responding to a received business request failure message which is returned by an application server and is caused by overtime, and sending a renewal request to an authentication server, wherein the renewal request comprises a first refreshing certificate message encrypted by a first public key; receiving a second authentication session certificate message which is sent by an authentication server and encrypted by a first public key; and decrypting the encrypted second authentication session certificate message by using the first public key to obtain a second refreshing certificate message and a second authentication certificate message signature, wherein the second authentication certificate message signature is obtained by encrypting the second authentication certificate message through a private key of the authentication server.
In some optional implementations of this embodiment, the apparatus further comprises a termination authentication unit (not shown in the drawings) configured to: in response to receiving the quit request, generating a termination request after encrypting the invalid refresh certificate message by a first public key; sending a termination request to an authentication server; in response to receiving a termination success message sent by the authentication server, decrypting the termination success message through the first public key to obtain a failed refresh certificate message; and deleting the invalid refreshing certificate message and the corresponding invalid authentication certificate message signature.
With further reference to fig. 7, as an implementation of the methods shown in the above-mentioned figures, the present disclosure provides an embodiment of an apparatus for maintaining a user authentication session, which is applied to an authentication server, and the apparatus embodiment corresponds to the method embodiment shown in fig. 3, and the apparatus may be applied to various electronic devices in particular.
As shown in fig. 7, the apparatus 700 for maintaining a user authentication session of the present embodiment includes: a third negotiation unit 701, a decryption unit 702, a verification unit 703, a first message assembly unit 704, a second message assembly unit 705, a private key encryption unit 706, a third message assembly unit 707, and an encryption transmission unit 708. The third negotiation unit 701 is configured to perform key negotiation with the client to obtain a first public key; a decryption unit 702 configured to, in response to receiving the authentication session request sent by the client, decrypt the authentication session request by using the first public key to obtain an account credential; a verification unit 703 configured to verify the account credential; a first message assembling unit 704 configured to, if the verification is successful, obtain user information according to the account credentials and assemble an authentication message; a second message assembling unit 705 configured to assemble the first authentication credential message according to the authentication message and the credential expiration time; a private key encryption unit 706 configured to encrypt the first authentication credential message using a private key to obtain a first authentication credential message signature; a third message assembling unit 707 configured to assemble a first refresh credential message according to a refresh invalidation time; and an encryption sending unit 708 configured to assemble a first authentication session credential message according to the first refresh credential message and the first authentication credential message signature, and send the first authentication session credential message to the client after being encrypted by using the first public key.
In some optional implementations of this embodiment, the apparatus further comprises a credential renewal unit (not shown in the figures) configured to: in response to receiving a renewal request sent by a client, decrypting the renewal request to obtain a first refreshing certificate message, wherein the renewal request comprises the first refreshing certificate message encrypted by a first public key; judging whether the first refreshing certificate message is invalid or not; if the first refreshing certificate message is not invalid, deleting the first refreshing certificate message; assembling a second authentication certificate message according to the authentication message and the updated certificate failure time; encrypting the second authentication certificate message by using a private key to obtain a second authentication certificate message signature; assembling a second refresh certificate according to the updated refresh failure time; and assembling a second authentication session certificate message according to the second refreshing certificate message and the second authentication certificate message signature, and encrypting the second authentication session certificate message by using the first public key and then sending the second authentication session certificate message to the client.
In some optional implementations of this embodiment, the apparatus further comprises a sending unit (not shown in the drawings) configured to: and if the client fails, sending a renewal request failure message to the client.
In some optional implementations of this embodiment, the apparatus further comprises a credential deleting unit (not shown in the drawings) configured to: in response to receiving a termination request sent by a client, decrypting the termination request by using a first public key to obtain a failed refresh certificate message; judging whether the invalid refreshing certificate message is invalid or not; if the terminal fails, sending a termination request failure message obtained by encrypting the first public key to the client; and if the certificate is not invalid, deleting the invalid refreshing certificate message, and sending a termination request success message obtained by encrypting the first public key to the client.
With further reference to fig. 8, as an implementation of the methods shown in the above-mentioned figures, the present disclosure provides an embodiment of an apparatus for maintaining a user authentication session, which is applied to an application server, and the apparatus embodiment corresponds to the method embodiment shown in fig. 4, and the apparatus may be applied to various electronic devices in particular.
As shown in fig. 8, the apparatus 800 for maintaining a user authentication session of the present embodiment includes: a fourth negotiation unit 801, a public key decryption unit 802, an acquisition unit 803, a public key decryption unit 804, a parsing unit 805, and a service processing unit 806. The fourth negotiation unit 801 is configured to perform key negotiation with the client to obtain a second public key; a public key decryption unit 802 configured to, in response to receiving the service request, decrypt the service request using the second public key to obtain a service message including a first authentication credential message signature; an obtaining unit 803 configured to obtain a public key of the authentication server; a public key decryption unit 804 configured to decrypt the first authentication credential message signature using a public key; the parsing unit 805 is configured to obtain a first authentication credential message if decryption is successful, and parse user information and credential failure time from the first authentication credential message; and the service processing unit 806 is configured to, if the credential failure time is not reached, perform service processing according to the user information, and send a service request success message to the client.
In some optional implementations of this embodiment, the apparatus further comprises a sending unit (not shown in the drawings) configured to: and if the decryption fails or the certificate failure time is reached, sending a service request failure message to the client.
Referring now to fig. 9, a schematic diagram of an electronic device (e.g., client, authentication server, application server in fig. 1) 900 suitable for use in implementing embodiments of the present disclosure is shown. The client, the authentication server, and the application server shown in fig. 9 are only one example, and should not bring any limitation to the functions and the use range of the embodiments of the present disclosure.
As shown in fig. 9, the electronic device 900 may include a processing means (e.g., a central processing unit, a graphics processor, etc.) 901 that may perform various appropriate actions and processes in accordance with a program stored in a Read Only Memory (ROM)902 or a program loaded from a storage means 908 into a Random Access Memory (RAM) 903. In the RAM903, various programs and data necessary for the operation of the electronic apparatus 900 are also stored. The processing apparatus 901, the ROM 902, and the RAM903 are connected to each other through a bus 904. An input/output (I/O) interface 905 is also connected to bus 904.
Generally, the following devices may be connected to the I/O interface 905: input devices 906 including, for example, a touch screen, touch pad, keyboard, mouse, camera, microphone, accelerometer, gyroscope, etc.; an output device 907 including, for example, a Liquid Crystal Display (LCD), a speaker, a vibrator, and the like; storage 908 including, for example, magnetic tape, hard disk, etc.; and a communication device 909. The communication device 909 may allow the electronic apparatus 900 to perform wireless or wired communication with other apparatuses to exchange data. While fig. 9 illustrates an electronic device 900 having various means, it is to be understood that not all illustrated means are required to be implemented or provided. More or fewer devices may alternatively be implemented or provided. Each block shown in fig. 9 may represent one device or may represent multiple devices as desired.
In particular, according to an embodiment of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication device 909, or installed from the storage device 908, or installed from the ROM 902. The computer program, when executed by the processing apparatus 901, performs the above-described functions defined in the methods of the embodiments of the present disclosure. It should be noted that the computer readable medium described in the embodiments of the present disclosure may be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In embodiments of the disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In embodiments of the present disclosure, however, a computer readable signal medium may comprise a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: electrical wires, optical cables, RF (radio frequency), etc., or any suitable combination of the foregoing.
The computer readable medium may be embodied in the electronic device; or may exist separately without being assembled into the electronic device. The computer readable medium carries one or more programs which, when executed by the electronic device, cause the electronic device to: performing key agreement with an authentication server to obtain a first public key; the account certificate is encrypted through a first public key to generate an authentication session request, and the authentication session request is sent to an authentication server side; receiving a first authentication session certificate message which is sent by an authentication server and encrypted by a first public key; and decrypting the encrypted first authentication session certificate message by using a first public key to obtain a first refreshing certificate message and a first authentication certificate message signature, wherein the first authentication certificate message signature is obtained by encrypting the first authentication certificate message through a private key of an authentication server. Or cause the electronic device to: carrying out key agreement with a client to obtain a first public key; in response to receiving an authentication session request sent by a client, decrypting the authentication session request through a first public key to obtain an account certificate; checking the account certificate; if the verification is successful, acquiring user information according to the account certificate and assembling an authentication message; assembling a first authentication certificate message according to the authentication message and the certificate failure time; encrypting the first authentication certificate message by using a private key to obtain a first authentication certificate message signature; assembling a first refreshing certificate message according to the refreshing failure time; and assembling a first authentication session certificate message according to the first refreshing certificate message and the first authentication certificate message signature, encrypting by using a first public key, and sending to the client. Or cause the electronic device to: carrying out key agreement with the client to obtain a second public key; in response to receiving the service request, decrypting the service request by using a second public key to obtain a service message including a first authentication certificate message signature; acquiring a public key of an authentication server; decrypting the first authentication credential message signature using the public key; if the decryption is successful, obtaining a first authentication voucher message, and analyzing user information and voucher failure time from the first authentication voucher message; and if the failure time of the certificate is not reached, performing service processing according to the user information, and sending a service request success message to the client.
Computer program code for carrying out operations for embodiments of the present disclosure may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C + +, and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units described in the embodiments of the present disclosure may be implemented by software or hardware. The described units may also be provided in a processor, and may be described as: a processor includes a first negotiation unit, an authentication request unit, a reception unit, and a decryption unit. The names of these units do not in some cases form a limitation on the unit itself, for example, the first negotiation unit may also be described as "a unit that performs key negotiation with the authentication server to obtain the first public key".
The foregoing description is only exemplary of the preferred embodiments of the disclosure and is illustrative of the principles of the technology employed. It will be appreciated by those skilled in the art that the scope of the invention in the present disclosure is not limited to the specific combination of the above-mentioned features, but also encompasses other embodiments in which any combination of the above-mentioned features or their equivalents is possible without departing from the inventive concept. For example, the above features and (but not limited to) the features disclosed in this disclosure having similar functions are replaced with each other to form the technical solution.