CN111698264A - Method and apparatus for maintaining user authentication sessions - Google Patents


Info

Publication number
CN111698264A
Authority
CN
China
Prior art keywords
authentication
message
certificate
public key
client
Legal status
Pending
Application number
CN202010595867.1A
Other languages
Chinese (zh)
Inventor
陈昱良
Current Assignee
JD Digital Technology Holdings Co Ltd
Original Assignee
JD Digital Technology Holdings Co Ltd

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0846 Network architectures or network communication protocols for network security for authentication of entities using passwords using time-dependent-passwords, e.g. periodically changing passwords
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)

Abstract

Embodiments of the present disclosure disclose methods and apparatus for maintaining a user authentication session. One embodiment of the method comprises: performing key agreement with an authentication server to obtain a first public key; encrypting the account credential with the first public key to generate an authentication session request, and sending the authentication session request to the authentication server; receiving a first authentication session credential message that the authentication server has encrypted with the first public key; and decrypting the encrypted first authentication session credential message with the first public key to obtain a first refresh credential message and a first authentication credential message signature, where the first authentication credential message signature is obtained by encrypting the first authentication credential message with the private key of the authentication server. This implementation improves the security of the message and the signature verification efficiency of the application service.

Description

Method and apparatus for maintaining user authentication sessions
Technical Field
Embodiments of the present disclosure relate to the field of computer technologies, and in particular, to a method and an apparatus for maintaining a user authentication session.
Background
In a distributed system, authentication session maintenance is the mechanism that keeps a user's authentication state on stateless application servers. The user logs in to the unified authentication system once through a client by entering authentication message information; after a successful login, any application service of the distributed system can be requested for a period of time using the authentication session credential message, and the application service sends the unified authentication system a request to check the authenticity of that credential message. If the check fails, the application service denies the client access; if it succeeds, the application service stores a local backup of the message information, so that the security of the interaction between the client and the server can be assessed when the client makes subsequent requests, and so that access control can be performed according to the credential message information when the client calls different application servers.
The above solution has the following disadvantages. 1. If the validity period of the user authentication session is set very long, then, because the authentication session credential message stays unchanged and every service request message carries it, once the authentication message is leaked by a service system a thief can easily impersonate the client and send illegitimate requests to a service. 2. The application service has to ask the unified authentication service to check authenticity, which consumes the application service's network resources and reduces performance; a local cache can be used instead, but then cache synchronization becomes a problem, and when a user revokes an authentication credential, access control fails because the application service's cache cannot be synchronized. 3. The user's authentication session message contains user information, which is leaked because no encryption is applied to it.
Disclosure of Invention
Embodiments of the present disclosure propose methods and apparatuses for maintaining a user authentication session.
In a first aspect, an embodiment of the present disclosure provides a method for maintaining a user authentication session, applied to a client, which includes: performing key agreement with an authentication server to obtain a first public key; encrypting the account credential with the first public key to generate an authentication session request, and sending the authentication session request to the authentication server; receiving a first authentication session credential message that the authentication server has encrypted with the first public key; and decrypting the encrypted first authentication session credential message with the first public key to obtain a first refresh credential message and a first authentication credential message signature, where the first authentication credential message signature is obtained by encrypting the first authentication credential message with the private key of the authentication server.
In some embodiments, the method further comprises: performing key agreement with an application server to obtain a second public key; assembling a service message that includes the first authentication credential message signature; encrypting the service message with the second public key to generate a service request; and sending the service request to the application server.
In some embodiments, the method further comprises: in response to receiving a service request failure message returned by the application server because the credential has timed out, sending a renewal request to the authentication server, where the renewal request comprises the first refresh credential message encrypted with the first public key; receiving a second authentication session credential message that the authentication server has encrypted with the first public key; and decrypting the encrypted second authentication session credential message with the first public key to obtain a second refresh credential message and a second authentication credential message signature, where the second authentication credential message signature is obtained by encrypting the second authentication credential message with the private key of the authentication server.
In some embodiments, the method further comprises: in response to receiving a logout request, encrypting the refresh credential message to be invalidated with the first public key to generate a termination request; sending the termination request to the authentication server; in response to receiving a termination success message sent by the authentication server, decrypting the termination success message with the first public key to obtain the invalidated refresh credential message; and deleting the invalidated refresh credential message and the corresponding invalidated authentication credential message signature.
In a second aspect, an embodiment of the present disclosure provides a method for maintaining a user authentication session, applied to an authentication server, which includes: performing key agreement with a client to obtain a first public key; in response to receiving an authentication session request sent by the client, decrypting the authentication session request with the first public key to obtain an account credential; verifying the account credential; if verification succeeds, obtaining user information according to the account credential and assembling an authentication message; assembling a first authentication credential message from the authentication message and the credential failure time; encrypting the first authentication credential message with the private key to obtain a first authentication credential message signature; assembling a first refresh credential message from the refresh failure time; and assembling a first authentication session credential message from the first refresh credential message and the first authentication credential message signature, encrypting it with the first public key, and sending it to the client.
In some embodiments, the method further comprises: in response to receiving a renewal request sent by the client, decrypting the renewal request to obtain the first refresh credential message, where the renewal request comprises the first refresh credential message encrypted with the first public key; judging whether the first refresh credential message has expired; if it has not expired, deleting the first refresh credential message; assembling a second authentication credential message from the authentication message and the updated credential failure time; encrypting the second authentication credential message with the private key to obtain a second authentication credential message signature; assembling a second refresh credential message from the updated refresh failure time; and assembling a second authentication session credential message from the second refresh credential message and the second authentication credential message signature, encrypting it with the first public key, and sending it to the client.
In some embodiments, the method further comprises: if the first refresh credential message has expired, sending a renewal request failure message to the client.
In some embodiments, the method further comprises: in response to receiving a termination request sent by the client, decrypting the termination request with the first public key to obtain the refresh credential message to be invalidated; judging whether that refresh credential message has already expired; if it has expired, sending the client a termination request failure message encrypted with the first public key; and if it has not expired, deleting the refresh credential message and sending the client a termination request success message encrypted with the first public key.
In a third aspect, an embodiment of the present disclosure provides a method for maintaining a user authentication session, applied to an application server, which includes: performing key agreement with the client to obtain a second public key; in response to receiving a service request, decrypting the service request with the second public key to obtain a service message that includes the first authentication credential message signature; obtaining the public key of the authentication server; decrypting the first authentication credential message signature with that public key; if decryption succeeds, obtaining the first authentication credential message and parsing the user information and the credential failure time from it; and if the credential failure time has not been reached, performing service processing according to the user information and sending a service request success message to the client.
In some embodiments, the method further comprises: if decryption fails or the credential failure time has been reached, sending a service request failure message to the client.
In a fourth aspect, an embodiment of the present disclosure provides an apparatus for maintaining a user authentication session, applied to a client, which includes: a first negotiation unit configured to perform key agreement with the authentication server to obtain a first public key; an authentication request unit configured to encrypt the account credential with the first public key to generate an authentication session request and send it to the authentication server; a receiving unit configured to receive a first authentication session credential message that the authentication server has encrypted with the first public key; and a decryption unit configured to decrypt the encrypted first authentication session credential message with the first public key to obtain a first refresh credential message and a first authentication credential message signature, where the first authentication credential message signature is obtained by encrypting the first authentication credential message with the private key of the authentication server.
In some embodiments, the apparatus further comprises: a second negotiation unit configured to perform key agreement with the application server to obtain a second public key; an assembling unit configured to assemble a service message that includes the first authentication credential message signature; an encryption unit configured to encrypt the service message with the second public key to generate a service request; and a sending unit configured to send the service request to the application server.
In some embodiments, the apparatus further comprises a renewal request unit configured to: in response to receiving a service request failure message returned by the application server because the credential has timed out, send a renewal request to the authentication server, where the renewal request comprises the first refresh credential message encrypted with the first public key; receive a second authentication session credential message that the authentication server has encrypted with the first public key; and decrypt the encrypted second authentication session credential message with the first public key to obtain a second refresh credential message and a second authentication credential message signature, where the second authentication credential message signature is obtained by encrypting the second authentication credential message with the private key of the authentication server.
In some embodiments, the apparatus further comprises a termination authentication unit configured to: in response to receiving a logout request, encrypt the refresh credential message to be invalidated with the first public key to generate a termination request; send the termination request to the authentication server; in response to receiving a termination success message sent by the authentication server, decrypt the termination success message with the first public key to obtain the invalidated refresh credential message; and delete the invalidated refresh credential message and the corresponding invalidated authentication credential message signature.
In a fifth aspect, an embodiment of the present disclosure provides an apparatus for maintaining a user authentication session, applied to an authentication server, which includes: a third negotiation unit configured to perform key agreement with the client to obtain a first public key; a decryption unit configured, in response to receiving an authentication session request sent by the client, to decrypt the authentication session request with the first public key to obtain an account credential; a verification unit configured to verify the account credential; a first message assembling unit configured, if verification succeeds, to obtain user information according to the account credential and assemble an authentication message; a second message assembling unit configured to assemble a first authentication credential message from the authentication message and the credential failure time; a private key encryption unit configured to encrypt the first authentication credential message with the private key to obtain a first authentication credential message signature; a third message assembling unit configured to assemble a first refresh credential message from the refresh failure time; and an encryption and sending unit configured to assemble a first authentication session credential message from the first refresh credential message and the first authentication credential message signature, encrypt it with the first public key, and send it to the client.
In some embodiments, the apparatus further comprises a credential renewal unit configured to: in response to receiving a renewal request sent by the client, decrypt the renewal request to obtain the first refresh credential message, where the renewal request comprises the first refresh credential message encrypted with the first public key; judge whether the first refresh credential message has expired; if it has not expired, delete the first refresh credential message; assemble a second authentication credential message from the authentication message and the updated credential failure time; encrypt the second authentication credential message with the private key to obtain a second authentication credential message signature; assemble a second refresh credential message from the updated refresh failure time; and assemble a second authentication session credential message from the second refresh credential message and the second authentication credential message signature, encrypt it with the first public key, and send it to the client.
In some embodiments, the apparatus further comprises a sending unit configured to: if the first refresh credential message has expired, send a renewal request failure message to the client.
In some embodiments, the apparatus further comprises a credential deletion unit configured to: in response to receiving a termination request sent by the client, decrypt the termination request with the first public key to obtain the refresh credential message to be invalidated; judge whether that refresh credential message has already expired; if it has expired, send the client a termination request failure message encrypted with the first public key; and if it has not expired, delete the refresh credential message and send the client a termination request success message encrypted with the first public key.
In a sixth aspect, an embodiment of the present disclosure provides an apparatus for maintaining a user authentication session, applied to an application server, which includes: a fourth negotiation unit configured to perform key agreement with the client to obtain a second public key; a public key decryption unit configured, in response to receiving a service request, to decrypt the service request with the second public key to obtain a service message that includes the first authentication credential message signature; an acquisition unit configured to obtain the public key of the authentication server; a public key decryption unit configured to decrypt the first authentication credential message signature with that public key; a parsing unit configured, if decryption succeeds, to obtain the first authentication credential message and parse the user information and the credential failure time from it; and a service processing unit configured, if the credential failure time has not been reached, to perform service processing according to the user information and send a service request success message to the client.
In some embodiments, the apparatus further comprises a sending unit configured to: if decryption fails or the credential failure time has been reached, send a service request failure message to the client.
In a seventh aspect, an embodiment of the present disclosure provides a system for maintaining a user authentication session, including: a client configured to implement the method as in any one of the first aspects; an authentication server configured to implement the method as in any one of the second aspects; an application server configured to implement the method as in any one of the third aspects.
In an eighth aspect, embodiments of the present disclosure provide an electronic device for maintaining a user authentication session, comprising: one or more processors; a storage device having one or more programs stored thereon, which when executed by one or more processors, cause the one or more processors to implement a method as in any one of the first, second, and third aspects.
In a ninth aspect, embodiments of the present disclosure provide a computer readable medium on which a computer program is stored, wherein the program, when executed by a processor, implements a method as in any one of the first, second, third aspects.
With the method and apparatus for maintaining a user authentication session, the authentication session credential message changes dynamically and is valid only for a short time each time within the overall validity period of the authentication session, so a credential message that has been leaked cannot be exploited. When the application server receives a client request, it can check the authenticity of the authentication session message without depending on the authentication server. The client and the application server exchange dynamic keys directly through key agreement and use those keys to encrypt the user information in the authentication session message.
This has the following advantages: 1. the authentication credential message signature changes dynamically and has a short validity period, so even if an eavesdropper captures the message it cannot be used to spoof requests once it has timed out; 2. the refresh credential message is stored only on the client and the authentication server, which reduces the risk of leakage during network transmission; 3. the application server verifies the signature locally with the public key of the authentication server, which improves the signature verification efficiency of the application server; 4. the client performs key agreement with each application server and the messages transmitted over the network are encrypted with the public key, which improves message security.
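The issuance, local verification and renewal steps of the second and third aspects, modelled in Go as an added example (not code from the patent or its assignee): the authentication server signs a credential carrying user information and a credential failure time, keeps a refresh credential that is deleted when it is consumed, and an application server verifies the signature with the authentication server's public key and enforces the failure time without contacting the authentication server. Ed25519 as the signature scheme, JSON as the credential encoding and the explicit time arguments are this example's assumptions; the transport encryption under the negotiated first and second public keys is left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"time"
)

// AuthCredential is the "authentication credential message": user information
// plus the credential failure time (unix seconds).
type AuthCredential struct {
	UserID    string `json:"user_id"`
	ExpiresAt int64  `json:"expires_at"`
}

// SignedCredential is the "authentication credential message signature" the
// client places in service requests: credential bytes plus an Ed25519 signature.
type SignedCredential struct {
	Payload, Signature []byte
}

// RefreshCredential is the "refresh credential message"; it is held only by the
// client and the authentication server and is never sent to application servers.
type RefreshCredential struct {
	ID, UserID string
	ExpiresAt  int64
}

// AuthServer owns the signing key and the table of live refresh credentials.
type AuthServer struct {
	Pub        ed25519.PublicKey // fetched once by each application server
	priv       ed25519.PrivateKey
	live       map[string]RefreshCredential
	credTTL    time.Duration // short: bounds how long a leaked signature stays usable
	refreshTTL time.Duration // longer: the lifetime of the whole authentication session
}

func NewAuthServer(credTTL, refreshTTL time.Duration) (*AuthServer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &AuthServer{Pub: pub, priv: priv, live: map[string]RefreshCredential{}, credTTL: credTTL, refreshTTL: refreshTTL}, nil
}

// Issue runs the second-aspect steps after the account credential has been checked:
// sign the credential with the private key and create a fresh refresh credential.
func (a *AuthServer) Issue(userID string, now time.Time) (SignedCredential, RefreshCredential, error) {
	payload, err := json.Marshal(AuthCredential{UserID: userID, ExpiresAt: now.Add(a.credTTL).Unix()})
	if err != nil {
		return SignedCredential{}, RefreshCredential{}, err
	}
	id := make([]byte, 16)
	if _, err := rand.Read(id); err != nil {
		return SignedCredential{}, RefreshCredential{}, err
	}
	rc := RefreshCredential{ID: hex.EncodeToString(id), UserID: userID, ExpiresAt: now.Add(a.refreshTTL).Unix()}
	a.live[rc.ID] = rc
	return SignedCredential{Payload: payload, Signature: ed25519.Sign(a.priv, payload)}, rc, nil
}

// Renew consumes a refresh credential: it must be known and unexpired, it is deleted so
// it cannot be replayed, and a new signed credential plus refresh credential are issued.
// Logout (the termination request) is the same deletion without issuing anything new.
func (a *AuthServer) Renew(rc RefreshCredential, now time.Time) (SignedCredential, RefreshCredential, error) {
	stored, ok := a.live[rc.ID]
	if !ok || stored.UserID != rc.UserID {
		return SignedCredential{}, RefreshCredential{}, errors.New("renewal failed: unknown refresh credential")
	}
	delete(a.live, rc.ID)
	if now.Unix() >= stored.ExpiresAt {
		return SignedCredential{}, RefreshCredential{}, errors.New("renewal failed: refresh credential expired")
	}
	return a.Issue(stored.UserID, now)
}

// VerifyLocally is the third-aspect check an application server does on its own: verify the
// signature with the authentication server's public key, then enforce the credential failure
// time. The authentication server is not contacted and no cache has to be synchronized.
func VerifyLocally(pub ed25519.PublicKey, sc SignedCredential, now time.Time) (AuthCredential, error) {
	if !ed25519.Verify(pub, sc.Payload, sc.Signature) {
		return AuthCredential{}, errors.New("service request failed: bad signature")
	}
	var cred AuthCredential
	if err := json.Unmarshal(sc.Payload, &cred); err != nil {
		return AuthCredential{}, err
	}
	if now.Unix() >= cred.ExpiresAt {
		return AuthCredential{}, errors.New("service request failed: credential expired")
	}
	return cred, nil
}
```

A service request failure from VerifyLocally after the failure time is the trigger for the client's renewal request; Renew's deletion of the old refresh credential is what makes a captured credential pair useless once it has been renewed.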
Drawings
Other features, objects and advantages of the disclosure will become more apparent upon reading of the following detailed description of non-limiting embodiments thereof, made with reference to the accompanying drawings in which:
FIG. 1 is an exemplary system architecture diagram in which one embodiment of the present disclosure may be applied;
FIG. 2 is a flow diagram of one embodiment in which a method for maintaining a user authentication session is applied to a client in accordance with the present disclosure;
FIG. 3 is a flow diagram of one embodiment of a method for maintaining a user authentication session applied to an authentication server in accordance with the present disclosure;
FIG. 4 is a flow diagram of one embodiment of a method for maintaining a user authentication session applied to an application server in accordance with the present disclosure;
FIG. 5 is a schematic diagram of one application scenario of a method for maintaining a user authentication session according to the present disclosure;
FIG. 6 is a schematic structural diagram illustrating an embodiment of an apparatus for maintaining a user authentication session applied to a client according to the present disclosure;
FIG. 7 is a schematic structural diagram of an embodiment of an apparatus for maintaining a user authentication session applied to an authentication server according to the present disclosure;
FIG. 8 is a schematic structural diagram illustrating an embodiment of an apparatus for maintaining a user authentication session applied to an application server according to the present disclosure;
FIG. 9 is a schematic block diagram of a computer system suitable for use with an electronic device to implement embodiments of the present disclosure.
Detailed Description
The present disclosure is described in further detail below with reference to the accompanying drawings and embodiments. It is to be understood that the specific embodiments described herein merely illustrate the invention and do not restrict it. It should also be noted that, for convenience of description, only the portions relevant to the invention are shown in the drawings.
It should be noted that, in the present disclosure, the embodiments and features of the embodiments may be combined with each other without conflict. The present disclosure will be described in detail below with reference to the accompanying drawings in conjunction with embodiments.
Fig. 1 illustrates an exemplary system architecture 100 to which embodiments of the disclosed method for maintaining a user authentication session or apparatus for maintaining a user authentication session may be applied.
As shown in fig. 1, the system architecture 100 may include a client 101, an authentication server 102, and an application server 103. The client 101, the authentication server 102 and the application server 103 are connected through a wired network or a wireless network.
A user may use the client 101 to interact with the authentication server 102 and the application server 103 over a network, for example to receive or send messages. Various client applications, such as web browsers, shopping applications, search applications, instant messaging tools, mail clients, and social platform software, may be installed on the client 101.
The client 101 may be hardware or software. When the client 101 is hardware, it may be any electronic device that supports user name and password login, including but not limited to a smart phone, a tablet computer, an e-book reader, an MP3 player (Moving Picture Experts Group Audio Layer III), an MP4 player (Moving Picture Experts Group Audio Layer IV), a laptop computer, and a desktop computer. When the client 101 is software, it may be installed on the electronic devices listed above, and may be implemented as multiple pieces of software or software modules (for example, to provide distributed services) or as a single piece of software or software module. This is not particularly limited here.
The authentication server 102 is configured to verify the account number and password that the user enters through the client. If verification succeeds, it sends a credential to the client, and the client can then log in to the application server with that credential. The application server performs business processing, such as balance inquiry and account transfer.
The authentication server 102 and the application server 103 may be hardware or software. When they are hardware, each may be implemented as a distributed server cluster composed of multiple servers or as a single server. When they are software, each may be implemented as multiple pieces of software or software modules (for example, to provide distributed services) or as a single piece of software or software module. This is not particularly limited here.
It should be noted that the method for maintaining the user authentication session provided by the embodiment of the present disclosure may be executed by the client 101, the authentication server 102, and the application server 103. Accordingly, means for maintaining the user authentication session may be provided in the client 101, the authentication server 102, and the application server 103.
It should be understood that the number of clients 101, authentication servers 102, and application servers 103 in fig. 1 is merely illustrative. There may be any number of clients 101, authentication servers 102, application servers 103, as desired for an implementation.
With continued reference to fig. 2, a flow 200 of one embodiment of a method for maintaining a user authentication session applied to a client in accordance with the present disclosure is shown. The method for maintaining a user authentication session comprises the following steps:
Step 201, performing key agreement with the authentication server to obtain a first public key.
In this embodiment, the executing entity of the method for maintaining the user authentication session (for example, the client shown in fig. 1) may log in to the authentication server, perform key agreement with it, and obtain a key known only to the client and the authentication server. Because key agreement takes place twice in this application, the key negotiated between the client and the authentication server is referred to as the first public key, and the key negotiated between the client and the application server is referred to as the second public key.
Key agreement (secret key agreement) means that two entities on a network jointly establish a session key through an agreement in which every participant influences the result and no trusted third party is involved. The principle is a key exchange function such as Diffie-Hellman, which rests on the mathematical property that two communicating parties can generate a shared secret number by exchanging only information that may be disclosed, and that this secret number can then be used as the key of a symmetric cipher. A qualified key exchange function should have two main features:
1. from their two secret private values, both sides can locally compute the same shared secret key using the public parameters,
2. it is difficult to back-calculate the shared secret key from the public information.
In practical information security applications, if two parties exchange messages over an uncontrolled network, they need to obtain a shared key through key agreement and then encrypt the messages with it, so that it is certain that only the two parties can decrypt the encrypted data.
Step 202, encrypting the account credential with the first public key to generate an authentication session request, and sending the authentication session request to the authentication server.
In this embodiment, the account credential is the user name and password input by the user. The account credential is encrypted with the first public key, which is known to the authentication server, and then sent to the authentication server. The authentication server can then perform steps 302-308.
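Steps 201 and 202 in runnable form, as an added example rather than code from the patent: an X25519 key agreement in which only public values cross the network, SHA-256 of the shared secret standing in for what the patent calls the "first public key", and AES-GCM protecting the account credential request. The names Party, Negotiate, Seal and Open are this example's own, and the sample request is constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Party is one side of the exchange (client or authentication server) with
// an ephemeral X25519 key pair.
type Party struct{ priv *ecdh.PrivateKey }

func NewParty() (*Party, error) {
	k, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{priv: k}, nil
}

// PublicBytes is the value that may be sent over the open network.
func (p *Party) PublicBytes() []byte { return p.priv.PublicKey().Bytes() }

// DeriveKey combines the peer's public value with the local private key and
// hashes the shared secret into a 32-byte AES key (SHA-256 as a simple KDF).
func (p *Party) DeriveKey(peerPub []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	secret, err := p.priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(secret)
	return sum[:], nil
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a message (for example the account credential of step 202)
// under the negotiated key; the random nonce is prefixed to the ciphertext.
func Seal(key, plaintext []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal; GCM's tag check rejects any modified ciphertext.
func Open(key, msg []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	if len(msg) < aead.NonceSize() {
		return nil, errors.New("message too short")
	}
	return aead.Open(nil, msg[:aead.NonceSize()], msg[aead.NonceSize():], nil)
}

// Negotiate runs the exchange between a client and an authentication server
// and returns the key each side derived so a caller can check they agree.
func Negotiate() (clientKey, serverKey []byte, err error) {
	c, err := NewParty()
	if err != nil {
		return nil, nil, err
	}
	s, err := NewParty()
	if err != nil {
		return nil, nil, err
	}
	// Only PublicBytes() crosses the network; each side keeps its private key.
	if clientKey, err = c.DeriveKey(s.PublicBytes()); err != nil {
		return nil, nil, err
	}
	serverKey, err = s.DeriveKey(c.PublicBytes())
	return clientKey, serverKey, err
}

func main() {
	ck, sk, _ := Negotiate()
	// Constructed sample request: the account credential of step 202.
	req, _ := Seal(ck, []byte(`{"user":"alice","password":"demo-only"}`))
	plain, err := Open(sk, req)
	fmt.Printf("keys agree: %v, server decrypted: %s (err %v)\n", bytes.Equal(ck, sk), plain, err)
}
```

The bare exchange authenticates neither side, so a deployment must bind the server's public value to its identity (for example through a certificate), otherwise an active intermediary could negotiate a separate key with each party.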
Step 203, receiving a first authentication session credential message encrypted with the first public key and sent by the authentication server.
In this embodiment, the authentication server finally generates an authentication session credential message, encrypts it, and sends it to the client. The authentication session credential message includes an authentication credential message signature (hereinafter abbreviated AT) and a refresh credential message (hereinafter abbreviated RT). The validity period of the AT is relatively short, e.g. 2 minutes. The AT can be used repeatedly, and the user's information can be obtained from it after it passes signature verification with the authentication server's public key. The validity period of the RT is longer than that of the AT and can be one hour or even longer, but the RT can be used only once, is stored only in the user's client, and can be verified only by the authentication server.
In the present application, to distinguish them from the AT and RT issued at renewal, the authentication session credential message before renewal is referred to as the first authentication session credential message, and the authentication session credential message after renewal is referred to as the second authentication session credential message.
Step 204, decrypting the encrypted first authentication session credential message with the first public key to obtain a first refresh credential message and a first authentication credential message signature.
In this embodiment, the information exchanged between the client and the authentication server is encrypted with the key negotiated between them before it is sent, so the receiver decrypts it with the same key. The first authentication credential message signature is obtained by encrypting the first authentication credential message with the private key of the authentication server. The decrypted first refresh credential message RT and first authentication credential message signature AT are stored in the user's client.
In some optional implementations of this embodiment, the method further includes: performing key agreement with the application server to obtain a second public key; assembling a service message including the first authentication credential message signature; encrypting the service message with the second public key to generate a service request; and sending the service request to the application server. This process corresponds to steps 401-406.
In some optional implementations of this embodiment, the method further includes: in response to receiving a service request failure message returned by the application server because of a timeout, sending a renewal request to the authentication server, where the renewal request includes the first refresh credential message encrypted with the first public key; receiving a second authentication session credential message encrypted with the first public key and sent by the authentication server; and decrypting the encrypted second authentication session credential message with the first public key to obtain a second refresh credential message and a second authentication credential message signature, where the second authentication credential message signature is obtained by encrypting the second authentication credential message with the private key of the authentication server. Because of its short lifetime the AT expires quickly, but it can be renewed through the RT: if the RT is within its validity period, a renewal request can be sent to the authentication server and verified there. Once generated, the RT is recorded on the authentication server side and can be used only once. If the RT has already been used, the corresponding AT is invalid and cannot be renewed, and a renewal failure message is sent to the client. If the RT has not yet been used, it is deleted from the authentication server's record once it is used.
In some optional implementations of this embodiment, the method further includes: in response to receiving a quit request, encrypting the refresh credential message to be invalidated with the first public key to generate a termination request; sending the termination request to the authentication server; in response to receiving a termination success message sent by the authentication server, decrypting the termination success message with the first public key to obtain the invalidated refresh credential message; and deleting the invalidated refresh credential message and the corresponding invalidated authentication credential message signature. When the user logs out, the client sends a logout request to the authentication server, and the user thereby actively invalidates the refresh credential message.
With continued reference to fig. 3, a flow 300 of one embodiment of the method for maintaining a user authentication session according to the present disclosure is shown as applied to an authentication server. The method for maintaining a user authentication session comprises the following steps:
Step 301, performing key agreement with the client to obtain a first public key.
In this embodiment, the executing entity of the method for maintaining the user authentication session (for example, the authentication server shown in fig. 1) may receive a login request from the client and perform key agreement with the client. The specific process is substantially the same as step 201 and is not described again.
Step 302, in response to receiving an authentication session request sent by the client, decrypting the authentication session request with the first public key to obtain an account credential.
In this embodiment, since the authentication session request was obtained by encrypting the account credential with the first public key, the account credential can be recovered by decrypting with the first public key.
Step 303, verifying the account credential.
In this embodiment, the registration information is queried according to the account credential to verify whether the account credential is valid. For example, the user name and password in the account credential are matched against the user name and password in the registration information base, and if they match, verification passes.
Step 304, if verification succeeds, acquiring user information according to the account credential and assembling an authentication message.
In this embodiment, if verification succeeds, user information such as the user's name, gender, age, and role may be obtained according to the account credential. The user information may be assembled into an authentication message in a predetermined format.
If verification fails, an authentication failure message is returned to the client. The authentication failure message can be encrypted with the first public key before being sent to the client; to save overhead, it can also be sent directly without encryption, in which case a special field identifies the message as unencrypted.
Step 305, assembling a first authentication credential message according to the authentication message and the credential expiration time.
In this embodiment, the authentication credential is valid for a period of time, e.g. 2 minutes, and the credential expiration time may be set from the current time and the validity period. For example, an expiration time of 2020-6-3 13:20 indicates that the authentication credential message becomes invalid after 13:20 on 2020-6-3.
Step 306, encrypting the first authentication credential message with a private key to obtain a first authentication credential message signature.
In this embodiment, the first authentication credential message is encrypted using a message signature technique to obtain the first authentication credential message signature: the sender encrypts with its private key and the receiver decrypts with the sender's public key.
Message signature technology is widely used in the field of information security. Its basic principle is that the sender applies a private-key encryption operation, using an asymmetric encryption function, to the content of the message being sent and outputs an encrypted bit string, generally called the message signature. The receiver obtains the sender's public key and decrypts the ciphertext message; if decryption succeeds, the message is proven to have really been sent by the sender. This decryption process is generally called signature verification. A qualified asymmetric encryption function has four main characteristics:
1. for a given message plaintext, the message signature can easily be obtained by private key encryption,
2. for a given message signature, the message plaintext can easily be obtained by public key decryption,
3. it is difficult to find message signatures generated by two different private keys that are decrypted by the same public key,
4. it is difficult to find a bit string that decrypts under the public key to an intelligible plaintext of the original message.
In practical information security applications, if a piece of message signature data can be decrypted with a public key, the data can be considered to have been encrypted with the corresponding private key.
Step 307, assembling a first refresh credential message according to the refresh expiration time.
In this embodiment, in addition to the authentication credential there is also a refresh credential. The validity period of the authentication credential is short; after it expires, the refresh credential can be used to apply for renewal of the authentication credential. The refresh credential also expires. Within its validity period, if the refresh credential has not been used and the authentication server allows the authentication credential to be renewed, a new AT and RT are sent to the client, so the user obtains authentication without entering a user name and password again. The validity period of the refresh credential is longer than that of the authentication credential. The refresh expiration time may be set from the current time and the validity period of the refresh credential; for example, an expiration time of 2020-6-3 17:20 indicates that the refresh credential message becomes invalid after 17:20 on 2020-6-3.
Step 308, assembling a first authentication session credential message according to the first refresh credential message and the first authentication credential message signature, encrypting it with the first public key, and sending it to the client.
In this embodiment, the refresh credential message RT and the authentication credential message signature AT are merged into an authentication session credential message, which is encrypted and sent to the client; the client then executes steps 203 and 204.
In some optional implementations of this embodiment, the method further includes: in response to receiving a renewal request sent by the client, decrypting the renewal request to obtain the first refresh credential message, where the renewal request includes the first refresh credential message encrypted with the first public key; judging whether the first refresh credential message is invalid; if it is not invalid, deleting the first refresh credential message; assembling a second authentication credential message according to the authentication message and an updated credential expiration time; encrypting the second authentication credential message with the private key to obtain a second authentication credential message signature; assembling a second refresh credential message according to an updated refresh expiration time; and assembling a second authentication session credential message according to the second refresh credential message and the second authentication credential message signature, encrypting it with the first public key, and sending it to the client. Invalid here means timed out or already used. The refresh credential message includes the refresh expiration time, from which it can be judged whether the RT has timed out. The RT can be used only once and is deleted from the record when used, so whether it has been used is known simply by looking up whether that RT still exists in the record. If the RT is valid, renewal is allowed and proceeds as in steps 305-308.
With continued reference to fig. 4, a flow 400 of one embodiment of the method for maintaining a user authentication session according to the present disclosure is shown as applied to an application server. The method for maintaining a user authentication session comprises the following steps:
Step 401, performing key agreement with the client to obtain a second public key.
In this embodiment, the executing entity of the method for maintaining the user authentication session (for example, the application server shown in fig. 1) may perform key agreement with the client to obtain the second public key. The specific process is similar to step 201.
Step 402, in response to receiving a service request, decrypting the service request with the second public key to obtain a service message including the first authentication credential message signature.
In this embodiment, the service request comes from the client, which assembles a service message including the first authentication credential message signature and encrypts it with the second public key to generate the service request. The service request can therefore be decrypted with the second public key to obtain the service message including the first authentication credential message signature.
Step 403, acquiring the public key of the authentication server.
In this embodiment, the public key of the authentication server is published to the whole system, so the application server can also obtain it.
Step 404, decrypting the first authentication credential message signature with the public key.
In this embodiment, since the first authentication credential message signature was obtained by the authentication server encrypting the first authentication credential message with its own private key, the first authentication credential message can be obtained by decrypting the signature with the public key of the authentication server.
Step 405, if decryption succeeds, obtaining the first authentication credential message, and parsing the user information and the credential expiration time from it.
In this embodiment, if decryption succeeds, the first authentication credential message is obtained. The user information and the credential expiration time are then parsed from it according to the format in which the first authentication credential message was assembled; this process is the reverse of step 305.
Step 406, if the credential expiration time has not been reached, performing service processing according to the user information, and sending a service request success message to the client.
In this embodiment, if the AT has not expired, the user information may be used directly for service processing, and a service request success message is returned. For ease of processing, the service request success message need not be encrypted.
In some optional implementations of this embodiment, if decryption fails or the credential expiration time has been reached, a service request failure message is sent to the client.
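The credential lifecycle of steps 305-308, the renewal implementation described for the authentication server, and the application-server checks of steps 404-406, as an added example that is not the patent's code. Ed25519 signatures stand in for the private-key encryption, so the AT carries the signed message beside its signature rather than recovering it by decryption; AuthServer, Issue, Renew and VerifyAT are this example's own names, the two-minute AT and one-hour RT lifetimes are the values given in the text, and logout is the same record deletion as in Renew without issuing a new credential.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// AuthMessage is the authentication credential message of step 305 (user
// information plus the credential expiry); its JSON encoding is what is signed.
type AuthMessage struct {
	User    string    `json:"user"`
	Expires time.Time `json:"expires"`
}

type rtRecord struct {
	expires time.Time // refresh expiry, longer than the AT expiry
	user    string
}

// AuthServer holds the signing key pair and the record of RTs not yet used.
type AuthServer struct {
	Pub   ed25519.PublicKey // published so application servers can verify ATs
	priv  ed25519.PrivateKey
	rts   map[string]rtRecord
	atTTL time.Duration
	rtTTL time.Duration
}

func NewAuthServer(atTTL, rtTTL time.Duration) (*AuthServer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &AuthServer{Pub: pub, priv: priv, rts: map[string]rtRecord{}, atTTL: atTTL, rtTTL: rtTTL}, nil
}

// Issue performs steps 305-308 for an already verified account: the AT is the
// Ed25519 signature followed by the signed message, the RT a random value that
// is recorded server-side with its own, longer, expiry.
func (s *AuthServer) Issue(user string, now time.Time) ([]byte, string, error) {
	body, err := json.Marshal(AuthMessage{User: user, Expires: now.Add(s.atTTL)})
	if err != nil {
		return nil, "", err
	}
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return nil, "", err
	}
	rt := fmt.Sprintf("%x", raw)
	s.rts[rt] = rtRecord{expires: now.Add(s.rtTTL), user: user}
	return append(ed25519.Sign(s.priv, body), body...), rt, nil
}

// Renew is the renewal path: an RT works once and only while unexpired, and is
// removed from the record whether it is consumed or found expired.
func (s *AuthServer) Renew(rt string, now time.Time) ([]byte, string, error) {
	rec, ok := s.rts[rt]
	if !ok {
		return nil, "", errors.New("refresh credential unknown or already used")
	}
	delete(s.rts, rt)
	if !now.Before(rec.expires) {
		return nil, "", errors.New("refresh credential expired")
	}
	return s.Issue(rec.user, now)
}

// VerifyAT is the application server side (steps 404-406): check the
// signature with the authentication server's public key, then the expiry.
func VerifyAT(pub ed25519.PublicKey, at []byte, now time.Time) (AuthMessage, error) {
	var msg AuthMessage
	if len(at) < ed25519.SignatureSize {
		return msg, errors.New("malformed credential")
	}
	sig, body := at[:ed25519.SignatureSize], at[ed25519.SignatureSize:]
	if !ed25519.Verify(pub, body, sig) {
		return msg, errors.New("signature verification failed")
	}
	if err := json.Unmarshal(body, &msg); err != nil {
		return msg, err
	}
	if !now.Before(msg.Expires) {
		return msg, errors.New("credential expired")
	}
	return msg, nil
}

func main() {
	srv, _ := NewAuthServer(2*time.Minute, time.Hour)
	t0 := time.Date(2020, 6, 3, 13, 18, 0, 0, time.UTC) // constructed clock
	at, rt, _ := srv.Issue("alice", t0)
	_, err := VerifyAT(srv.Pub, at, t0.Add(3*time.Minute))
	fmt.Println("AT after 3 min:", err) // expired, so the client renews via RT
	_, rt2, err := srv.Renew(rt, t0.Add(3*time.Minute))
	fmt.Println("renewed, new RT issued:", rt2 != "", err)
}
```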
With continued reference to fig. 5, fig. 5 is a schematic diagram of an application scenario of the method for maintaining a user authentication session according to the present embodiment. The application scenario of fig. 5 involves 4 stages, and the specific flow is as follows:
1. Authentication message request phase:
the user's client and the authentication server first obtain a secure first public key through key agreement, and messages are encrypted with this key for transmission;
the user inputs account credentials (e.g. user name and password) and sends them to the authentication server to request authentication session credentials, which include the authentication credential message signature AT (access token) and the refresh credential RT (refresh token). The AT has a validity period of 2 minutes and can be used repeatedly; after signature verification with the authentication server's public key, the user's information can be obtained from it. The validity period of the RT is longer than that of the AT and can be one hour or even longer, but the RT can be used only once, is stored only in the user's client, and can be verified only by the authentication server;
2. Authentication session credential usage phase:
the user's client and the application server first obtain a secure second public key through key agreement, assemble the information and the message signature AT into a request message, and encrypt the message with the second public key for transmission;
the application server receives the user's request message, decrypts it with the second public key to obtain the plaintext, and then verifies the message signature AT with the public key of the authentication server; if signature verification succeeds it obtains the user's plaintext information, and if signature verification fails or the credential has timed out it returns an access failure to the user;
3. Authentication session credential renewal phase:
after the client's authentication session credential AT has timed out, the client encrypts the refresh credential message RT with the first public key and sends a renewal request; the authentication server decrypts the encrypted renewal request on receipt, judges whether the RT has been used, and after verification passes issues the message signature AT and refresh credential RT of a new authentication session credential to the client;
the client can then re-enter the authentication session credential usage phase with the newly issued credential.
4. User termination of authentication session phase:
the client encrypts the refresh credential message RT with the first public key and sends an authentication session termination request; the authentication server decrypts the encrypted request on receipt, judges whether the RT has been used, and deletes the RT after verification passes, so the RT can no longer be used for renewal.
With further reference to fig. 6, as an implementation of the methods shown in the above figures, the present disclosure provides an embodiment of an apparatus for maintaining a user authentication session, which is applied to a client. The apparatus embodiment corresponds to the method embodiment shown in fig. 2, and the apparatus may specifically be applied to various electronic devices.
As shown in fig. 6, the apparatus 600 for maintaining a user authentication session of the present embodiment includes: a first negotiation unit 601, an authentication request unit 602, a receiving unit 603 and a decryption unit 604. The first negotiation unit 601 is configured to perform key negotiation with the authentication server to obtain a first public key; the authentication request unit 602 is configured to encrypt the account credential with the first public key to generate an authentication session request, and send the authentication session request to the authentication server; the receiving unit 603 is configured to receive a first authentication session credential message encrypted with the first public key and sent by the authentication server; and the decryption unit 604 is configured to decrypt the encrypted first authentication session credential message with the first public key to obtain a first refresh credential message and a first authentication credential message signature, where the first authentication credential message signature is obtained by encrypting the first authentication credential message with the private key of the authentication server.
In some optional implementations of this embodiment, the apparatus further includes: a second negotiation unit (not shown in the figures) configured to perform key negotiation with the application server to obtain a second public key; an assembly unit (not shown in the figures) configured to assemble a service message including the first authentication credential message signature; an encryption unit (not shown in the figures) configured to encrypt the service message with the second public key to generate a service request; and a sending unit (not shown in the figures) configured to send the service request to the application server.
In some optional implementations of this embodiment, the apparatus further includes a renewal request unit (not shown in the figures) configured to: in response to receiving a service request failure message returned by the application server because of a timeout, send a renewal request to the authentication server, where the renewal request includes the first refresh credential message encrypted with the first public key; receive a second authentication session credential message encrypted with the first public key and sent by the authentication server; and decrypt the encrypted second authentication session credential message with the first public key to obtain a second refresh credential message and a second authentication credential message signature, where the second authentication credential message signature is obtained by encrypting the second authentication credential message with the private key of the authentication server.
In some optional implementations of this embodiment, the apparatus further includes a termination authentication unit (not shown in the figures) configured to: in response to receiving a quit request, encrypt the refresh credential message to be invalidated with the first public key to generate a termination request; send the termination request to the authentication server; in response to receiving a termination success message sent by the authentication server, decrypt the termination success message with the first public key to obtain the invalidated refresh credential message; and delete the invalidated refresh credential message and the corresponding invalidated authentication credential message signature.
With further reference to fig. 7, as an implementation of the methods shown in the above figures, the present disclosure provides an embodiment of an apparatus for maintaining a user authentication session, which is applied to an authentication server. The apparatus embodiment corresponds to the method embodiment shown in fig. 3, and the apparatus may specifically be applied to various electronic devices.
As shown in fig. 7, the apparatus 700 for maintaining a user authentication session of the present embodiment includes: a third negotiation unit 701, a decryption unit 702, a verification unit 703, a first message assembly unit 704, a second message assembly unit 705, a private key encryption unit 706, a third message assembly unit 707, and an encryption sending unit 708. The third negotiation unit 701 is configured to perform key negotiation with the client to obtain a first public key; the decryption unit 702 is configured to, in response to receiving an authentication session request sent by the client, decrypt the authentication session request with the first public key to obtain an account credential; the verification unit 703 is configured to verify the account credential; the first message assembly unit 704 is configured to, if verification succeeds, obtain user information according to the account credential and assemble an authentication message; the second message assembly unit 705 is configured to assemble a first authentication credential message according to the authentication message and the credential expiration time; the private key encryption unit 706 is configured to encrypt the first authentication credential message with a private key to obtain a first authentication credential message signature; the third message assembly unit 707 is configured to assemble a first refresh credential message according to the refresh expiration time; and the encryption sending unit 708 is configured to assemble a first authentication session credential message according to the first refresh credential message and the first authentication credential message signature, encrypt it with the first public key, and send it to the client.
In some optional implementations of this embodiment, the apparatus further includes a credential renewal unit (not shown in the figures) configured to: in response to receiving a renewal request sent by the client, decrypt the renewal request to obtain the first refresh credential message, where the renewal request includes the first refresh credential message encrypted with the first public key; judge whether the first refresh credential message is invalid; if it is not invalid, delete the first refresh credential message; assemble a second authentication credential message according to the authentication message and an updated credential expiration time; encrypt the second authentication credential message with the private key to obtain a second authentication credential message signature; assemble a second refresh credential message according to an updated refresh expiration time; and assemble a second authentication session credential message according to the second refresh credential message and the second authentication credential message signature, encrypt it with the first public key, and send it to the client.
In some optional implementations of this embodiment, the apparatus further includes a sending unit (not shown in the figures) configured to: if the first refresh credential message is invalid, send a renewal request failure message to the client.
In some optional implementations of this embodiment, the apparatus further includes a credential deleting unit (not shown in the figures) configured to: in response to receiving a termination request sent by the client, decrypt the termination request with the first public key to obtain the refresh credential message to be invalidated; judge whether that refresh credential message is invalid; if it is invalid, send a termination request failure message encrypted with the first public key to the client; and if it is not invalid, delete the refresh credential message and send a termination request success message encrypted with the first public key to the client.
With further reference to fig. 8, as an implementation of the methods shown in the above figures, the present disclosure provides an embodiment of an apparatus for maintaining a user authentication session, which is applied to an application server. The apparatus embodiment corresponds to the method embodiment shown in fig. 4, and the apparatus may specifically be applied to various electronic devices.
As shown in fig. 8, the apparatus 800 for maintaining a user authentication session of the present embodiment includes: a fourth negotiation unit 801, a public key decryption unit 802, an acquisition unit 803, a public key decryption unit 804, a parsing unit 805, and a service processing unit 806. The fourth negotiation unit 801 is configured to perform key negotiation with the client to obtain a second public key; the public key decryption unit 802 is configured to, in response to receiving a service request, decrypt the service request with the second public key to obtain a service message including a first authentication credential message signature; the acquisition unit 803 is configured to obtain the public key of the authentication server; the public key decryption unit 804 is configured to decrypt the first authentication credential message signature with that public key; the parsing unit 805 is configured to obtain the first authentication credential message if decryption succeeds, and parse the user information and the credential expiration time from it; and the service processing unit 806 is configured to, if the credential expiration time has not been reached, perform service processing according to the user information and send a service request success message to the client.
In some optional implementations of this embodiment, the apparatus further includes a sending unit (not shown in the figures) configured to: if decryption fails or the credential expiration time has been reached, send a service request failure message to the client.
Referring now to fig. 9, a schematic diagram of an electronic device (e.g., client, authentication server, application server in fig. 1) 900 suitable for use in implementing embodiments of the present disclosure is shown. The client, the authentication server, and the application server shown in fig. 9 are only one example, and should not bring any limitation to the functions and the use range of the embodiments of the present disclosure.
As shown in fig. 9, the electronic device 900 may include a processing means (e.g., a central processing unit, a graphics processor, etc.) 901 that may perform various appropriate actions and processes in accordance with a program stored in a Read Only Memory (ROM)902 or a program loaded from a storage means 908 into a Random Access Memory (RAM) 903. In the RAM903, various programs and data necessary for the operation of the electronic apparatus 900 are also stored. The processing apparatus 901, the ROM 902, and the RAM903 are connected to each other through a bus 904. An input/output (I/O) interface 905 is also connected to bus 904.
Generally, the following devices may be connected to the I/O interface 905: input devices 906 including, for example, a touch screen, touch pad, keyboard, mouse, camera, microphone, accelerometer, gyroscope, etc.; an output device 907 including, for example, a Liquid Crystal Display (LCD), a speaker, a vibrator, and the like; storage 908 including, for example, magnetic tape, hard disk, etc.; and a communication device 909. The communication device 909 may allow the electronic apparatus 900 to perform wireless or wired communication with other apparatuses to exchange data. While fig. 9 illustrates an electronic device 900 having various means, it is to be understood that not all illustrated means are required to be implemented or provided. More or fewer devices may alternatively be implemented or provided. Each block shown in fig. 9 may represent one device or may represent multiple devices as desired.
In particular, according to an embodiment of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication device 909, or installed from the storage device 908, or installed from the ROM 902. The computer program, when executed by the processing apparatus 901, performs the above-described functions defined in the methods of the embodiments of the present disclosure. It should be noted that the computer readable medium described in the embodiments of the present disclosure may be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In embodiments of the disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. 
In embodiments of the present disclosure, however, a computer readable signal medium may comprise a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: electrical wires, optical cables, RF (radio frequency), etc., or any suitable combination of the foregoing.
The computer readable medium may be embodied in the electronic device, or may exist separately without being assembled into the electronic device. The computer readable medium carries one or more programs which, when executed by the electronic device, cause the electronic device to: perform key agreement with an authentication server to obtain a first public key; encrypt an account credential with the first public key to generate an authentication session request, and send the authentication session request to the authentication server; receive a first authentication session credential message sent by the authentication server and encrypted with the first public key; and decrypt the encrypted first authentication session credential message with the first public key to obtain a first refresh credential message and a first authentication credential message signature, wherein the first authentication credential message signature is obtained by encrypting the first authentication credential message with the private key of the authentication server.
Or cause the electronic device to: perform key agreement with a client to obtain a first public key; in response to receiving an authentication session request sent by the client, decrypt the authentication session request with the first public key to obtain an account credential; verify the account credential; if the verification succeeds, acquire user information according to the account credential and assemble an authentication message; assemble a first authentication credential message from the authentication message and a credential expiration time; encrypt the first authentication credential message with a private key to obtain a first authentication credential message signature; assemble a first refresh credential message from a refresh expiration time; and assemble a first authentication session credential message from the first refresh credential message and the first authentication credential message signature, encrypt it with the first public key, and send it to the client. Or cause the electronic device to: perform key agreement with the client to obtain a second public key; in response to receiving a service request, decrypt the service request with the second public key to obtain a service message including a first authentication credential message signature; acquire the public key of the authentication server; decrypt the first authentication credential message signature with that public key; if the decryption succeeds, obtain the first authentication credential message and parse user information and a credential expiration time from it; and if the credential expiration time has not been reached, perform service processing according to the user information and send a service request success message to the client.
Computer program code for carrying out operations of embodiments of the present disclosure may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk or C++, and conventional procedural programming languages such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
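The key agreement and the encrypted requests that all three programs above rely on, as an added example in Go that is not part of this patent and not code of the applicant. The text names the negotiated key a "first public key" (client and authentication server) or "second public key" (client and application server) and uses the same key both to encrypt and to decrypt, so functionally it is a shared session key; the example assumes that reading and realizes it as an ephemeral X25519 exchange whose shared secret is hashed into an AES-256-GCM key. The type and function names (Session, Negotiate, Seal, Open, KeyAgreement), the message-kind labels used as associated data and the account credential in main are the example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Session is one party's view of the negotiated key that the text calls the "first public key"
// (client <-> authentication server) or "second public key" (client <-> application server):
// here an AES-256-GCM key derived from an ephemeral X25519 exchange, identical on both sides.
type Session struct{ aead cipher.AEAD }

// Negotiate derives the session key from our ephemeral private key and the peer's public key
// bytes as received from the network. The key is SHA-256(shared secret || client public key ||
// server public key), which binds it to exactly this pair of keys. A peer key of the wrong length
// is rejected by NewPublicKey, and a low-order point (all-zero shared secret) by ECDH.
func Negotiate(mine *ecdh.PrivateKey, peerPub, clientPub, serverPub []byte) (*Session, error) {
	peer, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	shared, err := mine.ECDH(peer)
	if err != nil {
		return nil, err
	}
	h := sha256.New()
	h.Write(shared)
	h.Write(clientPub)
	h.Write(serverPub)
	block, _ := aes.NewCipher(h.Sum(nil)) // a 32-byte key is always valid for AES-256
	aead, _ := cipher.NewGCM(block)       // GCM over an AES block cipher never fails
	return &Session{aead: aead}, nil
}

// Seal encrypts one message as nonce || AES-GCM(plaintext) with the message kind as associated
// data, so a captured authentication session request cannot be replayed as a renewal request.
func (s *Session) Seal(plaintext []byte, kind string) []byte {
	nonce := make([]byte, s.aead.NonceSize())
	rand.Read(nonce) // fresh random nonce per message; a nonce must never repeat under one key
	return s.aead.Seal(nonce, nonce, plaintext, []byte(kind))
}

// Open is the receiver's "decrypt with the first public key": it fails on any change to the
// ciphertext, the nonce or the declared message kind, and on a message from another session.
func (s *Session) Open(msg []byte, kind string) ([]byte, error) {
	n := s.aead.NonceSize()
	if len(msg) < n+s.aead.Overhead() {
		return nil, errors.New("message too short")
	}
	return s.aead.Open(nil, msg[:n], msg[n:], []byte(kind))
}

// KeyAgreement runs both ends of the exchange in one process: each side generates an ephemeral
// key pair, only the public keys cross the (simulated) network, and each derives the same session.
func KeyAgreement() (client, server *Session, err error) {
	cPriv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	sPriv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	cPub, sPub := cPriv.PublicKey().Bytes(), sPriv.PublicKey().Bytes() // the two wire messages
	if client, err = Negotiate(cPriv, sPub, cPub, sPub); err != nil {
		return nil, nil, err
	}
	if server, err = Negotiate(sPriv, cPub, cPub, sPub); err != nil {
		return nil, nil, err
	}
	return client, server, nil
}

func main() {
	client, server, err := KeyAgreement()
	if err != nil {
		panic(err)
	}
	const kind = "authentication session request"
	req := client.Seal([]byte(`{"account":"alice","password":"correct horse"}`), kind) // constructed credential
	pt, err := server.Open(req, kind)
	fmt.Printf("server decrypted %q (err=%v)\n", pt, err)
	req[len(req)-1] ^= 1 // flip one ciphertext bit: the GCM tag check must now fail
	_, err = server.Open(req, kind)
	fmt.Println("tampered request:", err)
}
```

The same Session type serves the client/authentication-server channel and the client/application-server channel, each from its own ephemeral exchange, and because the receiver's Open runs before any credential is parsed, a forged or altered request is rejected before the signature check the text describes. What the bare exchange does not give is authentication of the server's ephemeral public key: with nothing pinning or certifying it, an active attacker can run one exchange with each side, so in deployment the server's key agreement message needs to be signed by, or delivered over a channel authenticated by, the server's long-term key.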
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units described in the embodiments of the present disclosure may be implemented by software or hardware. The described units may also be provided in a processor, which may be described as: a processor including a first negotiation unit, an authentication request unit, a receiving unit and a decryption unit. The names of these units do not in some cases constitute a limitation of the unit itself; for example, the first negotiation unit may also be described as "a unit that performs key agreement with the authentication server to obtain the first public key".
The foregoing description is only exemplary of the preferred embodiments of the disclosure and is illustrative of the principles of the technology employed. It will be appreciated by those skilled in the art that the scope of the invention in the present disclosure is not limited to the specific combination of the above-mentioned features, but also encompasses other embodiments in which any combination of the above-mentioned features or their equivalents is possible without departing from the inventive concept. For example, the above features and (but not limited to) the features disclosed in this disclosure having similar functions are replaced with each other to form the technical solution.

Claims (16)

1. A method for maintaining a user authentication session, applied to a client, comprising:
performing key agreement with an authentication server to obtain a first public key;
encrypting an account credential with the first public key to generate an authentication session request, and sending the authentication session request to the authentication server;
receiving a first authentication session credential message sent by the authentication server and encrypted with the first public key;
and decrypting the encrypted first authentication session credential message with the first public key to obtain a first refresh credential message and a first authentication credential message signature, wherein the first authentication credential message signature is obtained by encrypting the first authentication credential message with a private key of the authentication server.
2. The method of claim 1, wherein the method further comprises:
performing key agreement with an application server to obtain a second public key;
assembling a service message including the first authentication credential message signature;
encrypting the service message with the second public key to generate a service request;
and sending the service request to the application server.
3. The method of claim 2, wherein the method further comprises:
in response to receiving a service request failure message returned by the application server because of a timeout, sending a renewal request to the authentication server, wherein the renewal request comprises the first refresh credential message encrypted with the first public key;
receiving a second authentication session credential message sent by the authentication server and encrypted with the first public key;
and decrypting the encrypted second authentication session credential message with the first public key to obtain a second refresh credential message and a second authentication credential message signature, wherein the second authentication credential message signature is obtained by encrypting the second authentication credential message with the private key of the authentication server.
4. The method of claim 1, wherein the method further comprises:
in response to receiving a quit request, encrypting the refresh credential message to be invalidated with the first public key to generate a termination request;
sending the termination request to the authentication server;
in response to receiving a termination success message sent by the authentication server, decrypting the termination success message with the first public key to obtain the invalidated refresh credential message;
and deleting the invalidated refresh credential message and the corresponding invalidated authentication credential message signature.
5. A method for maintaining a user authentication session, applied to an authentication server, comprising:
performing key agreement with a client to obtain a first public key;
in response to receiving an authentication session request sent by the client, decrypting the authentication session request with the first public key to obtain an account credential;
verifying the account credential;
if the verification succeeds, acquiring user information according to the account credential and assembling an authentication message;
assembling a first authentication credential message according to the authentication message and a credential expiration time;
encrypting the first authentication credential message with a private key to obtain a first authentication credential message signature;
assembling a first refresh credential message according to a refresh expiration time;
and assembling a first authentication session credential message according to the first refresh credential message and the first authentication credential message signature, encrypting it with the first public key, and sending it to the client.
6. The method of claim 5, wherein the method further comprises:
in response to receiving a renewal request sent by the client, decrypting the renewal request to obtain the first refresh credential message, wherein the renewal request comprises the first refresh credential message encrypted with the first public key;
judging whether the first refresh credential message has expired;
if the first refresh credential message has not expired, deleting the first refresh credential message;
assembling a second authentication credential message according to the authentication message and an updated credential expiration time;
encrypting the second authentication credential message with the private key to obtain a second authentication credential message signature;
assembling a second refresh credential message according to an updated refresh expiration time;
and assembling a second authentication session credential message according to the second refresh credential message and the second authentication credential message signature, encrypting it with the first public key, and sending it to the client.
7. The method of claim 6, wherein the method further comprises:
and if the first refresh credential message has expired, sending a renewal request failure message to the client.
8. The method of claim 5, wherein the method further comprises:
in response to receiving a termination request sent by the client, decrypting the termination request with the first public key to obtain the refresh credential message to be invalidated;
judging whether that refresh credential message has expired;
if it has expired, sending the client a termination request failure message encrypted with the first public key;
and if it has not expired, deleting the refresh credential message and sending the client a termination request success message encrypted with the first public key.
9. A method for maintaining a user authentication session, applied to an application server, comprising:
performing key agreement with a client to obtain a second public key;
in response to receiving a service request, decrypting the service request with the second public key to obtain a service message including a first authentication credential message signature;
acquiring a public key of an authentication server;
decrypting the first authentication credential message signature with the public key;
if the decryption succeeds, obtaining a first authentication credential message, and parsing user information and a credential expiration time from the first authentication credential message;
and if the credential expiration time has not been reached, performing service processing according to the user information and sending a service request success message to the client.
10. The method of claim 9, wherein the method further comprises:
and if the decryption fails or the credential expiration time has been reached, sending a service request failure message to the client.
11. An apparatus for maintaining a user authentication session, applied to a client, comprising:
a first negotiation unit configured to perform key agreement with an authentication server to obtain a first public key;
an authentication request unit configured to encrypt an account credential with the first public key to generate an authentication session request and to send the authentication session request to the authentication server;
a receiving unit configured to receive a first authentication session credential message sent by the authentication server and encrypted with the first public key;
and a decryption unit configured to decrypt the encrypted first authentication session credential message with the first public key to obtain a first refresh credential message and a first authentication credential message signature, wherein the first authentication credential message signature is obtained by encrypting the first authentication credential message with a private key of the authentication server.
12. An apparatus for maintaining a user authentication session, applied to an authentication server, comprising:
a third negotiation unit configured to perform key agreement with a client to obtain a first public key;
a decryption unit configured to, in response to receiving an authentication session request sent by the client, decrypt the authentication session request with the first public key to obtain an account credential;
a verification unit configured to verify the account credential;
a first message assembling unit configured to, if the verification succeeds, acquire user information according to the account credential and assemble an authentication message;
a second message assembling unit configured to assemble a first authentication credential message according to the authentication message and a credential expiration time;
a private key encryption unit configured to encrypt the first authentication credential message with a private key to obtain a first authentication credential message signature;
a third message assembling unit configured to assemble a first refresh credential message according to a refresh expiration time;
and an encryption sending unit configured to assemble a first authentication session credential message according to the first refresh credential message and the first authentication credential message signature, encrypt it with the first public key, and send it to the client.
13. An apparatus for maintaining a user authentication session, applied to an application server, comprising:
a fourth negotiation unit configured to perform key agreement with a client to obtain a second public key;
a public key decryption unit configured to, in response to receiving a service request, decrypt the service request with the second public key to obtain a service message including a first authentication credential message signature;
an acquisition unit configured to acquire a public key of an authentication server;
a public key decryption unit configured to decrypt the first authentication credential message signature with the public key;
a parsing unit configured to, if the decryption succeeds, obtain a first authentication credential message and parse user information and a credential expiration time from it;
and a service processing unit configured to, if the credential expiration time has not been reached, perform service processing according to the user information and send a service request success message to the client.
14. A system for maintaining a user authentication session, comprising:
a client configured to implement the method of any one of claims 1-4;
an authentication server configured to implement the method of any one of claims 5-8;
an application server configured to implement the method of any one of claims 9-10.
15. An electronic device for maintaining a user authentication session, comprising:
one or more processors;
a storage device having one or more programs stored thereon,
when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 1-10.
16. A computer-readable medium, on which a computer program is stored, wherein the program, when executed by a processor, implements the method of any one of claims 1-10.
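The credential lifecycle that claims 1 to 10 describe (issue on the authentication server, verify on the application server, renew, terminate), as an added example in Go that is not the patent's own code and not code of the applicant. It assumes: the "encrypt with the private key, decrypt with the public key" of the claims is realized as an Ed25519 signature, so the service message carries the authentication credential message together with its detached signature (an Ed25519 signature does not embed the message the way an RSA signature with message recovery does); the transport encryption under the negotiated first and second public keys is left out and the messages are passed as plain structs; and the account credential check that precedes issuance is assumed to have already succeeded. The names (AuthCredential, RefreshCredential, SessionCredential, AuthServer, VerifyService and the Err values), the JSON encoding of the credential message, the 16-byte random refresh ID and the user "alice" are all the example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

type (
	// AuthCredential is the authentication credential message: user info plus the credential
	// expiration time (unix seconds). It travels with a detached Ed25519 signature over its bytes.
	AuthCredential struct {
		UserID string
		Exp    int64
	}
	// RefreshCredential is the refresh credential message: a random ID plus the refresh expiration.
	RefreshCredential struct {
		ID  string
		Exp int64
	}
	// SessionCredential is the authentication session credential message returned to the client.
	SessionCredential struct {
		AuthMsg, AuthSig []byte // serialized AuthCredential and the Ed25519 signature over it
		Refresh          RefreshCredential
	}
	refreshRecord struct{ uid string; exp int64 } // server-side copy of an issued refresh credential
)

var ErrRefreshInvalid = errors.New("refresh credential unknown or expired")
var ErrBadSignature = errors.New("authentication credential signature invalid")
var ErrCredExpired = errors.New("authentication credential expired")

// AuthServer holds the signing key and the table of live refresh credentials.
type AuthServer struct {
	priv                ed25519.PrivateKey
	Pub                 ed25519.PublicKey
	refresh             map[string]refreshRecord
	credTTL, refreshTTL time.Duration
}

func NewAuthServer(credTTL, refreshTTL time.Duration) *AuthServer {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand does not fail in practice
	return &AuthServer{priv: priv, Pub: pub, refresh: map[string]refreshRecord{}, credTTL: credTTL, refreshTTL: refreshTTL}
}

// Issue runs after the account credential has been verified: it signs the authentication
// credential message and records a fresh, single-use refresh credential.
func (s *AuthServer) Issue(uid string, now time.Time) *SessionCredential {
	msg, _ := json.Marshal(AuthCredential{UserID: uid, Exp: now.Add(s.credTTL).Unix()})
	var rid [16]byte
	rand.Read(rid[:])
	rc := RefreshCredential{ID: fmt.Sprintf("%x", rid), Exp: now.Add(s.refreshTTL).Unix()}
	s.refresh[rc.ID] = refreshRecord{uid: uid, exp: rc.Exp}
	return &SessionCredential{AuthMsg: msg, AuthSig: ed25519.Sign(s.priv, msg), Refresh: rc}
}

// Renew consumes the refresh credential (single use: deleted even when expired) and, if it was
// still live, issues a new session credential with updated expiration times.
func (s *AuthServer) Renew(rc RefreshCredential, now time.Time) (*SessionCredential, error) {
	rec, ok := s.refresh[rc.ID]
	delete(s.refresh, rc.ID)
	if !ok || now.Unix() >= rec.exp { // rec.exp is the server's copy; the client's rc.Exp is never trusted
		return nil, ErrRefreshInvalid
	}
	return s.Issue(rec.uid, now), nil
}

// Terminate deletes the refresh credential; it fails if the credential is unknown or already expired.
func (s *AuthServer) Terminate(rc RefreshCredential, now time.Time) error {
	rec, ok := s.refresh[rc.ID]
	delete(s.refresh, rc.ID)
	if !ok || now.Unix() >= rec.exp {
		return ErrRefreshInvalid
	}
	return nil
}

// VerifyService is the application server side: it needs only the authentication server's
// public key, verifies the signature before parsing anything, then checks the expiry.
func VerifyService(authPub ed25519.PublicKey, authMsg, sig []byte, now time.Time) (*AuthCredential, error) {
	if !ed25519.Verify(authPub, authMsg, sig) {
		return nil, ErrBadSignature
	}
	var c AuthCredential
	if err := json.Unmarshal(authMsg, &c); err != nil {
		return nil, err
	}
	if now.Unix() >= c.Exp {
		return nil, ErrCredExpired
	}
	return &c, nil
}

func main() {
	auth := NewAuthServer(15*time.Minute, 24*time.Hour)
	sess := auth.Issue("alice", time.Now()) // "alice" is a constructed user
	_, err := VerifyService(auth.Pub, sess.AuthMsg, sess.AuthSig, time.Now())
	fmt.Println("service request:", err, "| termination:", auth.Terminate(sess.Refresh, time.Now()))
}
```

Two properties of the described design show up directly in the code. The application server holds only the authentication server's public key, so it accepts a service request without any call back to the authentication server; that is what makes the authentication credential stateless. The flip side is that termination (claims 4 and 8) deletes only the refresh credential: an authentication credential that has already been issued stays valid at every application server until its own expiration time, so the credential expiration time should be short and the refresh expiration time is what bounds the session's overall lifetime.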
CN202010595867.1A 2020-06-28 2020-06-28 Method and apparatus for maintaining user authentication sessions Pending CN111698264A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010595867.1A CN111698264A (en) 2020-06-28 2020-06-28 Method and apparatus for maintaining user authentication sessions

Publications (1)

Publication Number Publication Date
CN111698264A true CN111698264A (en) 2020-09-22

Family

ID=72483855

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112187780A (en) * 2020-09-25 2021-01-05 杭州涂鸦信息技术有限公司 Safety refreshing method and system for app login session
CN113965296A (en) * 2021-10-20 2022-01-21 北京中科江南信息技术股份有限公司 Message compensation method and device based on heterogeneous systems
CN114710281A (en) * 2022-04-24 2022-07-05 中国工商银行股份有限公司 Method and device for quitting Internet banking system

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030217288A1 (en) * 2002-05-15 2003-11-20 Microsoft Corporation Session key secruity protocol
CN104618362A (en) * 2015-01-23 2015-05-13 华为技术有限公司 Method and device for session message interaction between resource server and client side
CN104754030A (en) * 2015-02-12 2015-07-01 腾讯科技(深圳)有限公司 User information obtaining method and device
CN104980925A (en) * 2015-06-01 2015-10-14 走遍世界(北京)信息技术有限公司 Authentication method and authentication device for user request
CN106295394A (en) * 2016-07-22 2017-01-04 飞天诚信科技股份有限公司 Resource authorization method and system and authorization server and method of work
CN106453396A (en) * 2016-11-18 2017-02-22 传线网络科技(上海)有限公司 Double token account login method and login verification device
CN109379192A (en) * 2018-09-21 2019-02-22 广州小鹏汽车科技有限公司 A kind of login authentication processing method, system and device
CN109639649A (en) * 2018-11-20 2019-04-16 福建亿榕信息技术有限公司 A kind of single-point logging method
CN111030814A (en) * 2019-12-25 2020-04-17 杭州迪普科技股份有限公司 Key negotiation method and device
CN111131242A (en) * 2019-12-24 2020-05-08 北京格林威尔科技发展有限公司 Authority control method, device and system
CN111294354A (en) * 2020-02-04 2020-06-16 北京嗨学网教育科技股份有限公司 Signature verification method, apparatus, device and storage medium for distributed environment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
    Address after: Room 221, 2nd floor, Block C, 18 Kechuang 11th Street, Daxing Economic and Technological Development Zone, Beijing, 100176
    Applicant after: Jingdong Technology Holding Co.,Ltd.
    Address before: Room 221, 2nd floor, Block C, 18 Kechuang 11th Street, Daxing Economic and Technological Development Zone, Beijing, 100176
    Applicant before: Jingdong Digital Technology Holding Co.,Ltd.
CB02 Change of applicant information
    Address after: Room 221, 2nd floor, Block C, 18 Kechuang 11th Street, Daxing Economic and Technological Development Zone, Beijing, 100176
    Applicant after: Jingdong Digital Technology Holding Co.,Ltd.
    Address before: Room 221, 2nd floor, Block C, 18 Kechuang 11th Street, Daxing Economic and Technological Development Zone, Beijing, 100176
    Applicant before: JINGDONG DIGITAL TECHNOLOGY HOLDINGS Co.,Ltd.
RJ01 Rejection of invention patent application after publication
    Application publication date: 20200922