CN111784887A - Authorization releasing method, device and system for user access


Info

Publication number: CN111784887A
Authority: CN (China)
Prior art keywords: authorization, authorization token, access, result, user
Legal status: Pending
Application number: CN201911204353.2A
Other languages: Chinese (zh)
Inventor: 栾宇
Current Assignee: Beijing Jingdong Century Trading Co Ltd; Beijing Wodong Tianjun Information Technology Co Ltd
Original Assignee: Beijing Jingdong Century Trading Co Ltd; Beijing Wodong Tianjun Information Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/088 Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226 ... using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3228 One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key


Abstract

The invention discloses an authorization and release method, device and system for user access, and relates to the field of computer technology. One embodiment of the method comprises: receiving an access request initiated by a user side and sending the access request to the accessed side; receiving an authorization result determined by the accessed side on the basis of the access request, generating an authorization token when the authorization result is that authorization is agreed, and sending the authorization token to the user side, wherein the authorization token comprises an encrypted signature of the authentication center system; and receiving an authorization token that the access control system received from the user side, performing information verification on the information indicated by the authorization token, and sending the information verification result to the access control system, so that the access control system determines a release result on the basis of the information verification result. This implementation achieves the technical effects of effectively avoiding the risks of identity counterfeiting and information leakage, simplifying the authorization process, shortening the time required for authorization, and having wider applicability.

Description

Authorization releasing method, device and system for user access
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a method, an apparatus, and a system for granting authorization to a user for access.
Background
Security access control systems frequently encounter temporary-visitor scenarios, such as couriers delivering goods or customers visiting. Common temporary authorization for passing through the gate is mainly implemented in one of two ways: first, offline communication, in which the visitor communicates with, is confirmed by, and registers with a security worker at the entrance in order to obtain authorization; and second, the visitor submits an application by logging in to a designated system and obtains authorization if the application passes review.
In the process of implementing the invention, the inventor finds that at least the following problems exist in the prior art:
1. offline communication is prone to the risks of identity forgery and information leakage, and the time required for authorization is long;
2. the designated system has a long review time, a complex review process and narrow applicability, and is not suited to scenarios such as residential communities.
Disclosure of Invention
In view of this, embodiments of the present invention provide an authorization and release method, apparatus and system for user access, which can effectively avoid the risks of identity forgery and information leakage, simplify the authorization process, shorten the time required for authorization, and have wider applicability.
To achieve the above object, according to a first aspect of the embodiments of the present invention, there is provided a method for granting a user authorization for access, including:
receiving an access request initiated by a user side, and sending the access request to the accessed side;
receiving an authorization result determined by the accessed side on the basis of the access request, generating an authorization token when the authorization result is that authorization is agreed, and sending the authorization token to the user side, wherein the authorization token comprises an encrypted signature of the authentication center system;
and receiving an authorization token that the access control system received from the user side, performing information verification on the information indicated by the authorization token, and sending the information verification result to the access control system, so that the access control system determines a release result on the basis of the information verification result.
Further, before generating the authorization token, the authorization and release method for user access further includes: confirming that the accessed side has authorization authority.
Further, the authorization token further comprises: the user side number, the accessed side number, the token number and the access time.
According to a second aspect of the embodiments of the present invention, there is provided a method for granting permission to a user for access, including:
receiving an authorization token sent by a user side, and sending the authorization token to an authentication center system for information verification;
and receiving an information verification result sent by the authentication center system, and sending a release result to the user side according to the information verification result.
Further, before the step of sending the authorization token to the authentication center system for information verification, the authorization release method for user access further includes: and confirming that the accessed terminal indicated by the authorization token has authorization authority.
According to a third aspect of the embodiments of the present invention, there is provided an apparatus for granting permission for user access, including:
the access request receiving module is used for receiving an access request initiated by a user side and sending the access request to an accessed side;
the authorization token generation module is used for receiving an authorization result determined by the accessed side on the basis of the access request, generating an authorization token and sending it to the user side when the authorization result is that authorization is agreed, wherein the authorization token comprises an encrypted signature of the authentication center system;
and the information verification module is used for receiving the authorization token received by the access control system from the user side, performing information verification on the information indicated by the authorization token, and sending an information verification result to the access control system so that the access control system determines a release result based on the information verification result.
According to a fourth aspect of the embodiments of the present invention, there is provided an apparatus for granting permission for user access, including:
the authorization token receiving module is used for receiving an authorization token sent by a user side and sending the authorization token to the authentication center system for information verification;
and the releasing module is used for receiving the information verification result sent by the authentication center system and sending the releasing result to the user side according to the information verification result.
According to a fifth aspect of the embodiments of the present invention, there is provided an authorization and release system for user access, including:
the user side is used for initiating an access request to the authentication center system and receiving the authorization token sent by the authentication center system; and for sending the authorization token to the access control system and receiving the release result returned by the access control system;
the authorization and release device for user access provided by the third aspect of the present invention, configured to receive an access request initiated by the user side and send the access request to the accessed side; receive an authorization result determined by the accessed side on the basis of the access request, generate an authorization token when the authorization result is that authorization is agreed, and send the authorization token to the user side, wherein the authorization token comprises an encrypted signature of the authentication center system; and receive an authorization token that the access control system received from the user side, perform information verification on the information indicated by the authorization token, and send the information verification result to the access control system, so that the access control system determines a release result on the basis of the information verification result;
the accessed side is used for receiving the access request sent by the authentication center system, confirming an authorization result on the basis of the access request, and sending the authorization result to the authentication center system;
the authorization and release device for user access provided by the fourth aspect of the present invention, configured to receive the authorization token sent by the user side and send the authorization token to the authentication center system for information verification; and receive the information verification result sent by the authentication center system and send the release result to the user side according to the information verification result.
According to a sixth aspect of the embodiments of the present invention, there is provided a terminal apparatus including:
one or more processors;
a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement a method for granting a user authorization for access as provided in the first or second aspect of the invention.
According to a seventh aspect of embodiments of the present invention, there is provided a computer readable medium having stored thereon a computer program which, when executed by a processor, implements a method of granting permission for user access as provided in any one of the first or second aspects of the present invention.
One embodiment of the above invention has the following advantages or benefits. The technical means adopted are: receiving an access request initiated by a user side and sending it to the accessed side; receiving an authorization result determined by the accessed side on the basis of the access request, generating an authorization token when the authorization result is that authorization is agreed, and sending the authorization token to the user side, wherein the authorization token comprises an encrypted signature of the authentication center system; and receiving an authorization token that the access control system received from the user side, performing information verification on the information indicated by the authorization token, and sending the information verification result to the access control system so that the access control system determines a release result on the basis of the information verification result. These means overcome the technical problems of the prior art, namely that identity is easily counterfeited, information is easily leaked, authorization takes a long time and applicability is narrow, and thereby achieve the technical effects of effectively avoiding the risks of identity counterfeiting and information leakage, simplifying the authorization flow, shortening the time required for authorization, and having wider applicability.
Further effects of the above optional embodiments are described below in connection with the specific embodiments.
Drawings
The drawings are included to provide a better understanding of the invention and are not to be construed as unduly limiting the invention. Wherein:
fig. 1 is a schematic diagram of a main flow of an authorization and release method for user access provided according to a first embodiment of the present invention;
fig. 2 is a schematic diagram of a main flow of an authorization and release method for user access provided according to a second embodiment of the present invention;
FIG. 3 is a schematic diagram of the main modules of an authorized release device for user access provided in accordance with a first embodiment of the present invention;
FIG. 4 is a schematic diagram of the main modules of an authorized release device for user access provided in accordance with a second embodiment of the present invention;
FIG. 5 is a schematic diagram of information interaction between primary devices of an authorized release system for user access provided in accordance with an embodiment of the present invention;
FIG. 6 is an exemplary system architecture diagram in which embodiments of the present invention may be employed;
fig. 7 is a schematic block diagram of a computer system suitable for use in implementing a terminal device or server of an embodiment of the invention.
Detailed Description
Exemplary embodiments of the present invention are described below with reference to the accompanying drawings, in which various details of embodiments of the invention are included to assist understanding, and which are to be considered as merely exemplary. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the invention. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
Fig. 1 is a schematic diagram of the main flow of an authorization and release method for user access provided according to a first embodiment of the present invention; the method is mainly applicable to an authentication center system. As shown in fig. 1, the method for granting a user authorization for access according to this embodiment mainly includes:
step S101, receiving an access request initiated by a user side, and sending the access request to an accessed side.
The method provided by this embodiment of the invention is mainly suited to application scenarios in which a user applies for authorization and release, and in particular to scenarios in which the user applies for temporary authorization (that is, release according to an authorization that is valid for a period of time), such as a user visiting a company or making a delivery within a residential community.
When a user wants to access a place with access control, such as a certain company or a certain residential community, the user side first initiates an access request to the authentication center system; the authentication center system responds to the access request by sending the corresponding access request to the accessed side.
According to this embodiment of the invention, the access request indicates the user side number, the access time and the accessed side number. The user side number and the accessed side number are identifiers representing the identity of the user side or the accessed side, and can be, for example, the mobile phone number or identity card number of the user or of the accessed party; the access time indicates the start and end time of the user's access, and once that time limit is exceeded the authorization is invalid.
Step S102, receiving an authorization result determined by the access terminal based on the access request, generating an authorization token under the condition that the authorization result is the authorization agreement, and sending the authorization token to the user terminal, wherein the authorization token comprises the encrypted signature of the authentication center system.
Specifically, the accessed side decides whether to agree to or refuse the authorization according to the user side number and the access time indicated by the access request, and returns the authorization result to the authentication center system. If the authorization result indicates that authorization is agreed, the authentication center system generates an authorization token. The authorization token comprises the encrypted signature of the authentication center, which prevents the authorization token from being tampered with or forged.
According to an embodiment of the invention, the authorization token further comprises: user side number, accessed side number, token number and access time. The user side number, the accessed side number and the token number are plain texts, and the encrypted signature of the authentication center is a ciphertext.
According to a specific implementation of this embodiment of the present invention, the authorization token is mainly generated using JWT (JSON Web Token, a very lightweight specification that allows safe and reliable information to be transferred between the user and the server) technology, combined with the standards of the OpenID and OAuth protocols.
JWT: an open standard (RFC 7519) based on JSON for transferring claims between network application environments. It is used to transmit information securely between parties as a JSON object and consists mainly of three parts, namely a Header, a Payload and a Signature; because the information is signed, the receiver can verify that the information sent by the sender has not been forged.
OpenID: an open, decentralized, user-centric digital identity framework. It provides an identity authentication method and achieves the effect of distributed authentication.
OAuth: an authorization protocol that provides a secure, open and simple standard for authorizing access to user resources.
According to an embodiment of the invention, the structure of the authorization token is shown in the following table:
[Table (an image in the original, not reproduced here): structure of the authorization token]
The algorithm for the encrypted signature may be an existing algorithm such as HS256 (HMAC with SHA-256).
Further, according to the embodiment of the present invention, before generating the authorization token, the method for authorizing the user to access further includes: and confirming that the accessed terminal has the authorization authority.
After receiving the authorization result, the authentication center system confirms whether the accessed side that issued the authorization result has authorization authority, and generates the authorization token only if the accessed side has authorization authority, thereby further improving the security of the authorization token.
And S103, receiving the authorization token received by the access control system from the user side, performing information verification on the information indicated by the authorization token, and sending an information verification result to the access control system so that the access control system determines a release result based on the information verification result.
After receiving the authorization token sent by the authentication center system, the user chooses a suitable time to visit. Specifically, the user side sends the authorization token to the access control system, and the access control system forwards the received authorization token to the authentication center system for information verification. The information verification includes, as part of the verification step, checking whether the authorization token was issued by the local authentication center system, whether the current access time falls within the access time indicated by the authorization token, and the like. The authentication center system then sends the information verification result (the authorization token is valid, or the authorization token is invalid) to the access control system; if the information verification result shows that the authorization token is valid, the access control system decides to release (let the user through), and if the information verification result shows that the authorization token is invalid, the access control system decides not to release.
According to the technical solution of this embodiment of the invention, the technical means adopted are: receiving an access request initiated by a user side and sending it to the accessed side; receiving an authorization result determined by the accessed side on the basis of the access request, generating an authorization token when the authorization result is that authorization is agreed, and sending the authorization token to the user side, wherein the authorization token comprises an encrypted signature of the authentication center system; and receiving an authorization token that the access control system received from the user side, performing information verification on the information indicated by the authorization token, and sending the information verification result to the access control system so that the access control system determines a release result on the basis of the information verification result. These means overcome the technical problems of the prior art, namely that identity is easily counterfeited, information is easily leaked, authorization takes a long time and applicability is narrow, and thereby achieve the technical effects of effectively avoiding the risks of identity counterfeiting and information leakage, simplifying the authorization flow, shortening the time required for authorization, and having wider applicability.
Fig. 2 is a schematic diagram of a main flow of an authorization and release method for user access according to a second embodiment of the present invention, which is mainly applicable to an access control system; as shown in fig. 2, the method for granting permission to access by a user according to an embodiment of the present invention mainly includes:
step S201, receiving an authorization token sent by a user end, and sending the authorization token to an authentication center system for information verification.
Further, according to the embodiment of the present invention, before the step of sending the authorization token to the authentication center system for information verification, the authorization release method for user access further includes: and confirming that the accessed terminal indicated by the authorization token has authorization authority.
It should be noted that, regarding whether the accessed terminal indicated by the authorization token has the authorization right, the verification may be performed before the authentication center system generates the authorization token, or the verification may be performed after the user terminal sends the authorization token to the access control system. That is, the operation of confirming the authorization authority may be executed at the authentication center system or at the access control system.
And step S202, receiving an information verification result sent by the authentication center system, and sending a release result to the user side according to the information verification result.
According to the authorization token forwarded by the access control system, the authentication center system performs information verification on the information indicated by the authorization token. The information verification includes, as part of the verification step, checking whether the authorization token was issued by the local authentication center system, whether the current access time falls within the access time indicated by the authorization token, and the like. The authentication center system then sends the information verification result (the authorization token is valid, or the authorization token is invalid) to the access control system; if the information verification result shows that the authorization token is valid, the access control system decides to release, and if the information verification result shows that the authorization token is invalid, the access control system decides not to release.
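As an added illustration that is not code from the patent or its assignees, the following Python sketch shows how an authentication center could issue the authorization token of step S102 as an HS256-signed JWT carrying the user side number, accessed side number, token number and access time (the plaintext claims) plus the center's signature, and how the verification of steps S103 and S201-S202 could apply the checks described above: signature, local issuer, access-time window, and the accessed side holding authorization authority. The secret key, issuer identifier and the registry of authorized accessed sides are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed assumptions for the demo: the authentication center's HS256 key, its
# issuer identifier, and a registry of accessed sides that hold authorization authority.
AUTH_CENTER_SECRET = b"constructed-demo-key-not-for-production"
AUTH_CENTER_ISSUER = "auth-center-demo"
AUTHORIZED_ACCESSED_SIDES = {"company-001", "community-017"}


def _b64url_encode(data: bytes) -> str:
    """JWT segments use unpadded base64url."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _hs256(signing_input: bytes, secret: bytes) -> bytes:
    """HS256 = HMAC-SHA256 over 'base64url(header).base64url(payload)'."""
    return hmac.new(secret, signing_input, hashlib.sha256).digest()


def issue_token(user_no: str, accessed_no: str, token_no: str,
                access_start: int, access_end: int, authorization_agreed: bool,
                secret: bytes = AUTH_CENTER_SECRET,
                issuer: str = AUTH_CENTER_ISSUER):
    """Step S102: build the authorization token, or return None when it must not be issued."""
    if not authorization_agreed:
        return None                      # the accessed side refused the request
    if accessed_no not in AUTHORIZED_ACCESSED_SIDES:
        return None                      # the accessed side lacks authorization authority
    if access_end <= access_start:
        return None                      # empty or inverted access window
    header = {"alg": "HS256", "typ": "JWT"}
    # Plaintext claims: user side number, accessed side number, token number, access time.
    payload = {
        "iss": issuer,
        "jti": token_no,
        "user_no": user_no,
        "accessed_no": accessed_no,
        "nbf": access_start,             # access time start (Unix seconds)
        "exp": access_end,               # access time end (Unix seconds)
    }
    h = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = _hs256(f"{h}.{p}".encode("ascii"), secret)
    return f"{h}.{p}.{_b64url_encode(sig)}"


def verify_token(token: str, now: int,
                 secret: bytes = AUTH_CENTER_SECRET,
                 issuer: str = AUTH_CENTER_ISSUER):
    """Step S103: return (valid, reason); the access control system releases only on valid=True."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    h, p, s = parts
    try:
        header = json.loads(_b64url_decode(h))
        payload = json.loads(_b64url_decode(p))
        sig = _b64url_decode(s)
    except ValueError:                   # covers bad base64, bad UTF-8 and bad JSON
        return False, "malformed token"
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return False, "malformed token"
    # Pin the algorithm: the token is never allowed to choose how it is verified.
    if header.get("alg") != "HS256":
        return False, "unexpected algorithm"
    expected = _hs256(f"{h}.{p}".encode("ascii"), secret)
    if not hmac.compare_digest(expected, sig):
        return False, "signature check failed"      # tampered or forged token
    if payload.get("iss") != issuer:
        return False, "not issued by the local authentication center"
    if payload.get("accessed_no") not in AUTHORIZED_ACCESSED_SIDES:
        return False, "accessed side lacks authorization authority"
    nbf, exp = payload.get("nbf"), payload.get("exp")
    if not isinstance(nbf, int) or not isinstance(exp, int) or not nbf <= now <= exp:
        return False, "outside the authorized access time"
    return True, "authorization token is valid"


def release_decision(verification: tuple) -> str:
    """The access control system's release result, derived only from the verification result."""
    return "release" if verification[0] else "do not release"
```

The token number (`jti`) is carried as a plaintext claim so that, as the description leaves open, either the authentication center or the access control system can additionally track tokens that have already been used.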
According to the technical solution of this embodiment of the invention, the technical means adopted are: receiving the authorization token sent by the user side and sending it to the authentication center system for information verification; and receiving the information verification result sent by the authentication center system and sending the release result to the user side according to the information verification result. These means overcome the technical problems of the prior art, namely that identity is easily forged, information is easily leaked, authorization takes a long time and applicability is narrow, and thereby achieve the technical effects of effectively avoiding the risks of identity forgery and information leakage, simplifying the authorization process, shortening the authorization time, and having wider applicability.
Fig. 3 is a schematic diagram of the main modules of an authorization and release device for user access provided according to a first embodiment of the present invention; the device is mainly an authentication center system. As shown in fig. 3, an apparatus 300 for authorizing and releasing user access according to this embodiment of the present invention mainly includes:
an access request receiving module 301, configured to receive an access request initiated by a user side and send the access request to the accessed side.
The device provided by this embodiment of the invention is mainly suited to application scenarios in which a user applies for authorization and release, and in particular to scenarios in which the user applies for temporary authorization (that is, release according to an authorization that is valid for a period of time), such as a user visiting a company or making a delivery within a residential community.
When a user wants to access a place with access control, such as a certain company or a certain residential community, the user side first initiates an access request to the authentication center system; the authentication center system responds to the access request by sending the corresponding access request to the accessed side.
According to this embodiment of the invention, the access request indicates the user side number, the access time and the accessed side number. The user side number and the accessed side number are identifiers representing the identity of the user side or the accessed side, and can be, for example, the mobile phone number or identity card number of the user or of the accessed party; the access time indicates the start and end time of the user's access, and once that time limit is exceeded the authorization is invalid.
An authorization token generation module 302, configured to receive an authorization result determined by the accessed side on the basis of the access request, and, if the authorization result is that authorization is agreed, generate an authorization token and send it to the user side, wherein the authorization token comprises an encrypted signature of the authentication center system.
Specifically, the accessed side decides whether to agree to or refuse the authorization according to the user side number and the access time indicated by the access request, and returns the authorization result to the authentication center system. If the authorization result indicates that authorization is agreed, the authentication center system generates an authorization token. The authorization token comprises the encrypted signature of the authentication center, which prevents the authorization token from being tampered with or forged.
According to an embodiment of the invention, the authorization token further comprises: the user side number, the accessed side number, the token number and the access time. The user side number, the accessed side number and the token number are plaintext, and the encrypted signature of the authentication center is ciphertext.
Further, according to this embodiment of the present invention, the authorization apparatus 300 for user access further includes an authorization authority confirming module, configured to confirm, before the authorization token is generated, that the accessed side has authorization authority.
After receiving the authorization result, the authentication center system confirms whether the accessed side that issued the authorization result has authorization authority, and generates the authorization token only if the accessed side has authorization authority, thereby further improving the security of the authorization token.
The information verification module 303 is configured to receive an authorization token received by the access control system from the user side, perform information verification on information indicated by the authorization token, and send an information verification result to the access control system, so that the access control system determines a release result based on the information verification result.
After receiving the authorization token sent by the authentication center system, the user chooses a suitable time to visit. Specifically, the user side sends the authorization token to the access control system, and the access control system forwards the received authorization token to the authentication center system for information verification. The information verification includes checking whether the authorization token was issued by the local authentication center system, whether the current access time falls within the access time indicated by the authorization token, and the like. The authentication center system then sends the information verification result (the authorization token is valid, or the authorization token is invalid) to the access control system; if the result shows that the authorization token is valid, the access control system decides to release, and if it shows that the authorization token is invalid, the access control system decides not to release.
According to the technical scheme of the embodiment of the invention, the technical means adopted are: receiving an access request initiated by the user side and sending the access request to the accessed side; receiving an authorization result determined by the accessed terminal based on the access request, generating an authorization token if the authorization result is that authorization is approved, and sending the authorization token to the user terminal, where the authorization token includes a cryptographic signature of the authentication center system; and receiving an authorization token that the access control system received from the user side, performing information verification on the information indicated by the authorization token, and sending the information verification result to the access control system so that the access control system determines a release result based on it. These means overcome the technical problems of easy identity counterfeiting, information leakage, long authorization time and narrow applicability in the prior art, and thereby achieve the technical effects of effectively avoiding the risks of identity counterfeiting and information leakage, simplifying the authorization flow, shortening the time required for authorization, and offering greater universality.
Fig. 4 is a schematic diagram of main modules of an authorized release device for user access, which is mainly an access control system, according to a second embodiment of the present invention; as shown in fig. 4, the authorization and release device 400 for user access provided by the present invention mainly includes:
the authorization token receiving module 401 is configured to receive an authorization token sent by a user side, and send the authorization token to the authentication center system for information verification.
Further, according to the embodiment of the present invention, the authorization and release device 400 for user access further includes an authorization authority determination module, which, before the authorization token is sent to the authentication center system for information verification, is configured to confirm that the accessed terminal indicated by the authorization token has authorization authority.
It should be noted that the authorization authority determination module, which confirms that the accessed terminal indicated by the authorization token has authorization authority, may be arranged in the authentication center system and executed before the authorization token is generated, or may be arranged in the access control system and executed before the access control system sends the authorization token to the authentication center system.
The release module 402 is configured to receive the information verification result sent by the authentication center system and send a release result to the user side according to the information verification result.
The authentication center system performs information verification on the information indicated by the authorization token forwarded by the access control system. The information verification includes checking whether the authorization token was issued by the local authentication center system, whether the current access time falls within the access time indicated by the authorization token, and the like. The authentication center system then sends the information verification result (the authorization token is valid, or the authorization token is invalid) to the access control system; if the result shows that the authorization token is valid, the access control system decides to release, and if it shows that the authorization token is invalid, the access control system decides not to release.
According to the technical scheme of the embodiment of the invention, the technical means adopted are: receiving the authorization token sent by the user side and sending it to the authentication center system for information verification; and receiving the information verification result sent by the authentication center system and sending a release result to the user side according to that result. These means overcome the technical problems of easy identity forgery, information leakage, long authorization time and narrow applicability in the prior art, and thereby achieve the technical effects of effectively avoiding the risks of identity forgery and information leakage, simplifying the authorization process, shortening the authorization time and offering greater universality.
It can be understood that, since the method embodiment and the apparatus embodiment are different presentation forms of the same technical concept, the content of the method embodiment portion in the present application should be synchronously adapted to the apparatus embodiment portion, and is not described herein again.
FIG. 5 is a schematic diagram of information interaction between primary devices of an authorized release system for user access provided in accordance with an embodiment of the present invention; as shown in fig. 5, the system for authorizing and releasing user access provided in the embodiment of the present invention mainly includes:
A user side: configured to initiate an access request to the authentication center system and to receive the authorization token sent by the authentication center system; and to send the authorization token to the access control system and receive the release result returned by the access control system.
The method provided by the embodiment of the invention is mainly suitable for application scenarios in which a user applies for authorization and release, and is particularly suitable for scenarios in which the user applies for temporary authorization (that is, release according to an authorization valid for a period of time), such as a user visiting a company or making a delivery within a residential community.
When a user wants to enter a place with access control, such as a company or a residential community, the user first initiates an access request to the authentication center system, and the authentication center responds to the access request by sending the corresponding access request to the accessed terminal.
The authentication center system: configured to receive the access request initiated by the user side and send it to the accessed terminal; to receive an authorization result determined by the accessed terminal based on the access request, generate an authorization token if the authorization result is that authorization is approved, and send the authorization token to the user terminal, where the authorization token includes a cryptographic signature of the authentication center system; and to receive the authorization token sent by the access control system, perform information verification on the information indicated by the authorization token, and send the information verification result to the access control system so that the access control system determines a release result based on it.
According to the embodiment of the invention, the access request indicates the user side number, the access time and the accessed side number. The user side number and the accessed side number are identifiers representing the identity of the user side or the accessed side, and can be, for example, the mobile phone number or identity card number of the user or of the accessed party; the access time indicates the starting and ending time of the user's visit, and if that time limit is exceeded, the authorization is invalid.
Specifically, the accessed terminal decides whether to approve or disapprove the authorization according to the user terminal number and the access time indicated by the access request, and returns the authorization result to the authentication center system. If the authorization result shows that the authorization is approved, the authentication center system generates an authorization token that includes the cryptographic signature of the authentication center, so that tampering with or forging the authorization token is prevented.
According to an embodiment of the invention, the authorization token further comprises: the user side number, the accessed side number, the token number and the access time. The user side number, the accessed side number and the token number are in plaintext, and the cryptographic signature of the authentication center is the ciphertext part.
The accessed terminal: configured to receive the access request sent by the authentication center system, determine the authorization result based on the access request, and send the authorization result to the authentication center system.
An access control system: configured to receive the authorization token sent by the user side and send it to the authentication center system for information verification; and to receive the information verification result sent by the authentication center system and send a release result to the user side according to that result.
After receiving the authorization token sent by the authentication center system, the user chooses a suitable time to visit. Specifically, the user side sends the authorization token to the access control system, and the access control system forwards the received authorization token to the authentication center system for information verification. The information verification includes checking whether the authorization token was issued by the local authentication center system, whether the current access time falls within the access time indicated by the authorization token, and the like. The authentication center system then sends the information verification result (the authorization token is valid, or the authorization token is invalid) to the access control system; if the result shows that the authorization token is valid, the access control system decides to release, and if it shows that the authorization token is invalid, the access control system decides not to release.
It should be noted that the authorization authority determination module, which confirms that the accessed terminal indicated by the authorization token has authorization authority, may be arranged in the authentication center system and executed before the authorization token is generated, or may be arranged in the access control system and executed before the access control system sends the authorization token to the authentication center system.
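The interaction described in this section and in the device embodiment above (access request forwarded to the accessed side, authority check and approval, signed token carrying the plaintext numbers and access time, verification of issuer and time window, release decision), as an added example that is not part of the patent. It assumes integer timestamps, the class names AuthenticationCenter and AccessControlSystem, and models the center's cryptographic signature as an HMAC-SHA256 under a key only the center holds, which is sufficient here because the center itself performs the verification.

```python
import hashlib
import hmac
import json
import secrets


def _canonical(fields: dict) -> bytes:
    """Deterministic encoding of the plaintext token fields covered by the signature."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


class AuthenticationCenter:
    """Model of the authentication center system: forwards requests, issues and verifies tokens.

    Assumption (not stated in the patent): the center's cryptographic signature is modelled as
    HMAC-SHA256 under a key only the center holds, which suffices because the center is the only
    party that verifies tokens; where other parties verify, an asymmetric signature would be used.
    """

    def __init__(self, signing_key: bytes, hosts_with_authority: set):
        self._key = signing_key
        self._hosts_with_authority = hosts_with_authority  # accessed sides allowed to approve
        self._pending = {}    # request id -> access request awaiting the accessed side's decision
        self._issued = set()  # token numbers this center has issued

    # Step 1: the user side initiates an access request; the center forwards it to the accessed side.
    def receive_access_request(self, user_number: str, host_number: str, start: int, end: int) -> str:
        if start >= end:
            raise ValueError("access time must have start < end")
        request_id = secrets.token_hex(8)
        self._pending[request_id] = {"user_number": user_number, "host_number": host_number,
                                     "start": start, "end": end}
        return request_id  # identifies the request when the accessed side answers

    # Step 2: the accessed side returns its authorization result; on approval a signed token is issued.
    def receive_authorization_result(self, request_id: str, host_number: str, approved: bool):
        request = self._pending.pop(request_id, None)
        if request is None:
            return None  # unknown request, or one that was already answered
        if host_number != request["host_number"]:
            return None  # the result must come from the accessed side named in the request
        if host_number not in self._hosts_with_authority:
            return None  # authorization-authority check before any token is generated
        if not approved:
            return None  # disapproved: no token
        fields = dict(request, token_number=secrets.token_hex(8))  # plaintext part of the token
        token = dict(fields, signature=self._sign(fields))         # signature is the ciphertext part
        self._issued.add(fields["token_number"])
        return token

    def _sign(self, fields: dict) -> str:
        return hmac.new(self._key, _canonical(fields), hashlib.sha256).hexdigest()

    # Step 3: the access control system forwards a presented token; the center verifies it.
    def verify(self, token, now: int) -> str:
        """Information verification result: 'valid' or 'invalid'."""
        if not isinstance(token, dict) or "signature" not in token:
            return "invalid"
        fields = {k: v for k, v in token.items() if k != "signature"}
        if set(fields) != {"user_number", "host_number", "start", "end", "token_number"}:
            return "invalid"
        # Issued by this center and untampered: any change to a plaintext field changes the MAC.
        if not hmac.compare_digest(self._sign(fields).encode(), str(token["signature"]).encode()):
            return "invalid"
        if fields["token_number"] not in self._issued:
            return "invalid"  # token number was never issued by this center
        if not fields["start"] <= now <= fields["end"]:
            return "invalid"  # outside the access time carried by the token
        return "valid"


class AccessControlSystem:
    """Model of the access control system: forwards the token and maps the verdict to a release result."""

    def __init__(self, center: AuthenticationCenter):
        self._center = center

    def present_token(self, token, now: int) -> str:
        return "release" if self._center.verify(token, now) == "valid" else "deny"


def run_flow() -> dict:
    """Run the whole flow on constructed sample data and return the outcome of each check."""
    center = AuthenticationCenter(secrets.token_bytes(32), hosts_with_authority={"host-101"})
    gate = AccessControlSystem(center)
    # Constructed visit: user 13800000000 asks to visit host-101 between t=1000 and t=2000.
    req = center.receive_access_request("13800000000", "host-101", 1000, 2000)
    token = center.receive_authorization_result(req, "host-101", approved=True)
    altered = dict(token, user_number="13900000000")  # plaintext changed after issue: MAC no longer matches
    # host-999 has no authorization authority, so its approval must not yield a token.
    req2 = center.receive_access_request("13800000000", "host-999", 1000, 2000)
    return {
        "in_window": gate.present_token(token, 1500),
        "after_window": gate.present_token(token, 2500),
        "altered_token": gate.present_token(altered, 1500),
        "answer_replayed": center.receive_authorization_result(req, "host-101", approved=True),
        "unauthorized_host": center.receive_authorization_result(req2, "host-999", approved=True),
    }
```

Calling run_flow() walks all three steps once and shows that only an unaltered token presented inside its access window yields a release result.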
According to the technical scheme of the embodiment of the invention, the technical means adopted are: receiving an access request initiated by the user side and sending the access request to the accessed side; receiving an authorization result determined by the accessed terminal based on the access request, generating an authorization token if the authorization result is that authorization is approved, and sending the authorization token to the user terminal, where the authorization token includes a cryptographic signature of the authentication center system; and receiving an authorization token that the access control system received from the user side, performing information verification on the information indicated by the authorization token, and sending the information verification result to the access control system so that the access control system determines a release result based on it. These means overcome the technical problems of easy identity counterfeiting, information leakage, long authorization time and narrow applicability in the prior art, and thereby achieve the technical effects of effectively avoiding the risks of identity counterfeiting and information leakage, simplifying the authorization flow, shortening the time required for authorization, and offering greater universality.
Fig. 6 shows an exemplary system architecture 600 to which the method for user access authorization and release or the device for user access authorization and release of embodiments of the present invention may be applied.
As shown in fig. 6, the system architecture 600 may include terminal devices 601, 602, 603, a network 604 and a server 605 (this architecture is merely an example, and the components included in a specific architecture may be adjusted according to the specific application). The network 604 serves to provide a medium for communication links between the terminal devices 601, 602, 603 and the server 605. Network 604 may include various types of connections, such as wire, wireless communication links, or fiber optic cables, to name a few.
A user may use the terminal devices 601, 602, 603 to interact with the server 605 via the network 604 to receive or send messages or the like. The terminal devices 601, 602, 603 may have installed thereon various communication client applications, such as shopping applications, web browser applications, search applications, instant messaging tools, mailbox clients, social platform software, etc. (by way of example only).
The terminal devices 601, 602, 603 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smart phones, tablet computers, laptop portable computers, desktop computers, and the like.
The server 605 may be a server providing various services, such as a background management server (for example only) providing support for shopping websites browsed by users using the terminal devices 601, 602, 603. The backend management server may analyze and perform other processing on the received data such as the access request, and feed back a processing result (for example, an authorization token and an information verification result — just an example) to the terminal device.
It should be noted that the authorization and release method for user access provided by the embodiment of the present invention is generally executed by the server 605, and accordingly, the authorization and release device for user access is generally disposed in the server 605.
It should be understood that the number of terminal devices, networks, and servers in fig. 6 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
Referring now to FIG. 7, shown is a block diagram of a computer system 700 suitable for use with a terminal device implementing an embodiment of the present invention. The terminal device shown in fig. 7 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present invention.
As shown in fig. 7, the computer system 700 includes a Central Processing Unit (CPU)701, which can perform various appropriate actions and processes in accordance with a program stored in a Read Only Memory (ROM)702 or a program loaded from a storage section 708 into a Random Access Memory (RAM) 703. In the RAM 703, various programs and data necessary for the operation of the system 700 are also stored. The CPU 701, the ROM 702, and the RAM 703 are connected to each other via a bus 704. An input/output (I/O) interface 705 is also connected to bus 704.
The following components are connected to the I/O interface 705: an input portion 706 including a keyboard, a mouse, and the like; an output section 707 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage section 708 including a hard disk and the like; and a communication section 709 including a network interface card such as a LAN card, a modem, or the like. The communication section 709 performs communication processing via a network such as the internet. A drive 710 is also connected to the I/O interface 705 as needed. A removable medium 711 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 710 as necessary, so that a computer program read out therefrom is mounted into the storage section 708 as necessary.
In particular, according to the embodiments of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program can be downloaded and installed from a network through the communication section 709, and/or installed from the removable medium 711. The computer program performs the above-described functions defined in the system of the present invention when executed by the Central Processing Unit (CPU) 701.
It should be noted that the computer readable medium shown in the present invention can be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present invention, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present invention, however, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The modules described in the embodiments of the present invention may be implemented by software or hardware. The described modules may also be provided in a processor, which may be described as: a processor includes an access request receiving module, an authorization token generating module, and an information checking module. The names of these modules do not in some cases form a limitation on the modules themselves, for example, the access request receiving module may also be described as a "module for receiving an access request initiated by a user side and sending the access request to a visited side".
As another aspect, the present invention also provides a computer-readable medium that may be contained in the apparatus described in the above embodiments; or may be separate and not incorporated into the device. The computer readable medium carries one or more programs which, when executed by a device, cause the device to comprise: receiving an access request initiated by a user side, and sending the access request to an accessed side; receiving an authorization result determined by the access terminal based on the access request, generating an authorization token under the condition that the authorization result is the authorization agreement, and sending the authorization token to the user terminal, wherein the authorization token comprises an encrypted signature of the authentication center system; and receiving an authorization token received by the access control system from the user side, performing information verification on information indicated by the authorization token, and sending an information verification result to the access control system so that the access control system determines a release result based on the information verification result.
According to the technical scheme of the embodiment of the invention, the technical means adopted are: receiving an access request initiated by the user side and sending the access request to the accessed side; receiving an authorization result determined by the accessed terminal based on the access request, generating an authorization token if the authorization result is that authorization is approved, and sending the authorization token to the user terminal, where the authorization token includes a cryptographic signature of the authentication center system; and receiving an authorization token that the access control system received from the user side, performing information verification on the information indicated by the authorization token, and sending the information verification result to the access control system so that the access control system determines a release result based on it. These means overcome the technical problems of easy identity counterfeiting, information leakage, long authorization time and narrow applicability in the prior art, and thereby achieve the technical effects of effectively avoiding the risks of identity counterfeiting and information leakage, simplifying the authorization flow, shortening the time required for authorization, and offering greater universality.
The above-described embodiments should not be construed as limiting the scope of the invention. Those skilled in the art will appreciate that various modifications, combinations, sub-combinations, and substitutions can occur, depending on design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. A method for authorizing and granting user access, comprising:
receiving an access request initiated by a user side, and sending the access request to an accessed side;
receiving an authorization result determined by the accessed terminal based on the access request, generating an authorization token if the authorization result is that authorization is approved, and sending the authorization token to the user terminal, wherein the authorization token comprises a cryptographic signature of an authentication center system;
and receiving an authorization token received by the access control system from the user side, performing information verification on information indicated by the authorization token, and sending an information verification result to the access control system so that the access control system determines a release result based on the information verification result.
2. The method of claim 1, wherein, prior to generating the authorization token, the method further comprises: confirming that the accessed terminal has authorization authority.
3. The method of claim 1, wherein the authorization token further comprises: user side number, accessed side number, token number and access time.
4. A method for authorizing and granting user access, comprising:
receiving an authorization token sent by a user side, and sending the authorization token to an authentication center system for information verification;
and receiving an information verification result sent by the authentication center system, and sending a release result to the user side according to the information verification result.
5. The method of claim 4, wherein, prior to the step of sending the authorization token to the authentication center system for information verification, the method further comprises: confirming that the accessed terminal indicated by the authorization token has authorization authority.
6. An apparatus for authorizing access by a user, comprising:
the access request receiving module is used for receiving an access request initiated by a user side and sending the access request to an accessed side;
the authorization token generation module is used for receiving an authorization result determined by the accessed terminal based on the access request, and, if the authorization result is that authorization is approved, generating an authorization token and sending the authorization token to the user terminal, wherein the authorization token comprises a cryptographic signature of an authentication center system;
and the information checking module is used for receiving the authorization token received by the access control system from the user side, checking the information indicated by the authorization token, and sending an information checking result to the access control system so that the access control system determines a passing result based on the information checking result.
7. An apparatus for authorizing access by a user, comprising:
the authorization token receiving module is used for receiving an authorization token sent by a user side and sending the authorization token to the authentication center system for information verification;
and the releasing module is used for receiving the information verification result sent by the authentication center system and sending the releasing result to the user side according to the information verification result.
8. An authorized release system for user access, comprising:
the system comprises a user side and a certification center system, wherein the user side is used for initiating an access request to the certification center system and receiving an authorization token sent by the certification center system; sending the authorization token to an access control system, and receiving a clearance result returned by the access control system;
the apparatus for granting permission for user access according to claim 6, configured to receive an access request initiated by a user side, and send the access request to an accessed side; receiving an authorization result determined by the access terminal based on the access request, generating an authorization token under the condition that the authorization result is the authorization agreement, and sending the authorization token to the user terminal, wherein the authorization token comprises a cryptographic signature of a certificate authority system; receiving an authorization token received by the access control system from the user side, performing information verification on information indicated by the authorization token, and sending an information verification result to the access control system so that the access control system determines a release result based on the information verification result;
the access terminal is used for receiving an access request sent by the authentication center system, confirming an authorization result based on the access request and sending the authorization result to the authentication center system;
the user access authorization release device of claim 7, configured to receive an authorization token sent by a user end, send the authorization token to an authentication center system for information verification; and receiving an information verification result sent by the authentication center system, and sending a release result to the user side according to the information verification result.
9. A terminal device, comprising:
one or more processors;
a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 1-3 or claims 4-5.
10. A computer-readable medium, on which a computer program is stored, which program, when being executed by a processor, is adapted to carry out the method of any one of claims 1-3 or 4-5.
CN201911204353.2A 2019-11-29 2019-11-29 Authorization releasing method, device and system for user access Pending CN111784887A (en)


Publications (1)

Publication Number Publication Date
CN111784887A true CN111784887A (en) 2020-10-16

Family

ID=72755754

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911204353.2A Pending CN111784887A (en) 2019-11-29 2019-11-29 Authorization releasing method, device and system for user access

Country Status (1)

Country Link
CN (1) CN111784887A (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112598810A (en) * 2020-12-16 2021-04-02 中国建设银行股份有限公司 Exhibition entrance processing method and device
CN113592695A (en) * 2021-08-06 2021-11-02 国网安徽省电力有限公司电力科学研究院 Identity information security authorization system and method
CN113742711A (en) * 2020-10-20 2021-12-03 北京沃东天骏信息技术有限公司 Container access method and device
WO2022226794A1 (en) * 2021-04-27 2022-11-03 华为技术有限公司 Access method, apparatus and system
CN115439967A (en) * 2022-09-22 2022-12-06 绿漫科技有限公司 Visitor passage verification method and device based on optical communication technology
CN117456646A (en) * 2023-11-23 2024-01-26 江苏南北木屋文化科技有限公司 Intelligent log cabin access control verification method and system based on Internet of things

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103679903A (en) * 2014-01-02 2014-03-26 苏州众天力信息科技有限公司 Access control method based on WeChat
CN105488887A (en) * 2015-12-28 2016-04-13 慧锐通智能科技股份有限公司 Entrance guard access control method
CN105913527A (en) * 2016-05-03 2016-08-31 武汉睿和智云科技有限公司 Intelligent visitor two-dimensional code verification system and intelligent visitor two-dimensional code verification method based on community cloud
CN106652129A (en) * 2016-11-29 2017-05-10 宁波飞拓电器有限公司 Door control system design method based on mobile phone APP (application)
CN106780908A (en) * 2016-12-30 2017-05-31 广州卡趴网络科技有限公司 A kind of gate inhibition's generation objective reservation system
KR20190021571A (en) * 2017-08-23 2019-03-06 주식회사 컴패니언시스템 Access management system and method using QR code

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113742711A (en) * 2020-10-20 2021-12-03 北京沃东天骏信息技术有限公司 Container access method and device
CN112598810A (en) * 2020-12-16 2021-04-02 中国建设银行股份有限公司 Exhibition entrance processing method and device
WO2022226794A1 (en) * 2021-04-27 2022-11-03 华为技术有限公司 Access method, apparatus and system
CN113592695A (en) * 2021-08-06 2021-11-02 国网安徽省电力有限公司电力科学研究院 Identity information security authorization system and method
CN113592695B (en) * 2021-08-06 2024-02-02 国网安徽省电力有限公司电力科学研究院 Identity information security authorization system and method
CN115439967A (en) * 2022-09-22 2022-12-06 绿漫科技有限公司 Visitor passage verification method and device based on optical communication technology
CN117456646A (en) * 2023-11-23 2024-01-26 江苏南北木屋文化科技有限公司 Intelligent log cabin access control verification method and system based on Internet of things
CN117456646B (en) * 2023-11-23 2024-05-07 江苏南北木屋文化科技有限公司 Intelligent log cabin access control verification method and system based on Internet of things

Similar Documents

Publication Publication Date Title
US11665006B2 (en) User authentication with self-signed certificate and identity verification
US10277409B2 (en) Authenticating mobile applications using policy files
CN111784887A (en) Authorization releasing method, device and system for user access
CN113347206B (en) Network access method and device
CN112583834B (en) Method and device for single sign-on through gateway
CN110958119A (en) Identity verification method and device
CN110149354A (en) A kind of encryption and authentication method and device based on https agreement
CN112131599A (en) Method, device, equipment and computer readable medium for checking data
CN113918899A (en) Identity authentication method, certificate holding system and verification system
CN114049122A (en) Service processing method and system
CN114584381A (en) Security authentication method and device based on gateway, electronic equipment and storage medium
CN112905990A (en) Access method, client, server and access system
CN110751467B (en) Digital currency generation method and system
CN113055186B (en) Cross-system service processing method, device and system
CN114186994A (en) Method, terminal and system for using digital currency wallet application
CN110166226B (en) Method and device for generating secret key
CN110619236A (en) File authorization access method, device and system based on file credential information
CN110611656B (en) Identity management method, device and system based on master identity multiple mapping
CN113420331B (en) Method and device for managing file downloading permission
CN110634062B (en) Digital currency quota putting method and system
CN115828309B (en) Service calling method and system
CN110602074B (en) Service identity using method, device and system based on master-slave association
CN110602076B (en) Identity using method, device and system based on master identity multiple authentication
CN116418586A (en) Data docking method and device
CN115499845A (en) Identity recognition method and device based on NFC

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination