CN111835713A - Security authentication method, device and storage medium - Google Patents

Security authentication method, device and storage medium

Info

Publication number
CN111835713A
Authority
CN
China
Prior art keywords
user
authentication
information
request information
terminal
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202010486102.4A
Other languages
Chinese (zh)
Other versions
CN111835713B (en
Inventor
胡贵超
刘闯
王洋
王艳辉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Visionvera Information Technology Co Ltd
Original Assignee
Visionvera Information Technology Co Ltd
Application filed by Visionvera Information Technology Co Ltd
Priority to CN202010486102.4A
Publication of CN111835713A
Application granted
Publication of CN111835713B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/105 Multiple levels of security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiment of the invention provides a security authentication method, a security authentication device and a storage medium. The method comprises: acquiring authentication level information and key carrier identification information corresponding to a user of a second terminal, wherein the authentication level information represents the operation authority level of the user; generating user authentication request information according to the authentication level information, and sending it to the key carrier corresponding to the user according to the key carrier identification information; and receiving the request information to be checked that the key carrier returns in response to the user authentication request information, and performing security authentication on the user according to that request information. The embodiment thereby performs security authentication tailored to users with different operation authority levels, which improves the flexibility of security authentication and the security of the video network.

Description

Security authentication method, device and storage medium
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a security authentication method, device, and storage medium.
Background
The video network is a dedicated network, built on Ethernet hardware, for transmitting high-definition video at high speed using its own protocol; it is a higher-level form of Ethernet and a real-time network.
With the rapid development of video networking services, the application scenarios of video networking are becoming more and more abundant, such as education, medical treatment, e-government, and emergency command. At present the same security authentication mode is applied to every terminal, whether it has a higher or a lower operation authority, and in every application scenario. As long as a terminal has registered with the network management server and the data it transmits conforms to the video networking protocol, it can access the video network and use the corresponding video networking services. As the number and variety of terminals in the video network keep growing, this leaves the video network with a larger potential security hazard.
Disclosure of Invention
In view of the above, embodiments of the present invention are proposed in order to provide a security authentication method, apparatus and storage medium that overcome or at least partially solve the above-mentioned problems.
In order to solve the above problem, according to a first aspect of the embodiments of the present invention, a security authentication method is disclosed, which is applied to a first terminal, and the method includes: acquiring authentication level information and key carrier identification information corresponding to a user of a second terminal, wherein the authentication level information represents an operation authority level of the user; generating user authentication request information according to the authentication level information, and sending the user authentication request information to a key carrier corresponding to the user according to the key carrier identification information; and receiving request information to be checked returned by the key carrier according to the user authentication request information, and performing security authentication on the user according to the request information to be checked.
Optionally, the obtaining authentication level information and key carrier identification information corresponding to the user of the second terminal includes: receiving user identity authentication request information from the second terminal, and judging whether the user is legal or not according to the user identity authentication request information; and under the condition that the user is legal, retrieving to obtain the authentication level information and the key carrier identification information corresponding to the user.
Optionally, the retrieving to obtain the authentication level information and the key carrier identification information corresponding to the user includes: analyzing the user identity authentication request information to obtain user identification information; and retrieving the corresponding authentication level information and the corresponding key carrier identification information according to the user identification information.
Optionally, the generating user authentication request information according to the authentication level information includes: and generating a random number, and generating the user authentication request information according to the random number and the authentication level information.
Optionally, the performing security authentication on the user according to the to-be-checked request information includes: analyzing the request information to be checked to obtain key identification information; retrieving a corresponding digital certificate according to the key identification information; extracting a public key from the digital certificate; carrying out signature verification operation on the request information to be verified by using the public key; allowing the user to log in under the condition that the signature verification operation passes; and when the signature verification operation is not passed, forbidding the user to log in.
According to a second aspect of the embodiments of the present invention, there is also disclosed a security authentication method applied to a key carrier, the method including: receiving user authentication request information from a first terminal, wherein the user authentication request information is generated by the first terminal according to authentication level information corresponding to a user of a second terminal, and the authentication level information represents an operation authority level of the user; and generating request information to be checked according to the user authentication request information, and returning the request information to be checked to the first terminal, wherein the first terminal performs security authentication on the user according to the request information to be checked.
Optionally, the user authentication request information includes a random number, and generating the request information to be checked according to the user authentication request information includes: responding to the authentication operation of the user, and acquiring user identity authentication credential data; and, when the user identity authentication credential data is legal, generating the request information to be checked according to the authentication level information, preset key identification information, the random number and key carrier identification information of the key carrier.
Optionally, the authentication level information includes first information and second information, and generating the request information to be checked according to the authentication level information, the preset key identification information, the random number and the key carrier identification information of the key carrier includes: when the authentication level information is the first information, retrieving a corresponding first private key according to the key identification information, performing a signature operation on the random number and the key carrier identification information with the first private key to obtain first signature data, and taking the first signature data and the private key identification information of the first private key as the request information to be checked.
Optionally, generating the request information to be checked according to the authentication level information, the preset key identification information, the random number and the key carrier identification information of the key carrier includes: when the authentication level information is the second information, retrieving a corresponding second private key according to the key identification information, performing a signature operation on the random number and the key carrier identification information with the second private key to obtain second signature data, and taking the second signature data and the private key identification information of the second private key as the request information to be checked.
According to a third aspect of the embodiments of the present invention, there is also disclosed a security authentication apparatus applied to a first terminal, the apparatus including: an acquisition module for acquiring authentication level information and key carrier identification information corresponding to a user of a second terminal, wherein the authentication level information represents the operation authority level of the user; a first generation module for generating user authentication request information according to the authentication level information and sending the user authentication request information to the key carrier corresponding to the user according to the key carrier identification information; and an authentication module for receiving the request information to be checked returned by the key carrier according to the user authentication request information and performing security authentication on the user according to the request information to be checked.
Optionally, the obtaining module includes: the judging module is used for receiving the user identity authentication request information from the second terminal and judging whether the user is legal or not according to the user identity authentication request information; and the retrieval module is used for retrieving the authentication level information and the key carrier identification information corresponding to the user under the condition that the user is legal.
Optionally, the retrieval module is configured to obtain user identification information by parsing from the user identity authentication request information; and retrieving the corresponding authentication level information and the corresponding key carrier identification information according to the user identification information.
Optionally, the first generating module is configured to generate a random number, and generate the user authentication request information according to the random number and the authentication level information.
Optionally, the authentication module includes: the identification analysis module is used for analyzing the request information to be checked to obtain key identification information; the certificate retrieval module is used for retrieving the corresponding digital certificate according to the key identification information; the public key extraction module is used for extracting a public key from the digital certificate; the signature verification module is used for performing signature verification operation on the request information to be verified by using the public key; the determining module is used for allowing the user to log in under the condition that the signature checking operation passes; and when the signature verification operation is not passed, forbidding the user to log in.
According to a fourth aspect of the embodiments of the present invention, there is also disclosed a security authentication apparatus applied to a key carrier, the apparatus including: a receiving module for receiving user authentication request information from a first terminal, wherein the user authentication request information is generated by the first terminal according to authentication level information corresponding to a user of a second terminal, and the authentication level information represents the operation authority level of the user; and a second generation module for generating request information to be checked according to the user authentication request information and returning the request information to be checked to the first terminal, the first terminal performing security authentication on the user according to the request information to be checked.
Optionally, the user authentication request information includes a random number; the second generation module includes: the credential acquisition module is used for responding to the authentication operation of the user and acquiring user identity authentication credential data; and the request generation module is used for generating the request information to be checked according to the authentication level information, preset key identification information, the random number and the key carrier identification information of the key carrier under the condition that the user identity authentication credential data is legal.
Optionally, the authentication level information includes first information and second information; the request generation module is configured to, when the authentication level information is the first information, retrieve a corresponding first private key according to the key identification information, perform a signature operation on the random number and the key carrier identification information according to the first private key to obtain first signature data, and use the first signature data and the private key identification information of the first private key as the request information to be checked.
Optionally, the request generation module is further configured to, when the authentication level information is the second information, retrieve a corresponding second private key according to the key identification information, perform a signature operation on the random number and the key carrier identification information with the second private key to obtain second signature data, and use the second signature data and the private key identification information of the second private key as the request information to be checked.
In a fifth aspect of the embodiments of the present invention, a device is further disclosed, including: one or more processors; and one or more machine readable media having instructions stored thereon, which when executed by the one or more processors, cause the apparatus to perform a secure authentication method as described in the first or second aspect.
According to a sixth aspect of the embodiments of the present invention, there is also disclosed a computer-readable storage medium storing a computer program for causing a processor to execute the security authentication method according to the first or second aspect.
The embodiment of the invention has the following advantages:
The embodiment of the invention provides a security authentication scheme in which a first terminal acquires authentication level information and key carrier identification information corresponding to a user on a second terminal, the authentication level information representing the operation authority level of that user on the second terminal. The first terminal generates user authentication request information according to the authentication level information and sends it to the key carrier identified by the key carrier identification information. The key carrier generates request information to be checked according to the user authentication request information and returns it to the first terminal, and the first terminal performs security authentication on the user on the second terminal according to that request information.
When the embodiment of the invention performs security authentication on the user on the second terminal, users with different authentication level information are authenticated according to the request information to be checked generated by their own key carrier, so security authentication is realized for users with different operation authority levels; this improves the flexibility of the security authentication and the security of the video network.
Drawings
FIG. 1 is a flow chart of the steps of one embodiment of a security authentication method of the present invention;
FIG. 2 is a flow diagram of the steps of another secure authentication method embodiment of the present invention;
FIG. 3 is a schematic diagram of a video telephone service implementation scheme based on video networking according to the present invention;
FIG. 4 is a schematic diagram of the steps of a security authentication method based on video network according to the present invention;
FIG. 5 is a block diagram of a security authentication device according to an embodiment of the present invention;
FIG. 6 is a block diagram of another embodiment of a security authentication apparatus according to the present invention;
FIG. 7 is a block diagram of a video telephone service implementation system based on video networking according to the present invention.
Detailed Description
In order to make the aforementioned objects, features and advantages of the present invention comprehensible, embodiments accompanied with figures are described in further detail below.
In the security authentication scheme provided by the embodiment of the invention, a user on the second terminal requests to log in to the first terminal; the second terminal responds to the user's login request operation by sending user identity authentication request information to the first terminal. The first terminal acquires, according to the user identity authentication request information, the authentication level information and key carrier identification information corresponding to the user on the second terminal. The authentication level information represents the user's operation authority level, and the key carrier identification information identifies the key carrier that collects the user's identity authentication credential data. The key carrier has completed bidirectional authentication with the network management server. The first terminal generates user authentication request information according to the authentication level information and sends it to the key carrier; the key carrier collects the user's identity authentication credential data, returns request information to be checked to the first terminal according to that credential data, and the first terminal performs security authentication on the user according to the request information to be checked.
Referring to fig. 1, a flow chart of steps of an embodiment of a security authentication method of the present invention is shown, which may be applied in a first terminal. The embodiment of the present invention does not specifically limit the type, model, configuration, state, operating system, and the like of the first terminal. In addition, the embodiment of the present invention does not specifically limit the network environment where the first terminal is located. The method specifically comprises the following steps:
step 101, obtaining authentication level information and key carrier identification information corresponding to a user of a second terminal.
In an embodiment of the invention, a user on the second terminal requests to log in to the first terminal by entering login request information on the second terminal. The login request information may include user identification information, terminal identification information of the first terminal, and the like. The second terminal may generate user identity authentication request information according to the login request information; the user identity authentication request information may include the user identification information and the like. In practical applications, the user identification information may be a user name, a user number, a mobile phone number, or the like. The user identity authentication request information and the login request information may be message data in JSON (JavaScript Object Notation) format. The embodiment of the present invention does not specifically limit the content, format, type, etc. of the user identification information.
The user on the second terminal has a corresponding operation authority, and the authentication level information corresponding to the user indicates the user's operation authority level. The user on the second terminal also has a corresponding key carrier, which may correspond to the user, to the second terminal, or to both. The key carrier can collect the user's identity authentication credential data, which may include fingerprint data, facial feature data and the like; the embodiment of the invention does not specifically limit the content, format, type, etc. of the identity authentication credential data. The key carrier identification information uniquely identifies the key carrier; it may be a number, an IP address, a physical address, or the like, and its content, format and type are likewise not specifically limited in the embodiment of the present invention.
Step 102, generating user authentication request information according to the authentication level information, and sending the user authentication request information to the key carrier corresponding to the user according to the key carrier identification information.
In the embodiment of the invention, the user authentication request information containing the authentication level information can be generated, the position of the key carrier is determined according to the key carrier identification information, and the user authentication request information is sent to the key carrier. The key carrier can generate the request information to be checked according to the authentication level information in the user authentication request information.
Step 103, receiving the request information to be checked returned by the key carrier according to the user authentication request information, and performing security authentication on the user according to the request information to be checked.
In the embodiment of the invention, after receiving the request information to be checked, the first terminal carries out security authentication on the user according to the request information to be checked. If the authentication is passed, allowing the user of the second terminal to log in the first terminal through the second terminal; and if the authentication is not passed, prohibiting the user of the second terminal from logging in the first terminal through the second terminal.
The embodiment of the invention provides a security authentication scheme in which a first terminal acquires authentication level information and key carrier identification information corresponding to a user on a second terminal, the authentication level information representing the operation authority level of that user on the second terminal. The first terminal generates user authentication request information according to the authentication level information and sends it to the key carrier identified by the key carrier identification information. The key carrier generates request information to be checked according to the user authentication request information and returns it to the first terminal, and the first terminal performs security authentication on the user on the second terminal according to that request information.
When the embodiment of the invention performs security authentication on the user on the second terminal, users with different authentication level information are authenticated according to the request information to be checked generated by their own key carrier, so security authentication is realized for users with different operation authority levels; this improves the flexibility of the security authentication and the security of the video network.
In an exemplary embodiment of the present invention, in step 101 the first terminal may receive the user identity authentication request information from the second terminal and determine from it whether the user is legitimate; when the user is legitimate, it retrieves the authentication level information and key carrier identification information corresponding to the user. To judge legitimacy, the first terminal extracts the user identification information from the user identity authentication request information and checks whether it is present in the legal user database: if the user database contains the user identification information, the user is considered legitimate; if it does not, the user is considered illegitimate. When the user is legitimate, the user database is further searched for the authentication level information and key carrier identification information corresponding to the user identification information.
In an exemplary embodiment of the present invention, in step 102 the first terminal may generate a random number and a time stamp. The random number may satisfy GB/T 32915-2016 (Information security technology: randomness detection method for binary sequences) and NIST SP 800-22. The time stamp ensures the freshness of the user authentication request information and may satisfy the GB/T 20519-2006 time stamp specification. The user authentication request information is then generated from the random number, the time stamp and the authentication level information.
In an exemplary embodiment of the present invention, in step 103 the key identification information is parsed from the request information to be checked; it originates from the key carrier. The first terminal retrieves the corresponding digital certificate from the certificate database according to the key identification information, extracts the public key from the digital certificate, and performs the signature verification operation on the request information to be checked using that public key. If the signature verification passes, the user is allowed to log in; if it does not pass, the user is prohibited from logging in.
As part of the signature verification, the random number is also extracted from the request information to be checked and compared with the random number generated in step 102: the verification passes only if the signature is valid under the public key and the two random numbers are identical; if the random numbers differ, the verification fails. User login is likewise prohibited when no digital certificate can be retrieved from the certificate database.
Referring to fig. 2, a flow chart of steps of another embodiment of the security authentication method of the present invention is shown, which may be applied in a key carrier. The method specifically comprises the following steps:
step 201, receiving user authentication request information from a first terminal.
In the embodiment of the present invention, the user authentication request information may be generated by the first terminal according to the authentication level information corresponding to the user of the second terminal, and the specific generation process may refer to the related description of step 102, which is not described herein again.
Step 202, generating request information to be checked according to the user authentication request information, and returning the request information to be checked to the first terminal.
In an embodiment of the present invention, after receiving the user authentication request information, the key carrier may prompt the user of the second terminal to input user identity authentication credential data. The key carrier responds to the user's authentication operation by acquiring the user identity authentication credential data and verifying its validity; when the credential data is legal, it generates the request information to be checked according to the authentication level information, the preset key identification information, the random number and the key carrier identification information of the key carrier. The validity check compares the presented user identity authentication credential data with the stored credential data: if they are consistent, the credential data is considered legal; if they are not, it is considered illegal.
The authentication level information may include first information and second information. The first information may indicate that the user has a lower operation authority level, and the second information that the user has a higher operation authority level. When the key carrier generates the request information to be checked, it may first determine whether the authentication level information is the first information or the second information.
When the authentication level information is the first information, the corresponding first private key can be retrieved according to the key identification information, then the random number and the key carrier identification information are signed according to the first private key to obtain first signature data, and the first signature data and the private key identification information of the first private key are used as the request information to be checked.
When the authentication level information is the second information, the corresponding second private key can be retrieved according to the key identification information, then the random number and the key carrier identification information are signed according to the second private key to obtain second signature data, and the second signature data and the private key identification information of the second private key are used as the request information to be checked.
After the key carrier generates the request information to be checked, it sends the request information to be checked to the first terminal, and the first terminal can perform security authentication on the user of the second terminal according to the request information to be checked.
Based on the above description of the security authentication method, a video telephony service implementation scheme based on video networking is introduced below. As shown in fig. 3, fig. 3 is a schematic diagram of a video telephony service implementation scheme based on video networking. The video telephone service implementation scheme involves a terminal a and a server c in a video network located at A, a terminal b and a server d in a video network located at B, and a certificate distribution server. The specific operation flow of the terminal a and the terminal b for the videophone service is as follows:
after the terminal a and the terminal b register in their respective video networks, each needs to apply for a digital certificate from the certificate distribution server. The digital certificate attests to the identity of terminal a and terminal b: it marks the identity information of each communication party and can be used to identify the other party. Before the videophone service is performed, the terminal a and the terminal b need to determine that each other's identity is safe and reliable according to the above security authentication method. If the terminal a determines that the terminal b passes the authentication, it exchanges a key with the terminal b, and the key is used for subsequent data encryption. In practical application, the party actively initiating the video telephone service corresponds to the second terminal, and the party passively receiving the video telephone service corresponds to the first terminal. After the terminal a and the terminal b have authenticated each other, all data except the video networking protocol is encrypted and decrypted with the key they exchanged.
As shown in fig. 4, fig. 4 is a schematic diagram illustrating steps of a security authentication method based on a video network.
Step 401, when the client receives the login request information of the user, the client sends the user identity authentication request information to the server.
The user identity authentication request information includes user identification information and the like. The user identification information may be a job number, a mobile phone number, etc. The login request information and the user identity authentication request information may be message data in JSON format.
Step 402, the server receives and parses the user identity authentication request information to obtain the user identification information, and judges whether the user identification information is legal according to the registered user information. If it is not legal, go to step 403; if it is legal, go to step 404.
In step 403, the server side prompts the client that the login request information is wrong, and requests the user to input the login request information again.
In step 404, the server retrieves the corresponding key carrier identification information and authentication level information according to the user identification information, generates a challenge value at the same time, and composes a user authentication request message according to the key carrier identification information, the authentication level information and the challenge value.
The key carrier corresponding to the key carrier identification information and the authentication level information are associated with the user during registration. The authentication level information can be an authentication level mark with two values, a basic level and an enhanced level: the basic level suits users with ordinary security requirements and limited operation authority, and the enhanced level suits users with higher security requirements and richer operation authority. The key carrier can be a UKey, such as a smart cryptographic key with a screen and buttons, or a mobile smart terminal supporting multiple authentication modes, such as a mobile phone.
The challenge value generated by the server side can be a random number meeting GB/T 32915-2016 (Information security technology: Binary sequence randomness detection method), or a random number meeting NIST SP 800-22.
Step 405, the server forwards the user authentication request information unchanged to the key carrier.
The user authentication request information includes the authentication level identification, the challenge value, and a timestamp. The timestamp ensures the freshness of the user authentication request information and should meet the requirements of GB/T 20519-2006 (time stamp specification).
And step 406, the key carrier receives the user authentication request information sent by the server, and starts the authentication module to prompt the user to enter the user identity authentication credential data.
The key carrier can support various authentication modes, such as a Personal Identification Number (PIN) code or a fingerprint, and the user inputs the corresponding user identity authentication credential data according to the prompt of the authentication module.
Step 407, the key carrier judges the validity of the user identity authentication credential data input by the user. If it is legal, go to step 408; if not, go to step 406.
If the user identity authentication credential data input by the user is illegal, a threshold (for example, no more than 6 attempts) should be set on the number of illegal attempts when the user re-enters the data; once the threshold is exceeded, the key carrier is locked and an administrator must be contacted to unlock it.
Step 408, the key carrier determines whether the authentication level identification is the basic level or the enhanced level. If it is the enhanced level, go to step 409; if it is the basic level, go to step 412.
Step 409, the key carrier prompts the user for interactive confirmation and waits.
Following the prompt, the user can confirm by pressing a button, by voice, or by another confirmation method.
In step 410, the key carrier determines whether the user has performed a confirmation operation, if yes, step 411 is performed, and if not, step 409 is performed.
Step 411, the key carrier enables the interactive signature.
The key carrier retrieves the corresponding interactive private key according to the key identification information, digitally signs the challenge value, and combines the signature with the identification information of the interactive private key to generate the request information to be checked (01).
Step 412, the key carrier enables the common signature.
The key carrier retrieves the corresponding common private key according to the key identification information, digitally signs the challenge value, and combines the signature with the identification information of the common private key to generate the request information to be checked (02).
In step 413, the key carrier sends the request information to be verified to the server.
Step 414, the server receives and parses the request information to be checked to obtain the identification information of the interactive private key or of the common private key, and retrieves the corresponding digital certificate according to that identification information.
Step 415, the server extracts the public key from the corresponding digital certificate and verifies the digital signature; if verification fails, go to step 416, and if it succeeds, go to step 417.
In step 416, the server returns an error prompt to the client, and the client jumps to step 401.
In step 417, the server returns a success prompt to the client, and executes step 418.
At step 418, the user is allowed to log in, and the process ends.
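The key carrier side of steps 201-202 and the challenge-response flow of steps 404-415, as an added Go example that is not part of the patent or the applicant's code: the carrier checks the PIN with a lockout counter, picks the common or interactive key by authentication level (the interactive key only after user confirmation), signs the challenge together with its own identifier, and the server resolves the key id to the enrolled public key and verifies the signature. ECDSA P-256, the key id format `<carrier id>/<level>`, the two-minute freshness bound and the check in `Verify` that the signing key matches the requested level are assumptions added here, not details from the page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"strings"
	"time"
)

const (
	LevelBasic      = "basic"         // the page's "first information": signed with the common key
	LevelEnhanced   = "enhanced"      // the page's "second information": interactive key plus user confirmation
	maxPINFailures  = 6               // page: lock the carrier once the failure threshold (e.g. 6) is exceeded
	challengeMaxAge = 2 * time.Minute // constructed freshness bound for the timestamp; the page gives none
)

// AuthRequest is the server's user authentication request (steps 404-405).
type AuthRequest struct {
	Level     string
	Challenge []byte // random challenge value, 32 bytes from crypto/rand in practice
	Timestamp time.Time
}

// SignedResponse is the carrier's request information to be checked: signature plus private key id.
type SignedResponse struct {
	KeyID     string // "<carrier id>/<level>", resolves to the enrolled public key (assumed format)
	Signature []byte // ECDSA over SHA-256(challenge || carrier id)
}

// KeyCarrier models the UKey: PIN hash, one private key per level, and a lockout counter.
type KeyCarrier struct {
	ID       string
	pinHash  [32]byte
	keys     map[string]*ecdsa.PrivateKey // level -> private key
	failures int
	Locked   bool
}

// NewKeyCarrier generates a common and an interactive key pair; ECDSA P-256 is an assumption.
func NewKeyCarrier(id, pin string) *KeyCarrier {
	kc := &KeyCarrier{ID: id, pinHash: sha256.Sum256([]byte(pin)), keys: map[string]*ecdsa.PrivateKey{}}
	for _, level := range []string{LevelBasic, LevelEnhanced} {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			panic(err)
		}
		kc.keys[level] = k
	}
	return kc
}

// signedMessage binds the challenge to the key carrier identification information, as the page describes.
func signedMessage(challenge []byte, carrierID string) []byte {
	h := sha256.Sum256(append(append([]byte{}, challenge...), carrierID...))
	return h[:]
}

// Respond runs steps 406-413: check the credential, choose the key by level, sign the challenge.
func (kc *KeyCarrier) Respond(req AuthRequest, pin string, confirmed bool) (*SignedResponse, error) {
	if h := sha256.Sum256([]byte(pin)); kc.Locked || subtle.ConstantTimeCompare(h[:], kc.pinHash[:]) != 1 {
		if kc.failures++; kc.failures > maxPINFailures {
			kc.Locked = true // from here on only an administrator can unlock the carrier
		}
		return nil, errors.New("invalid credential or key carrier locked")
	}
	kc.failures = 0
	key, ok := kc.keys[req.Level]
	if !ok || (req.Level == LevelEnhanced && !confirmed) { // steps 408-410: level selects key and confirmation
		return nil, fmt.Errorf("level %q unknown or not confirmed by the user", req.Level)
	}
	sig, err := ecdsa.SignASN1(rand.Reader, key, signedMessage(req.Challenge, kc.ID))
	if err != nil {
		return nil, err
	}
	return &SignedResponse{KeyID: kc.ID + "/" + req.Level, Signature: sig}, nil
}

// Server holds the public keys enrolled at user registration, standing in for the certificate store.
type Server struct{ keys map[string]*ecdsa.PublicKey }

func NewServer() *Server { return &Server{keys: map[string]*ecdsa.PublicKey{}} }

// Register enrols both of a carrier's public keys under their key ids.
func (s *Server) Register(kc *KeyCarrier) {
	for level, k := range kc.keys {
		s.keys[kc.ID+"/"+level] = &k.PublicKey
	}
}

// Verify is steps 414-415, plus added checks that the challenge is fresh and the key matches the level.
func (s *Server) Verify(req AuthRequest, resp *SignedResponse) bool {
	pub, ok := s.keys[resp.KeyID]
	carrierID, level, _ := strings.Cut(resp.KeyID, "/")
	if !ok || level != req.Level || time.Since(req.Timestamp) > challengeMaxAge {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedMessage(req.Challenge, carrierID), resp.Signature)
}
```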
The embodiment of the invention provides a security authentication scheme, wherein a first terminal acquires authentication level information and key carrier identification information corresponding to a user on a second terminal, wherein the authentication level information represents an operation authority level of the user on the second terminal. And the first terminal generates user authentication request information according to the authentication level information and sends the user authentication request information to the key carrier according to the key carrier identification information. And the key carrier generates and returns request information to be checked to the first terminal according to the user authentication request information, and the first terminal performs security authentication on the user on the second terminal according to the request information to be checked.
When the embodiment of the invention is used for carrying out security authentication on the user on the second terminal, the security authentication is carried out on the user with different authentication level information according to the request information to be checked and generated by the key carrier corresponding to the user, so that the security authentication on the user with different operation authority levels is realized, the flexibility of the security authentication is improved, and the security of the video network is improved.
It should be noted that, for simplicity of description, the method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present invention is not limited by the illustrated order of acts, as some steps may occur in other orders or concurrently in accordance with the embodiments of the present invention. Further, those skilled in the art will appreciate that the embodiments described in the specification are presently preferred and that no particular act is required to implement the invention.
Referring to fig. 5, a block diagram of a security authentication apparatus according to an embodiment of the present invention is shown, where the apparatus may be applied in a first terminal, and the apparatus may specifically include the following modules:
an obtaining module 51, configured to obtain authentication level information and key carrier identification information corresponding to a user of a second terminal, where the authentication level information indicates an operation permission level that the user has;
a first generating module 52, configured to generate user authentication request information according to the authentication level information, and send the user authentication request information to a key carrier corresponding to the user according to the key carrier identification information;
and the authentication module 53 is configured to receive request information to be checked returned by the key carrier according to the user authentication request information, and perform security authentication on the user according to the request information to be checked.
In an exemplary embodiment of the present invention, the obtaining module 51 includes:
the judging module is used for receiving the user identity authentication request information from the second terminal and judging whether the user is legal or not according to the user identity authentication request information;
and the retrieval module is used for retrieving the authentication level information and the key carrier identification information corresponding to the user under the condition that the user is legal.
In an exemplary embodiment of the present invention, the retrieving module is configured to parse the user identification information from the user identity authentication request information; and retrieving the corresponding authentication level information and the corresponding key carrier identification information according to the user identification information.
In an exemplary embodiment of the present invention, the first generating module 52 is configured to generate a random number, and generate the user authentication request information according to the random number and the authentication level information.
In an exemplary embodiment of the present invention, the authentication module 53 includes:
the identification parsing module is used for parsing the request information to be checked to obtain key identification information;
the certificate retrieval module is used for retrieving the corresponding digital certificate according to the key identification information;
the public key extraction module is used for extracting a public key from the digital certificate;
the signature verification module is used for performing signature verification operation on the request information to be verified by using the public key;
the determining module is used for allowing the user to log in under the condition that the signature checking operation passes; and when the signature verification operation is not passed, forbidding the user to log in.
Referring to fig. 6, a block diagram of another embodiment of the security authentication apparatus of the present invention is shown, where the apparatus may be applied to a key carrier, and the apparatus may specifically include the following modules:
a receiving module 61, configured to receive user authentication request information from a first terminal, where the user authentication request information is generated by the first terminal according to authentication level information corresponding to a user of a second terminal, and the authentication level information indicates an operation permission level that the user has;
and a second generating module 62, configured to generate request information to be checked according to the user authentication request information, and return the request information to be checked to the first terminal, where the first terminal is configured to perform security authentication on the user according to the request information to be checked.
In an exemplary embodiment of the present invention, the user authentication request information includes a random number; the second generating module 62 includes:
the credential acquisition module is used for responding to the authentication operation of the user and acquiring user identity authentication credential data;
and the request generation module is used for generating the request information to be checked according to the authentication level information, preset key identification information, the random number and the key carrier identification information of the key carrier under the condition that the user identity authentication credential data is legal.
In an exemplary embodiment of the present invention, the authentication level information includes first information and second information; the request generation module is configured to, when the authentication level information is the first information, retrieve a corresponding first private key according to the key identification information, perform a signature operation on the random number and the key carrier identification information according to the first private key to obtain first signature data, and use the first signature data and the private key identification information of the first private key as the request information to be checked.
In an exemplary embodiment of the present invention, the request generating module is further configured to, when the authentication level information is the second information, retrieve a corresponding second private key according to the key identification information, perform a signature operation on the random number and the key carrier identification information according to the second private key to obtain second signature data, and use the second signature data and the private key identification information of the second private key as the request information to be checked.
For the device embodiment, since it is basically similar to the method embodiment, the description is simple, and for the relevant points, refer to the partial description of the method embodiment.
Referring to fig. 7, a block diagram of a video telephone service implementation system based on video networking according to the present invention is shown. The system may include a terminal a and a terminal b, where the terminal a acts as the client side of the security authentication and the terminal b acts as the server side.
After the terminal a accesses the network, its security identity identification module interacts with the distribution module of the certificate distribution server to obtain the digital certificate of the terminal a. Likewise, after the terminal b accesses the network, its security identity identification module interacts with the distribution module of the certificate distribution server to obtain the digital certificate of the terminal b.
The terminal a and the terminal b need to mutually determine that the identities of each other are safe and reliable, and if the identities of the terminal a and the terminal b are both safe and reliable, the terminal a and the terminal b exchange keys for subsequent data encryption.
After the terminal a and the terminal b negotiate the key pair for encryption, the data for performing the video telephone service can be communicated only after being encrypted. The data module of the terminal a acquires the encrypted video telephone data and transmits the video telephone data to the scheduling module of the terminal a, and the scheduling module of the terminal a transmits the video telephone data to the scheduling module of the video networking server. The scheduling module of the video networking server transmits the video telephone data of the terminal a to the scheduling module of the terminal b, and the scheduling module of the terminal b transmits the received video telephone data to the data module of the terminal b. And the data module of the terminal b decrypts the received video telephone data. Similarly, the process of transmitting the encrypted videophone data to the terminal a by the terminal b and decrypting the received videophone data by the terminal a may refer to the above description, and will not be described herein again.
It should be noted that the security identity module of the video network server also needs to interact with the distribution module of the certificate distribution server to obtain the digital certificate of the security identity module. Moreover, the data module of the video network server can receive the video telephone data of the terminal a and the terminal b from the scheduling module of the video network server, and perform processing such as monitoring and storage.
The embodiments in the present specification are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, apparatus, or computer program product. Accordingly, embodiments of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
Embodiments of the present invention are described with reference to flowchart illustrations and/or block diagrams of methods, terminal devices (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing terminal to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing terminal, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing terminal to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing terminal to cause a series of operational steps to be performed on the computer or other programmable terminal to produce a computer implemented process such that the instructions which execute on the computer or other programmable terminal provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications of these embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all such alterations and modifications as fall within the scope of the embodiments of the invention.
Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or terminal that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or terminal. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or terminal that comprises the element.
The security authentication method, device and storage medium provided by the present invention are introduced in detail, and a specific example is applied in the text to explain the principle and the implementation of the present invention, and the description of the above embodiment is only used to help understanding the method and the core idea of the present invention; meanwhile, for a person skilled in the art, according to the idea of the present invention, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present invention.

Claims (13)

1. A security authentication method applied to a first terminal, the method comprising:
acquiring authentication level information and key carrier identification information corresponding to a user of a second terminal, wherein the authentication level information represents an operation authority level of the user;
generating user authentication request information according to the authentication level information, and sending the user authentication request information to a key carrier corresponding to the user according to the key carrier identification information;
and receiving request information to be checked returned by the key carrier according to the user authentication request information, and performing security authentication on the user according to the request information to be checked.
2. The method of claim 1, wherein the obtaining authentication level information and key carrier identification information corresponding to the user of the second terminal comprises:
receiving user identity authentication request information from the second terminal, and judging whether the user is legal or not according to the user identity authentication request information;
and under the condition that the user is legal, retrieving to obtain the authentication level information and the key carrier identification information corresponding to the user.
3. The method of claim 2, wherein the retrieving the authentication level information and the key carrier identification information corresponding to the user comprises:
analyzing the user identity authentication request information to obtain user identification information;
and retrieving the corresponding authentication level information and the corresponding key carrier identification information according to the user identification information.
4. The method of claim 1, wherein the generating user authentication request information according to the authentication level information comprises:
and generating a random number, and generating the user authentication request information according to the random number and the authentication level information.
5. The method according to claim 1, wherein the securely authenticating the user according to the request information to be checked comprises:
analyzing the request information to be checked to obtain key identification information;
retrieving a corresponding digital certificate according to the key identification information;
extracting a public key from the digital certificate;
carrying out signature verification operation on the request information to be verified by using the public key;
allowing the user to log in under the condition that the signature verification operation passes; and when the signature verification operation is not passed, forbidding the user to log in.
6. A secure authentication method applied to a key carrier, the method comprising:
receiving user authentication request information from a first terminal, wherein the user authentication request information is generated by the first terminal according to authentication level information corresponding to a user of a second terminal, and the authentication level information represents an operation authority level of the user;
and generating request information to be checked according to the user authentication request information, and returning the request information to be checked to the first terminal, wherein the first terminal is used for carrying out security authentication on the user according to the request information to be checked.
7. The method according to claim 6, wherein the user authentication request information includes a random number; the generating of the request information to be checked according to the user authentication request information includes:
responding to the authentication operation of the user, and acquiring user identity authentication credential data;
and under the condition that the user identity authentication certificate data is legal, generating the request information to be checked according to the authentication level information, preset key identification information, the random number and key carrier identification information of the key carrier.
8. The method according to claim 7, wherein the authentication level information includes first information and second information; the generating the request information to be checked according to the authentication level information, the preset key identification information, the random number and the key carrier identification information of the key carrier comprises:
when the authentication level information is the first information, retrieving a corresponding first private key according to the key identification information, performing signature operation on the random number and the key carrier identification information according to the first private key to obtain first signature data, and taking the first signature data and the private key identification information of the first private key as the request information to be checked.
9. The method according to claim 8, wherein the generating the request information to be verified according to the authentication level information, preset key identification information, the random number and key carrier identification information of the key carrier comprises:
and when the authentication level information is the second information, retrieving a corresponding second private key according to the key identification information, performing signature operation on the random number and the key carrier identification information according to the second private key to obtain second signature data, and taking the second signature data and the private key identification information of the second private key as the request information to be checked.
10. A security authentication apparatus, applied to a first terminal, the apparatus comprising:
the acquisition module is used for acquiring authentication level information and key carrier identification information corresponding to a user of a second terminal, wherein the authentication level information represents the operation authority level of the user;
the first generation module is used for generating user authentication request information according to the authentication level information and sending the user authentication request information to a key carrier corresponding to the user according to the key carrier identification information;
and the authentication module is used for receiving the request information to be checked returned by the key carrier according to the user authentication request information and carrying out security authentication on the user according to the request information to be checked.
11. A security authentication apparatus, applied to a key carrier, the apparatus comprising:
the receiving module is used for receiving user authentication request information from a first terminal, wherein the user authentication request information is generated by the first terminal according to authentication level information corresponding to a user of a second terminal, and the authentication level information represents the operation authority level of the user;
and the second generation module is used for generating request information to be checked and signed according to the user authentication request information and returning the request information to be checked and signed to the first terminal, the first terminal being used for performing security authentication of the user according to the request information to be checked and signed.
12. An apparatus, comprising:
one or more processors; and
one or more machine-readable media having instructions stored thereon that, when executed by the one or more processors, cause the apparatus to perform the method of any of claims 1-5 or cause the apparatus to perform the method of any of claims 6-9.
13. A computer-readable storage medium, characterized in that it stores a computer program that causes a processor to perform the method of any of claims 1 to 5 or causes the processor to perform the method of any of claims 6 to 9.
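The exchange that claims 8 to 11 describe, as an added example written for this page (it is not code from the patent or its assignee): a key carrier holds one private key per authentication level, signs the terminal's random number together with its own key carrier identification, and returns the signature data with the identification of the key it used; the first terminal then checks that signature with the public key registered under that key identification. The Ed25519 choice, the type and function names, the nonce||carrierID message layout, the key identification scheme and the terminal's single-use bookkeeping of random numbers are all assumptions; the claims fix neither a signature algorithm nor a message encoding.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// AuthLevel is the claims' "authentication level information": the user's operation authority level.
type AuthLevel int
const LevelFirst, LevelSecond AuthLevel = 1, 2 // "first information" / "second information"

type AuthRequest struct { // user authentication request information sent to the key carrier
	Level AuthLevel
	Nonce []byte // the claims' random number
}

type SignedResponse struct { // request information to be checked and signed
	KeyID     string // private key identification information
	Signature []byte // signature data
}

// signedMessage is the byte string that gets signed: random number || carrier identification (layout assumed).
func signedMessage(nonce []byte, carrierID string) []byte {
	return append(append([]byte{}, nonce...), carrierID...)
}

// KeyCarrier models the token holding one private key per authority level.
type KeyCarrier struct {
	CarrierID  string
	keyByLevel map[AuthLevel]string          // level -> key identification
	privKeys   map[string]ed25519.PrivateKey // key identification -> private key
}

// Sign retrieves the private key selected by the level and signs nonce||carrierID with it.
func (kc *KeyCarrier) Sign(req AuthRequest) (SignedResponse, error) {
	keyID, ok := kc.keyByLevel[req.Level]
	if !ok {
		return SignedResponse{}, errors.New("no key for requested level")
	}
	return SignedResponse{KeyID: keyID, Signature: ed25519.Sign(kc.privKeys[keyID], signedMessage(req.Nonce, kc.CarrierID))}, nil
}

// Terminal models the first terminal; pending (issued, unconsumed random numbers) is a replay guard added here.
type Terminal struct {
	pubKeys  map[string]ed25519.PublicKey // key identification -> public key
	keyLevel map[string]AuthLevel         // key identification -> level it is authorised for
	pending  map[string]bool
}

func (t *Terminal) NewRequest(level AuthLevel) AuthRequest {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // no usable entropy source: a challenge must not be issued
	}
	t.pending[string(nonce)] = true
	return AuthRequest{Level: level, Nonce: nonce}
}

// Verify performs the security authentication; the random number is consumed on first use whatever the outcome.
func (t *Terminal) Verify(req AuthRequest, carrierID string, resp SignedResponse) error {
	nk := string(req.Nonce)
	defer delete(t.pending, nk)
	pub, registered := t.pubKeys[resp.KeyID]
	switch {
	case !t.pending[nk]:
		return errors.New("unknown or already-used random number")
	case !registered:
		return errors.New("unregistered key identification")
	case t.keyLevel[resp.KeyID] != req.Level:
		return errors.New("key not authorised for requested level")
	case !ed25519.Verify(pub, signedMessage(req.Nonce, carrierID), resp.Signature):
		return errors.New("signature check failed")
	}
	return nil
}

// Provision creates a carrier with one key per level and a terminal that trusts those keys.
func Provision(carrierID string) (*KeyCarrier, *Terminal) {
	kc := &KeyCarrier{CarrierID: carrierID, keyByLevel: map[AuthLevel]string{}, privKeys: map[string]ed25519.PrivateKey{}}
	t := &Terminal{pubKeys: map[string]ed25519.PublicKey{}, keyLevel: map[string]AuthLevel{}, pending: map[string]bool{}}
	for _, lvl := range []AuthLevel{LevelFirst, LevelSecond} {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		keyID := fmt.Sprintf("%s/key%d", carrierID, lvl) // constructed key identification scheme
		kc.keyByLevel[lvl], kc.privKeys[keyID] = keyID, priv
		t.pubKeys[keyID], t.keyLevel[keyID] = pub, lvl
	}
	return kc, t
}

func main() {
	kc, t := Provision("carrier-0001") // constructed carrier identification
	req := t.NewRequest(LevelSecond)
	resp, _ := kc.Sign(req)
	fmt.Println("level-2 authentication error:", t.Verify(req, kc.CarrierID, resp))
}
```

Two checks in Verify carry the weight of the two-level design. The terminal must confirm that the key identification in the response is one it has registered for exactly the level it asked for; otherwise a response signed with the first-level key would satisfy a second-level request and the levels would collapse into one. Binding the signature to the carrier identification and consuming each random number on first use means a captured response is useless against another carrier or a later request, which is what the random number in the claims is there to provide.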
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010486102.4A CN111835713B (en) 2020-06-01 2020-06-01 Security authentication method, device and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010486102.4A CN111835713B (en) 2020-06-01 2020-06-01 Security authentication method, device and storage medium

Publications (2)

Publication Number Publication Date
CN111835713A true CN111835713A (en) 2020-10-27
CN111835713B CN111835713B (en) 2023-09-15

Family

ID=72897530

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010486102.4A Active CN111835713B (en) 2020-06-01 2020-06-01 Security authentication method, device and storage medium

Country Status (1)

Country Link
CN (1) CN111835713B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100332820A1 (en) * 2008-02-25 2010-12-30 Hideki Matsushima Information security device and information security system
CN106936761A (en) * 2015-12-29 2017-07-07 株式会社日立制作所 Secure login authentication method and system based on QR code and hardware information
US20180191501A1 (en) * 2016-12-31 2018-07-05 Nok Nok Labs, Inc. System and method for sharing keys across authenticators
CN109328348A (en) * 2016-09-30 2019-02-12 华为技术有限公司 Service authentication method, system and related device
JP6571847B1 (en) * 2018-09-03 2019-09-04 笠衆實業有限公司 Intelligent vehicle electronic key system
CN110505198A (en) * 2019-07-05 2019-11-26 中国平安财产保险股份有限公司 Verification request method, apparatus, computer equipment and storage medium
CN110879880A (en) * 2019-10-24 2020-03-13 南京东科优信网络安全技术研究院有限公司 Password device for user to autonomously control data security level protection

Also Published As

Publication number Publication date
CN111835713B (en) 2023-09-15

Similar Documents

Publication Publication Date Title
CN107332808B (en) Cloud desktop authentication method, server and terminal
Kim et al. A design of user authentication system using QR code identifying method
CN106330850B (en) Security verification method based on biological characteristics, client and server
CN108834144B (en) Method and system for managing association of operator number and account
RU2458481C2 (en) Method and system for trusted third party-based two-way object identification
CN110086608A (en) User authentication method, device, computer equipment and computer-readable storage medium
CN111414599A (en) Identity authentication method, device, terminal, server and readable storage medium
CN114900338B (en) Encryption and decryption method, device, equipment and medium
CN111901346B (en) Identity authentication system
CN110417790B (en) Block chain real-name system queuing system and method
KR101451359B1 (en) User account recovery
CN105099690A (en) OTP and user behavior-based certification and authorization method in mobile cloud computing environment
CN111800378A (en) Login authentication method, device, system and storage medium
US9954853B2 (en) Network security
CN112383401B (en) User name generation method and system for providing identity authentication service
US20150328119A1 (en) Method of treating hair
KR102372503B1 (en) Method for providing authentification service by using decentralized identity and server using the same
CN115842680B (en) Network identity authentication management method and system
CN109462572B (en) Multi-factor authentication method, system, storage medium and security gateway based on encryption card and UsbKey
CN110995661B (en) Network card platform
JP4426030B2 (en) Authentication apparatus and method using biometric information
CN108667801A (en) Internet of Things access identity security authentication method and system
CN116112242B (en) Unified safety authentication method and system for power regulation and control system
CN105071993B (en) Encryption state detection method and system
CN111835713B (en) Security authentication method, device and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant