CN111901290B - Identity authentication method and device - Google Patents
- Publication number: CN111901290B (application CN202010494072.1A)
- Authority: CN (China)
- Prior art keywords: permission information, management interface, access request, authentication, authorization permission
- Prior art date
- Legal status: Active
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/12—Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
Abstract
The application provides an identity authentication method and device, wherein the method comprises the following steps: a proxy gateway built into the Internet of things equipment receives an access request sent to a management interface of the Internet of things equipment; if the access request does not contain authorization permission information, the access request is sent to an authentication entrance of the management interface, and the authorization permission information issued by the management interface is cached and forwarded to the visitor; and if the access request contains authorization permission information and the authorization permission information matches the authorization permission information cached by the proxy gateway, the access request is sent to the requested management interface address.
Description
[ technical field ]
The present application relates to the field of computer application technologies, and in particular, to a method and an apparatus for identity authentication.
[ background of the invention ]
This section is intended to provide a background or context to the embodiments of the application that are recited in the claims. The description herein is not admitted to be prior art by inclusion in this section.
The Internet of things (IoT) is an information carrier based on the Internet, traditional telecommunication networks, etc., which allows all common physical objects that can be addressed independently to form an inter-working network. With the development of IoT technology, a large number of IoT terminals are connected to the Internet, but because the market has grown so quickly, the security protection of IoT terminals still has many weak points. In the IoT vulnerability ranking newly published by the international organization OWASP (Open Web Application Security Project), insecure network services and insecure ecosystem interfaces, both caused by imprecise identity authentication, rank second and third respectively. Therefore, innovating in IoT identity authentication can effectively reduce the attack surface of IoT equipment and reduce IoT security threats.
[ summary of the invention ]
In view of the above, the present application provides a method and an apparatus for identity authentication, so as to reduce IoT security threats.
The specific technical scheme is as follows:
in a first aspect, the present application provides a method for identity authentication, including:
a proxy gateway built into the Internet of things equipment receives an access request sent to a management interface of the Internet of things equipment;
if the access request does not contain authorization permission information, the access request is sent to an authentication entrance of the management interface; caching and forwarding the authorization permission information issued by the management interface to an accessor;
and if the access request contains authorization permission information and the authorization permission information is matched with the cached authorization permission information of the proxy gateway, sending the access request to the requested management interface address.
According to a preferred embodiment of the present application, the proxy gateway is built in the internet of things device in the form of an executable file.
According to a preferred embodiment of the present application, the access request includes:
the visitor triggers an access request sent to a management interface of the Internet of things equipment on other equipment; or,
and the visitor triggers an access request sent to a management interface of the Internet of things equipment on the Internet of things equipment.
According to a preferred embodiment of the present application, before caching and forwarding the authorization permission information issued by the management interface to the visitor, the method further includes:
forwarding an identity authentication interface provided by an authentication inlet of the management interface to the visitor;
and forwarding the identity information input by the visitor on the identity authentication interface to the management interface so that the management interface authenticates the identity authentication information and sends authorization permission information.
According to a preferred embodiment of the present application, the method further comprises:
and if the access request contains authorization permission information and the authorization permission information is not matched with the authorization permission information cached by the proxy gateway, sending the access request to an authentication inlet of the management interface, or returning an authentication failure response.
According to a preferred embodiment of the present application, the method further comprises:
and the authorization permission information cached by the proxy gateway is deleted after the validity period is reached.
In a second aspect, the present application further provides an identity authentication apparatus, where the apparatus is built in an internet of things device, and the apparatus includes: the system comprises a first interaction unit, a cooperative authentication unit and a second interaction unit;
the first interaction unit is used for receiving an access request sent to a management interface of the Internet of things equipment;
the cooperative authentication unit is configured to trigger the second interaction unit to send the access request to the authentication entry of the management interface if it is determined that the access request does not include authorization permission information; if the access request contains authorization permission information and the authorization permission information is matched with the cached authorization permission information, triggering the second interaction unit to send the access request to the requested management interface address;
the second interaction unit is configured to send the access request to an authentication entry of the management interface under the trigger of the cooperative authentication unit; receiving authorization permission information issued by the management interface and providing the authorization permission information to the cooperative authentication unit; sending the access request to the requested management interface address under the trigger of the cooperative authentication unit;
the cooperative authentication unit is further configured to cache authorization permission information issued by the management interface and trigger the first interaction unit to forward the authorization permission information to an accessor;
the first interaction unit is further configured to forward the authorization permission information to the visitor under the trigger of the cooperative authentication unit.
According to a preferred embodiment of the present application, the apparatus is built in the internet of things device in the form of an executable file.
According to a preferred embodiment of the present application, before caching the authorization permission information issued by the management interface, the cooperative authentication unit is further configured to trigger the first interaction unit to forward an identity authentication interface provided by an authentication entry of the management interface to the visitor;
the first interaction unit is further configured to forward the identity authentication interface to the visitor under the trigger of the cooperative authentication unit; receiving identity information input by the visitor on the identity authentication interface;
the second interaction unit is further configured to forward the identity information input by the visitor on the identity authentication interface to the management interface, so that the management interface authenticates the identity authentication information and sends authorization permission information.
According to a preferred embodiment of the present application, the cooperative authentication unit is further configured to trigger the second interaction unit to send the access request to the authentication entry of the management interface, or trigger the first interaction unit to return an authentication failure response, if the access request includes authorization permission information and the authorization permission information does not match with the authorization permission information cached by the proxy gateway.
In a third aspect, the present application further provides an apparatus, comprising:
one or more processors;
a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the method as described above.
In a fourth aspect, the present application also provides a storage medium containing computer-executable instructions for performing the method as described above when executed by a computer processor.
According to the technical scheme, the proxy gateway built in the IoT equipment can intercept and capture the access request sent to the management interface of the IoT equipment, and the access request which does not contain the authorization permission information is sent to the authentication inlet of the management interface, so that the management interface performs identity authentication on an accessor and sends the authorization permission information; access to the requested management interface address is allowed for access requests containing the correct authorization permission information. Through the cooperative authentication of the proxy gateway, a malicious visitor can be prevented from bypassing the identity authentication of the management interface and directly accessing the management interface, and the IoT security threat is reduced.
[ description of the drawings ]
FIG. 1 is a diagram of a system architecture provided by an embodiment of the present application;
FIG. 2 is a flow chart of a method provided by an embodiment of the present application;
FIG. 3 is a block diagram of an apparatus according to an embodiment of the present disclosure;
FIG. 4 illustrates a block diagram of an exemplary computer system/server suitable for use in implementing embodiments of the present invention.
[ detailed description ]
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in detail below with reference to the accompanying drawings and specific embodiments.
At present, when a management interface of some types of IoT devices is accessed, identity authentication needs to be performed through an identity authentication interface provided by the management interface, and only an accessor who passes the identity authentication can access the management interface smoothly. However, some malicious visitors may find the vulnerability of the management interface, thereby directly accessing the management interface by bypassing the identity authentication. In view of the above, a core idea of the present application is to embed a proxy gateway in an IoT device, where the proxy gateway is located in an intermediate position between an accessor and a management interface, acquire an access request sent by the accessor to the management interface, and perform cooperative identity authentication to determine whether to allow the access request to be sent to the management interface. The corresponding system architecture diagram can be as shown in fig. 1, and the method provided in the present application is described in detail below with reference to the embodiments.
Fig. 2 is a flowchart of a method provided in an embodiment of the present application, where the method is executed by a proxy gateway built into an IoT device. The IoT devices referred to in this application may be various IoT terminal-class devices, IoT network connection devices, IoT server devices, and so on. The IoT terminal-class devices may include, but are not limited to, various smart home devices, smart transportation devices, smart wearable-class devices, smart medical devices, smart security devices, and the like. The IoT network connection devices may include, but are not limited to, intelligent relay devices, switching devices, routers, and the like. As shown in fig. 2, the method includes:
in 201, a proxy gateway built into an IoT device receives an access request sent to a management interface of the IoT device.
In the present method and device, a proxy gateway is additionally placed in front of the management interface inside the IoT device; the proxy gateway can be installed in the IoT device in the form of an executable file. The proxy gateway is responsible for monitoring and intercepting access requests sent to the management interface and executing the processing of the subsequent steps.
The management interface of the IoT device in this application may include a portal responsible for registering a visitor, a portal responsible for authenticating the identity of a visitor, an interface responsible for forwarding an access request to other devices or websites, and so on. That is, in the present application, the interfaces responsible for the functional management of the IoT device are collectively referred to as the management interface. When a visitor needs to use a specific function of the IoT device, the visitor needs to access the management interface address corresponding to that function and send a corresponding access request to that address in order to use the function. For example, when a visitor needs to register, the visitor needs to access the registration entry of the management interface and perform identity registration on the registration interface provided by the management interface. For another example, when the visitor needs to perform identity authentication, the visitor needs to access the authentication entry of the management interface and perform identity authentication on the identity authentication interface provided by the management interface. For another example, when the visitor needs to access a specific web page by using the IoT device, the visitor needs to access the forwarding interface address of the IoT device management interface, and the forwarding interface of the management interface forwards the url request. The specific functions listed here are not intended to be exhaustive.
In addition, the above-described visitor may trigger on other devices to send a request to the IoT device to access the management interface of the IoT device. For example, when a visitor is to use a smart tv access router, the visitor triggers on the smart tv to send an access request to the management interface of the router.
The visitor may also trigger on the IoT device to send an access request to the management interface of the IoT device. For example, when a visitor wants to view a privacy space on a smart television, the visitor triggers sending an access request to a management interface of the smart television on an interface provided by the smart television.
In 202, judging whether the access request contains authorization permission information, if not, executing 203; otherwise 205 is performed.
For the case that the visitor first accesses the management interface of the IoT device, the authorization permission information is not included in its access request. In the case where the visitor accesses the management interface of the IoT device again after performing the subsequent steps 203 and 204, the authorization permission information is included in the access request.
That is, if authorization permission information issued by the management interface of the IoT device is locally stored in the visitor, the authorization permission information may be carried in the access request sent to the management interface. If the authorization permission information issued by the management interface of the IoT device is not stored locally, the authorization permission information is not carried in the access request sent to the management interface.
At 203, the access request is sent to the authentication portal of the management interface.
For access requests which do not contain authorization permission information, the access requests are redirected to an authentication entry of the management interface by the proxy gateway. After the access request is sent to the authentication entrance, the authentication entrance of the management interface provides an identity authentication interface for the visitor. The proxy gateway forwards the identity authentication interface provided by the authentication inlet of the management interface to the visitor, and forwards the identity information input by the visitor on the identity authentication interface to the management interface, so that the management interface authenticates the identity authentication information. For the visitor who passes the authentication, the management interface issues authorization permission information, and for the visitor who fails the authentication, a response of authentication failure can be returned.
The identity information entered by the visitor on the identity authentication interface may be identity information that the visitor previously registered on the IoT device. For example, the identity information may be a user name, a password, etc.
The authorization permission information issued by the management interface may be signature information, a token, a password, a character string, etc.; the specific form of the authorization permission information is not limited in the present application.
In 204, the authorization permission information issued by the management interface is cached and forwarded to the visitor, and the visitor waits for sending the request for accessing the management interface of the IoT device again, and the process goes to execute step 201.
After receiving the authorization permission information issued to the visitor by the management interface of the IoT device, the proxy gateway caches the authorization permission information in an authentication cache in the system shown in fig. 1. And the authorization permission information is forwarded to the visitor, so that the authorization permission information can be carried in the access request sent again by the visitor.
In addition, the authorization permission information cached by the proxy gateway can have a certain validity period and is deleted after the authorization permission information reaches the validity period.
In 205, judging whether the authorization permission information contained in the access request is matched with the authorization permission information cached by the proxy gateway, if so, executing 206; otherwise 207 is performed.
In 206, the access request is allowed to access the management interface address requested by the access request, and the current process is ended.
For the management interface, after receiving the access request, the management interface may also perform verification by using the authorization permission information included in the access request; if it is consistent with the issued authorization permission information, verification passes and the management interface performs the corresponding function according to the access request. For example, if the visitor wants to access a specific url, the access request for that url is forwarded through the corresponding forwarding interface after verification passes. For another example, if the visitor wants to access the private space of the smart television, the visitor is allowed to access the private space of the smart television after verification passes.
At 207, an authentication failure response is returned.
If the access request contains the authorization permission information, whether the authorization permission information is consistent with the authorization permission information cached by the proxy gateway or not can be further compared, and if so, the access request is sent to the requested management interface address so as to realize the function to be accessed by the access request. If not, the authorization permission information may be considered to be spoofed, and an authentication failure response may be returned directly to the visitor. Alternatively, if not, the authorization permission information may be considered to have expired, so that the access request may be redirected to the authentication entry of the management interface again for identity authentication to retrieve the authorization permission information, that is, go to step 203 (in this case, not shown in fig. 2).
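The flow of steps 201 to 207 above, written out as a small simulation. This is an added example, not code from the patent or from any product: the management interface stand-in, the `/auth` path, the username and password, the token format and the validity period are all constructed for illustration. The proxy gateway redirects requests without authorization permission information to the authentication entry, caches what the management interface issues after a successful login, compares the permission information carried by later requests against that cache, deletes cached entries once their validity period is reached, and on a mismatch either returns an authentication failure response or redirects to the authentication entry again (both branches described in step 207).

```python
"""Added example: proxy gateway performing cooperative authentication in front of
an IoT management interface (steps 201-207).  All names, paths and sample
credentials are constructed for illustration; they are not from the patent."""
import hmac
import secrets
import time

AUTH_ENTRY = "/auth"   # assumed path of the management interface's authentication entry


class ManagementInterface:
    """Constructed stand-in for the device's management interface."""

    def __init__(self, users):
        self.users = users      # username -> password (constructed sample data)
        self.issued = set()     # authorization permission information it has issued

    def authenticate(self, username, password):
        """Authenticate identity information; issue a random token on success."""
        expected = self.users.get(username)
        if expected is None or not hmac.compare_digest(expected, password):
            return None
        token = secrets.token_urlsafe(32)
        self.issued.add(token)
        return token

    def handle(self, path, token):
        """Serve a management interface address; verifies the token again itself (step 206)."""
        if token not in self.issued:
            return (401, "authentication failed")
        return (200, f"served {path}")


class ProxyGateway:
    """Proxy gateway built into the IoT device (steps 201-207)."""

    def __init__(self, mgmt, ttl_seconds=300, reauth_on_mismatch=False):
        self.mgmt = mgmt
        self.ttl = ttl_seconds
        self.reauth_on_mismatch = reauth_on_mismatch   # step 207: re-authenticate or fail
        self.cache = {}                                 # token -> expiry time

    def _purge_expired(self, now):
        # Cached permission information is deleted once its validity period is reached.
        for tok in [t for t, exp in self.cache.items() if exp <= now]:
            del self.cache[tok]

    def handle_request(self, path, token=None, now=None):
        """Step 201: intercept an access request; returns the (status, body) the visitor sees."""
        now = time.monotonic() if now is None else now
        self._purge_expired(now)
        if token is None:                               # step 202 -> 203
            return (302, AUTH_ENTRY)
        # Step 205: compare against the cache in constant time.
        if any(hmac.compare_digest(token, cached) for cached in self.cache):
            return self.mgmt.handle(path, token)        # step 206
        # Step 207: unknown (possibly forged) or expired permission information.
        if self.reauth_on_mismatch:
            return (302, AUTH_ENTRY)
        return (401, "authentication failed")

    def login(self, username, password, now=None):
        """Steps 203/204: forward identity information, cache and hand back what is issued."""
        now = time.monotonic() if now is None else now
        token = self.mgmt.authenticate(username, password)
        if token is not None:
            self.cache[token] = now + self.ttl
        return token


def demo():
    """Walk through first access, login, authorised access, a forged token, and expiry."""
    mgmt = ManagementInterface({"admin": "correct horse"})     # constructed credentials
    gw = ProxyGateway(mgmt, ttl_seconds=60)
    first = gw.handle_request("/settings", now=0)              # no token: redirected to /auth
    token = gw.login("admin", "correct horse", now=1)          # issued and cached
    ok = gw.handle_request("/settings", token=token, now=2)    # matches cache: served
    forged = gw.handle_request("/settings", token="not-issued", now=3)
    expired = gw.handle_request("/settings", token=token, now=100)   # past validity period
    return {"first": first, "ok": ok, "forged": forged, "expired": expired,
            "bad_login": gw.login("admin", "wrong", now=1)}
```

The `now` parameter exists only so that the validity period can be exercised deterministically; in a real gateway the clock would not be caller-supplied. Note that after expiry the management interface's own `issued` set would still accept the token, which is why the gateway, not only the interface, must enforce the validity period.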
The above is a detailed description of the method provided in the present application, and the following is a detailed description of the apparatus provided in the present application with reference to the embodiments.
Fig. 3 is a structural diagram of an apparatus provided in an embodiment of the present application, where the apparatus is built in an IoT device, and the apparatus is built in the IoT device in the form of an executable file to implement the function of a proxy gateway in the method. As shown in fig. 3, the apparatus may include: a first interaction unit 01, a cooperative authentication unit 02 and a second interaction unit 03. The main functions of each constituent unit are as follows:
the first interaction unit 01 receives an access request sent by a visitor to a management interface of an IoT device.
The visitor described above may trigger on the other device to send a request to the IoT device to access the management interface of the IoT device. The visitor may also trigger on the IoT device to send an access request to the management interface of the IoT device.
If the cooperative authentication unit 02 judges that the access request does not contain the authorization permission information, the second interaction unit 03 is triggered to send the access request to the authentication entry of the management interface; if the access request includes the authorization permission information and the authorization permission information matches with the cached authorization permission information, the second interaction unit 03 is triggered to send the access request to the requested management interface address.
The second interaction unit 03 sends the access request to the authentication entry of the management interface under the trigger of the cooperative authentication unit 02; receiving the authorization permission information issued by the management interface and providing the authorization permission information to the cooperative authentication unit 02; the access request is sent to the requested management interface address under the trigger of the cooperative authentication unit 02.
The cooperative authentication unit 02 caches the authorization permission information issued by the management interface and triggers the first interaction unit 01 to forward the authorization permission information to the visitor.
The first interaction unit 01 forwards the authorization permission information to the visitor under the trigger of the cooperative authentication unit 02.
Further, the cooperative authentication unit 02 triggers the first interaction unit 01 to forward the identity authentication interface provided by the authentication entry of the management interface to the visitor before caching the authorization permission information issued by the management interface.
The first interaction unit 01 forwards the identity authentication interface to the visitor under the trigger of the cooperative authentication unit 02; and receiving identity information input by the visitor on the identity authentication interface.
The identity information entered by the visitor on the identity authentication interface may be identity information that the visitor previously registered on the IoT device. For example, the identity information may be a user name, a password, etc.
The second interaction unit 03 forwards the identity information input by the visitor on the identity authentication interface to the management interface, so that the management interface authenticates the identity authentication information and sends authorization permission information.
The authorization permission information issued by the management interface may be signature information, a token, a password, a character string, etc.; the specific form of the authorization permission information is not limited in the present application.
The cooperative authentication unit 02 is further configured to trigger the second interaction unit 03 to send the access request to the authentication entry of the management interface, or trigger the first interaction unit 01 to return an authentication failure response, if the access request includes the authorization permission information and the authorization permission information does not match the authorization permission information cached by the proxy gateway.
In addition, the authorization permission information cached by the proxy gateway may have a certain validity period, and is deleted by the cooperative authentication unit 02 after the authorization permission information reaches the validity period.
According to the technical scheme, through the cooperative authentication of the proxy gateway, malicious visitors can be prevented from bypassing the identity authentication of the management interface and directly accessing the management interface, and the IoT security threat is reduced. The method is easy to implement, and can effectively prevent the vulnerability of unauthorized access to the management interface.
Fig. 4 illustrates a block diagram of an exemplary computer system/server 012 suitable for use in implementing embodiments of the invention. The computer system/server 012 shown in fig. 4 is only an example, and should not bring any limitation to the function and the scope of use of the embodiment of the present invention.
As shown in fig. 4, the computer system/server 012 is embodied as a general purpose computing device. The components of computer system/server 012 may include, but are not limited to: one or more processors or processing units 016, a system memory 028, and a bus 018 that couples various system components including the system memory 028 and the processing unit 016.
Computer system/server 012 typically includes a variety of computer system readable media. Such media may be any available media that is accessible by computer system/server 012 and includes both volatile and nonvolatile media, removable and non-removable media.
Program/utility 040 having a set (at least one) of program modules 042 can be stored, for example, in memory 028, such program modules 042 including, but not limited to, an operating system, one or more application programs, other program modules, and program data, each of which examples or some combination thereof might include an implementation of a network environment. Program modules 042 generally perform the functions and/or methodologies of embodiments of the present invention as described herein.
The computer system/server 012 may also communicate with one or more external devices 014 (e.g., keyboard, pointing device, display 024, etc.). In the present invention, the computer system/server 012 communicates with an external radar device, and may also communicate with one or more devices that enable a user to interact with the computer system/server 012, and/or with any device (e.g., network card, modem, etc.) that enables the computer system/server 012 to communicate with one or more other computing devices. Such communication may occur through an input/output (I/O) interface 022. Also, the computer system/server 012 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network such as the internet) via the network adapter 020. As shown, the network adapter 020 communicates with the other modules of the computer system/server 012 via bus 018. It should be appreciated that although not shown in fig. 4, other hardware and/or software modules may be used in conjunction with computer system/server 012, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
The processing unit 016 executes programs stored in the system memory 028, thereby executing various functional applications and data processing, such as implementing the method flow provided by the embodiment of the present invention.
The computer program described above may be provided in a computer storage medium encoded with a computer program that, when executed by one or more computers, causes the one or more computers to perform the method flows and/or apparatus operations shown in the above-described embodiments of the invention. For example, the method flows provided by the embodiments of the invention are executed by one or more processors described above.
As technology develops, the meaning of "medium" has broadened: a computer program is no longer limited to propagation on a tangible medium and may, for example, be downloaded directly from a network. Any combination of one or more computer-readable media may be employed. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.
Claims (10)
1. A method of identity authentication, the method comprising:
receiving, by a proxy gateway built into the Internet of things device, an access request sent to a management interface of the Internet of things device;
if the access request does not contain authorization permission information, sending the access request to an authentication entry of the management interface;
forwarding, to the visitor, the identity authentication interface provided by the authentication entry of the management interface;
forwarding the identity information entered by the visitor on the identity authentication interface to the management interface, so that the management interface authenticates the identity information and issues authorization permission information to a visitor who passes authentication;
caching the authorization permission information issued by the management interface and forwarding it to the visitor;
and if the access request contains authorization permission information that matches the authorization permission information cached by the proxy gateway, sending the access request to the requested management interface address.
2. The method of claim 1, wherein the proxy gateway is built into the internet of things device in the form of an executable file.
3. The method of claim 1, wherein the access request comprises:
an access request to the management interface of the Internet of things device triggered by the visitor on another device; or
an access request to the management interface of the Internet of things device triggered by the visitor on the Internet of things device itself.
4. The method of claim 1, further comprising:
and if the access request contains authorization permission information that does not match the authorization permission information cached by the proxy gateway, sending the access request to the authentication entry of the management interface, or returning an authentication failure response.
5. The method of claim 1, further comprising:
and deleting the authorization permission information cached by the proxy gateway once its validity period is reached.
6. An identity authentication apparatus, wherein the apparatus is built into an Internet of things device, the apparatus comprising: a first interaction unit, a cooperative authentication unit and a second interaction unit;
the first interaction unit is configured to receive, and to send, an access request sent to a management interface of the Internet of things device;
the cooperative authentication unit is configured to trigger the second interaction unit to send the access request to the authentication entry of the management interface if it determines that the access request does not contain authorization permission information; and, if the access request contains authorization permission information that matches the cached authorization permission information, to trigger the second interaction unit to send the access request to the requested management interface address;
the second interaction unit is configured to send the access request to the authentication entry of the management interface when triggered by the cooperative authentication unit; to forward the identity information entered by the visitor on the identity authentication interface to the management interface, so that the management interface authenticates the identity information and issues authorization permission information to a visitor who passes authentication; to receive the authorization permission information issued by the management interface and provide it to the cooperative authentication unit; and to send the access request to the requested management interface address when triggered by the cooperative authentication unit;
the cooperative authentication unit is further configured to trigger the first interaction unit to forward the identity authentication interface provided by the authentication entry of the management interface to the visitor, and to cache the authorization permission information issued by the management interface and trigger the first interaction unit to forward it to the visitor;
the first interaction unit is further configured to forward the identity authentication interface to the visitor when triggered by the cooperative authentication unit; to receive the identity information entered by the visitor on the identity authentication interface; and to forward the authorization permission information to the visitor when triggered by the cooperative authentication unit.
7. The apparatus of claim 6, wherein the apparatus is built into an internet of things device in the form of an executable file.
8. The apparatus according to claim 6, wherein the cooperative authentication unit is further configured to trigger the second interaction unit to send the access request to the authentication entry of the management interface, or trigger the first interaction unit to return an authentication failure response, if the access request includes authorization permission information and the authorization permission information does not match the authorization permission information cached by the proxy gateway.
9. An apparatus, characterized in that the apparatus comprises:
one or more processors;
a storage device for storing one or more programs,
the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method recited in any of claims 1-5.
10. A storage medium containing computer-executable instructions for performing the method of any one of claims 1-5 when executed by a computer processor.
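The exchange claimed in claims 1-5 (method) and 6-8 (apparatus), as an added, self-contained simulation that is not the patent's own code: a proxy gateway sits in front of a device's management interface, routes requests without permission information to the authentication entry, relays the login page and the issued permission information to the visitor, caches that information, forwards only requests whose permission information matches the cache, handles a mismatch either by redirecting to the authentication entry or by returning a failure response (claim 4), and purges cached entries once their validity period is reached (claim 5). The `/auth` path, the user table, the `ManualClock`, and every credential are constructed for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

@dataclass
class Request:
    path: str                        # requested management interface address
    token: Optional[str] = None      # authorization permission information, if carried
    identity: Optional[dict] = None  # identity information entered on the auth page

@dataclass
class Response:
    status: int
    body: str
    token: Optional[str] = None      # permission information issued by the management interface

class ManualClock:
    """Deterministic clock so the validity period of claim 5 can be exercised offline."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

class ManagementInterface:
    """Stand-in for the device's management interface (constructed, not the patent's)."""
    AUTH_ENTRY = "/auth"  # hypothetical authentication entry path

    def __init__(self, users: dict) -> None:
        self._users = users  # constructed user table: user name -> password

    def handle(self, req: Request) -> Response:
        if req.path != self.AUTH_ENTRY:
            return Response(200, f"resource:{req.path}")
        if req.identity is None:
            return Response(200, "login-page")  # the identity authentication interface
        expected = self._users.get(req.identity.get("user", ""), "")
        given = req.identity.get("password", "")
        if expected and hmac.compare_digest(expected.encode(), given.encode()):
            return Response(200, "authenticated", token=secrets.token_hex(16))
        return Response(401, "bad credentials")

class ProxyGateway:
    """Gateway built into the device: every request to the management interface passes here first."""

    def __init__(self, mgmt: ManagementInterface, ttl: float, clock=None,
                 redirect_on_mismatch: bool = True) -> None:
        self._mgmt = mgmt
        self._ttl = ttl                        # validity period of cached permission info
        self._clock = clock or time.monotonic
        self._redirect = redirect_on_mismatch  # claim 4: redirect to auth entry, or fail
        self._cache = {}                       # cached permission info -> expiry time

    def _purge_expired(self) -> None:
        # claim 5: delete cached permission info once its validity period is reached
        now = self._clock()
        for tok in [t for t, exp in self._cache.items() if exp <= now]:
            del self._cache[tok]

    def _matches_cache(self, token: str) -> bool:
        # constant-time comparison against each cached entry
        return any(hmac.compare_digest(token.encode(), t.encode()) for t in self._cache)

    def _via_auth_entry(self, identity: Optional[dict]) -> Response:
        # send the request to the authentication entry; the login page or the issued
        # permission info comes back and is relayed to the visitor after caching
        resp = self._mgmt.handle(Request(self._mgmt.AUTH_ENTRY, identity=identity))
        if resp.token is not None:
            self._cache[resp.token] = self._clock() + self._ttl
        return resp

    def handle(self, req: Request) -> Response:
        self._purge_expired()
        if req.token is None:                  # no permission info carried
            return self._via_auth_entry(req.identity)
        if self._matches_cache(req.token):     # matches cached permission info
            return self._mgmt.handle(req)      # forward to the requested address
        if self._redirect:                     # present but not matching
            return self._via_auth_entry(None)
        return Response(401, "authentication failed")

def demo() -> list:
    """Walk through the claimed exchange; returns the bodies the visitor sees."""
    clock = ManualClock()
    mgmt = ManagementInterface({"admin": "constructed-password"})
    gw = ProxyGateway(mgmt, ttl=300, clock=clock)
    seen = [gw.handle(Request("/config")).body]               # no token -> login page
    login = gw.handle(Request(mgmt.AUTH_ENTRY,
                              identity={"user": "admin", "password": "constructed-password"}))
    seen.append(login.body)                                   # token issued and cached
    seen.append(gw.handle(Request("/config", token=login.token)).body)  # hit -> forwarded
    clock.now += 301                                          # validity period reached
    seen.append(gw.handle(Request("/config", token=login.token)).body)  # purged -> login page
    return seen
```

Two design points matter for a gateway of this kind: the cache lookup uses a constant-time comparison so that the matching step does not leak how much of a presented token is correct, and the expiry check runs before every routing decision so that a token past its validity period is never forwarded, even if the management interface would still accept it. `demo()` returns `["login-page", "authenticated", "resource:/config", "login-page"]`, i.e. the visitor is sent back to the login page both before authenticating and after the cached permission information expires.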
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010494072.1A CN111901290B (en) | 2020-06-03 | 2020-06-03 | Identity authentication method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111901290A CN111901290A (en) | 2020-11-06 |
CN111901290B true CN111901290B (en) | 2022-10-11 |
Family
ID=73207283
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010494072.1A Active CN111901290B (en) | 2020-06-03 | 2020-06-03 | Identity authentication method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111901290B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113556349A (en) * | 2021-07-23 | 2021-10-26 | 海信集团控股股份有限公司 | Gateway authentication method and device and electronic equipment |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108924154A (en) * | 2018-07-24 | 2018-11-30 | 华数传媒网络有限公司 | Identity identifying method and device |
CN109617907A (en) * | 2019-01-04 | 2019-04-12 | 平安科技(深圳)有限公司 | Authentication method, electronic device and computer readable storage medium |
CN109726025A (en) * | 2018-12-29 | 2019-05-07 | 北京神舟航天软件技术有限公司 | A kind of api interface access method based on API gateway |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110874464A (en) * | 2018-09-03 | 2020-03-10 | 巍乾全球技术有限责任公司 | Method and equipment for managing user identity authentication data |
2020-06-03 CN CN202010494072.1A patent/CN111901290B/en active Active
Also Published As
Publication number | Publication date |
---|---|
CN111901290A (en) | 2020-11-06 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US8806627B1 (en) | | Content randomization for thwarting malicious software attacks |
AU2014235174B2 (en) | | Controlling physical access to secure areas via client devices in a networked environment |
CN102098158B (en) | | Cross-domain name single sign on and off method and system as well as corresponding equipment |
CN111698312B (en) | | Service processing method, device, equipment and storage medium based on open platform |
US8813200B2 (en) | | Online password management |
CN112511565B (en) | | Request response method and device, computer readable storage medium and electronic equipment |
CN111901289B (en) | | Identity authentication method, device, equipment and storage medium |
WO2018112878A1 (en) | | Token mechanism-based system and method for detecting and defending against cc attack |
CN114938288B (en) | | Data access method, device, equipment and storage medium |
CN111901290B (en) | | Identity authentication method and device |
US11075922B2 (en) | | Decentralized method of tracking user login status |
US8904487B2 (en) | | Preventing information theft |
CN110177096B (en) | | Client authentication method, device, medium and computing equipment |
CN112836186A (en) | | Page control method and device |
CN114666299B (en) | | Mail receiving and sending method, device, equipment and medium for satellite measurement, operation and control system |
CN113194088B (en) | | Access interception method, device, log server and computer readable storage medium |
CN109857488B (en) | | Application program call control method and device, terminal and readable storage medium |
CN114006757A (en) | | GIS service access control method, device, framework, medium and equipment |
CN112966277A (en) | | Webpage protection method and device, computer equipment and storage medium |
KR101319570B1 (en) | | Method for connection certification between pc and server, relay device and computer readable recording medium applying the same |
CN112187786A (en) | | Service processing method, device, server and storage medium of network service |
CN109684818A (en) | | A kind of server log method for the cross-terminal formula for preventing owner's login password from revealing |
CN114143056B (en) | | Terminal access method and device, electronic equipment and storage medium |
CN112751844B (en) | | Portal authentication method and device and electronic equipment |
US11985165B2 (en) | | Detecting web resources spoofing through stylistic fingerprints |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |