CN111953634B - Access control method and device for terminal equipment, computer equipment and storage medium - Google Patents

Info

Publication number: CN111953634B
Application number: CN201910402238.XA
Authority: CN (China)
Prior art keywords: client, identification, access control, random number, access
Legal status: Active (the status is an assumption, not a legal conclusion; Google has not performed a legal analysis)
Other languages: Chinese (zh)
Other versions: CN111953634A (en)
Inventors: 邓凡, 周道来, 艾菲
Current assignee: Qianxin Technology Group Co Ltd
Original assignee: Qianxin Technology Group Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]

Abstract

The invention provides an access control method and apparatus for a terminal device, a computer device and a storage medium. The access control method for the terminal device includes: receiving a terminal identification authentication request sent by a client, the request including an identification token of the terminal device and identity information of the terminal device; authenticating the identification token to generate an authentication result; sending the authentication result, carrying the identity information, to an access control platform; receiving an access information search request sent by the access control platform; searching a stored first corresponding relation for the access information corresponding to the identity information in the access information search request, the first corresponding relation being the correspondence between access information and identity information; and sending the found access information to the access control platform so that the access control platform can perform access control on the terminal device according to the access information. The invention improves the security of the access control performed by the access control platform.

Description

Access control method and device for terminal equipment, computer equipment and storage medium
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a method and an apparatus for controlling access to a terminal device, a computer device, and a storage medium.
Background
In the prior art, when a terminal device accesses a service system, reads data or calls a service interface in order to meet the requirements of business operation, an access control platform can perform access control on the terminal device. For example, control policies may be set in the access control platform, and when the platform receives a service access request from the terminal device it determines, according to those policies, whether the service access is allowed.
However, the inventors have found that in the above access control method the security of the access control implemented by the access control platform is poor: when an attacker, a user impersonator or another abnormal terminal device accesses the service system, the platform can only judge according to the control policy whether the service access is allowed, and cannot effectively identify the terminal device itself.
There is therefore an urgent need in the art for an access control method and apparatus for a terminal device, a computer device and a storage medium that enable an access control platform to better identify terminal devices.
Disclosure of Invention
The present invention provides an access control method and apparatus for a terminal device, a computer device and a storage medium, which are used to solve the above technical problems in the prior art.
In one aspect, the present invention provides an access control method for a terminal device.
The access control method for the terminal device includes: receiving a terminal identification authentication request sent by a client, the request including an identification token of the terminal device and identity information of the terminal device; authenticating the identification token to generate an authentication result; sending the authentication result, carrying the identity information, to an access control platform; receiving an access information search request sent by the access control platform, the request including the identity information; searching a stored first corresponding relation for the access information corresponding to the identity information in the access information search request, the first corresponding relation being the correspondence between access information and identity information; and sending the found access information to the access control platform so that the access control platform can perform access control on the terminal device according to the access information.
Further, the identification token includes an identification string and an identification digital signature. The identification string includes the identity information, a first random number negotiated with the client, and an incremental code; the identification digital signature is a digital signature made over the identification string with the private key of the client. The step of authenticating the identification token to generate an authentication result includes: verifying the identification digital signature with a stored public key of the client, the public key and the private key of the client forming a key pair; when the identification digital signature is verified successfully, judging whether the first random number and the incremental code in the identification string match the stored first random number and incremental code; when the first random number in the identification string matches the stored first random number and the incremental code in the identification string matches the stored incremental code, determining that the authentication result is authentication success; and when the first random number in the identification string does not match the stored first random number and/or the incremental code in the identification string does not match the stored incremental code, determining that the authentication result is authentication failure.
Further, the identification token in the terminal identification authentication request is data encrypted with the public key of the server, and before the step of authenticating the identification token to generate the authentication result, the access control method for the terminal device further includes: decrypting the identification token in the terminal identification authentication request with the private key of the server, the public key and the private key of the server forming a key pair.
Further, before the step of receiving the terminal identifier authentication request sent by the client, the access control method of the terminal device further includes: receiving an identification token request sent by a client, wherein the identification token request comprises identity information and an identity digital signature, and the identity digital signature is a digital signature made on the identity information by using a private key of the client; verifying the identity digital signature by using the stored public key of the client; when the identity digital signature is successfully verified, generating a first random number and an incremental code; storing the corresponding relation between the identity information and the first random number and the incremental code as a second corresponding relation; and sending the first random number and the incremental code to the client.
Further, the step of judging whether the first random number and the incremental code in the identification string match the stored first random number and incremental code includes: searching the second corresponding relation for the first random number corresponding to the identity information in the identification string; judging whether the found first random number is the same as the first random number in the identification string; searching the second corresponding relation for the incremental code corresponding to the identity information in the identification string; performing incremental processing on the found incremental code according to a preset incremental mode; and judging whether the incremental code after the incremental processing is the same as the incremental code in the identification string.
Further, before the step of authenticating the identification token to generate the authentication result, the access control method of the terminal device further includes: receiving a terminal equipment authentication request sent by a client; generating a second random number and sending the second random number to the client; receiving a random number digital signature and a certificate fingerprint sent by a client; searching a trusted certificate corresponding to the certificate fingerprint in a third corresponding relation, wherein the third corresponding relation is the corresponding relation between the certificate fingerprint and the trusted certificate; acquiring a public key of the client according to the trusted certificate; and verifying the random number digital signature by using the public key of the client, wherein when the random number digital signature is successfully verified by using the public key of the client, the step of authenticating the identification token is executed.
Further, before the step of receiving the random number digital signature and the certificate fingerprint transmitted by the client, the access control method of the terminal device further includes: receiving a trusted certificate application request sent by a client, wherein the trusted certificate application request comprises a public key, identity information and customization information of the client; determining whether a trusted certificate can be issued to the client according to the customized information and a predetermined certificate issuing strategy; if the trusted certificate can be issued to the client, generating the trusted certificate and the certificate fingerprint of the trusted certificate according to the public key and the identity information of the client; and sending the trusted certificate and the certificate fingerprint to the client.
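The trusted certificate issuance and the random-number challenge described in the two preceding paragraphs (elaborated again as steps S2011 to S2013 of example two), as an added worked example that is not the patent's or Qianxin's own code. It is a Go program using only the standard library, with the server acting as the issuer. Assumptions not stated on the page: Ed25519 keys for the client and the issuer, X.509 as the trusted certificate format, SHA-256 over the DER encoding as the certificate fingerprint, the certificate issuing strategy reduced to an allow-list of customization values, a challenge that is consumed on first use, and the names Enroller, Issue, Challenge and Verify, which are ours; the identity and policy values are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Enroller is the server's issuing side. policy is the certificate issuing strategy
// reduced to an allow-list of customization values (our simplification); trusted is
// the "third corresponding relation" (fingerprint -> certificate); pending holds each
// identity's outstanding second random number.
type Enroller struct {
	key     ed25519.PrivateKey
	cert    *x509.Certificate
	policy  map[string]bool
	trusted map[string]*x509.Certificate
	pending map[string][]byte
}

func NewEnroller(policy map[string]bool) (*Enroller, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "terminal-enrolment-ca"},
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	cert, _ := x509.ParseCertificate(der)
	return &Enroller{key: priv, cert: cert, policy: policy,
		trusted: map[string]*x509.Certificate{}, pending: map[string][]byte{}}, nil
}

// Issue is steps S2011 to S2013: apply the issuing strategy to the customization
// information, bind the client public key and identity into a certificate, and
// record it under its fingerprint (SHA-256 of the DER bytes, hex; our choice).
func (e *Enroller) Issue(pub ed25519.PublicKey, identity, customization string) ([]byte, string, error) {
	if !e.policy[customization] {
		return nil, "", fmt.Errorf("issuing strategy rejects customization %q", customization)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: identity},
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(1, 0, 0),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, e.cert, pub, e.key)
	if err != nil {
		return nil, "", err
	}
	cert, _ := x509.ParseCertificate(der)
	sum := sha256.Sum256(der)
	fingerprint := hex.EncodeToString(sum[:])
	e.trusted[fingerprint] = cert
	return der, fingerprint, nil
}

// Challenge answers the terminal device authentication request with a fresh
// second random number, kept until the client's signature over it comes back.
func (e *Enroller) Challenge(identity string) ([]byte, error) {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		return nil, err
	}
	e.pending[identity] = n
	return n, nil
}

// Verify looks the fingerprint up in the third corresponding relation, takes the client
// public key from the trusted certificate, and checks the random number signature.
// A challenge is consumed by its first use, pass or fail.
func (e *Enroller) Verify(identity, fingerprint string, sig []byte) bool {
	cert, ok := e.trusted[fingerprint]
	n, outstanding := e.pending[identity]
	if !ok || !outstanding || cert.Subject.CommonName != identity {
		return false
	}
	delete(e.pending, identity)
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	return ok && ed25519.Verify(pub, n, sig)
}

func main() {
	e, _ := NewEnroller(map[string]bool{"finance-endpoint": true}) // constructed policy
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	_, fp, err := e.Issue(pub, "hwid-0a1b2c", "finance-endpoint") // constructed values
	n, _ := e.Challenge("hwid-0a1b2c")
	fmt.Println(err, fp, "verified:", e.Verify("hwid-0a1b2c", fp, ed25519.Sign(priv, n)))
}
```

Verify checks that the certificate's subject matches the identity that answered the challenge, so a fingerprint issued to one device cannot be presented by another even if the signature over the random number is valid.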
In one aspect, to achieve the above object, the present invention provides an access control apparatus for a terminal device.
The access control apparatus for the terminal device includes: a first receiving module, configured to receive a terminal identification authentication request sent by a client, the request including an identification token of the terminal device and identity information of the terminal device; a first authentication module, configured to authenticate the identification token to generate an authentication result; a first sending module, configured to send the authentication result, carrying the identity information, to the access control platform; a second receiving module, configured to receive an access information search request sent by the access control platform, the request including the identity information; a first searching module, configured to search a stored first corresponding relation for the access information corresponding to the identity information in the access information search request, the first corresponding relation being the correspondence between access information and identity information; and a second sending module, configured to send the found access information to the access control platform so that the access control platform can perform access control on the terminal device according to the access information.
To achieve the above object, the present invention also provides a computer device, which includes a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor implements the steps of the method when executing the computer program.
To achieve the above object, the present invention also provides a computer-readable storage medium having stored thereon a computer program which, when being executed by a processor, carries out the steps of the above method.
According to the access control method and apparatus for the terminal device, the client must carry the identification token and the identity information to be authenticated at the server, and the server sends the authentication result, carrying the identity information, to the access control platform. When the access control platform receives a service access from the terminal device, it can look up the corresponding authentication result by the identity information of the terminal device, and it goes on to look up the access information only when the authentication result for the identification token of the terminal device is authentication success. The server stores the corresponding relation between access information and identity information; after receiving an access information search request from the access control platform, it looks up the access information by the identity information and returns it to the access control platform, which judges the access information against the control policy on the platform and finally determines how to perform access control. This improves the security of the access control performed by the access control platform on the terminal device.
Drawings
Fig. 1 is a flowchart of an access control method of a terminal device according to an embodiment of the present invention;
fig. 2 is a flowchart of an access control method of a terminal device according to a second embodiment of the present invention;
fig. 3 is a block diagram of an access control apparatus of a terminal device according to a third embodiment of the present invention; and
fig. 4 is a hardware configuration diagram of a computer device according to a fourth embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and do not limit the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The embodiments of the invention provide an access control method and apparatus for a terminal device, a computer device and a computer-readable storage medium. In the access control method, the identification token of a client is authenticated to obtain an authentication result, and the authentication result, carrying the identity information, is sent to the access control platform. When the access control platform receives a service access from the terminal device, it can look up the corresponding authentication result by the identity information of the terminal device. Only when the terminal device is one whose identification token authentication result is authentication success does the platform go on to look up the access information and perform access control on the terminal device according to it; when the identification token authentication result is not success, the platform does not evaluate the access control policy at all and intercepts the access directly. This improves the security of the access control performed by the access control platform on the terminal device.
Specific embodiments of the method, the apparatus, the computer device, and the computer-readable storage medium for controlling access to a terminal device according to the present invention will be described in detail below.
Example one
An embodiment of the present invention provides an access control method for a terminal device that may be applied in the following service scenario. The server, which executes the method, authenticates the identification token of the terminal device and feeds the authentication result back to the access control platform through its interaction with the access control platform and with the client on the terminal device; the server can also provide the access control platform with the access information of the terminal device, which the platform uses to perform access control on the terminal device. The method improves the security of the access control platform with respect to the terminal device. Specifically, fig. 1 is a flowchart of an access control method of a terminal device according to an embodiment of the present invention; as shown in fig. 1, the method of this embodiment includes steps S101 to S106.
Step S101: receiving a terminal identification authentication request sent by a client.
Before accessing the service system, the client first has its terminal identifier authenticated by the server; the terminal identification authentication request includes the identification token of the terminal device and the identity information of the terminal device.
Optionally, the identification token of the terminal device may be token information generated by the client from its identity information and data negotiated with the server. The identity information of the terminal device may be hardware identification information of the terminal device, for example a hardware identification code that identifies the hardware of the terminal device and is computed from the identification information of several hardware parts, such as the CPU identification of the terminal device, the hard disk serial number and/or the MAC address of the physical network card. The CPU identification includes the type, model, manufacturer information, trademark information, cache size, clock speed and so on of the processor; the hard disk serial number is the physical serial number of the hard disk, i.e. its factory code, and is unique; the MAC (Media Access Control) address of the physical network card is the hardware address burned into the card, a unique identifier allocated by the card's manufacturer.
Computing the hardware identification code of the terminal device from the CPU identification, the hard disk serial number and/or the MAC address of the physical network card has two advantages: on the one hand, the terminal device is identified at the hardware level, so that different terminal devices have different hardware identification codes; on the other hand, when the terminal device suffers a temporary fault or change, such as disk track damage or the temporary addition of a peripheral, the hardware identification code does not change, which improves the stability of the identification token.
Step S102: the identification token is authenticated to generate an authentication result.
The server side authenticates the identification token according to the stored information related to the identification token, generates an authentication result which is successfully authenticated when the authentication is passed, and generates an authentication result which is failed when the authentication is not passed.
Optionally, in an embodiment, the identification token includes an identification string and an identification number signature, the identification string includes identity information, a first random number negotiated with the client, and an incremental code, and the first random number and the incremental code may be specifically generated by the client and may also be generated by the server, and the first random number and the incremental code are stored at both ends, respectively, whichever end is generated. The identification digital signature is a digital signature made on the identification character string by using a private key of the client. When the client installs the program, a key pair is generated, and the key pair comprises a client public key and a client private key. The step S102 includes the steps of:
step S1021: the identifying digital signature is verified using the stored public key of the client.
In the process of communication between the client and the server, the public key of the client can be sent to the server, and the server correspondingly stores the identity information of the client and the public key. When a terminal identification authentication request is received, a stored public key of a client is obtained through identity information in the terminal identification authentication request, then the public key of the client is used for operating an identification character string in the terminal identification authentication request to obtain a verification signature, and the identification digital signature is verified by matching the verification signature with the identification digital signature in the terminal identification authentication request. When the verification signature matches the identification digital signature, it indicates that the identification digital signature is verified successfully, that is, the identification character string is not tampered in the transmission process of the terminal identification authentication request, and the following step S1022 is executed. When the verification signature is not matched with the identification digital signature, the verification of the identification digital signature fails, that is, the identification character string is tampered in the sending process of the terminal identification authentication request, and no subsequent processing is performed.
Step S1022: and when the identification digital signature is successfully verified, judging whether a first random number and an incremental code in the identification character string are matched with the stored first random number and incremental code.
When the identification digital signature is successfully verified, the server side obtains a first random number and an incremental code which are locally stored and correspond to the client side, and then the obtained first random number and the incremental code are respectively matched with the first random number and the incremental code in the identification character string.
Step S1023: and when the first random number in the identification character string is correspondingly matched with the stored first random number and the increment code in the identification character string is correspondingly matched with the stored increment code respectively, determining that the authentication result is successful.
Step S1024: and when the first random number in the identification character string is not matched with the stored first random number and/or the increment code in the identification character string is not matched with the stored increment code, determining that the authentication result is authentication failure.
Further optionally, the server also generates a key pair when installing the program, where the key pair includes a server public key and a server private key. The installation program of the client can be generated at the server, wherein the server public key is written into the installation program of the client, and the server public key can be stored when the client is installed. The identification token in the terminal identification authentication request is data encrypted by a public key of the server, and before step S102 and after step S101, the access control method of the terminal device further includes: and decrypting the identification token in the terminal identification authentication request by adopting a private key of the server, wherein the public key of the server and the private key of the server are a key pair.
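Steps S1021 to S1024, together with the identification token request of the disclosure (the server generating and storing the first random number and incremental code) and the server-key encryption just described, as an added worked example that is not the patent's or Qianxin's own code. It is a Go program using only the standard library. The following are assumptions not stated on the page: Ed25519 for the client key pair, RSA-OAEP for the encryption with the server public key, JSON as the encoding of the identification string, an incremental mode of +1, and the stored incremental code being advanced after each successful authentication so that a captured token cannot be presented a second time. The names Server, IssueToken, MakeToken and Authenticate are ours, and the hardware identification code is a constructed value.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// IDString is the identification string: identity information, the first
// random number negotiated with the client (hex) and the incremental code.
type IDString struct {
	Identity string `json:"identity"`
	Nonce    string `json:"nonce"`
	Counter  uint64 `json:"counter"`
}

// Token adds the identification digital signature over the JSON-encoded IDString.
type Token struct {
	Str IDString `json:"str"`
	Sig []byte   `json:"sig"`
}

// Server: RSA key pair, client public keys, and the "second corresponding relation".
type Server struct {
	priv    *rsa.PrivateKey
	pubKeys map[string]ed25519.PublicKey
	stored  map[string]IDString // first random number and incremental code per identity
}

func NewServer() (*Server, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Server{priv: k, pubKeys: map[string]ed25519.PublicKey{}, stored: map[string]IDString{}}, nil
}

func (s *Server) RegisterClient(identity string, pk ed25519.PublicKey) { s.pubKeys[identity] = pk }

// IssueToken serves the identification token request: verify the identity digital
// signature, then generate, store and return a first random number and an incremental code.
func (s *Server) IssueToken(identity string, identitySig []byte) (string, uint64, error) {
	pk, ok := s.pubKeys[identity]
	if !ok || !ed25519.Verify(pk, []byte(identity), identitySig) {
		return "", 0, fmt.Errorf("identity digital signature invalid for %q", identity)
	}
	buf := make([]byte, 12)
	if _, err := rand.Read(buf); err != nil {
		return "", 0, err
	}
	s.stored[identity] = IDString{Identity: identity, Nonce: hex.EncodeToString(buf), Counter: 0}
	return s.stored[identity].Nonce, 0, nil
}

// MakeToken is the client side: sign the identification string with the client private
// key, then encrypt the token with the server public key (RSA-OAEP, our choice; it only
// fits a short message, hence the compact fields).
func MakeToken(priv ed25519.PrivateKey, serverPub *rsa.PublicKey, id IDString) ([]byte, error) {
	msg, _ := json.Marshal(id)
	tok, _ := json.Marshal(Token{Str: id, Sig: ed25519.Sign(priv, msg)})
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, tok, nil)
}

// Authenticate is steps S1021 to S1024: decrypt with the server private key, verify the
// signature with the stored client public key, then require the first random number to
// match and the incremental code to equal the stored code advanced by one (+1 is our
// assumption for the preset mode). The stored code then moves on, so a replay fails.
func (s *Server) Authenticate(ciphertext []byte) bool {
	var t Token
	raw, err := rsa.DecryptOAEP(sha256.New(), nil, s.priv, ciphertext, nil)
	if err != nil || json.Unmarshal(raw, &t) != nil {
		return false
	}
	pk, ok := s.pubKeys[t.Str.Identity]
	msg, _ := json.Marshal(t.Str)
	if !ok || !ed25519.Verify(pk, msg, t.Sig) {
		return false
	}
	st, ok := s.stored[t.Str.Identity]
	st.Counter++ // incremental processing of the stored code
	if !ok || st != t.Str {
		return false
	}
	s.stored[t.Str.Identity] = st
	return true
}

func main() {
	srv, _ := NewServer()
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	srv.RegisterClient("hwid-0a1b2c", pub) // constructed hardware identification code
	nonce, ctr, _ := srv.IssueToken("hwid-0a1b2c", ed25519.Sign(priv, []byte("hwid-0a1b2c")))
	ct, _ := MakeToken(priv, &srv.priv.PublicKey, IDString{"hwid-0a1b2c", nonce, ctr + 1})
	fmt.Println("first use:", srv.Authenticate(ct), "replay:", srv.Authenticate(ct))
}
```

The signature is checked before the random number and incremental code, matching the order of S1021 and S1022, and a token whose code does not equal the stored code plus one is refused even when its signature is valid, which is what makes a captured token useless after its first use.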
Step S103: and sending the authentication result carrying the identity information to the access control platform.
After the authentication result is obtained, the authentication result carrying the identity information is sent to the access control platform, so that a trusted terminal device can be identified through the authentication result at one end of the access control platform, after a service access request sent by the terminal device is received, the authentication result corresponding to the terminal device is inquired, and after the authentication result which is successfully authenticated is checked, an access information search request is sent to the server side.
Step S104: and receiving an access information searching request sent by the access control platform.
The access information is a basis for judging by using a control strategy in the access control platform, that is, the access control platform judges the access information by using the control strategy and determines whether the service system can be accessed according to a judgment result. The access information may be operation information issued by the service system for the terminal device, or may also be network environment information of the terminal device itself, device environment information, device user information, and other environment perception information. The server stores the identity information of the terminal device and the access information corresponding to the identity information as a corresponding relationship, and the corresponding relationship is defined as a first corresponding relationship.
In the present invention, for example, "first" and "second" in the above "first correspondence" and "second correspondence" in the following "second correspondence" are used only for conceptual distinction, and do not constitute a limitation in order.
The access information search request includes the identity information, and therefore, the access information searched in the first corresponding relationship can be obtained through the identity information in the access information search request.
Step S105: and searching the stored first corresponding relation for the access information corresponding to the identity information in the access information searching request.
Step S106: and sending the searched access information to the access control platform so that the access control platform can carry out access control on the terminal equipment according to the access information.
In the access control method for the terminal device provided in this embodiment, the client needs to carry the identification token and the identity information to authenticate at the server, the server sends the authentication result carrying the identity information to the access control platform, the access control platform can search the corresponding authentication result according to the identity information of the terminal device when receiving the service access of the terminal device, and the access control platform can further search the access information only when the authentication result of the identification token of the terminal device is the device which succeeds in authentication; the server can store the corresponding relation between the access information and the identity information, after receiving an access control platform access information searching request, the server searches the access information according to the identity information and feeds the access information back to the access control platform, so that the access control platform judges the access information according to a control strategy on the platform, finally determines how to perform access control, and can improve the security of the access control platform on the access control of the terminal equipment.
Example two
The second embodiment of the present invention provides a preferred access control method for a terminal device on the basis of the first embodiment; technical features and effects shared with the first embodiment are not described again here, and reference may be made to the first embodiment for details. Specifically, fig. 2 is a flowchart of the access control method of a terminal device according to the second embodiment of the present invention; as shown in fig. 2, the method includes the following steps S201 to S208.
Step S201: in response to a trusted certificate application request sent by the client, send the trusted certificate and the certificate fingerprint to the client.
Operations or security maintenance personnel of the service system can configure on the server a policy for sending trusted certificates to clients; when a trusted certificate application request is received from a client, whether to send the trusted certificate and the certificate fingerprint to the client is decided according to that policy. Optionally, in an embodiment, step S201 includes the following steps S2011 to S2014.
Step S2011: receive a trusted certificate application request sent by the client.
The trusted certificate application request includes the client's public key, identity information and customization information. The customization information is the information required by the policy for issuing trusted certificates.
Step S2012: determine, according to the customization information and a preset certificate issuing policy, whether a trusted certificate can be issued to the client.
Step S2013: if the trusted certificate can be issued to the client, generate the trusted certificate and the certificate fingerprint of the trusted certificate according to the client's public key and identity information.
The certificate fingerprint may be obtained by encrypting the binary content of the trusted certificate.
Step S2014: send the trusted certificate and the certificate fingerprint to the client.
After the trusted certificate and the certificate fingerprint have been sent to the client, the trusted certificate can be verified before every client operation: for example, the certificate fingerprint is verified first, then the identity information in the trusted certificate is checked against the locally stored identity information, and finally the client identity in the trusted certificate is verified with the client's private key, thereby completing the authentication of the trusted certificate.
Once the trusted certificate passes authentication, the client has completed initialization; the device is then authenticated to the server through the following steps, and the server treats any device that has not been authenticated as an untrusted device by default.
Step S202: in response to a terminal device authentication request sent by the client, authenticate the terminal device.
When the server authenticates the terminal device, it can do so using the information associated with the trusted certificate. Optionally, in an embodiment, step S202 includes the following steps S2021 to S2026.
Step S2021: receive a terminal device authentication request sent by the client.
Step S2022: generate a second random number and send it to the client.
Step S2023: receive the random number digital signature and the certificate fingerprint sent by the client.
The random number digital signature may be the client's digital signature over the second random number, made with the client's private key.
Step S2024: look up the trusted certificate corresponding to the certificate fingerprint in the third correspondence.
When the server generates the trusted certificate and the certificate fingerprint in step S2013, it stores the correspondence between the certificate fingerprint and the trusted certificate; this correspondence is defined as the third correspondence.
Step S2025: obtain the client's public key from the trusted certificate.
Step S2026: verify the random number digital signature using the client's public key.
The client's public key is applied to the second random number and the result is compared with the random number digital signature, thereby verifying the signature. When the random number digital signature is verified successfully with the client's public key, authentication of the terminal device succeeds.
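As an added illustration of steps S2011 to S2014 and S2021 to S2026 (example code written for this page, not the applicant's implementation), the following Go program models the server side of the device authentication: it applies an issuing policy, binds the client's public key to its identity in a simplified trusted certificate, records the fingerprint-to-certificate mapping (the third correspondence), challenges the client with a second random number and verifies the client's signature with the public key taken from the certificate. ECDSA P-256 over SHA-256 as the signature scheme, SHA-256 as the fingerprint operation, the "managed-device" policy value, the identity "device-0001" and the single-use nonce store are all assumptions of this example; the patent does not specify them.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"errors"
)

// TrustedCert is a simplified stand-in for the trusted certificate: identity information bound to a DER public key.
type TrustedCert struct {
	Identity  string
	PublicKey []byte // DER-encoded SubjectPublicKeyInfo of the client's key
}

// Fingerprint derives the certificate fingerprint as a hex SHA-256 digest over the certificate's binary form
// (the use of SHA-256 is an assumption of this example; the patent does not name the operation).
func Fingerprint(c TrustedCert) string {
	sum := sha256.Sum256(append([]byte(c.Identity+"|"), c.PublicKey...))
	return hex.EncodeToString(sum[:])
}

// Server keeps the "third correspondence" and the second random numbers it has issued but not yet seen answered.
type Server struct {
	byFingerprint map[string]TrustedCert // certificate fingerprint -> trusted certificate
	pendingNonce  map[string]bool        // hex(second random number) -> outstanding
}

// IssueCert covers steps S2011-S2014: apply the issuing policy, bind public key and identity, record the fingerprint.
func (s *Server) IssueCert(pub *ecdsa.PublicKey, identity, custom string) (TrustedCert, string, error) {
	if custom != "managed-device" { // placeholder issuing policy, constructed for this example
		return TrustedCert{}, "", errors.New("certificate issuing policy rejects the request")
	}
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return TrustedCert{}, "", err
	}
	cert := TrustedCert{Identity: identity, PublicKey: der}
	fp := Fingerprint(cert)
	s.byFingerprint[fp] = cert
	return cert, fp, nil
}

// Challenge covers step S2022: generate a fresh second random number for the client to sign.
func (s *Server) Challenge() []byte {
	nonce := make([]byte, 32)
	rand.Read(nonce) // crypto/rand.Read never returns an error as of Go 1.24 (it aborts instead)
	s.pendingNonce[hex.EncodeToString(nonce)] = true
	return nonce
}

// ClientSign is the client side of step S2023: sign the second random number with the client's private key.
func ClientSign(priv *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// AuthenticateDevice covers steps S2023-S2026: consume the nonce (single use), look the certificate up by
// fingerprint, take the client's public key from it and verify the random number digital signature.
func (s *Server) AuthenticateDevice(fp string, nonce, sig []byte) bool {
	key := hex.EncodeToString(nonce)
	cert, known := s.byFingerprint[fp]
	if !known || !s.pendingNonce[key] {
		return false // unknown certificate, or a nonce never issued / already answered (replay)
	}
	delete(s.pendingNonce, key)
	parsed, err := x509.ParsePKIXPublicKey(cert.PublicKey)
	pub, ok := parsed.(*ecdsa.PublicKey)
	if err != nil || !ok {
		return false
	}
	digest := sha256.Sum256(nonce)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// RunDeviceAuth walks the whole exchange with a freshly generated client key and returns
// (genuine response accepted, replayed response accepted, error).
func RunDeviceAuth() (bool, bool, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	srv := &Server{byFingerprint: map[string]TrustedCert{}, pendingNonce: map[string]bool{}}
	_, fp, err := srv.IssueCert(&priv.PublicKey, "device-0001", "managed-device") // constructed values
	if err != nil {
		return false, false, err
	}
	nonce := srv.Challenge()
	sig, err := ClientSign(priv, nonce)
	if err != nil {
		return false, false, err
	}
	first := srv.AuthenticateDevice(fp, nonce, sig)
	replay := srv.AuthenticateDevice(fp, nonce, sig) // the same signed nonce presented again
	return first, replay, nil
}
```

Deleting the second random number from the pending set on first use is what makes a captured random number digital signature worthless for a second authentication: step S2022 already generates a fresh random number per request, and this check is how the server enforces that each one is answered at most once.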
So that the server can authenticate the identification token when an application on the terminal device sends a service request to the service system, the client requests an identification token from the server after the terminal device has been authenticated successfully, that is, the following step S203 is executed.
Step S203: in response to an identification token request sent by the client, send the first random number and the incremental code to the client.
The server receives the identification token request from the client, generates a first random number and an incremental code and sends them to the client; on receiving them, the client can generate an identification token from the first random number, the incremental code and other locally stored information. Optionally, in an embodiment, step S203 includes the following steps S2031 to S2035.
Step S2031: receive an identification token request sent by the client.
The identification token request includes identity information and an identity digital signature, where the identity digital signature is a digital signature made over the identity information with the client's private key.
Step S2032: verify the identity digital signature using the stored public key of the client.
Step S2033: when the identity digital signature is verified successfully, generate a first random number and an incremental code.
Step S2034: store the correspondence between the identity information and the first random number and incremental code as a second correspondence.
Step S2035: send the first random number and the incremental code to the client.
After receiving the first random number and the incremental code, the client can generate the identification token and then send a terminal identification authentication request to the server, that is, execute the following step S204.
Step S204: in response to a terminal identification authentication request sent by the client, authenticate the identification token to generate an authentication result.
The terminal identification authentication request includes the identification token of the terminal device and the identity information of the terminal device. The identification token consists of an identification string and an identification digital signature; the identification string contains the identity information, the first random number negotiated with the client and the incremental code, and the identification digital signature is a digital signature made over the identification string with the client's private key. Optionally, in an embodiment, step S204 includes the following steps S2041 to S2048.
Step S2041: verify the identification digital signature using the stored public key of the client.
Step S2042: when the identification digital signature is verified successfully, look up in the second correspondence the first random number and the incremental code corresponding to the identity information in the identification string.
Step S2043: judge whether the found first random number is the same as the first random number in the identification string.
Step S2044: look up in the second correspondence the first random number corresponding to the identity information in the identification string.
Step S2045: apply incremental processing to the found incremental code according to a preset increment mode.
Step S2046: judge whether the incrementally processed incremental code is the same as the incremental code in the identification string.
Step S2047: when the first random number in the identification string matches the stored first random number and the incremental code in the identification string matches the stored incremental code, determine that the authentication result is authentication success.
Step S2048: when the first random number in the identification string does not match the stored first random number and/or the incremental code in the identification string does not match the stored incremental code, determine that the authentication result is authentication failure.
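The token issuance of steps S2031 to S2035 and the token authentication of steps S2041 to S2048, as an added Go example written for this page (not the applicant's code): the server verifies the identity digital signature, records the first random number and incremental code per identity (the second correspondence), and later accepts an identification token only when its signature, random number and incremented code all match. The "+1" increment rule, the `identity|random number|incremental code` layout of the identification string, ECDSA P-256 over SHA-256, the identity "device-0001" and the advancing of the stored code after a successful check are assumptions of this example; the patent leaves the increment mode and the encoding open.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// tokenState is one entry of the "second correspondence": identity -> (first random number, incremental code).
type tokenState struct {
	nonce   string
	counter uint64
}

// TokenServer keeps each client's registered public key (from its trusted certificate) and the second correspondence.
type TokenServer struct {
	pubKeys map[string]*ecdsa.PublicKey
	issued  map[string]tokenState
}

// signMsg and verifyMsg are the assumed signature primitive: ECDSA P-256 over SHA-256 of the message.
func signMsg(priv *ecdsa.PrivateKey, msg string) ([]byte, error) {
	d := sha256.Sum256([]byte(msg))
	return ecdsa.SignASN1(rand.Reader, priv, d[:])
}
func verifyMsg(pub *ecdsa.PublicKey, msg string, sig []byte) bool {
	d := sha256.Sum256([]byte(msg))
	return ecdsa.VerifyASN1(pub, d[:], sig)
}

// IssueToken covers steps S2031-S2035: verify the identity digital signature, then generate and record the first random number and incremental code.
func (s *TokenServer) IssueToken(identity string, identitySig []byte) (string, uint64, error) {
	pub, ok := s.pubKeys[identity]
	if !ok || !verifyMsg(pub, identity, identitySig) {
		return "", 0, fmt.Errorf("identity digital signature rejected for %q", identity)
	}
	raw := make([]byte, 16)
	rand.Read(raw) // crypto/rand.Read never returns an error as of Go 1.24 (it aborts instead)
	st := tokenState{nonce: hex.EncodeToString(raw), counter: 0} // increment rule assumed here: +1 per use
	s.issued[identity] = st
	return st.nonce, st.counter, nil
}

// ClientToken is the client side: advance the incremental code, lay the identification string out as identity|random number|incremental code (a constructed encoding) and sign it.
func ClientToken(priv *ecdsa.PrivateKey, identity, nonce string, counter uint64) (string, []byte, error) {
	str := fmt.Sprintf("%s|%s|%d", identity, nonce, counter+1)
	sig, err := signMsg(priv, str)
	return str, sig, err
}

// AuthenticateToken covers steps S2041-S2048: signature, first random number and incremented code must all match the stored state.
func (s *TokenServer) AuthenticateToken(identity, identStr string, identSig []byte) bool {
	pub, ok := s.pubKeys[identity]
	if !ok || !verifyMsg(pub, identStr, identSig) { // S2041: identification digital signature
		return false
	}
	parts := strings.Split(identStr, "|")
	st, known := s.issued[identity] // S2042 / S2044: stored first random number and incremental code
	if len(parts) != 3 || parts[0] != identity || !known {
		return false
	}
	expected := strconv.FormatUint(st.counter+1, 10) // S2045: stored code advanced by the preset rule
	if subtle.ConstantTimeCompare([]byte(parts[1]), []byte(st.nonce)) != 1 || parts[2] != expected {
		return false // S2048: random number (S2043) or incremental code (S2046) mismatch
	}
	s.issued[identity] = tokenState{st.nonce, st.counter + 1} // added safeguard: the same token is not accepted twice
	return true // S2047
}

// RunTokenFlow exercises issuance and authentication with a fresh client key and returns (fresh token accepted, same token replayed accepted, error).
func RunTokenFlow() (bool, bool, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	const identity = "device-0001" // constructed identity information
	srv := &TokenServer{pubKeys: map[string]*ecdsa.PublicKey{identity: &priv.PublicKey}, issued: map[string]tokenState{}}
	idSig, err := signMsg(priv, identity)
	if err != nil {
		return false, false, err
	}
	nonce, counter, err := srv.IssueToken(identity, idSig)
	if err != nil {
		return false, false, err
	}
	str, sig, err := ClientToken(priv, identity, nonce, counter)
	if err != nil {
		return false, false, err
	}
	first := srv.AuthenticateToken(identity, str, sig)
	replay := srv.AuthenticateToken(identity, str, sig) // same token presented a second time
	return first, replay, nil
}
```

The random number ties the token to one issuance and the incremental code orders the tokens within it; advancing the stored code after each successful check (the safeguard added here) is what turns the comparison of step S2046 into a replay check rather than a one-off equality test.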
Step S205: send the authentication result carrying the identity information to the access control platform.
Step S206: receive an access information search request sent by the access control platform.
The access information search request includes the identity information.
Step S207: search the stored first correspondence for the access information corresponding to the identity information in the access information search request.
The first correspondence is the correspondence between the access information and the identity information.
Step S208: send the found access information to the access control platform so that the access control platform can perform access control on the terminal device according to the access information.
In the access control method for the terminal device provided in this embodiment, the server issues a trusted certificate to the client, the client verifies the trusted certificate at each operation, and the server authenticates the terminal device before issuing an identification token to the client. The issued identification token carries a random number and an incremental code, so both can be checked when the identification token is authenticated. Each of these verification and authentication stages adds assurance about the terminal device, which further improves the security of the access control platform's access control.
Example three
Corresponding to the first embodiment and the second embodiment, a third embodiment of the present invention provides an access control device for a terminal device, which may be a component of a server disposed on a server device, where the access control device corresponds to the access control method for the terminal device provided in the first embodiment and the second embodiment, and corresponding technical features and technical effects are not described in detail in this embodiment, and reference may be made to the first embodiment and the second embodiment for relevant points.
Fig. 3 is a block diagram of an access control apparatus of a terminal device according to a third embodiment of the present invention, and as shown in fig. 3, the apparatus includes a first receiving module 301, a first authentication module 302, a first sending module 303, a second receiving module 304, a first searching module 305, and a second sending module 306.
The first receiving module 301 is configured to receive a terminal identification authentication request sent by a client, where the terminal identification authentication request includes an identification token of a terminal device and identity information of the terminal device; the first authentication module 302 is configured to authenticate the identification token to generate an authentication result; the first sending module 303 is configured to send the authentication result carrying the identity information to the access control platform; the second receiving module 304 is configured to receive an access information search request sent by the access control platform, where the access information search request includes the identity information; the first searching module 305 is configured to search a stored first correspondence for the access information corresponding to the identity information in the access information search request, where the first correspondence is the correspondence between the access information and the identity information; and the second sending module 306 is configured to send the found access information to the access control platform so that the access control platform performs access control on the terminal device according to the access information.
Optionally, in an embodiment, the identification token includes an identification string and an identification digital signature, the identification string includes the identity information, a first random number negotiated with the client and an incremental code, and the identification digital signature is a digital signature made over the identification string with the client's private key; the first authentication module 302 then includes an identification digital signature verification unit, an identification string judgment unit and an authentication result generation unit.
The identification digital signature verification unit is configured to verify the identification digital signature using the stored public key of the client, where the client's public key and the client's private key form a key pair. The identification string judgment unit is configured to judge, when the identification digital signature is verified successfully, whether the first random number and the incremental code in the identification string match the stored first random number and incremental code. The authentication result generation unit is configured to determine that authentication succeeded when the first random number in the identification string matches the stored first random number and the incremental code in the identification string matches the stored incremental code, and to determine that authentication failed when the first random number in the identification string does not match the stored first random number and/or the incremental code in the identification string does not match the stored incremental code.
Optionally, in an embodiment, the identification token in the terminal identification authentication request is data encrypted with the server's public key, and the access control apparatus of the terminal device further includes a decryption module configured to decrypt the identification token in the terminal identification authentication request with the server's private key before the first authentication module 302 authenticates the identification token to generate the authentication result, where the server's public key and the server's private key form a key pair.
Optionally, in an embodiment, the access control apparatus of the terminal device further includes a first response module, configured to send the first random number and the increment code to the client in response to an identification token request sent by the client before the first authentication module 302 authenticates the identification token to generate an authentication result. Specifically, the first response module comprises an identification token request receiving unit, an identity digital signature verification unit, a random number and increment code generation unit, a random number and increment code storage unit and a random number and increment code sending unit.
The identification token request receiving unit is used for receiving an identification token request sent by a client, wherein the identification token request comprises identity information and an identity digital signature, and the identity digital signature is a digital signature made on the identity information by using a private key of the client. The identity digital signature verification unit is used for verifying the identity digital signature by using the stored public key of the client. The random number and increment code generation unit is used for generating a first random number and an increment code when the identity digital signature is successfully verified. The random number and increment code storage unit is used for storing the corresponding relation between the identity information and the first random number and increment code as a second corresponding relation. The random number and increment code sending unit is used for sending the first random number and the increment code to the client.
Optionally, in an embodiment, when judging whether the first random number and the incremental code in the identification string match the stored first random number and incremental code, the identification string judgment unit specifically performs the following steps: look up in the second correspondence the first random number and the incremental code corresponding to the identity information in the identification string; judge whether the found first random number is the same as the first random number in the identification string; look up in the second correspondence the first random number corresponding to the identity information in the identification string; apply incremental processing to the found incremental code according to a preset increment mode; and judge whether the incrementally processed incremental code is the same as the incremental code in the identification string.
Optionally, in an embodiment, the access control apparatus of the terminal device further includes a second response module, configured to authenticate the terminal device in response to a terminal device authentication request sent by the client before the first authentication module 302 authenticates the identification token to generate an authentication result. Specifically, the second response module comprises a terminal device authentication request receiving unit, a second random number generating and sending unit, a certificate fingerprint receiving unit, a trusted certificate searching unit, a public key obtaining unit and a digital signature verifying unit.
The terminal device authentication request receiving unit is configured to receive a terminal device authentication request sent by the client; the second random number generating and sending unit is configured to generate a second random number and send it to the client; the certificate fingerprint receiving unit is configured to receive the random number digital signature and the certificate fingerprint sent by the client; the trusted certificate searching unit is configured to look up the trusted certificate corresponding to the certificate fingerprint in a third correspondence, where the third correspondence is the correspondence between the certificate fingerprint and the trusted certificate; the public key obtaining unit is configured to obtain the client's public key from the trusted certificate; and the digital signature verification unit is configured to verify the random number digital signature using the client's public key, where the first authentication module 302 performs the step of authenticating the identification token when the random number digital signature is verified successfully with the client's public key.
Optionally, in an embodiment, the access control apparatus of the terminal device further includes a third response module, configured to send the trusted certificate and the certificate fingerprint to the client in response to a trusted certificate application request sent by the client before the certificate fingerprint receiving unit receives the random number digital signature and the certificate fingerprint sent by the client. Specifically, the third response module includes a trusted certificate application request receiving unit, a determining unit, a trusted certificate generating unit, and a trusted certificate sending unit.
The trusted certificate application request receiving unit is used for receiving a trusted certificate application request sent by a client, wherein the trusted certificate application request comprises a public key, identity information and customization information of the client; the judging unit is used for determining whether a trusted certificate can be issued to the client according to the customized information and a preset certificate issuing strategy; if the trusted certificate can be issued to the client, the trusted certificate generation unit is used for generating the trusted certificate and the certificate fingerprint of the trusted certificate according to the public key and the identity information of the client; the trusted certificate sending unit is used for sending the trusted certificate and the certificate fingerprint to the client.
Example four
The fourth embodiment further provides a computer device capable of executing programs, such as a smart phone, a tablet computer, a notebook computer, a desktop computer, a rack server, a blade server or a tower server (including an independent server or a server cluster formed by multiple servers). As shown in fig. 4, the computer device 01 of this embodiment includes at least, but is not limited to, a memory 011 and a processor 012 communicatively connected to each other via a system bus, as shown in fig. 3. It is noted that fig. 4 only shows the computer device 01 with a memory 011 and a processor 012, but it is to be understood that not all of the shown components are required, and that more or fewer components may be implemented instead.
In this embodiment, the memory 011 (i.e., a readable storage medium) includes a flash memory, a hard disk, a multimedia card, a card-type memory (e.g., SD or DX memory), a random access memory (RAM), a static random access memory (SRAM), a read-only memory (ROM), an electrically erasable programmable read-only memory (EEPROM), a programmable read-only memory (PROM), a magnetic memory, a magnetic disk, an optical disk and the like. In some embodiments, the memory 011 may be an internal storage unit of the computer device 01, such as a hard disk or memory of the computer device 01. In other embodiments, the memory 011 may also be an external storage device of the computer device 01, such as a plug-in hard disk, Smart Media Card (SMC), Secure Digital (SD) card or flash memory card provided on the computer device 01. Of course, the memory 011 may also include both internal and external storage units of the computer device 01. In this embodiment, the memory 011 is generally used to store the operating system installed on the computer device 01 and various application software, for example the program code of the access control method of the terminal device of the first embodiment. Further, the memory 011 may also be used to temporarily store various kinds of data that have been output or are to be output.
The processor 012 may in some embodiments be a central processing unit (CPU), a controller, a microcontroller, a microprocessor or another data processing chip. The processor 012 is generally used to control the overall operation of the computer device 01. In this embodiment, the processor 012 is configured to run the program code stored in the memory 011 or to process data, for example to perform the access control method of the terminal device.
Example five
The fifth embodiment further provides a computer-readable storage medium, such as a flash memory, a hard disk, a multimedia card, a card-type memory (e.g., SD or DX memory, etc.), a Random Access Memory (RAM), a Static Random Access Memory (SRAM), a read-only memory (ROM), an electrically erasable programmable read-only memory (EEPROM), a programmable read-only memory (PROM), a magnetic memory, a magnetic disk, an optical disk, a server, an App application store, etc., on which a computer program is stored, which when executed by a processor implements corresponding functions. The computer-readable storage medium of this embodiment is used for storing an access control method of a terminal device, and when executed by a processor, implements the access control method of the terminal device of the first embodiment.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of another like element in the process, method, article or apparatus that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner.
The above description is only a preferred embodiment of the present invention, and is not intended to limit the scope of the present invention, and all equivalent structures or equivalent processes performed by the present invention or directly or indirectly applied to other related technical fields are also included in the scope of the present invention.

Claims (10)

1. An access control method for a terminal device, comprising:
receiving a terminal identification authentication request sent by a client, wherein the terminal identification authentication request comprises an identification token of terminal equipment and identity information of the terminal equipment;
authenticating the identification token to generate an authentication result;
sending the authentication result carrying the identity information to an access control platform, wherein at one end of the access control platform, a trusted terminal device is identified through the authentication result, after a service access request sent by the terminal device is received, an authentication result corresponding to the terminal device is inquired, and after an authentication result of successful authentication is inquired, an access information search request is sent to a server;
receiving an access information search request sent by the access control platform, wherein the access information search request comprises the identity information;
searching access information corresponding to the identity information in the access information searching request in a stored first corresponding relation, wherein the first corresponding relation is the corresponding relation between the access information and the identity information;
sending the found access information to the access control platform so that the access control platform performs access control on the terminal device according to the access information.
2. The method according to claim 1, wherein the identification token includes an identification string and an identification digital signature, the identification string includes the identity information, a first random number negotiated with the client, and an incremental code, the identification digital signature is a digital signature of the identification string by using a private key of the client, and the step of authenticating the identification token to generate the authentication result includes:
verifying the identification digital signature by using the stored public key of the client, wherein the public key of the client and the private key of the client are a key pair;
when the identification digital signature is successfully verified, judging whether a first random number and an incremental code in the identification character string are matched with a stored first random number and an incremental code;
when the first random number in the identification character string matches the stored first random number and the incremental code in the identification character string matches the stored incremental code, determining that the authentication result is successful; and
when the first random number in the identification character string does not match the stored first random number and/or the incremental code in the identification character string does not match the stored incremental code, determining that the authentication result is authentication failure.
3. The method according to claim 2, wherein the identification token in the terminal identification authentication request is data encrypted by a public key of a server, and before the step of authenticating the identification token to generate the authentication result, the method further comprises:
decrypting the identification token in the terminal identification authentication request using a private key of the server, wherein the public key of the server and the private key of the server are a key pair.
4. The method according to claim 2, wherein prior to the step of receiving the terminal identifier authentication request sent by the client, the method further comprises:
receiving an identification token request sent by the client, wherein the identification token request comprises the identity information and an identity digital signature, and the identity digital signature is a digital signature made on the identity information by using a private key of the client;
verifying the identity digital signature by using the stored public key of the client;
when the identity digital signature is verified successfully, generating a first random number and an incremental code;
storing the corresponding relation between the identity information and the first random number and the incremental code as a second corresponding relation; and
sending the first random number and the incremental code to the client.
5. The access control method of the terminal device according to claim 4, wherein the step of judging whether the first random number and the incremental code in the identification character string match the stored first random number and incremental code comprises:
looking up, in the second corresponding relation, the first random number and the incremental code corresponding to the identity information in the identification character string;
judging whether the looked-up first random number is the same as the first random number in the identification character string;
performing incremental processing on the looked-up incremental code according to a preset incremental mode; and
judging whether the incremental code after the incremental processing is the same as the incremental code in the identification character string.
6. The method according to claim 4, wherein before the step of authenticating the identification token to generate the authentication result, the method further comprises:
receiving a terminal device authentication request sent by the client;
generating a second random number and sending the second random number to the client;
receiving a random number digital signature and a certificate fingerprint sent by the client;
looking up a trusted certificate corresponding to the certificate fingerprint in a third corresponding relation, wherein the third corresponding relation is the correspondence between certificate fingerprints and trusted certificates;
acquiring a public key of the client from the trusted certificate; and
verifying the random number digital signature with the public key of the client,
wherein the step of authenticating the identification token is performed when the random number digital signature is verified successfully with the public key of the client.
7. The access control method of a terminal device according to claim 6, wherein before the step of receiving the random number digital signature and the certificate fingerprint sent by the client, the access control method of a terminal device further comprises:
receiving a trusted certificate application request sent by the client, wherein the trusted certificate application request comprises a public key of the client, the identity information and the customization information;
determining, according to the customization information and a predetermined certificate issuing strategy, whether a trusted certificate can be issued to the client;
if a trusted certificate can be issued to the client, generating the trusted certificate and the certificate fingerprint of the trusted certificate according to the public key of the client and the identity information; and
sending the trusted certificate and the certificate fingerprint to the client.
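The exchange that claims 4 to 7 describe, seen from the server side, as an added example in Go. This is not code from the patent or from Qianxin, and every concrete choice is an assumption: Ed25519 stands in for the client key pair whose algorithm the claims leave open; the trusted certificate is reduced to the client's public key with a SHA-256 fingerprint over identity and key in place of an X.509 certificate; the certificate issuing strategy of claim 7 and the encryption of the token under the server's public key of claim 3 are left out; the preset incremental mode is +1; and the server records the accepted incremental code after a successful check, which the claims do not state but which is what makes a replayed identification string fail. `Server`, `IssueCert`, `RequestToken`, `Challenge`, `VerifyChallenge`, `AuthenticateToken` and the identity `dev-001` are hypothetical names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

type tokenState struct {
	rnd     []byte // first random number
	counter uint64 // incremental code as last accepted by the server
}

type Server struct {
	clientKeys   map[string]ed25519.PublicKey // identity -> public key recorded when its certificate is issued
	trustedCerts map[string]ed25519.PublicKey // third relation: certificate fingerprint -> trusted certificate (here: its key)
	tokens       map[string]tokenState        // second relation: identity -> (first random number, incremental code)
	challenges   map[string][]byte            // identity -> outstanding second random number, single use
}

func NewServer() *Server {
	return &Server{map[string]ed25519.PublicKey{}, map[string]ed25519.PublicKey{}, map[string]tokenState{}, map[string][]byte{}}
}

func random(n int) []byte { // both "random numbers" of the claims come from the OS CSPRNG
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// IssueCert is claim 7 without the issuing strategy; the "certificate" is the key and its fingerprint is SHA-256(identity || key).
func (s *Server) IssueCert(identity string, pub ed25519.PublicKey) string {
	h := sha256.Sum256(append([]byte(identity), pub...))
	fp := hex.EncodeToString(h[:])
	s.clientKeys[identity] = pub
	s.trustedCerts[fp] = pub
	return fp
}

// RequestToken is claim 4: verify the identity digital signature, then mint the first random number and initial incremental code.
func (s *Server) RequestToken(identity string, sig []byte) ([]byte, uint64, error) {
	pub, ok := s.clientKeys[identity]
	if !ok || !ed25519.Verify(pub, []byte(identity), sig) {
		return nil, 0, errors.New("identity digital signature invalid")
	}
	s.tokens[identity] = tokenState{rnd: random(16), counter: 0}
	return s.tokens[identity].rnd, 0, nil
}

// Challenge is claim 6, steps 1-2: answer the terminal device authentication request with a second random number.
func (s *Server) Challenge(identity string) []byte {
	s.challenges[identity] = random(32)
	return s.challenges[identity]
}

// VerifyChallenge is claim 6, steps 3-6: find the trusted certificate by fingerprint and verify the nonce signature with its key.
func (s *Server) VerifyChallenge(identity, fingerprint string, sig []byte) error {
	nonce, ok := s.challenges[identity]
	if !ok {
		return errors.New("no outstanding challenge for this identity")
	}
	delete(s.challenges, identity) // consumed whether or not the signature verifies
	if pub, ok := s.trustedCerts[fingerprint]; !ok || !ed25519.Verify(pub, nonce, sig) {
		return errors.New("unknown certificate fingerprint or invalid random number digital signature")
	}
	return nil
}

// AuthenticateToken is claim 5: same first random number, and incremental code == stored code + preset increment (1 here).
func (s *Server) AuthenticateToken(identity string, rnd []byte, counter uint64) error {
	st, ok := s.tokens[identity]
	if !ok {
		return errors.New("no identification token issued for this identity")
	}
	if subtle.ConstantTimeCompare(st.rnd, rnd) != 1 {
		return errors.New("first random number mismatch")
	}
	if st.counter+1 != counter {
		return errors.New("incremental code mismatch: replayed or out-of-order identification string")
	}
	st.counter = counter // assumed: remember the accepted code so the same string is refused next time
	s.tokens[identity] = st
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	s := NewServer()
	fp := s.IssueCert("dev-001", pub) // "dev-001" is a constructed identity
	rnd, counter, _ := s.RequestToken("dev-001", ed25519.Sign(priv, []byte("dev-001")))
	fmt.Println("challenge:", s.VerifyChallenge("dev-001", fp, ed25519.Sign(priv, s.Challenge("dev-001"))))
	counter++ // the client advances the code before each terminal identification authentication request
	fmt.Println("first use:", s.AuthenticateToken("dev-001", rnd, counter), "/ replay:", s.AuthenticateToken("dev-001", rnd, counter))
}
```

Two properties of this arrangement are worth checking in any implementation of claims 5 and 6: the comparison against the stored code plus one rejects an identification string presented out of order as well as a replayed one, so a client that loses count must request a new token under claim 4 rather than retry; and the second random number is removed from the table before the signature is checked, so a failed attempt cannot be retried against the same challenge.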
8. An access control apparatus of a terminal device, comprising:
a first receiving module, configured to receive a terminal identification authentication request sent by a client, wherein the terminal identification authentication request comprises an identification token of a terminal device and identity information of the terminal device;
a first authentication module, configured to authenticate the identification token to generate an authentication result;
a first sending module, configured to send the authentication result carrying the identity information to an access control platform, wherein the access control platform identifies a trusted terminal device by the authentication result and, after receiving a service access request sent by the terminal device, first queries the authentication result corresponding to the terminal device and, once an authentication result indicating successful authentication is found, sends an access information search request to a server side;
a second receiving module, configured to receive the access information search request sent by the access control platform, wherein the access information search request comprises the identity information;
a first searching module, configured to look up, in a stored first corresponding relation, the access information corresponding to the identity information in the access information search request, wherein the first corresponding relation is the correspondence between access information and identity information; and
a second sending module, configured to send the looked-up access information to the access control platform, so that the access control platform performs access control on the terminal device according to the access information.
9. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor, when executing the computer program, implements the steps of the method of any one of claims 1 to 7.
10. A computer-readable storage medium having a computer program stored thereon, characterized in that the computer program, when executed by a processor, implements the steps of the method of any one of claims 1 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910402238.XA CN111953634B (en) 2019-05-15 2019-05-15 Access control method and device for terminal equipment, computer equipment and storage medium

Publications (2)

Publication Number Publication Date
CN111953634A CN111953634A (en) 2020-11-17
CN111953634B true CN111953634B (en) 2023-02-17

Family

ID=73336308

Country Status (1)

Country Link
CN (1) CN111953634B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112910854B (en) * 2021-01-18 2022-07-26 深圳万物安全科技有限公司 Method and device for safe operation and maintenance of Internet of things, terminal equipment and storage medium
CN113221188B (en) * 2021-04-25 2024-02-02 亿海蓝(北京)数据技术股份公司 AIS data evidence storage method, evidence obtaining method, device and storage medium
CN115150145B (en) * 2022-06-28 2023-05-23 腾讯科技(深圳)有限公司 Crowd-sourced device communication method, device, computer device and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101729541A (en) * 2009-11-26 2010-06-09 广东宇天信通通信科技有限公司 Method and system for accessing resources of multi-service platform
CN102201915A (en) * 2010-03-22 2011-09-28 中国移动通信集团公司 Terminal authentication method and device based on single sign-on
CN103763631A (en) * 2014-01-07 2014-04-30 青岛海信信芯科技有限公司 Authentication method, server and television
CN104158802A (en) * 2014-07-28 2014-11-19 百度在线网络技术(北京)有限公司 Platform authorization method, platform service side, application client side and system
CN109391468A (en) * 2017-08-14 2019-02-26 杭州萤石网络有限公司 A kind of authentication method and system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
SG10201702881VA (en) * 2017-04-07 2018-11-29 Mastercard International Inc Systems and methods for processing an access request

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Cloud security management platform based on identity authentication and access control; Tian Yan et al.; Measurement & Control Technology (《测控技术》); 2013-02-18 (No. 02); full text *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088

Applicant after: Qianxin Technology Group Co.,Ltd.

Address before: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088

Applicant before: BEIJING QIANXIN TECHNOLOGY Co.,Ltd.

GR01 Patent grant