CN111984958B - Authentication method supporting VNC double factors - Google Patents

Info

Publication number
CN111984958B
Authority
CN
China
Prior art keywords
vnc
authentication
token
double
factor
Legal status
Active
Application number
CN202010785426.8A
Other languages
Chinese (zh)
Other versions
CN111984958A (en)
Inventor
邹忻江
范渊
吴永越
郑学新
刘韬
Current Assignee
Chengdu DBAPPSecurity Co Ltd
Original Assignee
Chengdu DBAPPSecurity Co Ltd
Priority date
2020-08-06
Filing date
2020-08-06
Publication date
2024-02-02
Events
2020-08-06 Application filed by Chengdu DBAPPSecurity Co Ltd
2020-08-06 Priority to CN202010785426.8A
2020-11-24 Publication of CN111984958A
2024-02-02 Application granted; publication of CN111984958B
Current status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/33 User authentication using certificates

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer And Data Communications (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention discloses an authentication method supporting VNC two-factor authentication. The two-factor information is looked up by the TwoFactorToken; the user password and the TwoFactorValue returned by that lookup are assembled as password|TwoFactorValue, and a checksum is computed over this string with the 16-byte key returned by the same lookup, giving a 16-byte checksum. If the computed 16-byte checksum equals the checksum sent by the VNC client, authentication succeeds. The invention supports two-factor authentication through a protocol agent inside the VNC protocol flow; after a two-factor failure the user can re-enter the factor and authenticate again, and because several two-factor authentication tokens are generated at once, the number of round trips to the server is effectively reduced.

Description

Authentication method supporting VNC double factors
Technical Field
The invention belongs to the technical field of computers and in particular relates to an authentication method supporting VNC two-factor authentication.
Background
VNC authentication differs from that of other protocols in that it is based on a challenge code. In SSH protocol authentication, for example, the client sends the password itself to the server, which can compare it directly on receipt. The VNC authentication process is as follows:
1: TCP three-way handshake; the connection is established.
2: The server sends 16 bytes of key information (the challenge) to the client.
3: The client computes a checksum from the key information and the password entered by the user, obtaining a 16-byte check value. (The verification is described here as an MD5-style hash yielding a fixed-length value; in the RFB specification's VNC Authentication security type the 16-byte response is instead produced by DES-encrypting the challenge under a key derived from the password.)
4: The client sends the user name and the check value to the server.
5: The server performs the same step-3 checksum calculation over the 16-byte key information and the user password it has stored, obtaining its own checksum.
6: The server compares the checksum it computed with the one sent by the client, and on that basis decides whether authentication succeeds.
Verifying VNC with a challenge code protects the password in transit, but it also makes verification more complex: a bastion host program must check not only the password but also a second factor such as an SMS verification code, an AliMFA code or a Google Authenticator token. The invention therefore provides a scheme for two-factor verification during VNC login.
Disclosure of Invention
The invention aims to provide an authentication method supporting VNC two-factor authentication, which supports two-factor authentication through a protocol agent in the VNC protocol flow; after a two-factor failure the factor can be re-entered and authentication repeated, and because several two-factor authentication tokens are generated at once, the number of round trips to the server is effectively reduced.
The invention is realized mainly by the following technical scheme. An authentication method supporting VNC two-factor authentication mainly comprises the following steps:
step S4: parse the Token data, assemble username|TwoFactorToken into the user name field and password|TwoFactorValue into the password field, and pass them to the client program;
step S5: obtain the 16-byte key of the VNC protocol agent and compute the checksum over the assembled password and the 16-byte key, obtaining a 16-byte checksum; then parse the user name field to obtain the real user name and the TwoFactorToken, and obtain the user's real password from the user name;
step S6: look up the two-factor information by the TwoFactorToken; assemble user password|TwoFactorValue from the looked-up value, and compute the checksum with the 16-byte key returned by the same TwoFactorToken lookup, obtaining a 16-byte checksum;
step S7: judge whether the computed 16-byte checksum equals the checksum sent by the VNC client; if so, authentication succeeds.
To better realize the invention, the method mainly comprises the following steps:
step S4: the single sign-on device receives the entered two-factor value and assembles the data: it takes the first value in the Token's TwoFactorTokens, fills the VNC client's user name field with token.Username|token.TwoFactorTokens[0], fills the VNC client's Password field with password|TwoFactorValue, and passes the data to the VNC client;
step S5: the VNC client initiates VNC authentication; on receiving the authentication request the VNC protocol agent requests a 16-byte key from the key module; the key module generates a key and returns it to the VNC protocol agent module; the VNC protocol agent stores the key temporarily and returns it to the VNC client program;
on receiving the 16-byte key, the VNC client program computes a checksum from the password and key fields by the standard VNC algorithm, obtaining a 16-byte checksum, and sends the message to the VNC protocol agent module;
when the VNC protocol agent module receives the request, it splits the user name field on "|", recovers the real user name and TwoFactorTokens[0], and sends an authentication request to the user authentication module;
the user authentication module obtains the user password from the user name and then uses TwoFactorTokens[0] to query the Token generation module for the TwoFactorValue and the 16-byte original key;
step S6: the Token authentication module looks up the TwoFactorValue and the 16-byte original key by TwoFactorTokens[0] and returns them to the user authentication module;
the user authentication module takes user password|TwoFactorValue and, with the 16-byte original key, computes the final 16-byte checksum by the standard VNC algorithm;
step S7: it then compares the obtained 16-byte checksum for equality with the Password supplied by the VNC agent and returns the authentication result to the VNC protocol agent module; the VNC protocol agent module returns the authentication result to the VNC client program, and after successful authentication the subsequent VNC data transfer proceeds.
To better realize the invention, the method further comprises the following steps:
step S1: the browser initiates an operation and maintenance application and a Token is generated for the target asset;
step S2: judge whether a second factor is needed; if not, go to step S4, otherwise go to step S3;
step S3: the two-factor value is entered, then go to step S4.
To better realize the invention, the method further comprises the following steps:
step S1: the browser sends a request to the Token generation module and submits an operation and maintenance application; the Token generation module checks the access rights;
step S2: it determines whether a second factor is required;
step S3: if required, it generates a two-factor value and sends it to the user, generates the number of two-factor authentication tokens configured at the service layer, and returns the Token information;
the browser displays a page for entering the password; after the user enters it, the browser sends an HTTP request to the local single sign-on device asking it to complete a C/S operation and maintenance session, and passes the Token to it;
the single sign-on device parses the Token to judge whether a second factor must be entered, and returns that it must;
the browser displays the two-factor entry page; the user fills it in and submits it, and the browser sends the C/S operation and maintenance request to the single sign-on device again.
To better implement the invention, in step S7, if authentication fails, the single sign-on device loops through steps 3-7 again until authentication succeeds or the values in TwoFactorTokens are used up.
To better realize the invention, further, if authentication fails, it is judged whether the number of authentication failures has reached the set error threshold; if it has, the process ends, otherwise steps 3-7 are executed again.
The beneficial effects of the invention are:
it supports two-factor authentication through a protocol agent in the VNC protocol flow; after a two-factor failure the factor can be re-entered and authentication repeated; and because several two-factor authentication tokens are generated at once, the number of round trips to the server is effectively reduced.
Drawings
Fig. 1 is a schematic diagram of the VNC authentication flow;
Fig. 2 is a flow chart of two-factor authentication;
Fig. 3 is a flow chart of the present invention.
Detailed Description
Example 1:
An authentication method supporting VNC two-factor authentication, as shown in Figs. 1-3, mainly comprises the following steps:
1. The browser sends a request to the Token generation module and submits an operation and maintenance (O&M) application.
2. After the Token generation module has checked the access authority, it decides whether a second factor is needed. If so, it generates a two-factor value and sends it to the user; for an SMS verification code, for example, a text message is sent to the user's mobile phone number. It then generates the number of two-factor authentication tokens configured at the service layer.
3. The Token information is returned. The Token is a data structure that is serialized and then base64-encoded; its decoded content is shown in Table 1. TwoFactorTokens is an array holding the n two-factor authentication tokens.
4. The browser displays a page for entering the password. After the user enters it, the browser sends an HTTP request to the local single sign-on (SSO) device asking it to complete a C/S O&M session, and passes the Token to it. The data structure is shown in Table 2.
5. The SSO device parses the Token to determine whether a second factor must be entered, and returns that it must. The data structure is shown in Table 3.
6. The browser displays the two-factor entry page; the user fills it in and submits it, and the browser sends the C/S O&M request to the SSO device again. The data structure is shown in Table 4.
7. The SSO device receives the entered two-factor value and assembles the data: it takes the first value in token.TwoFactorTokens, fills the VNC client's user name field with token.Username|token.TwoFactorTokens[0], fills the VNC client's Password field with password|TwoFactorValue, and passes the data to the VNC client.
8. The VNC client initiates VNC authentication.
9. On receiving the authentication request, the VNC protocol agent requests a 16-byte key from the key module.
10. The key module generates a key and returns it to the VNC protocol agent module.
11. The VNC protocol agent stores the key temporarily and returns it to the VNC client program.
12. On receiving the 16-byte key, the VNC client program computes a checksum from the password field (which the SSO device has changed to password|two-factor value) and the key, following the standard VNC algorithm, and obtains a 16-byte checksum, which it sends to the VNC protocol agent module.
13. When the VNC protocol agent module receives the message, it splits the user name field on "|" to recover the real user name and TwoFactorTokens[0], and then sends an authentication request to the user authentication module. The data structure is shown in Table 5.
14. The user authentication module obtains the user's password from the user name, and uses TwoFactorTokens[0] to query the Token generation module for the TwoFactorValue and the 16-byte original key.
15. The Token authentication module looks up the TwoFactorValue and the 16-byte original key by TwoFactorTokens[0] and returns them to the user authentication module.
16. The user authentication module takes user password|TwoFactorValue and, with the 16-byte original key, computes the final 16-byte checksum by the standard VNC algorithm. It compares this for equality with the Password supplied by the VNC agent and returns the authentication result to the VNC protocol agent module.
17. The VNC protocol agent module returns the authentication result to the VNC client program. After successful authentication the normal VNC data transfer follows. If authentication fails, the SSO device repeats steps 5-17 until authentication succeeds or the values in TwoFactorTokens are used up. As shown in Fig. 3, the method further includes a check on the number of two-factor authentication failures.
TABLE 1
Field: Meaning
instanceIP: IP address of the target instance
instanceName: Name of the target instance
Protocol: Protocol
Port: Port
Username: User name
TwoFactorType: Two-factor type
TwoFactorPrompt: Prompt shown to the user when asking for the two-factor value
TwoFactorTokens: Array of two-factor tokens
TwoFactorTokens is an array; it holds the two-factor authentication tokens needed so that, after a wrong two-factor value, the factor can be re-entered and authentication repeated.
TABLE 2
Field: Meaning
Token: Token from step S1
Password: User password
TABLE 3
Field: Meaning
TwoFactorPrompt: Prompt message
NeedTwoFactor: Whether two-factor authentication is required
TABLE 4
Field: Meaning
Token: Token from step S1
TwoFactorValue: Two-factor value
TABLE 5
Field: Meaning
Username: User name
TwoFactorToken: Two-factor Token
Password: 16-byte checksum sent by the VNC client
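The flow of steps 1-17 above, together with the VNC challenge-response described in the Background section and the data structures of Tables 1-5, as a runnable simulation added here. This is example code, not code from the patent or from Chengdu DBAPPSecurity, and everything the page leaves open is an assumption marked in the comments: the checksum is HMAC-MD5 over the 16-byte key and the password field (the page only says an MD5 hash with the 16-byte key; the RFB specification's VNC Authentication type uses DES instead), the key module and the Token module share one record per TwoFactorToken, the user store is an in-memory dict, the Token is serialized as JSON before base64 encoding, and all module, class and function names are invented. The sample user, password and SMS code are constructed.

```python
import base64
import hashlib
import hmac
import json
import os


def vnc_checksum(key: bytes, password: str) -> bytes:
    # 16-byte check value over the 16-byte key and the password. The page only says
    # "MD5 hash calculation", so HMAC-MD5 is assumed here; RFB's own "VNC
    # Authentication" security type DES-encrypts the challenge under the password.
    return hmac.new(key, password.encode(), hashlib.md5).digest()


class TokenModule:
    # Token generation/authentication module: issues the Table 1 Token and keeps, per
    # TwoFactorToken, the TwoFactorValue and the 16-byte original key.
    def __init__(self, tokens_per_login=3):
        self.tokens_per_login = tokens_per_login
        self.records = {}  # TwoFactorToken -> {"value": str, "key": bytes or None}

    def issue(self, username, instance_ip):
        value = "%06d" % (int.from_bytes(os.urandom(4), "big") % 1000000)  # SMS code
        tokens = [base64.urlsafe_b64encode(os.urandom(16)).decode().rstrip("=")
                  for _ in range(self.tokens_per_login)]  # n tokens: room for retries
        self.records.update({t: {"value": value, "key": None} for t in tokens})
        token = {"instanceIP": instance_ip, "instanceName": "vnc-host", "Protocol": "vnc",
                 "Port": 5900, "Username": username, "TwoFactorType": "sms",
                 "TwoFactorPrompt": "Enter the SMS code", "TwoFactorTokens": tokens}
        return base64.b64encode(json.dumps(token).encode()).decode(), value

    def bind_key(self, tf_token, key):
        # The page does not say how the key module shares the per-connection key with
        # the Token module; recording it against the parsed token is assumed.
        self.records[tf_token]["key"] = key

    def lookup(self, tf_token):
        rec = self.records.pop(tf_token, None)  # one use per token: no replay
        return (rec["value"], rec["key"]) if rec else (None, None)


class UserAuthModule:
    # Steps 14-16: real password, TwoFactorValue and original key -> expected checksum.
    def __init__(self, users, token_module):
        self.users, self.tokens = users, token_module

    def verify(self, username, tf_token, client_checksum):
        password = self.users.get(username)
        value, key = self.tokens.lookup(tf_token)
        if password is None or key is None:
            return False
        expected = vnc_checksum(key, password + "|" + value)
        return hmac.compare_digest(expected, client_checksum)  # constant-time compare


class VncProtocolAgent:
    # Steps 9-13 and 17: issue the key, then split "username|TwoFactorToken".
    def __init__(self, user_auth, token_module):
        self.user_auth, self.tokens = user_auth, token_module

    def authenticate(self, client_respond):
        key = os.urandom(16)  # from the key module; cached for this connection
        username_field, checksum = client_respond(key)  # step 12 on the client side
        # Split from the right: tokens never contain "|", so a user name that does
        # still comes back intact.
        real_user, sep, tf_token = username_field.rpartition("|")
        if not sep or tf_token not in self.tokens.records:
            return False
        self.tokens.bind_key(tf_token, key)
        return self.user_auth.verify(real_user, tf_token, checksum)


def sso_login(token_b64, password, two_factor_attempts, agent, max_failures=2):
    # Single sign-on device, steps 5-7 plus the retry loop: each attempt consumes the
    # next TwoFactorToken; stop on success, when tokens run out, or at the threshold.
    token = json.loads(base64.b64decode(token_b64))
    failures = 0
    for tf_token, value in zip(token["TwoFactorTokens"], two_factor_attempts):
        user_field, pw_field = token["Username"] + "|" + tf_token, password + "|" + value
        # An unmodified VNC client: it runs the standard checksum and never learns
        # that a second factor is folded into its password field.
        if agent.authenticate(lambda key: (user_field, vnc_checksum(key, pw_field))):
            return True, failures
        failures += 1
        if failures >= max_failures:
            break
    return False, failures


def demo(attempts, max_failures=2):
    # Constructed scenario: user "ops|admin" (note the "|"), password "S3cret!"; the
    # placeholder "<sms>" stands for the code the user actually received.
    tokens = TokenModule(tokens_per_login=3)
    agent = VncProtocolAgent(UserAuthModule({"ops|admin": "S3cret!"}, tokens), tokens)
    token_b64, sms_code = tokens.issue("ops|admin", "10.0.0.5")
    attempts = [sms_code if a == "<sms>" else a for a in attempts]
    return sso_login(token_b64, "S3cret!", attempts, agent, max_failures)
```

demo(["<sms>"]) returns (True, 0); demo(["wrong", "<sms>"]) returns (True, 1), the second token succeeding after the first was consumed; with max_failures=2, demo(["wrong", "wrong", "<sms>"]) stops at (False, 2) before the third token is tried, and four wrong entries exhaust the three tokens at (False, 3). Two points the page leaves implicit are made explicit here: each TwoFactorToken is removed from the record on first use, so a captured username|token pair cannot be replayed against a later challenge, and the step 16 comparison uses hmac.compare_digest so that timing does not reveal how many checksum bytes matched. One caveat for anyone implementing this against real clients: the RFB specification's own VNC Authentication derives its DES key from at most the first 8 bytes of the password, so a client using that exact algorithm would silently drop a two-factor value appended after a password of 8 or more characters; the "standard VNC algorithm" the page relies on has to consume the whole password field.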
The foregoing description is only a preferred embodiment of the present invention, and is not intended to limit the present invention in any way, and any simple modification, equivalent variation, etc. of the above embodiment according to the technical matter of the present invention fall within the scope of the present invention.

Claims (5)

1. An authentication method supporting VNC two-factor authentication, characterized by mainly comprising the following steps:
step S1: the browser initiates an operation and maintenance application and a Token is generated for the target asset;
step S2: judge whether a second factor is needed; if not, go to step S4, otherwise go to step S3;
step S3: enter the two-factor value, then go to step S4;
step S4: parse the Token data, assemble username|TwoFactorToken into the user name field and password|TwoFactorValue into the password field, and pass them to the client program;
step S5: obtain the 16-byte key of the VNC protocol agent and compute the checksum over the assembled password and the 16-byte key, obtaining a 16-byte checksum; then parse the user name field to obtain the real user name and the TwoFactorToken, and obtain the user's real password from the user name;
step S6: look up the two-factor information by the TwoFactorToken; assemble user password|TwoFactorValue from the looked-up value, and compute the checksum with the 16-byte key returned by the same TwoFactorToken lookup, obtaining a 16-byte checksum;
step S7: judge whether the computed 16-byte checksum equals the checksum sent by the VNC client; if so, authentication succeeds.
2. The authentication method supporting VNC two-factor authentication according to claim 1, mainly comprising the steps of:
step S4: the single sign-on device receives the entered two-factor value and assembles the data: it takes the first value in the Token's TwoFactorTokens, fills the VNC client's user name field with token.Username|token.TwoFactorTokens[0], fills the VNC client's Password field with password|TwoFactorValue, and passes the data to the VNC client;
step S5: the VNC client initiates VNC authentication; on receiving the authentication request the VNC protocol agent requests a 16-byte key from the key module; the key module generates a key and returns it to the VNC protocol agent module; the VNC protocol agent stores the key temporarily and returns it to the VNC client program;
on receiving the 16-byte key, the VNC client program computes a checksum from the password and key fields by the standard VNC algorithm, obtaining a 16-byte checksum, and sends the message to the VNC protocol agent module;
when the VNC protocol agent module receives the request, it splits the user name field on "|", recovers the real user name and TwoFactorTokens[0], and sends an authentication request to the user authentication module;
the user authentication module obtains the user password from the user name and then uses TwoFactorTokens[0] to query the Token generation module for the TwoFactorValue and the 16-byte original key;
step S6: the Token authentication module looks up the TwoFactorValue and the 16-byte original key by TwoFactorTokens[0] and returns them to the user authentication module;
the user authentication module takes user password|TwoFactorValue and, with the 16-byte original key, computes the final 16-byte checksum by the standard VNC algorithm;
step S7: it then compares the obtained 16-byte checksum for equality with the Password supplied by the VNC agent and returns the authentication result to the VNC protocol agent module; the VNC protocol agent module returns the authentication result to the VNC client program, and after successful authentication the subsequent VNC data transfer proceeds.
3. The authentication method supporting VNC two-factor authentication according to claim 1 or 2, further comprising the steps of:
step S1: the browser sends a request to the Token generation module and submits an operation and maintenance application; the Token generation module checks the access rights;
step S2: it determines whether a second factor is required;
step S3: if required, it generates a two-factor value and sends it to the user, generates the number of two-factor authentication tokens configured at the service layer, and returns the Token information;
the browser displays a page for entering the password; after the user enters it, the browser sends an HTTP request to the local single sign-on device asking it to complete a C/S operation and maintenance session, and passes the Token to it;
the single sign-on device parses the Token to judge whether a second factor must be entered, and returns that it must;
the browser displays the two-factor entry page; the user fills it in and submits it, and the browser sends the C/S operation and maintenance request to the single sign-on device again.
4. The authentication method supporting VNC two-factor authentication according to claim 1 or 2, wherein in step S7, if authentication fails, the single sign-on device loops through steps 3-7 again until authentication succeeds or the values in TwoFactorTokens are used up.
5. The authentication method supporting VNC two-factor authentication according to claim 4, wherein if authentication fails, it is judged whether the number of authentication failures has reached the set error threshold; if it has, the process ends, otherwise steps 3 to 7 are executed again.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010785426.8A CN111984958B (en) 2020-08-06 2020-08-06 Authentication method supporting VNC double factors

Publications (2)

Publication Number Publication Date
CN111984958A CN111984958A (en) 2020-11-24
CN111984958B true CN111984958B (en) 2024-02-02

Family

ID=73444520

Country Status (1)

Country Link
CN (1) CN111984958B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113364729B (en) * 2021-04-07 2023-11-21 苏州瑞立思科技有限公司 User authentication method based on UDP proxy protocol

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007059169A2 (en) * 2005-11-15 2007-05-24 Clairmail Inc Media transfer protocol
CN101729545A (en) * 2008-10-24 2010-06-09 新思科技有限公司 Secure consultation system
CN101753303A (en) * 2008-12-03 2010-06-23 北京天融信科技有限公司 Two-factor authentication method
WO2015004598A1 (en) * 2013-07-09 2015-01-15 Biocatch Ltd. Device, system, and method of differentiating among users of a computerized service
CN104486343A (en) * 2014-12-18 2015-04-01 广东粤铁科技有限公司 Method and system for two-factor mutual authentication
CN107113319A (en) * 2016-07-14 2017-08-29 华为技术有限公司 Method, device, system and proxy server for responding in Virtual Network Computing authentication
CN107612736A (en) * 2017-09-21 2018-01-19 成都安恒信息技术有限公司 Container-based web browser operation audit method
CN107690791A (en) * 2015-07-07 2018-02-13 阿读随得有限公司 Method for securing authentication in electronic communication
CN109286627A (en) * 2018-10-10 2019-01-29 四川长虹电器股份有限公司 Identity authentication method based on two-factor authentication

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9450971B2 (en) * 2010-11-29 2016-09-20 Biocatch Ltd. Device, system, and method of visual login and stochastic cryptography

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Online identity authentication system based on key management technology (基于密钥管理技术的在线身份认证系统); Xu Dihua et al.; Computer Engineering (15); pp. 124-126 *

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant