CN112437088B - Internet terminal login double-factor security authentication system - Google Patents


Info

Publication number: CN112437088B
Authority: CN (China)
Application number: CN202011338379.9A
Other languages: Chinese (zh)
Other versions: CN112437088A (en)
Inventors: 邱宝山, 孙振伟
Current and original assignee: Anhui Teddy Information Technology Co ltd
Legal status: Active (application granted)
Prior art keywords: login, data, module, local server, authentication

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0861 Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority

Abstract

The invention relates to a security authentication system, in particular to an internet terminal login double-factor security authentication system. The system comprises a local server, a cloud server and a login data acquisition module. The local server and the login data acquisition module communicate with each other, and the login data acquisition module acquires login data. The local server is connected with a login request acquisition module for receiving a login request, and the cloud server is connected with a data storage module for storing relevant login data. The cloud server retrieves the corresponding relevant login data according to the login password in the login data and sends it to the local server; the local server is connected with a data decryption module for decrypting the relevant login data with the login password in the login data, and with an information generation module for generating authentication information from the decrypted relevant login data. The technical scheme provided by the invention can effectively overcome the defects of the prior art: a single authentication mode, a low security coefficient, and a complex authentication process when third-party authentication is combined with it.

Description

Internet terminal login double-factor security authentication system
Technical Field
The invention relates to a security authentication system, in particular to an internet terminal login double-factor security authentication system.
Background
Before accessing a secure system, a user must first have their identity verified by the identity authentication system; the user then reaches the monitoring module, and the system decides, according to the user's identity and authorization, whether the user may access a given resource. System login security and identity authentication are therefore the first line of defence in a secure system, the basis on which access control is implemented, and a very important function in the field of system security.
"Two-factor" identity authentication is an authentication system that only works through the combination of a first gate and a second authentication element. For example, withdrawing cash from an ATM with a bank card is a "two-factor" mechanism: it requires the combination of two authentication elements, namely knowing the withdrawal password and possessing the corresponding bank card. Third-party authentication is an authentication mechanism performed by a party other than the two communicating parties; it verifies the real identity of the communication applicant, so that false information is avoided to the greatest extent and the benefit of the communication is ensured.
However, the existing terminal login security authentication system usually adopts a single authentication mode, its security coefficient is low, and when third-party authentication is combined with it the authentication process becomes complex, which is not conducive to wide use.
Disclosure of Invention
(I) Technical problem to be solved
In view of the defects in the prior art, the invention provides an internet terminal login double-factor security authentication system which can effectively overcome the defects of the prior art: a single authentication mode, a low security coefficient, and a complex authentication process when third-party authentication is combined with it.
(II) Technical scheme
In order to achieve the above purpose, the invention is realized by the following technical scheme:
An internet terminal login double-factor security authentication system comprises a local server, a cloud server and a login data acquisition module. The local server and the cloud server communicate with each other, and the login data acquisition module acquires login data. The local server is connected with a login request acquisition module for receiving a login request, and the cloud server is connected with a data storage module for storing relevant login data;
the cloud server retrieves the corresponding relevant login data according to the login password in the login data and sends it to the local server; the local server is connected with a data decryption module for decrypting the relevant login data with the login password in the login data, and with an information generation module for generating authentication information from the decrypted relevant login data; the cloud server is connected with a data retrieval module for retrieving confirmation information according to the login password in the login data, and with a comparison authentication module for comparing and authenticating the authentication information against the confirmation information;
the local server is connected with a data judgment module for judging whether the login data contain biological characteristics, with an acquisition request sending module for sending a biological characteristic acquisition request according to the judgment result, with a verification mode selection module for selecting a biological characteristic acquisition mode, and with a biological information acquisition module for acquiring the biological characteristics; the cloud server is connected with a data matching module for matching the acquired biological characteristics against the data storage module; and the local server is connected with a policy execution module for executing a policy according to the results of the comparison authentication module and the data matching module.
Preferably, the cloud server retrieves the encrypted verification random number and the encrypted calibration random number according to the login password in the login data and sends both to the local server; the verification random number and the calibration random number are generated by different encryption methods from the login password.
Preferably, the data decryption module decrypts the verification random number and the calibration random number sent by the cloud server using the login password in the login data.
Preferably, the information generation module generates the authentication information by:
generating a calibration length and a calibration initial position from the decrypted calibration random number;
deleting, from the decrypted verification random number, the data starting at the calibration initial position and spanning the calibration length;
moving the bit of data that immediately preceded the first deleted bit forward, so that it sits before the bit at the calibration-length position;
and combining the two remaining parts of the decrypted verification random number in their original order.
Preferably, the data retrieval module retrieves the corresponding confirmation information from the data storage module according to the login password in the login data, and the comparison authentication module sends the comparison authentication result to the local server.
Preferably, when the data judgment module judges that the login data contain biological characteristics, the local server sends the biological characteristics to the cloud server, and the cloud server performs the matching through the data matching module and sends the matching result to the local server.
Preferably, when the data judgment module judges that the login data do not contain biological characteristics, the acquisition request sending module sends a biological characteristic acquisition request to the user, and the local server starts the verification mode selection module and a prompt tone.
Preferably, the local server starts the corresponding biological information acquisition module according to the biological characteristic acquisition mode selected by the user.
Preferably, when the comparison authentication result of the comparison authentication module is consistent and the matching result of the data matching module is successful, the policy execution module executes the login-permitted policy;
when the comparison authentication result of the comparison authentication module is inconsistent, the cloud server disconnects from the local server;
and when the comparison authentication result of the comparison authentication module is consistent but the matching result of the data matching module is unsuccessful, the policy execution module executes the login-not-permitted policy.
(III) Advantageous effects
Compared with the prior art, the internet terminal login double-factor security authentication system provided by the invention effectively raises the security coefficient of login authentication by combining a password with a biological characteristic as two authentication factors. At the same time, third-party authentication is added to the password authentication process, so that the real identity of the local communication applicant can be effectively verified, communication with a local party of unknown identity is prevented from being established, and the security level of communication within the area is effectively improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below. It is obvious that the drawings in the following description are only some embodiments of the invention, and that for a person skilled in the art, other drawings can be derived from them without inventive effort.
FIG. 1 is a schematic diagram of the system of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention. It is to be understood that the embodiments described are only a few embodiments of the present invention, and not all embodiments. All other embodiments, which can be obtained by a person skilled in the art without inventive step based on the embodiments of the present invention, are within the scope of protection of the present invention.
An internet terminal login double-factor security authentication system, shown in figure 1, comprises a local server, a cloud server and a login data acquisition module. The local server and the cloud server communicate with each other, and the login data acquisition module acquires login data. The local server is connected with a login request acquisition module for receiving login requests, and the cloud server is connected with a data storage module for storing relevant login data.
The cloud server retrieves the corresponding relevant login data according to the login password in the login data and sends it to the local server. The local server is connected with a data decryption module for decrypting the relevant login data with the login password in the login data, and with an information generation module for generating authentication information from the decrypted relevant login data. The cloud server is connected with a data retrieval module for retrieving confirmation information according to the login password in the login data, and with a comparison authentication module for comparing and authenticating the authentication information against the confirmation information.
The cloud server retrieves the encrypted verification random number and the encrypted calibration random number according to the login password in the login data and sends both to the local server; the verification random number and the calibration random number are generated by different encryption methods from the login password.
The data decryption module decrypts the verification random number and the calibration random number sent by the cloud server using the login password in the login data.
The information generation module generates the authentication information by:
generating a calibration length and a calibration initial position from the decrypted calibration random number;
deleting, from the decrypted verification random number, the data starting at the calibration initial position and spanning the calibration length;
moving the bit of data that immediately preceded the first deleted bit forward, so that it sits before the bit at the calibration-length position;
and combining the two remaining parts of the decrypted verification random number in their original order.
The data retrieval module retrieves the corresponding confirmation information from the data storage module according to the login password in the login data; the comparison authentication module compares and authenticates the authentication information against the confirmation information and sends the comparison authentication result to the local server.
In the technical scheme of this application, the encryption methods used for the verification random number and the calibration random number, and the algorithm by which the information generation module generates the authentication information, are broadcast only within the local area that is securely connected to the cloud server. The local server can therefore use the encryption methods and the algorithm only after establishing a secure connection with the cloud server.
The local server is connected with a data judgment module for judging whether the login data contain biological characteristics, with an acquisition request sending module for sending a biological characteristic acquisition request according to the judgment result, with a verification mode selection module for selecting a biological characteristic acquisition mode, and with a biological information acquisition module for acquiring the biological characteristics. The cloud server is connected with a data matching module for matching the acquired biological characteristics against the data storage module, and the local server is connected with a policy execution module for executing a policy according to the results of the comparison authentication module and the data matching module.
When the data judgment module judges that the login data contain biological characteristics, the local server sends the biological characteristics to the cloud server, and the cloud server performs the matching through the data matching module and sends the matching result to the local server.
When the data judgment module judges that the login data do not contain biological characteristics, the acquisition request sending module sends a biological characteristic acquisition request to the user, and the local server starts the verification mode selection module and a prompt tone. The biological characteristic acquisition modes comprise iris, fingerprint, finger vein, palm print and palm vein.
The local server starts the corresponding biological information acquisition module according to the biological characteristic acquisition mode selected by the user. The biological information acquisition module may be biological characteristic acquisition equipment attached to the local server, or a mobile terminal carried by the user that can acquire biological characteristics; in the latter case the user acquires the biological characteristics remotely through the mobile terminal and transmits the data to the local server.
When the comparison authentication result of the comparison authentication module is consistent and the matching result of the data matching module is successful, the policy execution module executes the login-permitted policy;
when the comparison authentication result of the comparison authentication module is inconsistent, the cloud server disconnects from the local server;
and when the comparison authentication result of the comparison authentication module is consistent but the matching result of the data matching module is unsuccessful, the policy execution module executes the login-not-permitted policy.
In the technical scheme of this application, an inconsistent result from the comparison authentication module has two possible causes: either the user entered a wrong password, or the local server has not established a secure connection with the cloud server, in which case there may be a threat of an attack on the cloud server. In either case the cloud server takes the most secure action and disconnects from the local server.
When the user enters the correct password on the local server and the comparison authentication result of the comparison authentication module is consistent, the cloud server re-establishes the secure connection with the local server. Because third-party authentication is added to the password authentication process, the real identity of the local communication applicant can be effectively verified, communication with a local applicant of unknown identity is prevented from being established, and the security level of communication within the area is effectively improved.
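The password stage described in the technical scheme and again in the detailed description above (encrypted verification and calibration random numbers, the four-step information generation module, the cloud-side comparison) and the three-way policy decision, as an added Python walk-through. This is example code written for this page, not code from the patent or from Anhui Teddy Information Technology Co ltd. The patent does not specify the encryption methods, how the calibration length and initial position are derived from the calibration random number, or exactly where the relocated bit lands, so those are assumptions marked in the comments: XOR with an HMAC-SHA256 keystream keyed from the login password (two labels standing in for the two "different encryption methods"), length and start taken from the first two decrypted calibration bytes, and the preceding bit re-inserted at index `length`. All names, the salt and the enrolment values are constructed for the example.

```python
"""Constructed walk-through of the patent's password stage and policy decision.

Assumptions (the patent leaves these open):
  * "encryption" of the two random numbers is XOR with an HMAC-SHA256 keystream
    keyed from the login password; the two "different encryption methods" are
    modelled as two keystream labels;
  * the calibration length and calibration initial position are taken from the
    first two bytes of the decrypted calibration random number;
  * the bit preceding the deleted span is re-inserted at index `length`.
"""
import hashlib
import hmac
import os

SALT = b"constructed-salt"  # constructed value; use a per-user random salt in practice


def _keystream(password: str, label: bytes, n: int) -> bytes:
    """Derive n keystream bytes from the password and a method label (assumption)."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 10_000)
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, label + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def encrypt(password: str, label: bytes, data: bytes) -> bytes:
    """XOR with the password-derived keystream; the same call decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(password, label, len(data))))


decrypt = encrypt


def generate_authentication_info(verification: bytes, calibration: bytes) -> bytes:
    """Information generation module, following the four steps in the description."""
    bits = [(byte >> i) & 1 for byte in verification for i in range(7, -1, -1)]
    # Step 1: calibration length and initial position from the calibration number
    length = calibration[0] % 8 + 1                 # assumption: 1..8 bits
    start = calibration[1] % (len(bits) - length)  # assumption: span stays in range
    # Step 2: delete the span [start, start + length) from the verification number
    remaining = bits[:start] + bits[start + length:]
    # Step 3: the bit that preceded the deleted span moves forward to index `length`
    if start > 0:  # assumption: nothing to move when the span began at bit 0
        remaining.insert(length, remaining.pop(start - 1))
    # Step 4: the two parts are already joined in order; pad and pack into bytes
    remaining += [0] * (-len(remaining) % 8)
    return bytes(int("".join(map(str, remaining[i:i + 8])), 2)
                 for i in range(0, len(remaining), 8))


def enroll(password: str) -> dict:
    """Cloud-side data storage module: encrypted numbers and precomputed confirmation info."""
    verification, calibration = os.urandom(16), os.urandom(2)
    return {
        "enc_verification": encrypt(password, b"verify", verification),
        "enc_calibration": encrypt(password, b"calibrate", calibration),
        "confirmation": generate_authentication_info(verification, calibration),
    }


def local_server_authentication_info(password: str, record: dict) -> bytes:
    """Local server: data decryption module followed by the information generation module."""
    verification = decrypt(password, b"verify", record["enc_verification"])
    calibration = decrypt(password, b"calibrate", record["enc_calibration"])
    return generate_authentication_info(verification, calibration)


def cloud_compare(record: dict, authentication_info: bytes) -> bool:
    """Comparison authentication module; constant-time comparison against stored info."""
    return hmac.compare_digest(record["confirmation"], authentication_info)


def policy(consistent: bool, biometric_match: bool) -> str:
    """Policy execution module: the three outcomes listed in the description."""
    if not consistent:
        return "disconnect"          # wrong password, or no secure connection
    if biometric_match:
        return "login permitted"
    return "login not permitted"


def run_login(record: dict, password: str, biometric_match: bool) -> str:
    """One login attempt: password stage on both servers, then the policy decision."""
    consistent = cloud_compare(record, local_server_authentication_info(password, record))
    return policy(consistent, biometric_match)


if __name__ == "__main__":
    rec = enroll("correct-password")                    # constructed enrolment
    print(run_login(rec, "correct-password", True))     # login permitted
    print(run_login(rec, "wrong-password", True))       # disconnect
    print(run_login(rec, "correct-password", False))    # login not permitted
```

Two design points follow from the code rather than from the patent text. First, XOR decryption with a wrong password never fails; it silently yields a different verification and calibration number, so the only signal the cloud ever sees is a mismatching authentication information, which is why the scheme's "inconsistent, therefore disconnect" rule has to treat a typo and a missing secure connection alike. Second, the confirmation information is stored on the cloud in a form that can be compared directly, so whatever protects the data storage module protects the password factor as a whole; `compare_digest` at least keeps the comparison itself constant-time.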
The above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (8)

1. An internet terminal login double-factor security authentication system, characterized in that: the system comprises a local server, a cloud server and a login data acquisition module, wherein the local server and the cloud server communicate with each other, the login data acquisition module acquires login data, the local server is connected with a login request acquisition module for receiving a login request, and the cloud server is connected with a data storage module for storing relevant login data;
the cloud server retrieves the corresponding relevant login data according to the login password in the login data and sends it to the local server, the local server is connected with a data decryption module for decrypting the relevant login data with the login password in the login data, the local server is connected with an information generation module for generating authentication information from the decrypted relevant login data, the cloud server is connected with a data retrieval module for retrieving confirmation information according to the login password in the login data, and the cloud server is connected with a comparison authentication module for comparing and authenticating the authentication information against the confirmation information;
the local server is connected with a data judgment module for judging whether the login data contain biological characteristics, the local server is connected with an acquisition request sending module for sending a biological characteristic acquisition request according to the judgment result, the local server is connected with a verification mode selection module for selecting a biological characteristic acquisition mode, the local server is connected with a biological information acquisition module for acquiring the biological characteristics, the cloud server is connected with a data matching module for matching the acquired biological characteristics against the data storage module, and the local server is connected with a policy execution module for executing a policy according to the results of the comparison authentication module and the data matching module;
when the comparison authentication result of the comparison authentication module is consistent and the matching result of the data matching module is successful, the policy execution module executes the login-permitted policy;
when the comparison authentication result of the comparison authentication module is inconsistent, the cloud server disconnects from the local server;
and when the comparison authentication result of the comparison authentication module is consistent but the matching result of the data matching module is unsuccessful, the policy execution module executes the login-not-permitted policy.
2. The internet terminal login two-factor security authentication system according to claim 1, wherein: the cloud server retrieves the encrypted verification random number and the encrypted calibration random number according to the login password in the login data and sends both to the local server, and the verification random number and the calibration random number are generated by different encryption methods from the login password.
3. The internet terminal login two-factor security authentication system according to claim 2, wherein: the data decryption module decrypts the verification random number and the calibration random number sent by the cloud server using the login password in the login data.
4. The internet terminal login two-factor security authentication system according to claim 3, wherein: the information generation module generates the authentication information by:
generating a calibration length and a calibration initial position from the decrypted calibration random number;
deleting, from the decrypted verification random number, the data starting at the calibration initial position and spanning the calibration length;
moving the bit of data that immediately preceded the first deleted bit forward, so that it sits before the bit at the calibration-length position;
and combining the two remaining parts of the decrypted verification random number in their original order.
5. The internet terminal login two-factor security authentication system according to claim 4, wherein: the data retrieval module retrieves the corresponding confirmation information from the data storage module according to the login password in the login data, and the comparison authentication module sends the comparison authentication result to the local server.
6. The internet terminal login two-factor security authentication system according to claim 1, wherein: when the data judgment module judges that the login data contain biological characteristics, the local server sends the biological characteristics to the cloud server, and the cloud server performs the matching through the data matching module and sends the matching result to the local server.
7. The internet terminal login two-factor security authentication system according to claim 6, wherein: when the data judgment module judges that the login data do not contain biological characteristics, the acquisition request sending module sends a biological characteristic acquisition request to the user, and the local server starts the verification mode selection module and a prompt tone.
8. The internet terminal login two-factor security authentication system according to claim 7, wherein: the local server starts the corresponding biological information acquisition module according to the biological characteristic acquisition mode selected by the user.
Application

Application Number   Priority Date   Filing Date   Title   Status
CN202011338379.9A   2020-11-25   2020-11-25   Internet terminal login double-factor security authentication system   Active

Publications (2)

Publication Number   Publication Date
CN112437088A (en)   2021-03-02
CN112437088B (en)   2022-07-12

Family ID: 74698940

Country Status (1)

Country   Link
CN (1)   CN112437088B (en)

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number   Priority date   Publication date   Assignee   Title
CN107026818A (en) *   2016-01-29   2017-08-08   中兴通讯股份有限公司   A password authentication method, device and application server
CN109587123A (en) *   2018-11-21   2019-04-05   许继集团有限公司   Two-factor verification method, authentication server and biometric authentication server
CN110012018A (en) *   2019-04-11   2019-07-12   国网山东省电力公司   An industrial network security system

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number   Priority date   Publication date   Assignee   Title
CN1811813A (en) *   2006-03-02   2006-08-02   韩林   Two-factor dynamic cipher verification method and system
US20070300077A1 (en) *   2006-06-26   2007-12-27   Seshadri Mani   Method and apparatus for biometric verification of secondary authentications
CN102223233A (en) *   2011-06-15   2011-10-19   刘洪利   Biological code authentication system and biological code authentication method
CN109961291A (en) *   2017-12-14   2019-07-02   红石生物特征科技有限公司   A biometric authentication system and method
CN108809983A (en) *   2018-06-12   2018-11-13   北京智明星通科技股份有限公司   A method, apparatus and system for ensuring secure account login


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
A new two-factor authentication system; 王振铎 et al.; 《计算机系统应用》; 2016-01-15 (No. 01); full text *



Legal Events

Code   Title
PB01   Publication
SE01   Entry into force of request for substantive examination
GR01   Patent grant