CN112437436A - Identity authentication method and device - Google Patents


Info

Publication number
CN112437436A
Authority
CN
China
Prior art keywords
authentication
information
terminal
hash value
identity
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202011427928.XA
Other languages
Chinese (zh)
Other versions
CN112437436B (en)
Inventor
陈璐
陶冶
刘伟
智晓欢
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China United Network Communications Group Co Ltd
Original Assignee
China United Network Communications Group Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China United Network Communications Group Co Ltd
Priority to CN202011427928.XA
Publication of CN112437436A
Application granted
Publication of CN112437436B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04W WIRELESS COMMUNICATION NETWORKS
                • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
                    • H04W 12/06 Authentication
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L 63/00 Network architectures or network communication protocols for network security
                    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
                        • H04L 63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
                        • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
                • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
                    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
                        • H04L 9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions

Abstract

The application discloses an identity authentication method and device, belonging to the technical field of communications. The identity authentication method comprises the following steps: receiving an identity authentication request sent by a terminal; sending authentication initialization information to the terminal; receiving a first authentication hash value returned by the terminal; calculating a second authentication hash value according to the authentication initialization information and second pre-stored authentication information; and determining, according to the first authentication hash value and the second authentication hash value, whether the terminal passes identity authentication. This prevents terminal equipment with potential security hazards from accessing an edge network and improves the security of the edge network.

Description

Identity authentication method and device
Technical Field
The present application relates to the field of communications technologies, and in particular, to an identity authentication method and apparatus.
Background
In edge computing in a 5G (5th-Generation, fifth-generation communication technology) environment, an edge computing node or edge computing server provides services to large numbers of end users. However, the rapid development of edge computing has made its security issues increasingly prominent. When a terminal device accesses the edge network, identity authentication of the terminal device is the security problem to be considered first. If terminal equipment with potential security hazards is admitted to the edge network, the edge network is threatened. Therefore, how to authenticate the identity of a terminal device accessing the edge network has become a problem to be solved in this field.
Disclosure of Invention
The present application therefore provides an identity authentication method and an identity authentication device to solve the problem of how to authenticate the identity of terminal equipment accessing the edge network, so as to avoid the security threat that terminal equipment with potential security hazards poses to the edge network.
In order to achieve the above object, a first aspect of the present application provides an identity authentication method, including:
receiving an identity authentication request sent by a terminal;
sending authentication initialization information to a terminal;
receiving a first authentication hash value returned by the terminal; the first authentication hash value is a hash value obtained by the terminal according to the authentication initialization information and the first pre-stored authentication information;
calculating a second authentication hash value according to the authentication initialization information and second pre-stored authentication information;
and determining whether the terminal passes the identity authentication according to the first authentication hash value and the second authentication hash value.
Further, after receiving the identity authentication request sent by the terminal and before sending the authentication initialization information to the terminal, the method further includes:
agreeing with the terminal on authentication key information corresponding to the identity authentication request.
Further, agreeing with the terminal on the authentication key information corresponding to the identity authentication request includes:
obtaining authentication key information;
encrypting the authentication key information by using a public key of the terminal to obtain encrypted authentication key information;
and sending the encrypted authentication key information to the terminal.
Further, the authentication key information includes an authentication key and an authentication encryption algorithm;
sending authentication initialization information to a terminal, including:
encrypting the authentication initialization information according to the authentication key and the authentication encryption algorithm to obtain encryption authentication initialization information;
and sending the encryption authentication initialization information to the terminal.
Further, calculating a second authentication hash value according to the authentication initialization information and second pre-stored authentication information, including:
acquiring a password and a first authentication function of the terminal according to second pre-stored authentication information;
and obtaining a second authentication hash value based on the authentication initialization information, the password of the terminal and the first authentication function.
Further, the identity authentication method further comprises the following steps:
sending an identity authentication request to an authentication server;
receiving authentication initialization information returned by an authentication server;
obtaining a first authentication hash value according to the authentication initialization information and the first pre-stored authentication information;
sending the first authentication hash value to an authentication server so that the authentication server can determine whether the terminal passes identity authentication according to the first authentication hash value and the second authentication hash value; and the second authentication hash value is a hash value obtained by the authentication server according to the authentication initialization information and the second pre-stored authentication information.
Further, after sending the identity authentication request to the authentication server and before receiving the authentication initialization information returned by the authentication server, the method further includes:
agreeing with the authentication server on authentication key information corresponding to the identity authentication request.
Further, agreeing with the authentication server on the authentication key information corresponding to the identity authentication request includes:
receiving encrypted authentication key information sent by an authentication server; the encryption authentication key information is information generated by encrypting the authentication key information by using a public key of the terminal by the authentication server;
and decrypting the encrypted authentication key information by using a private key of the terminal to obtain the authentication key information.
Further, the authentication key information includes an authentication key and an authentication encryption algorithm;
sending the first authentication hash value to an authentication server, comprising:
encrypting the first authentication hash value according to the authentication key and the authentication encryption algorithm to obtain an encrypted first authentication hash value;
and sending the encrypted first authentication hash value to the authentication server.
Further, obtaining a first authentication hash value according to the authentication initialization information and the first pre-stored authentication information includes:
obtaining a password and a second authentication function of the authentication server according to the first pre-stored authentication information;
and obtaining a first authentication hash value based on the authentication initialization information, the password of the authentication server and the second authentication function.
In order to achieve the above object, a second aspect of the present application provides an identity authentication apparatus, comprising:
the first receiving module is used for receiving an identity authentication request sent by a terminal; receiving a first authentication hash value returned by the terminal; the first authentication hash value is a hash value obtained by the terminal according to the authentication initialization information and the first pre-stored authentication information;
the first sending module is used for sending authentication initialization information to the terminal;
the first calculation module is used for calculating a second authentication hash value according to the authentication initialization information and second pre-stored authentication information;
and the authentication module is used for determining whether the terminal passes the identity authentication according to the first authentication hash value and the second authentication hash value.
Further, the identity authentication device further comprises:
the second sending module is used for sending an identity authentication request to the authentication server; the first authentication hash value is sent to an authentication server, so that the authentication server can determine whether the terminal passes identity authentication according to the first authentication hash value and the second authentication hash value; the second authentication hash value is a hash value obtained by the authentication server according to the authentication initialization information and second pre-stored authentication information;
the second receiving module is used for receiving authentication initialization information returned by the authentication server;
and the second calculation module is used for obtaining a first authentication hash value according to the authentication initialization information and the first pre-stored authentication information.
The present application has the following advantages:
According to the identity authentication method, the authentication server receives an identity authentication request sent by a terminal, sends authentication initialization information to the terminal, receives a first authentication hash value returned by the terminal, calculates a second authentication hash value according to the authentication initialization information and second pre-stored authentication information, and determines from the first and second authentication hash values whether the terminal passes identity authentication, so that terminal equipment with potential security hazards is prevented from accessing the edge network and the security of the edge network is improved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this specification, illustrate embodiments of the application and together with the description serve to explain the principles of the application and not to limit the application.
Fig. 1 is a flowchart of an identity authentication method according to a first embodiment of the present application;
Fig. 2 is a flowchart of an identity authentication method according to a second embodiment of the present application;
Fig. 3 is a flowchart of an identity authentication method according to a third embodiment of the present application;
Fig. 4 is a flowchart of an identity authentication method according to a fourth embodiment of the present application;
Fig. 5 is a flowchart illustrating the operation of an identity authentication system according to a fifth embodiment of the present application;
Fig. 6 is a schematic block diagram of an identity authentication apparatus according to a sixth embodiment of the present application;
Fig. 7 is a schematic block diagram of an identity authentication apparatus according to a seventh embodiment of the present application.
In the drawings:
500: terminal; 510: authentication server;
601: first receiving module; 602: first sending module;
603: first calculation module; 604: authentication module;
701: second sending module; 702: second receiving module;
703: second calculation module.
Detailed Description
The following detailed description of embodiments of the present application will be made with reference to the accompanying drawings. It should be understood that the detailed description and specific examples, while indicating the present application, are given by way of illustration and explanation only, and are not intended to limit the present application.
Identity authentication is crucial to the security of edge computing applications and data. In order to avoid accessing terminal equipment with potential safety hazards to an edge network, identity authentication needs to be performed on equipment to be accessed.
In view of this, the first aspect of the present application provides an identity authentication method in which an authentication server issues authentication initialization information to a terminal, receives a first authentication hash value returned by the terminal, compares the first authentication hash value with a second authentication hash value calculated by the authentication server itself, and determines from the comparison result whether the terminal passes identity authentication, so as to prevent a terminal with potential security hazards from accessing the edge network and to ensure the security of the edge network.
Fig. 1 is a flowchart of an identity authentication method provided in a first embodiment of the present application, where the identity authentication method is applied to an authentication server. As shown in fig. 1, the identity authentication method includes the following steps:
step S101, receiving an identity authentication request sent by a terminal.
When the terminal needs to access the edge network, it sends an identity authentication request to the authentication server so that the authentication server can authenticate it; the terminal accesses the edge network after passing identity authentication.
It can be understood that the identity authentication request includes the identity information of the terminal, so that the authentication server can uniquely identify the terminal from its identity information and authenticate that terminal.
In some implementations, the identity information of the terminal includes the device name of the terminal and/or the device identifier of the terminal. The above identity information is only an example; other forms of terminal identity information not described here also fall within the scope of protection of the present application, may be set according to the specific situation, and are not described again.
Step S102, sending authentication initialization information to the terminal.
In some specific implementations, the authentication initialization information can be randomly generated for each authentication process, so that the problem that the authentication initialization information in a fixed form or generated according to a fixed mode is easy to crack is solved, and the safety and the effectiveness of identity authentication are effectively improved.
In one embodiment, after receiving an identity authentication request of a terminal, an authentication server generates an authentication initialization vector based on a random function, generates authentication initialization information according to the authentication initialization vector and a host name of the authentication server, and then sends the authentication initialization information to the terminal. And the terminal receives the authentication initialization information sent by the authentication server.
It should be noted that authentication initialization information containing an authentication initialization vector is only an example; other forms of authentication initialization information not described here also fall within the scope of protection of the present application, may be set according to the specific situation, and are not described again.
Step S103, receiving the first authentication hash value returned by the terminal.
The first authentication hash value is a hash value obtained by the terminal according to the authentication initialization information and the first pre-stored authentication information. The first pre-stored authentication information is information which is pre-stored by the terminal and is used for identity authentication. In some embodiments, the first pre-stored authentication information comprises a hostname of the authentication server and a corresponding password or digital certificate.
In one embodiment, a terminal receives authentication initialization information including an authentication initialization vector and a host name of an authentication server. The terminal inquires the password of the authentication server and a second authentication function (the second authentication function can be a function which is specified in advance and used for identity authentication with the current authentication server) from the first pre-stored authentication information according to the host name of the authentication server, and then calculates through the second authentication function according to the authentication initialization vector and the password of the authentication server to obtain a calculation result, wherein the calculation result is the first authentication hash value. The terminal sends the first authentication hash value to the authentication server, and the authentication server receives the first authentication hash value sent by the terminal.
Step S104, calculating a second authentication hash value according to the authentication initialization information and second pre-stored authentication information.
In order to verify whether the first authentication hash value sent by the terminal is correct, the authentication server calculates a second authentication hash value and judges whether the terminal passes identity authentication by comparing the first authentication hash value with the second authentication hash value.
The second pre-stored authentication information is information pre-stored by the authentication server and used for performing identity authentication on the terminal. In some embodiments, the second pre-stored authentication information comprises identity information of the terminal and a corresponding password or digital certificate.
In one embodiment, the authentication server obtains the identity information of the terminal from an identity authentication request sent by the terminal, queries a password and a first authentication function of the terminal from second pre-stored authentication information according to the identity information of the terminal (the first authentication function may be a function that is pre-specified and used for performing identity authentication with the current terminal), and performs calculation through the first authentication function according to the authentication initialization vector and the password of the terminal to obtain a calculation result, where the calculation result is the second authentication hash value.
Step S105, determining whether the terminal passes the identity authentication according to the first authentication hash value and the second authentication hash value.
The authentication server compares the first authentication hash value with the second authentication hash value to obtain a comparison result, and determines whether the terminal passes the identity authentication according to the comparison result.
Specifically, if the first authentication hash value and the second authentication hash value are the same, the authentication server determines that the terminal passes identity authentication; if the first authentication hash value differs from the second authentication hash value, the authentication server determines that the terminal does not pass identity authentication.
In this embodiment, the authentication server checks whether the first authentication hash value sent by the terminal is consistent with the second authentication hash value calculated by the authentication server and decides from the comparison result whether the terminal passes identity authentication, so that the terminal to be admitted is effectively authenticated, an illegitimate terminal is prevented from accessing the edge network, and the security of the whole edge network is ensured.
Fig. 2 is a flowchart of an identity authentication method according to a second embodiment of the present application, where the identity authentication method is applied to an authentication server. The second embodiment is substantially the same as the first embodiment of the present application, except that: after receiving an identity authentication request sent by a terminal, agreeing authentication key information of the authentication process with the terminal so as to encrypt subsequent authentication interaction information in the authentication process. As shown in fig. 2, the identity authentication method includes the following steps:
step S201, receiving an identity authentication request sent by a terminal.
Step S201 in this embodiment is the same as step S101 in the first embodiment of the present application, and is not described herein again.
Step S202, agreeing with the terminal on authentication key information corresponding to the identity authentication request.
The authentication key information includes an authentication key and an authentication encryption algorithm. In some specific implementations, the authentication key is a one-time symmetric key, that is, the authentication key is only valid for the authentication process, and the authentication server side and the terminal side use the same key for encryption; the authentication encryption algorithm is an encryption algorithm based on an authentication key, that is, the authentication server and the terminal need to agree not only on a key used for encryption but also on an encryption algorithm based on the key.
Further, when the authentication server transmits the authentication key information to the terminal, the authentication server and the terminal need to agree on the key and encryption algorithm used for that transmission, so that the authentication key information cannot be decrypted by anyone else. In some implementations, the terminal can send its public key to the authentication server in the identity authentication request. When transmitting the authentication key information to the terminal, the authentication server may encrypt the authentication key information using the public key of the terminal to generate encrypted authentication key information, and transmit the encrypted authentication key information to the terminal. Accordingly, after receiving the encrypted authentication key information, the terminal may decrypt it using its private key to obtain the authentication key.
In one embodiment, agreeing with the terminal on the authentication key information corresponding to the identity authentication request by the authentication server includes:
the authentication server generates an authentication key, determines an authentication encryption algorithm, generates authentication key information based on the authentication key and the authentication encryption algorithm, encrypts the authentication key information by using a public key of the terminal to obtain encrypted authentication key information, and sends the encrypted authentication key information to the terminal.
The terminal receives the encrypted authentication key information, decrypts the encrypted authentication key information by using a private key of the terminal, and acquires the authentication key information, thereby completing the agreement of the terminal and the authentication server for the authentication key information in the authentication process.
It should be noted that the method by which the authentication server encrypts the authentication key information using the terminal's public key may be an encryption method agreed in advance with the terminal, or may be transmitted to the terminal as additional information together with the encrypted authentication key information. In the former case, the terminal directly decrypts the encrypted authentication key information according to the predetermined decryption method; in the latter case, the terminal first obtains the additional information from the encrypted authentication key information, derives the decryption method from the additional information, and then decrypts the encrypted authentication key information according to that decryption method.
Step S203, sending the encryption authentication initialization information to the terminal.
After the authentication server and the terminal agree the authentication key information of the authentication process, when the authentication server sends information to the terminal, the authentication server encrypts the information to be sent based on the authentication key information to obtain encrypted information, and sends the encrypted information to the terminal, so that information leakage is avoided, and information safety is guaranteed.
In this embodiment, the encrypted authentication initialization information is information generated by the authentication server encrypting the authentication initialization information based on the authentication key information.
Step S204, receiving the encrypted first authentication hash value returned by the terminal, and decrypting the encrypted first authentication hash value to obtain the first authentication hash value.
Similarly, when sending information to the authentication server, the terminal encrypts the information to be sent based on the authentication key information, and sends the encrypted information to the authentication server. After receiving the encrypted information sent by the terminal, the authentication server needs to decrypt the encrypted information based on the authentication key information, thereby obtaining decrypted information.
In one embodiment, the authentication server receives an encrypted first authentication hash value sent by the terminal, and decrypts the encrypted first authentication hash value based on the authentication key information to obtain the first authentication hash value.
Step S205, calculating a second authentication hash value according to the authentication initialization information and the second pre-stored authentication information.
Step S206, determining whether the terminal passes the identity authentication according to the first authentication hash value and the second authentication hash value.
Steps S205 to S206 in this embodiment are the same as steps S104 to S105 in the first embodiment of the present application, and are not described herein again.
In this embodiment, the terminal and the authentication server agree on authentication key information for the authentication process and use it to encrypt the authentication interaction information exchanged during that process, so as to avoid information leakage and thereby improve the security and validity of identity authentication. Moreover, because the authentication key information is agreed for this authentication process only, its scope of use is limited, which further ensures the security and effectiveness of identity authentication. The authentication interaction information comprises the information generated by the communication between the terminal and the authentication server during the identity authentication process.
Fig. 3 is a flowchart of an identity authentication method according to a third embodiment of the present application, where the identity authentication method is applied to a terminal. As shown in fig. 3, the identity authentication method includes the following steps:
Step S301, sending an identity authentication request to the authentication server.
The authentication server is a server used for authenticating the identity of the terminal in the edge network.
In one embodiment, when the terminal has a need to access the edge network, the terminal sends an identity authentication request to the authentication server. The identity authentication request comprises identity information of the terminal.
Step S302, receiving authentication initialization information returned by the authentication server.
In some specific implementations, the authentication initialization information can be generated randomly for each authentication process. This avoids the weakness of authentication initialization information that has a fixed form or is generated according to a fixed pattern, which is easy to crack, and so effectively improves the safety and effectiveness of identity authentication.
In one embodiment, the authentication server generates an authentication initialization vector based on a random function, and generates authentication initialization information based on the authentication initialization vector and a host name of the authentication server, and then transmits the authentication initialization information to the terminal. And the terminal receives the authentication initialization information returned by the authentication server.
Step S303, a first authentication hash value is obtained according to the authentication initialization information and the first pre-stored authentication information.
In one embodiment, the authentication initialization information includes an authentication initialization vector and a host name of the authentication server. The terminal reads the host name of the authentication server from the authentication initialization information, queries the first pre-stored authentication information by that host name to obtain the password of the authentication server and the second authentication function, and uses the authentication initialization vector and the password of the authentication server as the input of the second authentication function; the result of that calculation is the first authentication hash value.
Step S304, the first authentication hash value is sent to an authentication server, so that the authentication server can determine whether the terminal passes the identity authentication according to the first authentication hash value and the second authentication hash value.
And the second authentication hash value is a hash value obtained by the authentication server according to the authentication initialization information and the second pre-stored authentication information.
In one embodiment, the terminal sends the first authentication hash value to the authentication server. The authentication server receives the first authentication hash value, calculates and obtains a second authentication hash value according to the authentication initialization information and second pre-stored authentication information, then compares whether the first authentication hash value and the second authentication hash value are the same, and determines whether the terminal passes the identity authentication according to the comparison result.
In this embodiment, the terminal calculates a first authentication hash value according to the authentication initialization information provided by the authentication server and the first pre-stored authentication information, so that the authentication server compares the first authentication hash value with a second authentication hash value calculated by the authentication server, and determines whether the terminal passes the identity authentication according to the comparison result, thereby being capable of safely accessing the edge network. Moreover, the authentication initialization information in this embodiment is information generated for each authentication process, and is unpredictable, so that the first authentication hash value calculated by the terminal is not easy to crack, and the security and the effectiveness of the identity authentication are further ensured.
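The third embodiment's exchange written out end to end, as an added example that is not code from the patent or its applicant: the terminal keeps a table keyed by server host name (the first pre-stored authentication information), the server keeps a table keyed by terminal identity (the second pre-stored authentication information), the server draws a fresh random vector per run, and the two hash values are compared in constant time. HMAC-SHA256 as the authentication function, the 16-byte vector, the host name auth.edge.example and the identifier term-001 are this example's assumptions; the page fixes none of them. The exchange function also replays a captured first hash against the next challenge, which is exactly what the per-run vector is meant to defeat.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// initInfo is the authentication initialization information of step S302:
// a random initialization vector plus the authentication server's host name.
type initInfo struct {
	IV       []byte
	HostName string
}

// authFn is the authentication function assumed here (the page names none):
// HMAC-SHA256 over the vector keyed with the pre-stored password, so the
// password itself never appears in the transcript.
func authFn(password, iv []byte) []byte {
	m := hmac.New(sha256.New, password)
	m.Write(iv)
	return m.Sum(nil)
}

// authServer holds the second pre-stored authentication information (password
// per terminal identity) and the vector issued for each outstanding request.
type authServer struct {
	hostName  string
	passwords map[string][]byte
	pending   map[string][]byte
}

// newInit answers an identity authentication request (S301/S302) with fresh
// initialization information; an unknown identity receives no challenge.
func (s *authServer) newInit(terminalID string) (initInfo, error) {
	if _, ok := s.passwords[terminalID]; !ok {
		return initInfo{}, errors.New("unknown terminal identity")
	}
	iv := make([]byte, 16) // constructed choice: 16 random bytes per run
	if _, err := rand.Read(iv); err != nil {
		return initInfo{}, err
	}
	s.pending[terminalID] = iv
	return initInfo{IV: iv, HostName: s.hostName}, nil
}

// verify computes the second authentication hash value (S205) and compares it
// with the first (S206) in constant time. The issued vector is consumed, so
// one challenge answers exactly one attempt.
func (s *authServer) verify(terminalID string, firstHash []byte) bool {
	iv, ok := s.pending[terminalID]
	if !ok {
		return false
	}
	delete(s.pending, terminalID)
	return hmac.Equal(firstHash, authFn(s.passwords[terminalID], iv))
}

// terminal holds the first pre-stored authentication information: the password
// per authentication server host name.
type terminal struct {
	id        string
	passwords map[string][]byte
}

// firstHash is step S303: look the server up by host name, then hash the vector.
func (t *terminal) firstHash(info initInfo) ([]byte, error) {
	pw, ok := t.passwords[info.HostName]
	if !ok {
		return nil, errors.New("unknown authentication server")
	}
	return authFn(pw, info.IV), nil
}

// newParties builds a terminal and a server from constructed sample tables;
// authentication succeeds only when both tables hold the same password.
func newParties(termID, host string, termPw, srvPw []byte) (*terminal, *authServer) {
	return &terminal{id: termID, passwords: map[string][]byte{host: termPw}},
		&authServer{hostName: host, passwords: map[string][]byte{termID: srvPw},
			pending: map[string][]byte{}}
}

// exchange runs steps S301 to S304 once, then replays the captured first hash
// against a fresh challenge. It returns whether the legitimate run passed and
// whether the replay passed; with a per-run vector the replay must fail.
func exchange(t *terminal, s *authServer) (passed, replayPassed bool, err error) {
	info, err := s.newInit(t.id)
	if err != nil {
		return false, false, err
	}
	h, err := t.firstHash(info)
	if err != nil {
		return false, false, err
	}
	passed = s.verify(t.id, h)
	if _, err = s.newInit(t.id); err != nil { // next run issues a new vector
		return passed, false, err
	}
	return passed, s.verify(t.id, h), nil
}
```

The server keeps the issued vector per terminal identity and deletes it on the first verification, so a previously captured first hash has no vector left to be checked against; that is the property the second return value of exchange reports. Passwords are held as raw bytes here only to keep the example short; the page says nothing about how the pre-stored authentication information is protected at rest.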
Fig. 4 is a flowchart of an identity authentication method according to a fourth embodiment of the present application, where the identity authentication method is applied to an authentication server. The fourth embodiment is substantially the same as the second embodiment of the present application, except that after the terminal sends an identity authentication request to the authentication server, the terminal and the authentication server agree on authentication key information for the authentication process, which is used to encrypt the subsequent authentication interaction information in that process. As shown in fig. 4, the identity authentication method includes the following steps:
Step S401, sending an identity authentication request to an authentication server.
Step S401 in this embodiment is the same as step S301 in the third embodiment of the present application, and is not described herein again.
Step S402, agreeing with the authentication server on the authentication key information corresponding to the identity authentication request.
The authentication key information includes an authentication key and an authentication encryption algorithm.
In one embodiment, the authentication server generates an authentication key, determines an authentication encryption algorithm, generates authentication key information based on the authentication key and the authentication encryption algorithm, encrypts the authentication key information using a public key of the terminal to obtain encrypted authentication key information, and transmits the encrypted authentication key information to the terminal.
The terminal receives the encrypted authentication key information, decrypts the encrypted authentication key information by using a private key of the terminal, and acquires the authentication key information, thereby completing the agreement of the terminal and the authentication server for the authentication key information in the authentication process.
Step S403, receiving the encrypted authentication initialization information returned by the authentication server, and decrypting the encrypted authentication initialization information to obtain the authentication initialization information.
After the terminal and the authentication server agree on the authentication key information of the authentication process, they use the agreed authentication key information to encrypt the information exchanged during information interaction, so that information leakage is avoided.
In one embodiment, the terminal receives the encrypted authentication initialization information returned by the authentication server, and decrypts the encrypted authentication initialization information according to the authentication key information to obtain the authentication initialization information.
Step S404, a first authentication hash value is obtained according to the authentication initialization information and the first pre-stored authentication information.
Step S404 in this embodiment is the same as step S303 in the third embodiment of the present application, and is not described herein again.
Step S405, encrypting the first authentication hash value based on the authentication key information to obtain an encrypted first authentication hash value.
After the terminal and the authentication server agree on the authentication key information of the authentication process, the terminal encrypts the information to be sent based on the authentication key information before sending it to the authentication server, thereby avoiding information leakage.
Step S406, sending the encrypted first authentication hash value to an authentication server, so that the authentication server determines whether the terminal passes the identity authentication according to the first authentication hash value and the second authentication hash value.
After receiving the encrypted first authentication hash value, the authentication server decrypts the encrypted first authentication hash value based on the authentication key information to obtain a first authentication hash value, compares the first authentication hash value with a second authentication hash value calculated by the authentication server, and determines whether the terminal passes the identity authentication according to the comparison result.
In this embodiment, the terminal and the authentication server agree on authentication key information for the authentication process and use it to encrypt the authentication interaction information during that process, so that the authentication interaction information is protected from leakage and the security and effectiveness of identity authentication are improved. Moreover, because the authentication key information is agreed for this one authentication process, its scope of use is limited, which further ensures the safety and effectiveness of identity authentication.
Fig. 5 is a flowchart of an identity authentication system according to a fifth embodiment of the present application. As shown in fig. 5, the identity authentication system includes: a terminal 500 and an authentication server 510.
The workflow of the identity authentication system comprises the following steps:
In step S501, the terminal 500 sends an identity authentication request to the authentication server 510.
In step S502, the authentication server 510 generates an authentication key, determines an authentication encryption algorithm, and generates authentication key information according to the authentication key and the authentication encryption algorithm.
In step S503, the authentication server 510 transmits the authentication key information to the terminal 500.
In step S504, the authentication server 510 transmits the encrypted authentication initialization information to the terminal 500.
The encrypted authentication initialization information is a result obtained by the authentication server 510 encrypting the authentication initialization information based on the authentication key and the authentication encryption algorithm. In some implementations, the authentication initialization information includes an authentication initialization vector and a host name of authentication server 510.
In step S505, the terminal 500 receives the encrypted authentication initialization information, and decrypts the encrypted authentication initialization information based on the authentication key information to obtain the authentication initialization information.
In step S506, the terminal 500 obtains a first authentication hash value according to the authentication initialization information and the first pre-stored authentication information.
In step S507, the terminal 500 encrypts the first authentication hash value based on the authentication key information to obtain an encrypted first authentication hash value.
In step S508, the terminal 500 transmits the encrypted first authentication hash value to the authentication server 510.
In step S509, the authentication server 510 receives the encrypted first authentication hash value, and decrypts the encrypted first authentication hash value according to the authentication key information to obtain the first authentication hash value.
In step S510, the authentication server 510 calculates a second authentication hash value according to the authentication initialization information and the second pre-stored authentication information.
In step S511, the authentication server 510 compares whether the first authentication hash value is the same as the second authentication hash value, obtains a comparison result, and generates an identity authentication feedback message according to the comparison result.
In step S512, the authentication server 510 sends an identity authentication feedback message to the terminal 500.
The terminal 500 receives the authentication feedback message and performs subsequent operations according to the authentication feedback message. Specifically, when the identity authentication feedback message indicates that the terminal passes the identity authentication, the terminal 500 may access the edge network and use the related service; when the identity authentication feedback message indicates that the terminal fails to pass the identity authentication, the terminal 500 cannot access the edge network.
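The encrypted variant of the fourth and fifth embodiments (steps S502 to S511), as an added example that is not code from the patent or its applicant. The page leaves the authentication encryption algorithm and the public-key scheme open, so this example assumes AES-256-GCM for the interaction messages, RSA-OAEP under the terminal's public key for the authentication key information, and HMAC-SHA256 as the authentication function; it also hashes the whole initialization information (vector and host name) rather than the vector alone, and the host name auth.edge.example is constructed. Both parties run in one process so the message flow can be read top to bottom.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Constructed choice: the page names no algorithm; this example agrees on
// AES-256-GCM and wraps the key with RSA-OAEP under the terminal's public key.
const algoName = "AES-256-GCM"

// keyInfo is the authentication key information of step S502.
type keyInfo struct {
	Key  []byte
	Algo string
}

// wrapKey (S503, server): the key travels encrypted under the terminal's public
// key; the algorithm name is bound to the ciphertext as the OAEP label, so
// altering either in transit makes decryption fail.
func wrapKey(pub *rsa.PublicKey, ki keyInfo) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, ki.Key, []byte(ki.Algo))
}

// unwrapKey (S503, terminal): recover the key with the terminal's private key.
func unwrapKey(priv *rsa.PrivateKey, algo string, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, []byte(algo))
}

// aeadFor accepts only the algorithm and key size this build supports, so a
// downgraded algorithm name cannot select weaker encryption.
func aeadFor(ki keyInfo) (cipher.AEAD, error) {
	if ki.Algo != algoName || len(ki.Key) != 32 {
		return nil, errors.New("unsupported authentication key information")
	}
	block, _ := aes.NewCipher(ki.Key) // key length validated above
	return cipher.NewGCM(block)
}

// seal encrypts one interaction message under the agreed key, nonce prefixed.
func seal(ki keyInfo, pt []byte) ([]byte, error) {
	aead, err := aeadFor(ki)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, pt, nil), nil
}

// open reverses seal; GCM rejects any modified ciphertext.
func open(ki keyInfo, ct []byte) ([]byte, error) {
	aead, err := aeadFor(ki)
	if err != nil {
		return nil, err
	}
	if n := aead.NonceSize(); len(ct) >= n {
		return aead.Open(nil, ct[:n], ct[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}

// authFn is the assumed authentication function: HMAC-SHA256 over the
// initialization information, keyed with the pre-stored password.
func authFn(password, info []byte) []byte {
	m := hmac.New(sha256.New, password)
	m.Write(info)
	return m.Sum(nil)
}

// runFig5 plays steps S502 to S511 with both parties in one process and returns
// the server's comparison; termPw and srvPw are the two pre-stored passwords.
// try keeps the first error so the steps read in protocol order; after an
// error the remaining steps run on empty inputs and their results are dropped.
func runFig5(termPriv *rsa.PrivateKey, termPw, srvPw []byte) (bool, error) {
	var err error
	try := func(v []byte, e error) []byte {
		if err == nil {
			err = e
		}
		return v
	}
	buf := make([]byte, 48) // S502: 32-byte key, then S504: 16-byte vector
	_, err = rand.Read(buf)
	srvKI := keyInfo{Key: buf[:32], Algo: algoName}
	init := append(append([]byte{}, buf[32:]...), "auth.edge.example"...) // vector || host name
	wrapped := try(wrapKey(&termPriv.PublicKey, srvKI))                   // S503
	termKI := keyInfo{Key: try(unwrapKey(termPriv, srvKI.Algo, wrapped)), Algo: srvKI.Algo}
	encInit := try(seal(srvKI, init))                                     // S504
	initInfo := try(open(termKI, encInit))                                // S505
	encFirst := try(seal(termKI, authFn(termPw, initInfo)))               // S506 to S508
	first := try(open(srvKI, encFirst))                                   // S509
	return err == nil && hmac.Equal(first, authFn(srvPw, init)), err      // S510, S511
}
```

Two checks are worth noting for a deployment of this scheme. The algorithm name rides along as the OAEP label and aeadFor refuses anything but the supported algorithm, so a party that sees a different name on the wire fails closed instead of silently falling back to something weaker. GCM authenticates every message, so an encrypted first hash that was modified in transit is rejected at decryption rather than reaching the comparison in step S511.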
The steps of the above methods are divided for clarity of description; in implementation, several steps may be combined into one step or one step may be split into several, and all such divisions fall within the protection scope of this patent as long as the same logical relationship is preserved. Adding insignificant modifications to the algorithms or processes, or introducing insignificant design changes without altering the core design of the algorithms or processes, likewise falls within the scope of this patent.
A second aspect of the present application provides an identity authentication apparatus. Fig. 6 is a schematic block diagram of an identity authentication apparatus according to a sixth embodiment of the present application, where the identity authentication apparatus is applied to an authentication server. As shown in fig. 6, the identity authentication apparatus includes: a first receiving module 601, a first sending module 602, a first calculating module 603 and an authenticating module 604.
A first receiving module 601, configured to receive an identity authentication request sent by a terminal; and receiving the first authentication hash value returned by the terminal.
The identity authentication request is information sent to the authentication server when the terminal needs to access the edge network, and it includes the identity information of the terminal, so that the authentication server can uniquely identify the terminal from that identity information and perform identity authentication on it. The authentication server receives the identity authentication request through the first receiving module 601.
The first authentication hash value is a hash value obtained by the terminal according to the authentication initialization information and the first pre-stored authentication information. Specifically, the authentication server sends the authentication initialization information to the terminal in response to an identity authentication request of the terminal. The terminal receives the authentication initialization information, acquires a first authentication hash value by combining with the first pre-stored authentication information, and sends the first authentication hash value to the authentication server. The authentication server receives the first authentication hash value sent by the terminal through the first receiving module 601.
A first sending module 602, configured to send authentication initialization information to the terminal.
In one embodiment, after receiving the identity authentication request of the terminal, the authentication server generates an authentication initialization vector based on a random function, generates authentication initialization information according to the authentication initialization vector and a host name of the authentication server, and then transmits the authentication initialization information to the terminal through the first transmitting module 602.
The first calculating module 603 is configured to calculate a second authentication hash value according to the authentication initialization information and the second pre-stored authentication information.
In one embodiment, the authentication server obtains the identity information of the terminal from the identity authentication request sent by the terminal, queries the second pre-stored authentication information according to the identity information of the terminal to obtain the password and the first authentication function of the terminal, and performs calculation through the first calculation module 603 according to the authentication initialization vector, the password of the terminal and the first authentication function, so as to obtain the second authentication hash value.
And the authentication module 604 is configured to determine whether the terminal passes the identity authentication according to the first authentication hash value and the second authentication hash value.
In one embodiment, the authentication server compares the first authentication hash value and the second authentication hash value to obtain a comparison result, and determines whether the terminal passes the identity authentication according to the comparison result. Specifically, in the case that the first authentication hash value and the second authentication hash value are the same, the authentication server determines that the terminal passes the identity authentication through the authentication module 604; in the case that the first authentication hash value and the second authentication hash value are not the same, the authentication server determines that the terminal does not pass the identity authentication through the authentication module 604.
In this embodiment, the authentication server obtains the second authentication hash value through the first calculation module, compares whether the first authentication hash value sent by the terminal is consistent with the second authentication hash value through the authentication module, and determines whether the terminal passes the identity authentication according to a comparison result, so that the identity authentication can be effectively performed on the terminal to be accessed, an illegal terminal is prevented from being accessed to the edge network, and the security of the whole edge network is ensured.
Fig. 7 is a schematic block diagram of an identity authentication apparatus according to a seventh embodiment of the present application, where the identity authentication apparatus is applied to a terminal. As shown in fig. 7, the identity authentication apparatus includes: a second sending module 701, a second receiving module 702, and a second calculating module 703.
A second sending module 701, configured to send an identity authentication request to an authentication server; and sending the first authentication hash value to an authentication server so that the authentication server can determine whether the terminal passes the identity authentication according to the first authentication hash value and the second authentication hash value.
The identity authentication request is information sent to an authentication server when the terminal has a requirement of accessing the edge network. The first authentication hash value is a hash value obtained by the terminal according to the authentication initialization information and the first pre-stored authentication information sent by the authentication server.
A second receiving module 702, configured to receive the authentication initialization information returned by the authentication server.
The authentication server responds to the identity authentication request of the terminal and sends authentication initialization information to the terminal. The terminal receives the authentication initialization information sent by the authentication server through the second receiving module 702.
The second calculating module 703 is configured to obtain a first authentication hash value according to the authentication initialization information and the first pre-stored authentication information.
In one embodiment, a terminal receives authentication initialization information including an authentication initialization vector and a host name of an authentication server. The terminal queries the password and the second authentication function of the authentication server from the first pre-stored authentication information according to the host name of the authentication server, and then performs calculation through the second calculation module 703 according to the authentication initialization vector, the password and the second authentication function of the authentication server to obtain the first authentication hash value.
In this embodiment, the terminal calculates a first authentication hash value through the second calculation module 703 according to the authentication initialization information provided by the authentication server and the first pre-stored authentication information, so that the authentication server compares the first authentication hash value with a second authentication hash value calculated by the authentication server, and determines whether the terminal passes the identity authentication according to the comparison result, thereby being capable of safely accessing the edge network. Moreover, the authentication initialization information in this embodiment is information generated for each authentication process, and is unpredictable, so that the first authentication hash value calculated by the terminal is not easy to crack, and the security and the effectiveness of the identity authentication are further ensured.
It should be noted that each module referred to in this embodiment is a logical module, and in practical applications, one logical unit may be one physical unit, may be a part of one physical unit, and may be implemented by a combination of multiple physical units. In addition, in order to highlight the innovative part of the present application, a unit that is not so closely related to solving the technical problem proposed by the present application is not introduced in the present embodiment, but it does not indicate that no other unit exists in the present embodiment.
It is to be understood that the above embodiments are merely exemplary embodiments that are employed to illustrate the principles of the present application, and that the present application is not limited thereto. It will be apparent to those skilled in the art that various changes and modifications can be made therein without departing from the spirit and scope of the application, and these changes and modifications are to be considered as the scope of the application.

Claims (12)

1. An identity authentication method, comprising:
receiving an identity authentication request sent by a terminal;
sending authentication initialization information to the terminal;
receiving a first authentication hash value returned by the terminal; the first authentication hash value is a hash value obtained by the terminal according to the authentication initialization information and first pre-stored authentication information;
calculating a second authentication hash value according to the authentication initialization information and second pre-stored authentication information;
and determining whether the terminal passes identity authentication according to the first authentication hash value and the second authentication hash value.
2. The identity authentication method according to claim 1, wherein after receiving the identity authentication request sent by the terminal and before sending the authentication initialization information to the terminal, further comprising:
agreeing with the terminal on authentication key information corresponding to the identity authentication request.
3. The identity authentication method of claim 2, wherein the agreeing with the terminal on the authentication key information corresponding to the identity authentication request comprises:
obtaining the authentication key information;
encrypting the authentication key information by using the public key of the terminal to obtain encrypted authentication key information;
and sending the encrypted authentication key information to the terminal.
4. The identity authentication method of claim 2, wherein the authentication key information comprises an authentication key and an authentication encryption algorithm;
the sending authentication initialization information to the terminal includes:
encrypting the authentication initialization information according to the authentication key and the authentication encryption algorithm to obtain encryption authentication initialization information;
and sending the encryption authentication initialization information to the terminal.
5. The identity authentication method of claim 1, wherein the calculating a second authentication hash value according to the authentication initialization information and second pre-stored authentication information comprises:
acquiring a password and a first authentication function of the terminal according to the second pre-stored authentication information;
and obtaining the second authentication hash value based on the authentication initialization information, the password of the terminal and the first authentication function.
6. An identity authentication method, comprising:
sending an identity authentication request to an authentication server;
receiving authentication initialization information returned by the authentication server;
obtaining a first authentication hash value according to the authentication initialization information and first pre-stored authentication information;
sending the first authentication hash value to the authentication server so that the authentication server can determine whether the terminal passes identity authentication according to the first authentication hash value and the second authentication hash value; and the second authentication hash value is a hash value obtained by the authentication server according to the authentication initialization information and second pre-stored authentication information.
7. The identity authentication method according to claim 6, wherein after sending the identity authentication request to the authentication server and before receiving the authentication initialization information returned by the authentication server, further comprising:
agreeing with the authentication server on authentication key information corresponding to the identity authentication request.
8. The identity authentication method of claim 7, wherein the agreeing with the authentication server on the authentication key information corresponding to the identity authentication request comprises:
receiving encrypted authentication key information sent by the authentication server; the encrypted authentication key information is information generated by the authentication server encrypting the authentication key information by using a public key of the terminal;
and decrypting the encrypted authentication key information by using a private key of the terminal to obtain the authentication key information.
9. The identity authentication method of claim 7, wherein the authentication key information comprises an authentication key and an authentication encryption algorithm;
the sending the first authentication hash value to the authentication server includes:
encrypting the first authentication hash value according to the authentication key and the authentication encryption algorithm to obtain an encrypted first authentication hash value;
sending the encrypted first authentication hash value to the authentication server.
10. The identity authentication method of claim 6, wherein obtaining the first authentication hash value according to the authentication initialization information and the first pre-stored authentication information comprises:
obtaining a password and a second authentication function of the authentication server according to the first pre-stored authentication information;
obtaining the first authentication hash value based on the authentication initialization information, the password of the authentication server, and the second authentication function.
11. An identity authentication apparatus, comprising:
the first receiving module is used for receiving an identity authentication request sent by a terminal; receiving a first authentication hash value returned by the terminal; the first authentication hash value is a hash value obtained by the terminal according to authentication initialization information and first pre-stored authentication information;
the first sending module is used for sending the authentication initialization information to the terminal;
the first calculation module is used for calculating a second authentication hash value according to the authentication initialization information and second pre-stored authentication information;
and the authentication module is used for determining whether the terminal passes the identity authentication according to the first authentication hash value and the second authentication hash value.
12. An identity authentication apparatus, comprising:
the second sending module is used for sending an identity authentication request to the authentication server; sending the first authentication hash value to the authentication server so that the authentication server can determine whether the terminal passes the identity authentication according to the first authentication hash value and the second authentication hash value; the second authentication hash value is a hash value obtained by the authentication server according to authentication initialization information and second pre-stored authentication information;
the second receiving module is used for receiving the authentication initialization information returned by the authentication server;
and the second calculation module is used for obtaining the first authentication hash value according to the authentication initialization information and the first pre-stored authentication information.
CN202011427928.XA 2020-12-07 2020-12-07 Identity authentication method and device Active CN112437436B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011427928.XA CN112437436B (en) 2020-12-07 2020-12-07 Identity authentication method and device

Publications (2)

Publication Number Publication Date
CN112437436A true CN112437436A (en) 2021-03-02
CN112437436B CN112437436B (en) 2023-05-02

Family

ID=74692503

Country Status (1)

Country Link
CN (1) CN112437436B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113037742A (en) * 2021-03-04 2021-06-25 上海华申智能卡应用系统有限公司 Fingerprint authentication method and system

Citations (8)

* Cited by examiner, † Cited by third party

| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106453269A (en) * | 2016-09-21 | 2017-02-22 | 东软集团股份有限公司 | Internet of Vehicles secure communication method, vehicle-mounted terminal, server and system |
| CN106790075A (en) * | 2016-12-21 | 2017-05-31 | 上海云熵网络科技有限公司 | Authentication system and authentication method for UDP transmission |
| CN107295011A (en) * | 2017-08-04 | 2017-10-24 | 杭州安恒信息技术有限公司 | Web page security authentication method and device |
| WO2017190616A1 (en) * | 2016-05-05 | 2017-11-09 | 腾讯科技(深圳)有限公司 | Wireless network connection method, wireless access point, server, and system |
| CN108847938A (en) * | 2018-09-29 | 2018-11-20 | 郑州云海信息技术有限公司 | Connection establishment method and device |
| CN108881287A (en) * | 2018-07-18 | 2018-11-23 | 电子科技大学 | Blockchain-based Internet of Things node identity authentication method |
| CN109446788A (en) * | 2018-10-12 | 2019-03-08 | 广州杰赛科技股份有限公司 | Device identity authentication method and device, and computer storage medium |
| CN110659467A (en) * | 2019-09-29 | 2020-01-07 | 浪潮(北京)电子信息产业有限公司 | Remote user identity authentication method, device, system, terminal and server |

Also Published As

| Publication number | Publication date |
|---|---|
| CN112437436B (en) | 2023-05-02 |

Similar Documents

| Publication | Title |
|---|---|
| CN111556025B (en) | Data transmission method, system and computer equipment based on encryption and decryption operations |
| WO2018050081A1 (en) | Device identity authentication method and apparatus, electric device, and storage medium |
| US9641344B1 (en) | Multiple factor authentication in an identity certificate service |
| CN110971415A (en) | Space-ground integrated space information network anonymous access authentication method and system |
| JP7292263B2 (en) | Method and apparatus for managing digital certificates |
| US11240671B1 (en) | Bluetooth device connection methods and Bluetooth devices |
| CN107820239B (en) | Information processing method and device |
| KR20190099066A (en) | Digital certificate management method and device |
| CN108809633B (en) | Identity authentication method, device and system |
| KR101531662B1 (en) | Method and system for mutual authentication between client and server |
| CN104243452B (en) | Cloud computing access control method and system |
| Noh et al. | Secure authentication and four-way handshake scheme for protected individual communication in public Wi-Fi networks |
| WO2022135391A1 (en) | Identity authentication method and apparatus, and storage medium, program and program product |
| CN115348023A (en) | Data security processing method and device |
| CN112437436B (en) | Identity authentication method and device |
| CN112261103A (en) | Node access method and related equipment |
| US20240064011A1 (en) | Identity authentication method and apparatus, device, chip, storage medium, and program |
| WO2022135379A1 (en) | Identity authentication method and apparatus |
| WO2022135394A1 (en) | Identity authentication method and apparatus, storage medium, program, and program product |
| CN112995140B (en) | Security management system and method |
| CN115022850A (en) | Authentication method, device, system, electronic equipment and medium for D2D communication |
| CN111800791B (en) | Authentication method, core network equipment and terminal |
| CN112242976B (en) | Identity authentication method and device |
| CN113727059A (en) | Multimedia conference terminal network access authentication method, device, equipment and storage medium |
| CN113364756B (en) | Intelligent electronic equipment data transmission method, device, system and medium |

Legal Events

| Code | Title |
|---|---|
| PB01 | Publication |
| SE01 | Entry into force of request for substantive examination |
| GR01 | Patent grant |