CN112437436B - Identity authentication method and device - Google Patents

Identity authentication method and device

Info

Publication number
CN112437436B
Authority
CN
China
Prior art keywords
authentication
terminal
information
hash value
server
Legal status
Active (status as listed by Google Patents; not a legal conclusion)
Application number
CN202011427928.XA
Other languages
Chinese (zh)
Other versions
CN112437436A (en)
Inventor
陈璐
陶冶
刘伟
智晓欢
Current Assignee (as listed by Google Patents)
China United Network Communications Group Co Ltd
Original Assignee
China United Network Communications Group Co Ltd
Application filed by China United Network Communications Group Co Ltd
Priority to CN202011427928.XA
Publication of CN112437436A
Application granted
Publication of CN112437436B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The application discloses an identity authentication method and device in the technical field of communication. The identity authentication method comprises the following steps: receiving an identity authentication request sent by a terminal, sending authentication initialization information to the terminal, receiving a first authentication hash value returned by the terminal, calculating a second authentication hash value according to the authentication initialization information and second pre-stored authentication information, and determining whether the terminal passes identity authentication according to the first authentication hash value and the second authentication hash value, so that terminal equipment with potential safety hazards is prevented from accessing the edge network and the safety of the edge network is improved.

Description

Identity authentication method and device
Technical Field
The present application relates to the field of communications technologies, and in particular, to an identity authentication method and apparatus.
Background
In edge computing in a 5G (5th-Generation, fifth generation communication technology) environment, an edge computing node or edge computing server provides services to large numbers of end users. However, the rapid development of edge computing has made its security problems increasingly prominent. When terminal equipment accesses the edge network, identity authentication of the terminal equipment is the first security problem to consider. If terminal equipment with potential safety hazards is allowed onto the edge network, the edge network is exposed to threats. Therefore, how to perform identity authentication on terminal devices accessing the edge network is a problem to be solved in the art.
Disclosure of Invention
Therefore, the application provides an identity authentication method and an identity authentication device, so as to solve the problem of how to perform identity authentication on terminal equipment accessing an edge network, and to avoid terminal equipment with potential safety hazards posing a safety threat to the edge network.
In order to achieve the above object, a first aspect of the present application provides an identity authentication method, including:
receiving an identity authentication request sent by a terminal;
sending authentication initialization information to a terminal;
receiving a first authentication hash value returned by the terminal; the first authentication hash value is obtained by the terminal according to the authentication initialization information and the first pre-stored authentication information;
calculating a second authentication hash value according to the authentication initialization information and second pre-stored authentication information;
and determining whether the terminal passes identity authentication according to the first authentication hash value and the second authentication hash value.
Further, after receiving the identity authentication request sent by the terminal and before sending authentication initialization information to the terminal, the method further comprises:
agreeing with the terminal on authentication key information corresponding to the identity authentication request.
Further, agreeing with the terminal on the authentication key information corresponding to the identity authentication request includes:
obtaining authentication key information;
encrypting the authentication key information by using a public key of the terminal to obtain encrypted authentication key information;
and sending the encryption authentication key information to the terminal.
Further, the authentication key information includes an authentication key and an authentication encryption algorithm;
sending authentication initialization information to a terminal, including:
encrypting the authentication initialization information according to the authentication key and the authentication encryption algorithm to obtain encrypted authentication initialization information;
and sending the encryption authentication initialization information to the terminal.
Further, calculating a second authentication hash value according to the authentication initialization information and the second pre-stored authentication information includes:
acquiring a password and a first authentication function of the terminal according to the second pre-stored authentication information;
and obtaining a second authentication hash value based on the authentication initialization information, the password of the terminal and the first authentication function.
Further, the identity authentication method further comprises the following steps:
sending an identity authentication request to an authentication server;
receiving authentication initialization information returned by an authentication server;
obtaining a first authentication hash value according to the authentication initialization information and the first pre-stored authentication information;
the first authentication hash value is sent to an authentication server, so that the authentication server can determine whether the terminal passes identity authentication according to the first authentication hash value and the second authentication hash value; the second authentication hash value is a hash value obtained by the authentication server according to the authentication initialization information and the second pre-stored authentication information.
Further, after sending the identity authentication request to the authentication server and before receiving the authentication initialization information returned by the authentication server, the method further comprises:
agreeing with the authentication server on authentication key information corresponding to the identity authentication request.
Further, agreeing with the authentication server on the authentication key information corresponding to the identity authentication request includes:
receiving encryption authentication key information sent by an authentication server; the encryption authentication key information is generated by encrypting the authentication key information by using a public key of the terminal by the authentication server;
and decrypting the encrypted authentication key information by using the private key of the terminal to obtain the authentication key information.
Further, the authentication key information includes an authentication key and an authentication encryption algorithm;
transmitting the first authentication hash value to an authentication server, comprising:
encrypting the first authentication hash value according to the authentication key and the authentication encryption algorithm to obtain an encrypted first authentication hash value;
the encrypted first authentication hash value is sent to an authentication server.
Further, obtaining a first authentication hash value according to the authentication initialization information and the first pre-stored authentication information includes:
obtaining a password and a second authentication function of the authentication server according to the first pre-stored authentication information;
the first authentication hash value is obtained based on the authentication initialization information, the password of the authentication server, and the second authentication function.
In order to achieve the above object, a second aspect of the present application provides an identity authentication device, including:
the first receiving module is used for receiving an identity authentication request sent by the terminal; and receiving a first authentication hash value returned by the terminal; the first authentication hash value is obtained by the terminal according to the authentication initialization information and the first pre-stored authentication information;
the first sending module is used for sending authentication initialization information to the terminal;
the first calculation module is used for calculating a second authentication hash value according to the authentication initialization information and second pre-stored authentication information;
and the authentication module is used for determining whether the terminal passes identity authentication according to the first authentication hash value and the second authentication hash value.
Further, the identity authentication device further comprises:
the second sending module is used for sending an identity authentication request to the authentication server, and for sending the first authentication hash value to the authentication server so that the authentication server determines whether the terminal passes identity authentication according to the first authentication hash value and the second authentication hash value; the second authentication hash value is a hash value obtained by the authentication server according to the authentication initialization information and the second pre-stored authentication information;
the second receiving module is used for receiving authentication initialization information returned by the authentication server;
and the second calculation module is used for obtaining a first authentication hash value according to the authentication initialization information and the first pre-stored authentication information.
The application has the following advantages:
according to the identity authentication method, the identity authentication request sent by the terminal is received, authentication initialization information is sent to the terminal, the first authentication hash value returned by the terminal is received, the second authentication hash value is calculated according to the authentication initialization information and the second pre-stored authentication information, whether the terminal passes identity authentication or not is determined according to the first authentication hash value and the second authentication hash value, so that terminal equipment with potential safety hazards is prevented from accessing an edge network, and the safety of the edge network is improved.
Drawings
The accompanying drawings are included to provide a further understanding of the application and are incorporated in and constitute a part of this specification, illustrate the application and, together with the description, do not limit the application.
Fig. 1 is a flowchart of an identity authentication method according to a first embodiment of the present application;
fig. 2 is a flowchart of an identity authentication method according to a second embodiment of the present application;
Fig. 3 is a flowchart of an identity authentication method according to a third embodiment of the present application;
fig. 4 is a flowchart of an identity authentication method according to a fourth embodiment of the present application;
FIG. 5 is a flowchart illustrating an authentication system according to a fifth embodiment of the present application;
fig. 6 is a schematic block diagram of an identity authentication device according to a sixth embodiment of the present application;
fig. 7 is a schematic block diagram of an identity authentication device according to a seventh embodiment of the present application.
In the drawings:
500: terminal; 510: authentication server;
601: first receiving module; 602: first sending module;
603: first calculation module; 604: authentication module;
701: second sending module; 702: second receiving module;
703: second calculation module.
Detailed Description
The following detailed description of specific embodiments of the present application refers to the accompanying drawings. It should be understood that the detailed description is presented herein for purposes of illustration and explanation only and is not intended to limit the present application.
Identity authentication is critical to the security of edge computing applications and data. In order to avoid accessing the terminal equipment with potential safety hazard to the edge network, identity authentication needs to be carried out on the equipment to be accessed.
In view of this, the first aspect of the present application provides an identity authentication method in which an authentication server issues authentication initialization information to a terminal, receives a first authentication hash value returned by the terminal, compares the first authentication hash value with a second authentication hash value that the authentication server calculates itself, and determines whether the terminal passes identity authentication according to the comparison result, thereby preventing a terminal with potential safety hazards from accessing the edge network and ensuring the security of the edge network.
Fig. 1 is a flowchart of an identity authentication method according to a first embodiment of the present application, where the identity authentication method is applied to an authentication server. As shown in fig. 1, the identity authentication method includes the following steps:
step S101, receiving an identity authentication request sent by a terminal.
When the terminal needs to access the edge network, it sends an identity authentication request to the authentication server so that the authentication server can authenticate it; the terminal accesses the edge network only after passing identity authentication.
It can be understood that the identity authentication request should include the identity information of the terminal, so that the authentication server can uniquely identify the terminal from that identity information and authenticate it.
In some implementations, the identity information of the terminal includes a device name of the terminal and/or a device identification of the terminal. The above description is merely illustrative of the identity information of the terminal, and other identity information of the terminal that is not illustrated is also within the protection scope of the present application, and may be specifically set according to specific situations, which is not described herein again.
Step S102, authentication initialization information is sent to the terminal.
In some specific implementations, the authentication initialization information can be randomly generated for each authentication process, so that the problem that the authentication initialization information in a fixed form or generated according to a fixed mode is easy to crack is avoided, and the safety and the effectiveness of identity authentication are effectively improved.
In one embodiment, after receiving an identity authentication request of a terminal, an authentication server generates an authentication initialization vector based on a random function, generates authentication initialization information according to the authentication initialization vector and a host name of the authentication server, and then transmits the authentication initialization information to the terminal. The terminal receives the authentication initialization information sent by the authentication server.
It should be noted that, the authentication initialization information includes an authentication initialization vector only for illustration, and other non-illustrated authentication initialization information is also within the protection scope of the present application, and may be specifically set according to specific situations, which is not described herein again.
Step S103, receiving a first authentication hash value returned by the terminal.
The first authentication hash value is a hash value obtained by the terminal according to the authentication initialization information and the first pre-stored authentication information. The first pre-stored authentication information is information pre-stored by the terminal and used for identity authentication. In some embodiments, the first pre-stored authentication information includes a host name of the authentication server and a corresponding password or digital certificate.
In one embodiment, a terminal receives authentication initialization information including an authentication initialization vector and a hostname of an authentication server. The terminal inquires the password of the authentication server and a second authentication function (the second authentication function can be a function which is pre-designated and used for carrying out identity authentication with the current authentication server) from the first pre-stored authentication information according to the host name of the authentication server, and then calculates through the second authentication function according to the authentication initialization vector and the password of the authentication server to obtain a calculation result, wherein the calculation result is the first authentication hash value. The terminal sends the first authentication hash value to an authentication server, and the authentication server receives the first authentication hash value sent by the terminal.
Step S104, a second authentication hash value is calculated according to the authentication initialization information and the second pre-stored authentication information.
To verify whether the first authentication hash value sent by the terminal is correct, the authentication server calculates a second authentication hash value, and judges whether the terminal passes identity authentication by comparing the first authentication hash value with the second authentication hash value.
The second pre-stored authentication information is information pre-stored by the authentication server and used for authenticating the identity of the terminal. In some embodiments, the second pre-stored authentication information includes identity information of the terminal and a corresponding password or digital certificate.
In one embodiment, the authentication server obtains the identity information of the terminal from the identity authentication request sent by the terminal, queries and obtains the password of the terminal and the first authentication function (the first authentication function may be a function pre-designated for use in authenticating with the current terminal) from the second pre-stored authentication information according to the identity information of the terminal, and calculates through the first authentication function according to the authentication initialization vector and the password of the terminal, so as to obtain a calculation result, where the calculation result is the second authentication hash value.
Step S105, determining whether the terminal passes identity authentication according to the first authentication hash value and the second authentication hash value.
The authentication server compares the first authentication hash value with the second authentication hash value to obtain a comparison result, and determines whether the terminal passes identity authentication according to the comparison result.
Specifically, under the condition that the first authentication hash value and the second authentication hash value are the same, the authentication server determines that the terminal passes identity authentication; and under the condition that the first authentication hash value and the second authentication hash value are different, the authentication server determines that the terminal fails identity authentication.
In this embodiment, the authentication server compares whether the first authentication hash value sent by the terminal is consistent with the second authentication hash value obtained by calculation of the authentication server, and determines whether the terminal passes identity authentication according to the comparison result, so that identity authentication can be effectively performed on the terminal to be accessed, an illegal terminal is prevented from being accessed to the edge network, and the security of the whole edge network is ensured.
Fig. 2 is a flowchart of an identity authentication method according to a second embodiment of the present application, where the identity authentication method is applied to an authentication server. The second embodiment is substantially identical to the first embodiment of the present application, except that after receiving the identity authentication request sent by the terminal, the authentication server agrees with the terminal on authentication key information for this authentication process, which is then used to encrypt the subsequent authentication interaction information. As shown in fig. 2, the identity authentication method includes the steps of:
step S201, receiving an identity authentication request sent by a terminal.
Step S201 in the present embodiment is the same as the content of step S101 in the first embodiment of the present application, and will not be described here again.
Step S202, agreeing with the terminal on authentication key information corresponding to the identity authentication request.
The authentication key information includes an authentication key and an authentication encryption algorithm. In some specific implementations, the authentication key is a one-time symmetric key, i.e. the authentication key is only valid for the current authentication process, and the authentication server side and the terminal side encrypt with the same key; the authentication encryption algorithm is an encryption algorithm based on an authentication key, namely, the authentication server and the terminal need to agree on a key used in encryption and also agree on an encryption algorithm based on the key.
Further, when the authentication server transmits the authentication key information to the terminal, in order to prevent the authentication key information from being cracked, the authentication server and the terminal also need to agree on a key and an encryption algorithm used when transmitting the authentication key information. In some implementations, the terminal may send its public key to the authentication server in the authentication request. When transmitting the authentication key information to the terminal, the authentication server may encrypt the authentication key information using the public key of the terminal, generate encrypted authentication key information, and transmit the encrypted authentication key information to the terminal. Accordingly, after receiving the encrypted authentication key information, the terminal may decrypt using the private key of the terminal to obtain the authentication key.
In one embodiment, the authentication server agreeing with the terminal on the authentication key information corresponding to the identity authentication request includes:
the authentication server generates an authentication key, determines an authentication encryption algorithm, generates authentication key information based on the authentication key and the authentication encryption algorithm, encrypts the authentication key information by using a public key of the terminal, obtains encrypted authentication key information, and transmits the encrypted authentication key information to the terminal.
The terminal receives the encrypted authentication key information, decrypts the encrypted authentication key information by using the private key of the terminal to obtain the authentication key information, thereby completing agreement of the terminal and the authentication server on the authentication key information in the authentication process.
The method used by the authentication server to encrypt the authentication key information with the terminal's public key may be an encryption method agreed in advance with the terminal, or it may be sent to the terminal as additional information together with the encrypted authentication key information. In the former case, the terminal directly decrypts the encrypted authentication key information according to the pre-agreed decryption method; in the latter case, the terminal first extracts the additional information accompanying the encrypted authentication key information, derives the decryption method from it, and then decrypts the encrypted authentication key information with that method.
Step S203, sending encrypted authentication initialization information to the terminal.
After the authentication server and the terminal agree on the authentication key information in the authentication process, when the authentication server sends information to the terminal, the information to be sent is encrypted based on the authentication key information to obtain encrypted information, and the encrypted information is sent to the terminal, so that information leakage is avoided, and information safety is guaranteed.
In this embodiment, the encrypted authentication initialization information is information generated by the authentication server encrypting the authentication initialization information based on the authentication key information.
Step S204, the encrypted first authentication hash value returned by the terminal is received, and the encrypted first authentication hash value is decrypted to obtain the first authentication hash value.
Similarly, when the terminal transmits information to the authentication server, the terminal encrypts the information to be transmitted based on the authentication key information as well, and transmits the encrypted information to the authentication server. After receiving the encrypted information sent by the terminal, the authentication server needs to decrypt the encrypted information based on the authentication key information, thereby obtaining decrypted information.
In one embodiment, the authentication server receives an encrypted first authentication hash value sent by the terminal, decrypts the encrypted first authentication hash value based on the authentication key information, and obtains the first authentication hash value.
Step S205, a second authentication hash value is calculated according to the authentication initialization information and the second pre-stored authentication information.
Step S206, determining whether the terminal passes the identity authentication according to the first authentication hash value and the second authentication hash value.
The contents of step S205 to step S206 in the present embodiment are the same as those of step S104 to step S105 in the first embodiment of the present application, and are not described here again.
In this embodiment, the terminal and the authentication server agree on authentication key information for the present authentication process, and encrypt authentication interaction information by using the authentication key information in the authentication process, so as to avoid information leakage, thereby improving security and effectiveness of identity authentication. In addition, the authentication key information is information agreed for the authentication process, and has a limited application range, so that the safety and the effectiveness of identity authentication are further ensured. The authentication interaction information comprises information generated by communication interaction between the terminal and the authentication server in the identity authentication process.
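The key agreement and message protection of steps S202 to S204, as an added example in Go that is not part of the patent or of any implementation of it. The patent leaves the authentication encryption algorithm, the method of encrypting under the terminal's public key and the encoding of the authentication key information open; this example assumes RSA-OAEP with SHA-256 for wrapping, AES-256-GCM as the authentication encryption algorithm, a JSON bundle for the key information, and a constructed terminal key pair. All names (AuthKeyInfo, AgreeAuthKey, UnwrapAuthKey, NewTerminalKey, Seal, Open, RunKeyAgreement) are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// AuthKeyInfo is the "authentication key information" of step S202: a one-time
// symmetric key and the name of the algorithm both sides will use with it.
type AuthKeyInfo struct {
	Key       []byte `json:"key"`
	Algorithm string `json:"alg"` // only "AES-256-GCM" is understood here (assumption)
}

// NewTerminalKey makes the terminal's RSA key pair (constructed for the example).
func NewTerminalKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// AgreeAuthKey is the server side of S202: generate a fresh key, bundle it with the
// algorithm name, and encrypt the bundle under the terminal's public key (RSA-OAEP
// with SHA-256, an assumed choice). It returns the server's copy and the wrapped blob.
func AgreeAuthKey(terminalPub *rsa.PublicKey) (AuthKeyInfo, []byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil { return AuthKeyInfo{}, nil, err }
	info := AuthKeyInfo{Key: key, Algorithm: "AES-256-GCM"}
	plain, err := json.Marshal(info)
	if err != nil { return AuthKeyInfo{}, nil, err }
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, terminalPub, plain, nil)
	return info, wrapped, err
}

// UnwrapAuthKey is the terminal side of S202: decrypt with the terminal's private key
// and refuse anything but the expected algorithm and key size.
func UnwrapAuthKey(terminalPriv *rsa.PrivateKey, wrapped []byte) (AuthKeyInfo, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, terminalPriv, wrapped, nil)
	if err != nil { return AuthKeyInfo{}, err }
	var info AuthKeyInfo
	if err := json.Unmarshal(plain, &info); err != nil { return AuthKeyInfo{}, err }
	if info.Algorithm != "AES-256-GCM" || len(info.Key) != 32 {
		return AuthKeyInfo{}, errors.New("unsupported authentication encryption algorithm")
	}
	return info, nil
}

// newAEAD builds the AES-GCM instance for the agreed one-time key.
func newAEAD(info AuthKeyInfo) (cipher.AEAD, error) {
	block, err := aes.NewCipher(info.Key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Seal encrypts one authentication interaction message (S203/S204) under the agreed
// key; the random nonce is prefixed to the ciphertext.
func Seal(info AuthKeyInfo, msg []byte) ([]byte, error) {
	aead, err := newAEAD(info)
	if err != nil { return nil, err }
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return aead.Seal(nonce, nonce, msg, nil), nil
}

// Open decrypts and checks the GCM tag, so a modified ciphertext is rejected
// rather than decrypted into garbage.
func Open(info AuthKeyInfo, ct []byte) ([]byte, error) {
	aead, err := newAEAD(info)
	if err != nil { return nil, err }
	ns := aead.NonceSize()
	if len(ct) < ns { return nil, errors.New("ciphertext too short") }
	return aead.Open(nil, ct[:ns], ct[ns:], nil)
}

// RunKeyAgreement exercises S202 through S204 end to end: the terminal's reply (for
// instance its first authentication hash) travels to the server encrypted under the
// agreed key, and the function returns what the server recovered.
func RunKeyAgreement(reply []byte) ([]byte, error) {
	terminalPriv, err := NewTerminalKey()
	if err != nil { return nil, err }
	serverInfo, wrapped, err := AgreeAuthKey(&terminalPriv.PublicKey)
	if err != nil { return nil, err }
	terminalInfo, err := UnwrapAuthKey(terminalPriv, wrapped)
	if err != nil { return nil, err }
	ct, err := Seal(terminalInfo, reply)
	if err != nil { return nil, err }
	return Open(serverInfo, ct)
}

func main() {
	got, err := RunKeyAgreement([]byte("first-authentication-hash-bytes"))
	fmt.Printf("server recovered %q (err=%v)\n", got, err)
}
```

Because the symmetric layer is an AEAD, the server's Open call rejects a modified encrypted hash instead of decrypting it to something else, and the terminal's UnwrapAuthKey refuses a bundle that names an algorithm it was not expecting. The one-time key exists only for the run, which is the "limited application range" the text describes.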
Fig. 3 is a flowchart of an identity authentication method according to a third embodiment of the present application, where the identity authentication method is applied to a terminal. As shown in fig. 3, the identity authentication method includes the steps of:
step S301, an identity authentication request is sent to an authentication server.
The authentication server is a server used for authenticating the identity of the terminal in the edge network.
In one embodiment, the terminal sends an identity authentication request to the authentication server when it needs to access the edge network. The identity authentication request includes the identity information of the terminal.
Step S302, receiving authentication initialization information returned by the authentication server.
In some specific implementations, the authentication initialization information is generated randomly for each authentication process. This avoids the weakness of initialization information that is fixed or derived in a predictable way, which an attacker could precompute or replay, and so effectively improves the security and effectiveness of identity authentication.
In one embodiment, the authentication server generates an authentication initialization vector based on a random function, generates authentication initialization information based on the authentication initialization vector and a host name of the authentication server, and then transmits the authentication initialization information to the terminal. And the terminal receives authentication initialization information returned by the authentication server.
Step S303, obtaining a first authentication hash value according to the authentication initialization information and the first pre-stored authentication information.
In one embodiment, the authentication initialization information includes an authentication initialization vector and the host name of the authentication server. The terminal reads the host name of the authentication server from the authentication initialization information, uses that host name to query the password of the authentication server and the second authentication function from the first pre-stored authentication information, and evaluates the second authentication function with the authentication initialization vector and the password of the authentication server as its inputs; the result is the first authentication hash value.
Step S304, the first authentication hash value is sent to the authentication server, so that the authentication server can determine whether the terminal passes identity authentication according to the first authentication hash value and the second authentication hash value.
The second authentication hash value is a hash value obtained by the authentication server according to the authentication initialization information and the second pre-stored authentication information.
In one embodiment, the terminal transmits the first authentication hash value to the authentication server. The authentication server receives the first authentication hash value, calculates the second authentication hash value from the authentication initialization information and the second pre-stored authentication information, compares whether the first authentication hash value is identical to the second authentication hash value, and determines whether the terminal passes identity authentication from the comparison result. The two values can only be identical when the password the terminal stores for the authentication server and the password the authentication server stores for the terminal are the same shared secret, and the first and second authentication functions compute the same function; the pre-stored authentication information on both sides must therefore be provisioned consistently.
In this embodiment, the terminal calculates a first authentication hash value from the authentication initialization information provided by the authentication server and the first pre-stored authentication information, so that the authentication server can compare it with the second authentication hash value it calculates itself and decide from the comparison result whether the terminal passes identity authentication, allowing the terminal to access the edge network safely. In addition, the authentication initialization information in this embodiment is generated afresh for each authentication process and is unpredictable, so a first authentication hash value calculated by the terminal cannot be precomputed or replayed in a later process, which further ensures the security and effectiveness of identity authentication.
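The exchange of steps S301 to S304, as an added example written for this page in Go; it is not code from the patent. It assumes that both the first and the second authentication function are HMAC-SHA256 keyed with the shared password, that the MAC covers the host name as well as the initialization vector (the patent names only the vector and the password as inputs), and that the host name `auth.edge.example`, the identity `terminal-42` and the password are constructed sample values. Two checks the patent leaves implicit are made explicit: the server keeps the initialization vector it issued and verifies against that copy, so a terminal cannot supply a vector of its own choosing or replay an earlier response, and the two hash values are compared in constant time with `hmac.Equal`.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// InitInfo is the "authentication initialization information": a random
// initialization vector plus the host name of the authentication server.
type InitInfo struct {
	IV       []byte
	Hostname string
}

// authHash is the authentication function assumed for both sides of this
// example: HMAC-SHA256 keyed with the pre-shared password over IV || hostname.
// Including the host name in the MAC is an assumption, not from the patent.
func authHash(password []byte, info InitInfo) []byte {
	m := hmac.New(sha256.New, password)
	m.Write(info.IV)
	m.Write([]byte(info.Hostname))
	return m.Sum(nil)
}

// Server holds the "second pre-stored authentication information" (terminal
// identity -> shared password). pending remembers the vector issued to each
// terminal so the response is checked against the server's own challenge.
type Server struct {
	Hostname  string
	terminals map[string][]byte
	pending   map[string]InitInfo
}

func NewServer(hostname string, terminals map[string][]byte) *Server {
	return &Server{Hostname: hostname, terminals: terminals, pending: map[string]InitInfo{}}
}

// Challenge answers an identity authentication request (step S301): a fresh
// 32-byte vector from crypto/rand is generated for every request.
func (s *Server) Challenge(terminalID string) (InitInfo, error) {
	if _, ok := s.terminals[terminalID]; !ok {
		return InitInfo{}, errors.New("unknown terminal identity")
	}
	iv := make([]byte, 32)
	if _, err := rand.Read(iv); err != nil {
		return InitInfo{}, err
	}
	info := InitInfo{IV: iv, Hostname: s.Hostname}
	s.pending[terminalID] = info
	return info, nil
}

// Verify computes the second authentication hash value and compares it with
// the first in constant time. The pending challenge is consumed whether or not
// the comparison succeeds, so a captured hash value cannot be replayed.
func (s *Server) Verify(terminalID string, firstHash []byte) bool {
	info, ok := s.pending[terminalID]
	if !ok {
		return false
	}
	delete(s.pending, terminalID)
	return hmac.Equal(firstHash, authHash(s.terminals[terminalID], info))
}

// Terminal holds the "first pre-stored authentication information"
// (server host name -> shared password).
type Terminal struct {
	ID      string
	Servers map[string][]byte
}

// Respond computes the first authentication hash value (step S303).
func (t *Terminal) Respond(info InitInfo) ([]byte, error) {
	password, ok := t.Servers[info.Hostname]
	if !ok {
		return nil, fmt.Errorf("no credentials stored for server %q", info.Hostname)
	}
	return authHash(password, info), nil
}

// Authenticate runs steps S301 to S304 end to end and returns the server's decision.
func Authenticate(t *Terminal, s *Server) (bool, error) {
	info, err := s.Challenge(t.ID)
	if err != nil {
		return false, err
	}
	firstHash, err := t.Respond(info)
	if err != nil {
		return false, err
	}
	return s.Verify(t.ID, firstHash), nil
}

func main() {
	secret := []byte("terminal-42-shared-password") // constructed sample credential
	srv := NewServer("auth.edge.example", map[string][]byte{"terminal-42": secret})
	term := &Terminal{ID: "terminal-42", Servers: map[string][]byte{"auth.edge.example": secret}}
	ok, err := Authenticate(term, srv)
	fmt.Println("authenticated:", ok, "err:", err)
}
```

The hash value alone does not protect a weak password: anyone who captures the vector and the hash can guess passwords offline against the MAC, which is the gap the fourth and fifth embodiments narrow by encrypting the interaction.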
Fig. 4 is a flowchart of an identity authentication method according to a fourth embodiment of the present application, where the identity authentication method is applied to a terminal. The fourth embodiment is substantially identical to the third embodiment of the present application, except that after the terminal sends an identity authentication request to the authentication server, the terminal agrees with the authentication server on authentication key information for the authentication process, which is then used to encrypt the subsequent authentication interaction information in that process. As shown in fig. 4, the identity authentication method includes the steps of:
Step S401, an identity authentication request is sent to an authentication server.
The content of step S401 in this embodiment is the same as that of step S301 in the third embodiment of the present application, and will not be described here again.
Step S402, agreeing with the authentication server on the authentication key information corresponding to the identity authentication request.
The authentication key information includes an authentication key and an authentication encryption algorithm.
In one embodiment, an authentication server generates an authentication key, determines an authentication encryption algorithm, generates authentication key information based on the authentication key and the authentication encryption algorithm, encrypts the authentication key information using a public key of a terminal, obtains encrypted authentication key information, and transmits the encrypted authentication key information to the terminal.
The terminal receives the encrypted authentication key information, decrypts the encrypted authentication key information by using the private key of the terminal to obtain the authentication key information, thereby completing agreement of the terminal and the authentication server on the authentication key information in the authentication process.
Step S403, receiving the encrypted authentication initialization information returned by the authentication server, and decrypting the encrypted authentication initialization information to obtain the authentication initialization information.
After the terminal and the authentication server agree on the authentication key information in the authentication process, the agreed authentication key information is used for encrypting the interaction information when the terminal and the authentication server interact information, so that information leakage is avoided.
In one embodiment, the terminal receives the encrypted authentication initialization information returned by the authentication server, and decrypts the encrypted authentication initialization information according to the authentication key information to obtain the authentication initialization information.
Step S404, obtaining a first authentication hash value according to the authentication initialization information and the first pre-stored authentication information.
Step S404 in this embodiment is the same as step S303 in the third embodiment of the present application, and will not be described here again.
Step S405, encrypting the first authentication hash value based on the authentication key information to obtain an encrypted first authentication hash value.
After the terminal and the authentication server agree on the authentication key information in the authentication process, the terminal encrypts the information to be sent based on the authentication key information before sending the information to the authentication server, so that information leakage is avoided.
Step S406, the encrypted first authentication hash value is sent to the authentication server, so that the authentication server can determine whether the terminal passes identity authentication according to the first authentication hash value and the second authentication hash value.
After receiving the encrypted first authentication hash value, the authentication server firstly decrypts the encrypted first authentication hash value based on the authentication key information to obtain the first authentication hash value, then compares the first authentication hash value with a second authentication hash value obtained by the authentication server in a calculating mode, and further determines whether the terminal passes identity authentication according to a comparison result.
In this embodiment, the terminal and the authentication server agree on the authentication key information for the present authentication process and use it to encrypt the authentication interaction information exchanged during that process, so that the interaction information is not disclosed to an eavesdropper; this improves the security and effectiveness of identity authentication. In addition, because the authentication key information is agreed for this authentication process only, its scope of use is limited to a single authentication, which further ensures the security and effectiveness of identity authentication.
Fig. 5 is a flowchart of an identity authentication system according to a fifth embodiment of the present application. As shown in fig. 5, the identity authentication system includes: a terminal 500 and an authentication server 510.
The workflow of the identity authentication system comprises:
in step S501, the terminal 500 transmits an authentication request to the authentication server 510.
In step S502, the authentication server 510 generates an authentication key, determines an authentication encryption algorithm, and generates authentication key information according to the authentication key and the authentication encryption algorithm.
In step S503, the authentication server 510 transmits the authentication key information to the terminal 500, encrypted with the public key of the terminal 500 as described for step S402.
In step S504, the authentication server 510 transmits encrypted authentication initialization information to the terminal 500.
The encrypted authentication initialization information is the result of the authentication server 510 encrypting the authentication initialization information with the authentication key and the authentication encryption algorithm. In some implementations, the authentication initialization information includes an authentication initialization vector and the host name of the authentication server 510.
In step S505, the terminal 500 receives the encrypted authentication initialization information, and decrypts the encrypted authentication initialization information based on the authentication key information to obtain the authentication initialization information.
In step S506, the terminal 500 obtains a first authentication hash value according to the authentication initialization information and the first pre-stored authentication information.
In step S507, the terminal 500 encrypts the first authentication hash value based on the authentication key information, to obtain an encrypted first authentication hash value.
In step S508, the terminal 500 transmits the encrypted first authentication hash value to the authentication server 510.
In step S509, the authentication server 510 receives the encrypted first authentication hash value, decrypts the encrypted first authentication hash value according to the authentication key information, and obtains the first authentication hash value.
In step S510, the authentication server 510 calculates a second authentication hash value according to the authentication initialization information and the second pre-stored authentication information.
In step S511, the authentication server 510 compares whether the first authentication hash value is the same as the second authentication hash value, obtains a comparison result, and generates an identity authentication feedback message according to the comparison result.
In step S512, the authentication server 510 transmits an authentication feedback message to the terminal 500.
The terminal 500 receives the authentication feedback message and performs a subsequent operation according to the authentication feedback message. Specifically, when the authentication feedback message is that the terminal passes the authentication, the terminal 500 may access the edge network and use the related service; when the authentication feedback message is that the terminal fails the authentication, the terminal 500 cannot access the edge network.
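The workflow of steps S501 to S511, including the key agreement of step S402 and the encrypted transport of steps S403 to S406, as an added example in Go that is not code from the patent. Its assumptions: the authentication encryption algorithm is AES-256-GCM; the authentication key is wrapped for the terminal with RSA-OAEP under a terminal key pair generated at startup; the authentication function on both sides is HMAC-SHA256 keyed with the shared password over the initialization vector and the host name; the host name and passwords are constructed sample values. The function takes the server's and the terminal's stored passwords as separate arguments so that a mismatch can be exercised. One caveat a practitioner should keep in mind: encrypting the session key to the terminal's public key gives confidentiality only toward the terminal, and nothing in the exchange proves to the terminal that the key came from the legitimate server, so an active attacker can still open its own session with the terminal and obtain a hash value over a vector of its choosing for offline password guessing; the encryption defeats passive eavesdropping, not that attack.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// newSession turns the agreed authentication key into the agreed algorithm
// (AES-256-GCM by assumption; the patent names no specific cipher).
func newSession(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealMsg encrypts one protocol message with a fresh nonce prefixed to the
// ciphertext. GCM also authenticates it, so tampering is caught by openMsg.
func sealMsg(g cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, nil), nil
}

func openMsg(g cipher.AEAD, msg []byte) ([]byte, error) {
	if len(msg) < g.NonceSize() {
		return nil, errors.New("message too short")
	}
	return g.Open(nil, msg[:g.NonceSize()], msg[g.NonceSize():], nil)
}

// AgreeKey is the server side of steps S502/S503: generate the authentication
// key and wrap it with RSA-OAEP under the terminal's public key (step S402).
func AgreeKey(terminalPub *rsa.PublicKey) (cipher.AEAD, []byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, terminalPub, key, nil)
	if err != nil {
		return nil, nil, err
	}
	g, err := newSession(key)
	return g, wrapped, err
}

// UnwrapKey is the terminal side: recover the key with the terminal's private key.
func UnwrapKey(terminalPriv *rsa.PrivateKey, wrapped []byte) (cipher.AEAD, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, terminalPriv, wrapped, nil)
	if err != nil {
		return nil, err
	}
	return newSession(key)
}

// authHash: HMAC-SHA256 keyed with the shared password over IV || hostname (assumed).
func authHash(password, iv []byte, hostname string) []byte {
	m := hmac.New(sha256.New, password)
	m.Write(iv)
	m.Write([]byte(hostname))
	return m.Sum(nil)
}

// RunEncryptedAuthentication plays both roles of Fig. 5 in one process and
// returns the server's decision; the wire* values are all that crosses the network.
func RunEncryptedAuthentication(hostname string, serverPassword, terminalPassword []byte, terminalPriv *rsa.PrivateKey) (bool, error) {
	serverSess, wireWrappedKey, err := AgreeKey(&terminalPriv.PublicKey) // S502, S503
	if err != nil {
		return false, err
	}
	terminalSess, err := UnwrapKey(terminalPriv, wireWrappedKey)
	if err != nil {
		return false, err
	}
	iv := make([]byte, 32) // S504: IV || hostname, encrypted under the agreed key
	if _, err := rand.Read(iv); err != nil {
		return false, err
	}
	wireInit, err := sealMsg(serverSess, append(append([]byte{}, iv...), hostname...))
	if err != nil {
		return false, err
	}
	initInfo, err := openMsg(terminalSess, wireInit) // S505
	if err != nil {
		return false, err
	}
	if len(initInfo) < 32 {
		return false, errors.New("malformed authentication initialization information")
	}
	firstHash := authHash(terminalPassword, initInfo[:32], string(initInfo[32:])) // S506
	wireHash, err := sealMsg(terminalSess, firstHash)                             // S507, S508
	if err != nil {
		return false, err
	}
	recvHash, err := openMsg(serverSess, wireHash) // S509
	if err != nil {
		return false, err
	}
	return hmac.Equal(recvHash, authHash(serverPassword, iv, hostname)), nil // S510, S511
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	pw := []byte("terminal-42-shared-password") // constructed sample credential
	ok, err := RunEncryptedAuthentication("auth.edge.example", pw, pw, priv)
	fmt.Println("authenticated:", ok, "err:", err)
}
```

Because GCM authenticates the ciphertext, a modified encrypted hash value fails at decryption rather than being compared as a garbage value, which keeps the server's accept/reject decision tied to a message the terminal actually sent under the agreed key.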
The above steps of the methods are divided, for clarity of description, and may be combined into one step or split into multiple steps when implemented, so long as they include the same logic relationship, and they are all within the protection scope of this patent; it is within the scope of this patent to add insignificant modifications to the algorithm or flow or introduce insignificant designs, but not to alter the core design of its algorithm and flow.
A second aspect of the present application provides an identity authentication device. Fig. 6 is a schematic block diagram of an identity authentication device according to a sixth embodiment of the present application, where the identity authentication device is applied to an authentication server. As shown in fig. 6, the identity authentication device includes: a first receiving module 601, a first transmitting module 602, a first calculating module 603 and an authenticating module 604.
A first receiving module 601, configured to receive an identity authentication request sent by a terminal; and receiving a first authentication hash value returned by the terminal.
The identity authentication request is the information sent to the authentication server when the terminal needs to access the edge network; it includes the identity information of the terminal so that the authentication server can uniquely identify the terminal from that identity information and perform identity authentication on it. The authentication server receives the identity authentication request through the first receiving module 601.
The first authentication hash value is a hash value obtained by the terminal according to the authentication initialization information and the first pre-stored authentication information. Specifically, the authentication server transmits authentication initialization information to the terminal in response to an identity authentication request of the terminal. The terminal receives the authentication initialization information, combines the first pre-stored authentication information, obtains a first authentication hash value, and sends the first authentication hash value to the authentication server. The authentication server receives a first authentication hash value transmitted from the terminal through the first receiving module 601.
A first sending module 602, configured to send authentication initialization information to a terminal.
In one embodiment, after the authentication server receives the identity authentication request of the terminal, an authentication initialization vector is generated based on a random function, and authentication initialization information is generated according to the authentication initialization vector and a host name of the authentication server, and then the authentication initialization information is transmitted to the terminal through the first transmission module 602.
The first calculating module 603 is configured to calculate a second authentication hash value according to the authentication initialization information and the second pre-stored authentication information.
In one embodiment, the authentication server obtains the identity information of the terminal from the identity authentication request sent by the terminal, queries and obtains the password and the first authentication function of the terminal from the second pre-stored authentication information according to the identity information of the terminal, and calculates by the first calculation module 603 according to the authentication initialization vector, the password and the first authentication function of the terminal, thereby obtaining the second authentication hash value.
And the authentication module 604 is configured to determine whether the terminal passes identity authentication according to the first authentication hash value and the second authentication hash value.
In one embodiment, the authentication server compares the first authentication hash value with the second authentication hash value, obtains a comparison result, and determines whether the terminal passes identity authentication according to the comparison result. Specifically, in the case that the first authentication hash value and the second authentication hash value are the same, the authentication server determines that the terminal passes identity authentication through the authentication module 604; in the case that the first authentication hash value and the second authentication hash value are different, the authentication server determines, through the authentication module 604, that the terminal fails the identity authentication.
In this embodiment, the authentication server obtains the second authentication hash value through the first calculation module, compares whether the first authentication hash value sent by the terminal is consistent with the second authentication hash value through the authentication module, and determines whether the terminal passes identity authentication according to the comparison result, so that identity authentication can be effectively performed on the terminal to be accessed, an illegal terminal is prevented from accessing an edge network, and the security of the whole edge network is ensured.
Fig. 7 is a schematic block diagram of an identity authentication device according to a seventh embodiment of the present application, where the identity authentication device is applied to a terminal. As shown in fig. 7, the identity authentication device includes: a second transmitting module 701, a second receiving module 702 and a second calculating module 703.
A second sending module 701, configured to send an identity authentication request to an authentication server; and sending the first authentication hash value to an authentication server so that the authentication server can determine whether the terminal passes identity authentication according to the first authentication hash value and the second authentication hash value.
The identity authentication request is information sent to the authentication server when the terminal has a need of accessing the edge network. The first authentication hash value is a hash value obtained by the terminal according to the authentication initialization information and the first pre-stored authentication information sent by the authentication server.
And the second receiving module 702 is configured to receive authentication initialization information returned by the authentication server.
The authentication server transmits authentication initialization information to the terminal in response to an identity authentication request of the terminal. The terminal receives authentication initialization information transmitted from the authentication server through the second receiving module 702.
The second calculation module 703 is configured to obtain a first authentication hash value according to the authentication initialization information and the first pre-stored authentication information.
In one embodiment, a terminal receives authentication initialization information including an authentication initialization vector and a hostname of an authentication server. The terminal queries the password and the second authentication function of the authentication server from the first pre-stored authentication information according to the host name of the authentication server, and then calculates through the second calculation module 703 according to the authentication initialization vector, the password and the second authentication function of the authentication server, thereby obtaining a first authentication hash value.
In this embodiment, the terminal calculates a first authentication hash value through the second calculation module 703 from the authentication initialization information provided by the authentication server and the first pre-stored authentication information, so that the authentication server can compare it with the second authentication hash value it calculates itself and decide from the comparison result whether the terminal passes identity authentication, allowing the terminal to access the edge network safely. In addition, the authentication initialization information in this embodiment is generated afresh for each authentication process and is unpredictable, so a first authentication hash value calculated by the terminal cannot be precomputed or replayed in a later process, which further ensures the security and effectiveness of identity authentication.
It should be noted that each module in this embodiment is a logical module; in practical application, one logical unit may be one physical unit, part of one physical unit, or a combination of multiple physical units. In addition, in order to highlight the innovative part of the present application, elements that are not closely related to solving the technical problem addressed by the present application are not introduced in this embodiment, which does not mean that no other elements are present in this embodiment.
It is to be understood that the above embodiments are merely illustrative of the exemplary embodiments employed to illustrate the principles of the present application, however, the present application is not limited thereto. Various modifications and improvements may be made by those skilled in the art without departing from the spirit and substance of the application, and are also considered to be within the scope of the application.

Claims (10)

1. An identity authentication method applied to an authentication server, comprising the following steps:
receiving an identity authentication request sent by a terminal;
generating an authentication initialization vector based on a random function, and generating authentication initialization information according to the authentication initialization vector and a host name of an authentication server;
sending the authentication initialization information to the terminal;
receiving a first authentication hash value returned by the terminal; the first authentication hash value is obtained by the terminal through calculation through a second authentication function according to the authentication initialization vector contained in the authentication initialization information and the password of an authentication server in the first pre-stored authentication information; the password of the authentication server and the second authentication function are inquired by the terminal from first pre-stored authentication information according to the host name of the authentication server; wherein the second authentication function is a function which is pre-designated and used for carrying out identity authentication with the current authentication server;
Calculating a second authentication hash value according to the authentication initialization information and second pre-stored authentication information; the calculating a second authentication hash value according to the authentication initialization information and second pre-stored authentication information includes:
acquiring the identity information of the terminal from the identity authentication request, and inquiring and acquiring the password and the first authentication function of the terminal from the second pre-stored authentication information according to the identity information of the terminal; the first authentication function is a function which is pre-designated and used for carrying out identity authentication with the current terminal;
calculating through the first authentication function according to the authentication initialization vector and the password of the terminal to obtain a second authentication hash value;
and determining whether the terminal passes identity authentication according to the first authentication hash value and the second authentication hash value.
2. The method according to claim 1, wherein after receiving the authentication request sent by the terminal, before sending the authentication initialization information to the terminal, the method further comprises:
authentication key information corresponding to the identity authentication request is agreed with the terminal.
3. The identity authentication method according to claim 2, wherein agreeing with the terminal on the authentication key information corresponding to the identity authentication request comprises:
obtaining the authentication key information;
encrypting the authentication key information by using the public key of the terminal to obtain encrypted authentication key information;
and sending the encrypted authentication key information to the terminal.
4. The identity authentication method according to claim 2, wherein the authentication key information includes an authentication key and an authentication encryption algorithm;
the sending of the authentication initialization information to the terminal includes:
encrypting the authentication initialization information according to the authentication key and the authentication encryption algorithm to obtain encrypted authentication initialization information;
and sending the encrypted authentication initialization information to the terminal.
5. An identity authentication method applied to a terminal is characterized by comprising the following steps:
sending an identity authentication request to an authentication server;
receiving authentication initialization information returned by the authentication server, wherein the authentication initialization information is generated by the authentication server according to the authentication initialization vector and a host name of the authentication server, and the authentication initialization vector is generated based on a random function;
obtaining a first authentication hash value according to the authentication initialization vector contained in the authentication initialization information and first pre-stored authentication information; the obtaining of the first authentication hash value according to the authentication initialization vector contained in the authentication initialization information and the first pre-stored authentication information includes:
Inquiring a password and a second authentication function of the authentication server from the first pre-stored authentication information according to the host name of the authentication server; wherein the second authentication function is a function which is pre-designated and used for carrying out identity authentication with the current authentication server;
according to the authentication initialization vector and the password of the authentication server, calculating through the second authentication function to obtain a first authentication hash value;
the first authentication hash value is sent to the authentication server, so that the authentication server can determine whether the terminal passes identity authentication according to the first authentication hash value and the second authentication hash value; the second authentication hash value is obtained by the authentication server through calculation through a first authentication function according to the authentication initialization information and the terminal password in the second pre-stored authentication information; the terminal password and the first authentication function are inquired from second pre-stored authentication information by the authentication server according to the identity information of the terminal; the first authentication function is a function which is pre-designated and used for carrying out identity authentication with the current terminal.
6. The method according to claim 5, further comprising, after the sending of the authentication request to the authentication server, before the receiving of the authentication initialization information returned by the authentication server:
and agreeing with the authentication server to obtain authentication key information corresponding to the identity authentication request.
7. The identity authentication method according to claim 6, wherein agreeing with the authentication server on the authentication key information corresponding to the identity authentication request comprises:
receiving encrypted authentication key information sent by the authentication server, the encrypted authentication key information being generated by the authentication server by encrypting the authentication key information with the public key of the terminal;
and decrypting the encrypted authentication key information by using the private key of the terminal to obtain the authentication key information.
8. The identity authentication method of claim 6, wherein the authentication key information includes an authentication key and an authentication encryption algorithm;
the sending the first authentication hash value to the authentication server includes:
encrypting the first authentication hash value according to the authentication key and the authentication encryption algorithm to obtain an encrypted first authentication hash value;
And sending the encrypted first authentication hash value to the authentication server.
9. An identity authentication device applied to an authentication server, comprising:
the first receiving module is used for receiving an identity authentication request sent by the terminal;
the first generation module is used for generating an authentication initialization vector based on a random function and generating authentication initialization information according to the authentication initialization vector and a host name of an authentication server;
the first sending module is used for sending the authentication initialization information to the terminal;
the first receiving module is further configured to receive a first authentication hash value returned by the terminal; the first authentication hash value is obtained by the terminal through calculation through a second authentication function according to the authentication initialization vector contained in the authentication initialization information and the password of an authentication server in the first pre-stored authentication information; the password of the authentication server and the second authentication function are inquired by the terminal from first pre-stored authentication information according to the host name of the authentication server; wherein the second authentication function is a function which is pre-designated and used for carrying out identity authentication with the current authentication server;
the first calculation module is used for calculating a second authentication hash value according to the authentication initialization information and second pre-stored authentication information; the first calculation module is further used for obtaining the identity information of the terminal from the identity authentication request, and querying and obtaining the password and the first authentication function of the terminal from the second pre-stored authentication information according to the identity information of the terminal; the first authentication function is a function which is pre-designated and used for carrying out identity authentication with the current terminal; and calculating through the first authentication function according to the authentication initialization vector and the password of the terminal to obtain the second authentication hash value;
and the authentication module is used for determining whether the terminal passes identity authentication according to the first authentication hash value and the second authentication hash value.
10. An identity authentication device applied to a terminal, comprising:
the second sending module is configured to send an identity authentication request to the authentication server, and is further configured to send the first authentication hash value to the authentication server so that the authentication server can determine, from the first authentication hash value and a second authentication hash value, whether the terminal passes identity authentication; the second authentication hash value is calculated by the authentication server with a first authentication function from the authentication initialization information and the password of the terminal held in second pre-stored authentication information; the password of the terminal and the first authentication function are looked up by the authentication server in the second pre-stored authentication information according to the identity information of the terminal; the first authentication function is a pre-designated function used for identity authentication with the current terminal;
the second receiving module is configured to receive the authentication initialization information returned by the authentication server, where the authentication initialization information is generated by the authentication server from the authentication initialization vector and the host name of the authentication server, and the authentication initialization vector is generated using a random function;
the second calculation module is configured to obtain the first authentication hash value from the authentication initialization vector contained in the authentication initialization information and first pre-stored authentication information; the second calculation module is further configured to look up the password of the authentication server and the second authentication function in the first pre-stored authentication information according to the host name of the authentication server; the second authentication function is a pre-designated function used for identity authentication with the current authentication server; and the first authentication hash value is calculated with the second authentication function from the authentication initialization vector and the password of the authentication server.
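The exchange of claims 9 and 10 traced end to end, as an added example that is not part of the patent: the authentication functions (HMAC-SHA256 keyed with the looked-up password), the two pre-stored tables, the host name and the terminal identity are all assumed here, and the final comparison is done in constant time. The exchange succeeds only when the password and function the terminal has on file for the server's host name agree with those the server has on file for the terminal's identity; an unknown host name or identity is refused rather than compared.

```python
import hashlib
import hmac
import secrets

# Constructed example: the claims do not fix the "first"/"second authentication
# function", so HMAC-SHA256 keyed with the looked-up password is assumed here.
AUTH_FUNCTIONS = {
    "hmac-sha256": lambda vector, password: hmac.new(
        password.encode(), vector, hashlib.sha256).digest(),
}

class AuthServer:
    # second pre-stored info: terminal identity -> (terminal password, function)
    def __init__(self, hostname, second_prestored):
        self.hostname, self.second_prestored = hostname, second_prestored

    def generate_init_info(self):
        # random authentication initialization vector plus the server host name
        return {"vector": secrets.token_bytes(16), "host": self.hostname}

    def compute_second_hash(self, terminal_identity, init_info):
        entry = self.second_prestored.get(terminal_identity)
        if entry is None:
            return None  # unknown terminal: no password to compute with
        password, func_name = entry
        return AUTH_FUNCTIONS[func_name](init_info["vector"], password)

class Terminal:
    # first pre-stored info: server host name -> (server password, function)
    def __init__(self, identity, first_prestored):
        self.identity, self.first_prestored = identity, first_prestored

    def compute_first_hash(self, init_info):
        entry = self.first_prestored.get(init_info["host"])
        if entry is None:
            return None  # host name not on file: do not answer the challenge
        password, func_name = entry
        return AUTH_FUNCTIONS[func_name](init_info["vector"], password)

def run_authentication(terminal, server):
    """The claimed exchange; True only if both hash values agree."""
    request = {"identity": terminal.identity}                     # step 1
    init_info = server.generate_init_info()                       # step 2
    first_hash = terminal.compute_first_hash(init_info)           # step 3
    second_hash = server.compute_second_hash(request["identity"], init_info)
    if first_hash is None or second_hash is None:
        return False
    return hmac.compare_digest(first_hash, second_hash)           # step 4
```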

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011427928.XA CN112437436B (en) 2020-12-07 2020-12-07 Identity authentication method and device

Publications (2)

Publication Number Publication Date
CN112437436A CN112437436A (en) 2021-03-02
CN112437436B true CN112437436B (en) 2023-05-02

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant