CN112836206B - Login method, login device, storage medium and computer equipment - Google Patents


Publication number: CN112836206B
Authority: CN (China)
Legal status: Active
Application number: CN201911156566.2A
Other languages: Chinese (zh)
Other versions: CN112836206A (en)
Inventors: 周培富, 林初仁
Current assignee: Tencent Technology Shenzhen Co Ltd
Original assignee: Tencent Technology Shenzhen Co Ltd
Events: application filed by Tencent Technology Shenzhen Co Ltd; priority to CN201911156566.2A; publication of CN112836206A; application granted; publication of CN112836206B.


Abstract

The application relates to a login method, a login device, a storage medium and computer equipment. The login method comprises the following steps: receiving a verification request sent by a login management server corresponding to an account to be logged in after the server responds to a login trigger operation; extracting the time stamp and the encrypted login information carried by the verification request; verifying the timeliness of the time stamp; decrypting the encrypted login information to obtain decrypted login information; traversing the data information in the AD domain to which the account to be logged in belongs and verifying the validity of the login information; determining a verification result from the validity verification result of the login information and the timeliness verification result of the time stamp; and feeding the verification result back to the login management server, so that the login management server executes the login processing flow corresponding to the verification result. The safety of the login process is thereby improved.

Description

Login method, login device, storage medium and computer equipment
Technical Field
The present application relates to the field of internet technologies, and in particular, to a login method, a login device, a computer readable storage medium, and a computer device.
Background
With the development of internet technology, there are many application systems in the current enterprise application environment, such as office automation system, financial management system, archive management system, and information query system.
In the traditional mode, the various application systems of one enterprise are independent of each other: a user must input an account number and a password for identity verification each time an application system is used, different application systems require different account numbers and passwords, and the user has to remember multiple sets of credentials at the same time. To solve this problem, an Active Directory (AD) service is adopted: an enterprise using an AD domain can authenticate with its existing unified AD domain account and password, which are sent to an authentication server for unified authentication, so that multiple sets of account passwords need not be maintained. However, the application management mode based on the AD domain carries the potential safety hazard of account password leakage.
Disclosure of Invention
In view of the above, it is necessary to provide a login method, a login device, a computer-readable storage medium, and a computer device that improve security, in order to solve the technical problem of low security.
A login method, the method comprising:
Receiving a verification request sent by a login management server corresponding to an account to be logged in after responding to a login trigger operation, and extracting a time stamp and encrypted login information carried by the verification request;
Verifying timeliness of the time stamp, and decrypting the encrypted login information to obtain decrypted login information;
Traversing data information in an AD domain to which an account to be logged belongs, and checking validity of login information;
And determining a verification result according to the validity verification result of the login information and the timeliness verification result of the timestamp, and feeding back the verification result to the login management server so that the login management server executes a login processing flow corresponding to the verification result.
A login method, the method comprising:
responding to the login trigger operation, and acquiring login information corresponding to the login trigger operation;
When the account corresponding to the login information is determined to be the AD domain account according to the domain name in the login information, a time stamp corresponding to the login information is obtained, and the login information is encrypted to obtain encrypted login information;
generating a verification request containing a time stamp and encrypted login information, and sending the verification request to an authentication server;
Receiving a verification result fed back after the verification of the time stamp and the encrypted login information in the verification request by the authentication server;
and executing a login processing flow corresponding to the verification result.
A login device, the device comprising:
The verification request receiving module is used for receiving a verification request sent by the login management server corresponding to the account to be logged in after responding to the login triggering operation, and extracting a time stamp and encrypted login information carried by the verification request;
the decryption module is used for verifying the timeliness of the time stamp and decrypting the encrypted login information to obtain decrypted login information;
The verification module is used for traversing the data information of the AD domain to which the account to be logged belongs and verifying the validity of the login information;
And the result feedback module is used for determining the verification result according to the validity verification result of the login information and the timeliness verification result of the timestamp and feeding back the verification result to the login management server so that the login management server executes a login processing flow corresponding to the verification result.
A login device, the device comprising:
The response module is used for responding to the login trigger operation and obtaining login information corresponding to the login trigger operation;
The encryption module is used for acquiring a time stamp corresponding to the login information when the account corresponding to the login information is determined to be the AD domain account according to the domain name in the login information, and carrying out encryption processing on the login information to obtain encrypted login information;
The verification request sending module is used for generating a verification request containing a time stamp and encrypted login information and sending the verification request to the authentication server;
the result receiving module is used for receiving a verification result fed back after the verification of the time stamp and the encrypted login information in the verification request by the authentication server;
and the login processing module is used for executing a login processing flow corresponding to the verification result.
A computer readable storage medium storing a computer program which, when executed by a processor, causes the processor to perform the steps of:
Receiving a verification request sent by a login management server corresponding to an account to be logged in after responding to a login trigger operation, and extracting a time stamp and encrypted login information carried by the verification request;
Verifying timeliness of the time stamp, and decrypting the encrypted login information to obtain decrypted login information;
Traversing data information in an AD domain to which an account to be logged belongs, and checking validity of login information;
And determining a verification result according to the validity verification result of the login information and the timeliness verification result of the timestamp, and feeding back the verification result to the login management server so that the login management server executes a login processing flow corresponding to the verification result.
A computer readable storage medium storing a computer program which, when executed by a processor, causes the processor to perform the steps of:
responding to the login trigger operation, and acquiring login information corresponding to the login trigger operation;
When the account corresponding to the login information is determined to be the AD domain account according to the domain name in the login information, a time stamp corresponding to the login information is obtained, and the login information is encrypted to obtain encrypted login information;
generating a verification request containing a time stamp and encrypted login information, and sending the verification request to an authentication server;
Receiving a verification result fed back after the verification of the time stamp and the encrypted login information in the verification request by the authentication server;
and executing a login processing flow corresponding to the verification result.
A computer device comprising a memory and a processor, the memory storing a computer program which, when executed by the processor, causes the processor to perform the steps of:
Receiving a verification request sent by a login management server corresponding to an account to be logged in after responding to a login trigger operation, and extracting a time stamp and encrypted login information carried by the verification request;
Verifying timeliness of the time stamp, and decrypting the encrypted login information to obtain decrypted login information;
Traversing data information in an AD domain to which an account to be logged belongs, and checking validity of login information;
And determining a verification result according to the validity verification result of the login information and the timeliness verification result of the timestamp, and feeding back the verification result to the login management server so that the login management server executes a login processing flow corresponding to the verification result.
A computer device comprising a memory and a processor, the memory storing a computer program which, when executed by the processor, causes the processor to perform the steps of:
responding to the login trigger operation, and acquiring login information corresponding to the login trigger operation;
When the account corresponding to the login information is determined to be the AD domain account according to the domain name in the login information, a time stamp corresponding to the login information is obtained, and the login information is encrypted to obtain encrypted login information;
generating a verification request containing a time stamp and encrypted login information, and sending the verification request to an authentication server;
Receiving a verification result fed back after the verification of the time stamp and the encrypted login information in the verification request by the authentication server;
and executing a login processing flow corresponding to the verification result.
According to the login method, the device, the computer readable storage medium and the computer equipment, the login management server encrypts the login information to be logged in, adds the time stamp, and generates a verification request that it sends to the authentication server. Because the login information is encrypted at the data transmission starting point, information leakage caused by external interception during transmission is avoided. The authentication server verifies the timeliness of the time stamp and the validity of the login information, so security threats and request replay caused by external tampering during transmission are avoided, and even if a malicious user intercepts the login information, a malicious attack on the authentication server using that login information is avoided. Security in the login process is thus improved through security authentication of the login information.
Drawings
FIG. 1 is an application environment diagram of a login method in one embodiment;
FIG. 2 is a flow chart of a login method applied to an authentication server according to one embodiment;
FIG. 3 is a flow chart illustrating an application of a login method to a login management server according to an embodiment;
FIG. 4 is a flow chart of a login method according to another embodiment;
FIG. 5 is a flow chart of a login method according to another embodiment;
FIG. 6 is a timing diagram of a login method according to yet another embodiment;
FIG. 7 is a block diagram of a login device in one embodiment;
FIG. 8 is a block diagram of a login device according to another embodiment;
FIG. 9 is a block diagram of a computer device in one embodiment.
Detailed Description
The present application will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present application more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application.
FIG. 1 is a diagram of an application environment for a login method in one embodiment. The login method is applied to a login management system. The login management system comprises a terminal, a login management server and an authentication server. The terminal and the login management server are connected through a network, and the login management server is connected with the authentication server through a network. Referring to fig. 1, in an embodiment that takes a mailbox server 120 as the login management server, a user inputs a mailbox account and password through a terminal 110 to perform the login trigger operation. The mailbox server 120 determines whether the account is an AD account according to the domain name suffix of the account; if so, it performs DES symmetric encryption on the account and the password respectively to obtain an encrypted account and an encrypted password, generates a POST request including the encrypted account, the encrypted password and a timestamp, and sends it to an authentication server 130. The authentication server 130 may be a server on the user side, such as an intranet server. The authentication server 130 obtains the POST request captured through a fixed port, parses it, performs timeliness verification on the timestamp, recovers the account and password through DES decryption, performs validity verification on the decrypted account and password by querying the account data in the AD domain, and determines the verification result from the timeliness verification result and the validity verification result. When the verification result is that verification passed, the mailbox server 120 performs login processing and feeds back login success information to the terminal 110; when the verification result is that verification failed, the mailbox server 120 feeds back login failure information to the terminal 110.
The terminal 110 may be a desktop terminal or a mobile terminal, and the mobile terminal may be at least one of a mobile phone, a tablet computer, a notebook computer, and the like. The login management server and the authentication server may be implemented as separate servers or as a server cluster composed of a plurality of servers. It will be appreciated that in other embodiments the login management server may also be a server for other application services in the AD domain. Such as business process management systems, approval systems, etc., are not limited herein.
As shown in fig. 2, in one embodiment, a login method is provided. The present embodiment is mainly exemplified by the application of the method to the authentication server 130 in fig. 1. Referring to fig. 2, the login method specifically includes the following steps S210 to S240.
S210, receiving a verification request sent by the login management server corresponding to the account to be logged in after responding to the login trigger operation, and extracting a time stamp and encrypted login information carried by the verification request.
The login management server refers to a server for managing account login, such as mailbox login, service management system login, and the like. In the embodiment, the mailbox server is taken as a login management server as an example, and the scheme of the application is described. The mailbox server is a device responsible for email receiving and sending management, and a user can log in a mailbox by inputting mailbox information such as an account password and the like through a terminal. In general, the mailbox logging process is that after receiving a mailbox logging trigger operation, a mailbox server validates an account password input during the mailbox logging trigger operation, and when the validation passes, logs in the mailbox and feeds back successful login information to the terminal. However, in this way, the user's account password is independent and can only be used in the mailbox system. To simplify user management of account passwords, an Active Directory (AD) service is employed for processing. The active directory stores information about network objects and allows administrators and users to easily find and use the information, and the directory is stored on an authentication server of the domain controller and is accessible by network applications or services. When the mailbox server judges that the mailbox to be logged in is an AD account according to the domain name of the mailbox to be logged in, a verification request of the account to be logged in is sent to the authentication server. A timestamp is complete verifiable data that can represent that a piece of data already exists at a particular point in time. For example, a timestamp carried in the check request can characterize that mailbox information already exists at the current time point of the system, and the timestamp can be converted into time data. 
When encrypting the mailbox information, the mailbox server encrypts it with a secret key and an encryption algorithm to obtain the encrypted mailbox information.
In one embodiment, before receiving the verification request sent by the login management server corresponding to the account to be logged in after responding to the login trigger operation, the method further includes: a fixed port monitoring request is obtained. And determining the fixed monitoring port according to the monitoring port configuration data carried in the fixed port monitoring request. The step of receiving the verification request sent by the login management server corresponding to the account to be logged in after responding to the login trigger operation comprises the following steps: and receiving a verification request which is transmitted after the login management server captured from the fixed monitoring port responds to the login triggering operation.
The fixed port monitoring request may be generated by an administrator inputting monitoring port configuration data, so that the authentication server captures requests arriving at the port specified in that data. The monitoring port configuration data includes the fixed ports that are set, such as port 12100 or port 11200. The mailbox server can send the authentication request from a preset IP segment, and by setting a fixed monitoring port the authentication server only needs to process authentication requests captured from that port. In this way the authentication server restricts the entry IP of requests rather than processing every request it receives, a large part of external malicious requests is intercepted at the port level through this targeted handling, the reliability of receiving authentication requests is ensured, and the mailbox information and the authentication server are protected.
In one embodiment, taking an enterprise mailbox as an example, the administrator inputs either the AD domain name or the extranet IP (Internet Protocol address) of the authentication server, together with the enterprise's proprietary CropID; if the authentication server has no AD domain name reachable from the extranet, its extranet IP is input. A protocol type is then selected, Http (Hypertext Transfer Protocol) or Https (Hypertext Transfer Protocol over Secure Socket Layer). If an extranet IP was input, only Http can be selected; if an AD domain name was input, either Http or Https may be selected, and Https requires a matching Https certificate (cer file). Login monitoring is started with these different monitoring configuration parameters, so parameter configuration for different application scenarios is realized and the range of application is widened, while security verification based on the Https certificate improves the safety of the login process.
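The fixed-port listening and entry-IP restriction described above, as an added Python example that is not part of the patent: an http.server handler bound to one of the fixed ports the page names (12100) that accepts POST requests only from a preset IP segment. The IP segment 10.20.0.0/16 and the request path /adlogin/verify are constructed for the example; the authentication server's real values are not on the page.

```python
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed listener configuration. The page names 12100 and 11200 as examples
# of fixed listening ports; the IP segment and path below are assumptions.
LISTEN_CONFIG = {
    "port": 12100,
    "allowed_source_nets": ["10.20.0.0/16"],   # preset IP segment of the mailbox server (assumed)
    "path": "/adlogin/verify",                  # assumed request path
}


def compile_allow_list(cidrs):
    """Parse the configured IP segments once, at startup."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def accept_source(source_ip, allowed_nets):
    """True only when the request's source address lies inside one of the
    preset IP segments. An unparsable address is rejected."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in net for net in allowed_nets)


def screen_request(source_ip, port, path, config, allowed_nets):
    """The admission checks made before a request reaches the parsing module:
    fixed port, source IP segment, and (assumed) fixed path.
    Returns (accepted, reason); the reason is meant for the log module."""
    if port != config["port"]:
        return False, "wrong port"
    if not accept_source(source_ip, allowed_nets):
        return False, "source outside preset IP segment"
    if path != config["path"]:
        return False, "unknown path"
    return True, "ok"


class VerifyHandler(BaseHTTPRequestHandler):
    allowed_nets = compile_allow_list(LISTEN_CONFIG["allowed_source_nets"])

    def do_POST(self):
        ok, reason = screen_request(self.client_address[0], self.server.server_port,
                                    self.path, LISTEN_CONFIG, self.allowed_nets)
        if not ok:
            self.send_error(403, reason)   # request never reaches the parser
            return
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length)     # handed to the request-parsing module (not shown)
        self.send_response(202)
        self.end_headers()
        self.wfile.write(b"queued %d bytes" % len(body))


def serve(config=LISTEN_CONFIG):
    """Start login monitoring on the fixed port."""
    HTTPServer(("0.0.0.0", config["port"]), VerifyHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

The source-address check is only as strong as the network path: it assumes the mailbox server's IP segment cannot be spoofed into the intranet, which is why the page pairs it with the encrypted, timestamped request body rather than relying on it alone.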
S220, checking timeliness of the time stamp, and decrypting the encrypted login information to obtain decrypted login information.
In one embodiment, verifying the timeliness of the timestamp includes: and acquiring the time corresponding to the time stamp, comparing the time corresponding to the time stamp with the current time, and returning a verification failure result to the mailbox server when the time difference is larger than the set effective duration. The effective duration may be set to 3 minutes or other durations, and may be adjusted according to actual needs, which is not limited herein.
In one embodiment, the login information is encrypted in a symmetric encryption mode, and both parties adopting the symmetric encryption method use the same key to encrypt and decrypt. A key is an instruction that controls the encryption and decryption process, and is a set of rules that define how encryption and decryption is performed by an algorithm. In a specific embodiment, the symmetric encryption algorithm may be any one of DES, 3DES, TDEA, blowfish, RC2, RC4, RC5, IDEA, SKIPJACK. In one embodiment, the login management server encrypts the login information using a DES symmetric encryption algorithm.
In one embodiment, the encryption key for encrypting the login information is generated based on the time stamp, the encryption mode of the encrypted login information is symmetric encryption, the encrypted login information is decrypted, and the decrypted login information comprises: obtaining a decryption key identical to the encryption key according to the time stamp in the verification request; and decrypting the encrypted login information according to the decryption key to obtain decrypted login information.
The encryption key may be composed of a timestamp and a preset ID, and the preset ID may be CropID specific to the enterprise, or other IDs agreed by other mailbox servers and authentication servers. In one embodiment, the encryption key is generated by an enterprise-specific CropID and a timestamp. In the encryption process, the mailbox server generates an encryption key according to the timestamp and the enterprise exclusive CropID, and then performs DES symmetric encryption according to the encryption key and a preset encryption algorithm to obtain encrypted mailbox information. In the decryption process, the authentication server firstly analyzes the timestamp in the authentication request, generates a decryption key identical to the encryption key according to the timestamp and the enterprise exclusive CropID, and then decrypts the encrypted mailbox information according to the decryption key, thereby obtaining the decrypted mailbox information. Compared with asymmetric encryption, the encryption method can remarkably improve encryption and decryption processing speed of mailbox information, generates an encryption key in real time based on a time stamp, avoids potential safety hazards of encrypting by using a single key, and improves safety of the encrypted mailbox information.
In one embodiment, the login management server performs the encryption in a first programming language, such as C++ or C, and the authentication server decrypts in a second programming language different from the first, such as C# or Python. Before the login management server and the authentication server establish a communication connection, the decryption rules in the DES decryption package corresponding to the first programming language are determined on the basis of the difference in programming languages, and the corresponding decryption rules are then configured in the authentication server, so that cross-language encryption and decryption are realized.
S230, traversing the data information in the AD domain to which the account to be logged in belongs, and checking the validity of the login information.
The authentication server stores preset mailbox information in the AD domain, including account passwords and the like. The account number and the initial password can be set by an administrator and stored in the authentication server, and the user can update the initial password and send the updated password to the authentication server for storage. The authentication server verifies the decrypted mailbox information in the authentication request against the account passwords stored in the AD domain.
In the authentication server, the stored data information includes individual mailbox information in the AD domain. Each item of data information in the AD domain is a legal mailbox allowing login. By traversing the data information in the AD domain to which the account to be logged belongs, if the traversing result is that the data information which is the same as the mailbox information exists, the mailbox information is an effective legal mailbox, and if the traversing result is that the data information which is the same as the mailbox information does not exist, the mailbox is an invalid illegal mailbox.
S240, determining a verification result according to the validity verification result of the login information and the timeliness verification result of the timestamp, and feeding back the verification result to the login management server so that the login management server executes a login processing flow corresponding to the verification result.
When the validity check result of the login information is invalid or the timeliness check result of the timestamp is invalid, a check result of check failure is generated and fed back to the mailbox server; the login processing flow corresponding to a check failure is to end processing and feed back login failure information to the terminal.
When the validity check result of the login information is valid and the timeliness check result of the timestamp is valid, a check result of check passed is generated and fed back to the mailbox server; the login processing flow corresponding to a check passed is to log in to the mailbox and feed back login success information to the terminal.
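Steps S220 to S240 on the authentication server side, as an added Python example that is not the patent's own code: the timeliness check with the 3-minute effective duration mentioned above, the traversal of the AD domain's data for a record identical to the decrypted login information, and the verdict fed back to the login management server. Decryption of the login information is assumed to have happened already; the AD-domain records and their passwords are constructed sample data.

```python
import hmac
import time

EFFECTIVE_DURATION_S = 3 * 60   # page: the effective duration may be set to 3 minutes

# Constructed AD-domain data: every entry is a legal mailbox allowed to log in.
# The page stores the account password in the AD domain; mirrored here as-is.
AD_DOMAIN = {
    "test.com": {
        "123456789@test.com": "S3cret-pass",
        "alice@test.com": "correct horse",
    }
}


def check_timeliness(timestamp, now=None, effective=EFFECTIVE_DURATION_S):
    """S220: the timestamp is timely when |now - timestamp| is within the
    effective duration. A timestamp too far in the future is rejected as well,
    since a replayed or forged value may come from a skewed clock."""
    now = time.time() if now is None else now
    return abs(now - timestamp) <= effective


def check_validity(account, password, ad_domain=AD_DOMAIN):
    """S230: select the AD domain from the account's domain-name suffix, then
    traverse its data for a record identical to the login information."""
    if "@" not in account:
        return False
    domain = account.rsplit("@", 1)[1].lower()
    records = ad_domain.get(domain)
    if records is None:
        return False                        # account does not belong to a known AD domain
    for stored_account, stored_password in records.items():
        if stored_account.lower() == account.lower():
            # constant-time comparison so the check leaks nothing about the stored value
            return hmac.compare_digest(stored_password.encode(), password.encode())
    return False                            # no identical data information exists


def verify(login_info, timestamp, now=None):
    """S240: the verdict is timeliness AND validity. The reason is for the log
    module; only the result is meant for the login management server."""
    if not check_timeliness(timestamp, now):
        return {"result": "fail", "reason": "timestamp expired"}
    if not check_validity(login_info["account"], login_info["password"]):
        return {"result": "fail", "reason": "login information invalid"}
    return {"result": "pass", "reason": ""}


def login_processing_flow(result):
    """What the mailbox server does with the verdict: log in and report
    success, or end processing and report failure to the terminal."""
    return "login success" if result["result"] == "pass" else "login failure"
```

Checking timeliness before validity means a stale or replayed request never triggers a directory lookup, and the terminal only ever learns success or failure, not which of the two checks failed.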
According to the login method, on one hand the login management server encrypts the login information to be logged in, adds the time stamp, and then generates and sends the verification request, so the login information is encrypted at the data transmission starting point, namely the login management server, and information leakage caused by external interception during transmission is avoided; on the other hand the authentication server verifies the timeliness of the time stamp and the validity of the login information, so security threats and request replay caused by external tampering during transmission are avoided, and even if a malicious user intercepts the login information, a malicious attack on the authentication server using that login information is avoided. Security in the login process is thus improved through security authentication of the login information.
In one embodiment, the authentication server includes four main function modules: a page MainForm module, a HTTPSERVER module, a request parsing module, and a log module. The page MainForm module provides the operation entry for starting login monitoring and carries the operation controls and data variables of the page. The HTTPSERVER module contains the uhttpsharp package, which is responsible for monitoring Http or Https requests arriving at the specified ports on the server and returning the results of processing them. The request parsing module is responsible for parsing each request, including non-null verification of the parameters, timeliness verification of the time stamp, decryption of the login information, and verification of the login information. The log module is responsible for writing the runtime data to a file, which makes debugging and tracing errors convenient; a complete system cannot do without a log module, and logging calls are inserted into each of the other modules.
In one embodiment, the number of verification requests is at least 2, receiving the verification request sent by the login management server corresponding to the account to be logged in after responding to the login trigger operation, and extracting the timestamp and the encrypted login information carried by the verification request includes: receiving each verification request sent by a login management server after responding to login triggering operation; writing each verification request into a log file respectively to generate a log file queue; and sequentially carrying out multi-process asynchronous processing on each check request according to the queue sequence of the log files in the log file queue, and extracting the time stamp and the encrypted login information carried by each check request.
In a specific embodiment, log4net is combined with multi-process asynchronous processing, which effectively solves the problem of log file contention among multiple processes by improving the parallelism of log operations, and greatly raises the success rate of processing login requests.
As shown in fig. 3, in one embodiment, a login method is provided. The present embodiment is mainly exemplified by the application of the method to the login management server 120 in fig. 1. Referring to fig. 3, the login method specifically includes the following steps S310 to S350.
S310, responding to the login trigger operation and acquiring login information corresponding to the login trigger operation.
And S320, when the account corresponding to the login information is determined to be the AD domain account according to the domain name in the login information, acquiring a time stamp corresponding to the login information, and carrying out encryption processing on the login information to obtain encrypted login information.
S330, generating a verification request containing the time stamp and the encrypted login information, and sending the verification request to the authentication server.
S340, receiving a verification result fed back by the verification server after verifying the time stamp and the encrypted login information in the verification request.
S350, executing a login processing flow corresponding to the verification result.
Taking the login management server as a mailbox server as an example: the mailbox server responds to a mailbox login triggering operation from a terminal and acquires the mailbox information input during that operation, where the mailbox information includes a mailbox account and a mailbox password. Taking the mailbox account 123456789@test.com as an example, the domain name in the mailbox account is @test.com. In the AD domain of an enterprise a fixed domain name is preset, and the domain names of all mailbox accounts in the AD domain of the same enterprise are the same.
In one embodiment, when the mailbox server determines that the account corresponding to the login information is an AD domain account according to the domain name in the login information, that is, when the domain name in the mailbox account is the same as the domain name required by the AD domain, the login information is encrypted to obtain encrypted login information. The method specifically comprises the following steps: generating an encryption key according to the time stamp; and carrying out symmetric encryption processing on the login information according to the encryption key to obtain encrypted login information.
The time at which the mailbox login triggering operation is received is taken as the timestamp corresponding to the mailbox information, and the mailbox information is encrypted with the DES symmetric encryption algorithm using the timestamp and a preset ID as the key. The preset ID is configured in both the mailbox server and the authentication server, and can specifically be the CorpID exclusive to the enterprise or another ID agreed between the mailbox server and the authentication server. In this way each verification request is encrypted under a different key, which increases the difficulty of cracking the encrypted login information and avoids leakage of the login information. The login management server then sends a verification request containing the time stamp and the encrypted login information to the authentication server. The time stamp serves, on the one hand, to verify the timeliness of the verification request; on the other hand, because a symmetric encryption mode is used and the decryption key is identical to the encryption key, the authentication server can derive the decryption key in real time from the time stamp. The security level of the key is improved and the timeliness requirement of the processing flow is guaranteed, so that the security of the login process is improved.
In one embodiment, after responding to the login trigger operation and acquiring the login information corresponding to the login trigger operation, the method further includes: when the account corresponding to the login information is determined not to be an AD domain account according to the domain name in the login information, an account registration information database and a blacklist are obtained; when traversing the account registration information database, checking that the account password in the login information is the registration information, traversing the blacklist, and checking that the login information is not in the blacklist, generating a checking result passing the checking; otherwise, generating a verification result of verification failure.
Taking a mailbox server as an example, when the mailbox server determines from the mailbox domain name that the account corresponding to the mailbox information is not an AD domain account, the mailbox server itself judges whether the mailbox information is legal, which specifically includes verifying whether the account and password in the mailbox information are registered, determining whether the account is on the configured blacklist, checking whether the mailbox has been logged off, and the like. When all verification conditions pass, a verification result of verification passing is generated, the login operation is executed and login success information is fed back to the terminal; otherwise, a verification result of verification failure is generated, the login operation is not executed and login failure information is fed back to the terminal.
According to the login method, on the one hand, the login management server encrypts the login information to be logged in, adds the time stamp, and then generates the verification request and sends it to the authentication server; because the login information is encrypted at the starting point of data transmission, namely the login management server, information leakage caused by external interception of the data during transmission is avoided. On the other hand, the login management server receives from the authentication server the verification result obtained by verifying the timeliness of the time stamp and the validity of the login information, so that security threats and request replay caused by external tampering with the data during transmission are avoided, as is a malicious attack on the authentication server using login information that a malicious user has intercepted; the security of the login process is thus improved through the security authentication of the login information.
In one embodiment, as shown in fig. 4, a flowchart of a login method is provided. A user inputs the account number and password of the mailbox to be logged in through a terminal and performs the login triggering operation. The mailbox server responds to the login triggering operation and judges whether the mailbox is an AD account number according to the domain name suffix of the account number of the mailbox to be logged in. If it is an AD account number, the mailbox server obtains a timestamp corresponding to the mailbox information from the current time, generates an encryption key according to the timestamp, and performs DES symmetric encryption on the account number and the password based on the encryption key to obtain encrypted mailbox information, which comprises an encrypted account number and an encrypted password. It then generates an authentication request comprising the encrypted account number, the encrypted password and the timestamp; the authentication request can be a POST request, and the mailbox server sends the POST request to the authentication server, which can be a server on the user side such as an intranet server. The authentication server obtains the POST request captured through a fixed port, parses the POST request, verifies the timeliness of the timestamp in the POST request, obtains the decryption key according to the timestamp, decrypts the encrypted account number and the encrypted password with the DES decryption algorithm, queries the data in the AD domain to verify whether the decrypted mailbox information is valid, and feeds back the verification result to the mailbox server. When both the timeliness verification and the validity verification succeed, the verification result is that verification is passed, and the mailbox server executes the login processing flow corresponding to the verification result.
In one embodiment, the login method is applied to the authentication server, and the flowchart is shown in fig. 5, and includes the following steps S502 to S516.
S502, acquiring a fixed port monitoring request.
S504, according to the monitoring port configuration data carried in the fixed port monitoring request, the fixed monitoring port is determined.
S506, receiving a verification request which is sent after the login management server captured from the fixed monitoring port responds to the login trigger operation.
S508, extracting a time stamp and encrypted login information carried by the verification request, wherein an encryption key for encrypting the login information is generated based on the time stamp, and the encryption mode for encrypting the login information is symmetric encryption.
S510, checking the timeliness of the time stamp, and obtaining the decryption key identical to the encryption key according to the time stamp.
S512, the encrypted login information is decrypted according to the decryption key, and the decrypted login information is obtained.
S514, traversing data information in the AD domain to which the account to be logged belongs, and checking validity of the login information.
S516, determining a verification result according to the validity verification result of the login information and the timeliness verification result of the timestamp, and feeding back the verification result to the login management server so that the login management server executes a login processing flow corresponding to the verification result.
In one embodiment, the login method is applied to the mailbox server, and the flowchart is shown in fig. 6, and includes the following steps S602 to S624.
S602, responding to the login trigger operation, and acquiring mailbox information corresponding to the login trigger operation.
S604, judging whether the account corresponding to the mailbox information is an AD domain account or not according to the domain name in the mailbox information, if so, jumping to the step S606, and if not, jumping to the step S614.
S606, a time stamp corresponding to the mailbox information is obtained, and an encryption key is generated according to the time stamp.
S608, carrying out symmetrical encryption processing on the mailbox information according to the encryption key to obtain encrypted mailbox information.
And S610, generating a verification request containing the time stamp and the encrypted mailbox information, and sending the verification request to the authentication server.
S612, receiving the verification result fed back by the verification server after verifying the time stamp and the encrypted mailbox information in the verification request, and jumping to step S624.
S614, a mailbox registration information database and a mailbox blacklist are acquired.
S616, traversing the mailbox registration information database, checking whether the account password in the mailbox information is registration information, if so, jumping to step S618, otherwise, jumping to step S622.
S618, traversing the mailbox blacklist, checking whether the mailbox information is in the mailbox blacklist, if not, jumping to the step S620, and if so, jumping to the step S622.
S620, generating a verification result of verification passing.
S622, generating a verification result of verification failure.
S624, executing a login processing flow corresponding to the verification result.
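The exchange described in steps S502 to S516 and S602 to S624 above, using the timestamp-derived DES key from the mailbox-server embodiment, as an added Go example that is not part of the patent or of any implementation by the assignee. Both sides are written in one language here (the claims use two); the key derivation (first 8 bytes of SHA-256 over timestamp and preset ID), CBC mode with a random IV carried in front of the ciphertext, the 60-second timeliness window, the placeholder preset ID and the in-memory directory standing in for the AD domain data are all assumptions.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"strconv"
	"strings"
	"time"
)

const (
	presetCorpID     = "CORPID-PLACEHOLDER" // constructed; the preset ID configured on both servers
	adDomainSuffix   = "@test.com"          // the enterprise AD domain suffix from the page's example
	timelinessWindow = 60 * time.Second     // assumed; the page does not state the window
)

// VerifyRequest is the body of the POST request from the mailbox server to the authentication server.
type VerifyRequest struct {
	Timestamp   int64
	EncAccount  string // base64(IV || DES-CBC ciphertext)
	EncPassword string
}

// Directory stands in for the AD domain data the authentication server traverses (constructed stand-in).
type Directory map[string]string

// IsADAccount mirrors step S604: the domain suffix decides whether the account belongs to the AD domain.
func IsADAccount(account string) bool {
	return strings.HasSuffix(strings.ToLower(account), adDomainSuffix)
}

// deriveCipher builds the per-request DES key from timestamp and preset ID (assumed: first 8 bytes of SHA-256).
func deriveCipher(ts int64) cipher.Block {
	sum := sha256.Sum256([]byte(strconv.FormatInt(ts, 10) + "|" + presetCorpID))
	block, _ := des.NewCipher(sum[:des.BlockSize]) // 8-byte key, so NewCipher cannot fail
	return block
}

// desEncrypt runs DES-CBC with PKCS#7 padding and a fresh random IV (mode assumed; the page says only DES).
func desEncrypt(block cipher.Block, plaintext []byte) (string, error) {
	iv := make([]byte, des.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	n := des.BlockSize - len(plaintext)%des.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return base64.StdEncoding.EncodeToString(append(iv, out...)), nil
}

// desDecrypt reverses desEncrypt; malformed length or padding means a wrong key or a tampered ciphertext.
func desDecrypt(block cipher.Block, b64 string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil || len(raw) < 2*des.BlockSize || len(raw)%des.BlockSize != 0 {
		return nil, errors.New("bad ciphertext")
	}
	out := make([]byte, len(raw)-des.BlockSize)
	cipher.NewCBCDecrypter(block, raw[:des.BlockSize]).CryptBlocks(out, raw[des.BlockSize:])
	n := int(out[len(out)-1])
	if n == 0 || n > des.BlockSize || !bytes.Equal(out[len(out)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return out[:len(out)-n], nil
}

// BuildVerifyRequest is the login management server side (steps S606 to S610).
func BuildVerifyRequest(account, password string, now time.Time) (*VerifyRequest, error) {
	block := deriveCipher(now.Unix()) // a new key for every request, since the timestamp changes
	ea, err1 := desEncrypt(block, []byte(account))
	ep, err2 := desEncrypt(block, []byte(password))
	if err1 != nil || err2 != nil {
		return nil, errors.New("encryption failed")
	}
	return &VerifyRequest{Timestamp: now.Unix(), EncAccount: ea, EncPassword: ep}, nil
}

// Verify is the authentication server side (steps S510 to S516): timeliness, then decryption, then validity.
func Verify(req *VerifyRequest, dir Directory, now time.Time) (bool, string) {
	if age := now.Sub(time.Unix(req.Timestamp, 0)); age < -timelinessWindow || age > timelinessWindow {
		return false, "timestamp outside timeliness window (stale or replayed request)"
	}
	block := deriveCipher(req.Timestamp) // symmetric: the same key the sender derived
	acct, err1 := desDecrypt(block, req.EncAccount)
	pwd, err2 := desDecrypt(block, req.EncPassword)
	if err1 != nil || err2 != nil {
		return false, "decryption failed: key mismatch or tampered ciphertext"
	}
	if want, ok := dir[string(acct)]; !ok || subtle.ConstantTimeCompare([]byte(want), pwd) != 1 {
		return false, "login information not valid in AD domain"
	}
	return true, "ok"
}
```

DES is kept here only because it is what the embodiment specifies; the same flow works unchanged with a modern authenticated cipher, and the timeliness window only holds if the two servers' clocks are synchronized.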
It should be understood that, although the steps in the flowcharts of fig. 5 and 6 are shown in the order indicated by the arrows, these steps are not necessarily performed in that order. Unless explicitly stated herein, the steps are not strictly limited to this order of execution and may be executed in other orders. Moreover, at least some of the steps in fig. 5 and 6 may include multiple sub-steps or stages that are not necessarily performed at the same time but may be performed at different times, and the sub-steps or stages need not be performed in sequence either, but may be performed alternately or in turns with at least a portion of the other steps or of the sub-steps or stages of other steps.
In one embodiment, as shown in fig. 7, a login device 700 is provided, which includes a verification request receiving module 710, a decrypting module 720, a verifying module 730, and a result feedback module 740. Wherein:
the verification request receiving module 710 is configured to receive a verification request sent by the login management server corresponding to the account to be logged in after responding to the login trigger operation, and extract a timestamp and encrypted login information carried by the verification request.
And the decryption module 720 is configured to check the timeliness of the timestamp, and decrypt the encrypted login information to obtain decrypted login information.
And the verification module 730 is configured to traverse the data information in the AD domain to which the account to be logged belongs, and verify the validity of the login information.
The result feedback module 740 is configured to determine a verification result according to the validity verification result of the login information and the timeliness verification result of the timestamp, and feed back the verification result to the login management server, so that the login management server executes a login processing procedure corresponding to the verification result.
In one embodiment, the encryption key for encrypting the login information is generated based on a time stamp, and the encryption mode for encrypting the login information is symmetric encryption; the decryption module is also used for obtaining a decryption key which is the same as the encryption key according to the time stamp in the verification request; and decrypting the encrypted login information according to the decryption key to obtain decrypted login information.
In one embodiment, the login device further includes a monitoring port configuration module, where the monitoring port configuration module is configured to obtain a fixed port monitoring request; determining a fixed monitoring port according to monitoring port configuration data carried in the fixed port monitoring request; the check request receiving module is also used for receiving a check request sent by the login management server captured from the fixed monitoring port after responding to the login trigger operation.
In one embodiment, the check request receiving module is further configured to receive each check request sent by the login management server after responding to the login trigger operation; writing each verification request into a log file respectively to generate a log file queue; and sequentially carrying out multi-process asynchronous processing on each check request according to the queue sequence of the log files in the log file queue, and extracting the time stamp and the encrypted login information carried by each check request.
According to the login device, on the one hand, the authentication server receives the verification request that the login management server generates and sends after encrypting the login information to be logged in and adding the time stamp; because the login information is encrypted at the starting point of data transmission, namely the login management server, information leakage caused by external interception of the data during transmission is avoided. On the other hand, the authentication server verifies the timeliness of the time stamp and the validity of the login information, so that security threats and request replay caused by external tampering with the data during transmission are avoided, and even if a malicious user intercepts the login information, a malicious attack on the authentication server using that login information is avoided; the security of the login process is thus improved through the security authentication of the login information.
In one embodiment, as shown in fig. 8, a login device 800 is provided, which includes a response module 810, an encryption module 820, a verification request sending module 830, a result receiving module 840, and a login processing module 850. Wherein:
the response module 810 is configured to respond to the login trigger operation and obtain login information corresponding to the login trigger operation.
And the encryption module 820 is configured to obtain a timestamp corresponding to the login information when the account corresponding to the login information is determined to be the AD domain account according to the domain name in the login information, and encrypt the login information to obtain encrypted login information.
The check request sending module 830 is configured to generate a check request including a timestamp and encrypted login information, and send the check request to the authentication server.
The result receiving module 840 is configured to receive a verification result fed back after the authentication server verifies the timestamp and the encrypted login information in the verification request.
The login processing module 850 is configured to execute a login processing procedure corresponding to the verification result.
In one embodiment, the encryption module is further configured to generate an encryption key based on the timestamp; and carrying out symmetric encryption processing on the login information according to the encryption key to obtain encrypted login information.
According to the login device, on the one hand, the login management server encrypts the login information to be logged in, adds the time stamp, and then generates the verification request and sends it to the authentication server; because the login management server encrypts the login information at the starting point of data transmission, information leakage caused by external interception of the data during transmission is avoided. On the other hand, the login management server receives from the authentication server the verification result obtained by verifying the timeliness of the time stamp and the validity of the login information, so that security threats and request replay caused by external tampering with the data during transmission are avoided, as is a malicious attack on the authentication server using login information that a malicious user has intercepted; the security of the login process is thus improved through the security authentication of the login information.
FIG. 9 illustrates an internal block diagram of a computer device in one embodiment. The computer device may be specifically the login management server 120 or the authentication server 130 in fig. 1. As shown in fig. 9, the computer device includes a processor, a memory, a network interface, an input device, and a display screen connected by a system bus. The memory includes a nonvolatile storage medium and an internal memory. The non-volatile storage medium of the computer device stores an operating system, and may also store a computer program that, when executed by a processor, causes the processor to implement a login method. The internal memory may also store a computer program that, when executed by the processor, causes the processor to perform the login method. The display screen of the computer equipment can be a liquid crystal display screen or an electronic ink display screen, the input device of the computer equipment can be a touch layer covered on the display screen, can also be keys, a track ball or a touch pad arranged on the shell of the computer equipment, and can also be an external keyboard, a touch pad or a mouse and the like.
It will be appreciated by those skilled in the art that the structure shown in FIG. 7 is merely a block diagram of some of the structures associated with the present inventive arrangements and is not limiting of the computer device to which the present inventive arrangements may be applied, and that a particular computer device may include more or fewer components than shown, or may combine some of the components, or have a different arrangement of components.
In one embodiment, the login device provided by the present application may be implemented in the form of a computer program, which may be run on a computer device as shown in fig. 9.
In one embodiment, the memory of the computer device may store various program modules that make up the login device, such as the check request receiving module 710, the decrypting module 720, the checking module 730, and the result feedback module 740 shown in fig. 7. The computer program of each program module causes the processor to carry out the steps in the login method of each embodiment of the present application described in the present specification.
For example, the computer device shown in fig. 9 may, through the verification request receiving module 710 in the login device shown in fig. 7, receive the verification request sent by the login management server corresponding to the account to be logged in after it responds to the login trigger operation, and extract the timestamp and the encrypted login information carried by the verification request. The computer device may verify the timeliness of the timestamp through the decryption module 720, and decrypt the encrypted login information to obtain the decrypted login information. The computer device may traverse the data information in the AD domain to which the account to be logged in belongs through the verification module 730, and verify the validity of the login information. The computer device may, through the result feedback module 740, determine the verification result according to the validity verification result of the login information and the timeliness verification result of the timestamp, and feed it back to the login management server so that the login management server executes the login processing flow corresponding to the verification result.
In another embodiment, the memory of the computer device may store various program modules that make up the login device, such as the response module 810, the encryption module 820, the verification request sending module 830, the result receiving module 840, and the login processing module 850 shown in fig. 8. The computer program of each program module causes the processor to carry out the steps in the login method of each embodiment of the present application described in the present specification.
For example, the computer device shown in fig. 9 may respond to the login trigger operation through the response module 810 in the login device shown in fig. 8 to obtain login information corresponding to the login trigger operation. Through the encryption module 820, the computer device obtains a timestamp corresponding to the login information when it determines, according to the domain name in the login information, that the account corresponding to the login information is an AD domain account, and encrypts the login information to obtain encrypted login information. The computer device may generate a verification request including the timestamp and the encrypted login information through the verification request sending module 830 and send the verification request to the authentication server. The computer device may receive, through the result receiving module 840, the verification result fed back by the authentication server after it verifies the timestamp and the encrypted login information in the verification request. The computer device may execute the login processing flow corresponding to the verification result through the login processing module 850.
In one embodiment, a computer device is provided that includes a memory and a processor, the memory storing a computer program that, when executed by the processor, causes the processor to perform the steps of the login method described above. The steps of the login method here may be the steps in the login method of each of the above embodiments.
In one embodiment, a computer readable storage medium is provided, storing a computer program which, when executed by a processor, causes the processor to perform the steps of the login method described above. The steps of the login method here may be the steps in the login method of each of the above embodiments.
Those skilled in the art will appreciate that implementing all or part of the above-described methods in accordance with the embodiments may be accomplished by way of a computer program stored in a non-transitory computer readable storage medium, which when executed may comprise the steps of the embodiments of the methods described above. Any reference to memory, storage, database, or other medium used in embodiments provided herein may include non-volatile and/or volatile memory. The nonvolatile memory can include Read Only Memory (ROM), Programmable ROM (PROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDRSDRAM), Enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM), and Rambus dynamic RAM (RDRAM), among others.
The technical features of the above embodiments may be arbitrarily combined, and all possible combinations of the technical features in the above embodiments are not described for brevity of description, however, as long as there is no contradiction between the combinations of the technical features, they should be considered as the scope of the description.
The foregoing examples illustrate only a few embodiments of the application, which are described in detail and are not to be construed as limiting the scope of the application. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the application, which are all within the scope of the application. Accordingly, the scope of protection of the present application is to be determined by the appended claims.

Claims (12)

1. A login method applied to an authentication server, the method comprising:
acquiring a fixed port monitoring request, and determining a fixed monitoring port according to monitoring port configuration data carried in the fixed port monitoring request;
Receiving a verification request which is captured from the fixed monitoring port and sent by a login management server after responding to a login triggering operation, and extracting a time stamp and encrypted login information carried by the verification request; the encrypted login information is obtained by the login management server through encryption processing when determining that the account corresponding to the login information is an AD domain account according to the domain name in the login information corresponding to the login trigger operation;
Verifying timeliness of the timestamp, and decrypting the encrypted login information to obtain decrypted login information;
Traversing data information in an AD domain to which an account to be logged belongs, and checking the validity of the login information by detecting whether an account corresponding to the login information is an AD domain account;
Determining a verification result according to the validity verification result of the login information and the timeliness verification result of the timestamp, and feeding back the verification result to the login management server so that the login management server executes a login processing flow corresponding to the verification result;
the login management server encrypts through a first programming language; the authentication server decrypts through a second programming language, the first programming language being different from the second programming language;
Before the login management server is in communication connection with the authentication server, the login management server determines a decryption rule in a DES decryption package corresponding to the first programming language, and cross-language encryption and decryption processing is achieved by configuring the decryption rule in the authentication server.
2. The method according to claim 1, wherein an encryption key for encrypting the login information is generated based on the time stamp, and wherein the encryption manner of the encrypted login information is symmetric encryption;
the step of decrypting the encrypted login information to obtain decrypted login information comprises the following steps:
obtaining a decryption key identical to the encryption key according to the timestamp in the verification request;
And decrypting the encrypted login information according to the decryption key to obtain decrypted login information.
3. The method according to any one of claims 1-2, wherein the number of check requests is at least 2, and the extracting the timestamp and the encrypted login information carried by the check request includes:
Writing each verification request into a log file respectively to generate a log file queue;
And sequentially carrying out multi-process asynchronous processing on each check request according to the queue sequence of the log files in the log file queue, and extracting the time stamp and the encrypted login information carried by each check request.
4. A login method applied to a login management server, the method comprising:
Responding to a login trigger operation, and acquiring login information corresponding to the login trigger operation;
When the account corresponding to the login information is determined to be the AD domain account according to the domain name in the login information, a time stamp corresponding to the login information is obtained, and encryption processing is carried out on the login information to obtain encrypted login information;
Generating a verification request containing the timestamp and the encrypted login information, and sending the verification request to a fixed monitoring port of an authentication server;
After receiving the verification request captured by the authentication server through the fixed monitoring port, verifying the time stamp and the encrypted login information in the verification request and feeding back a verification result;
executing a login processing flow corresponding to the verification result;
the login management server encrypts through a first programming language; the authentication server decrypts through a second programming language, the first programming language being different from the second programming language;
Before the login management server is in communication connection with the authentication server, the login management server determines a decryption rule in a DES decryption package corresponding to the first programming language, and cross-language encryption and decryption processing is achieved by configuring the decryption rule in the authentication server.
5. The method of claim 4, wherein encrypting the login information to obtain encrypted login information comprises:
generating an encryption key according to the timestamp;
and carrying out symmetric encryption processing on the login information according to the encryption key to obtain encrypted login information.
6. A login device for use with an authentication server, the device comprising:
a monitoring port configuration module, configured to acquire a fixed port monitoring request and to determine a fixed monitoring port according to the monitoring port configuration data carried in the fixed port monitoring request;
a verification request receiving module, configured to receive, captured from the fixed monitoring port, a verification request sent by the login management server after responding to a login trigger operation, and to extract a time stamp and encrypted login information carried by the verification request; the encrypted login information being obtained by the login management server through encryption processing when it determines, according to the domain name in the login information corresponding to the login trigger operation, that the account corresponding to the login information is an AD domain account;
a decryption module, configured to verify the timeliness of the time stamp and to decrypt the encrypted login information to obtain decrypted login information;
a verification module, configured to traverse the data information in the AD domain to which the account to be logged in belongs and to verify the validity of the login information by detecting whether the account corresponding to the login information is an AD domain account;
a result feedback module, configured to determine a verification result according to the validity verification result of the login information and the timeliness verification result of the time stamp, and to feed the verification result back to the login management server so that the login management server executes a login processing flow corresponding to the verification result;
wherein the login management server encrypts using a first programming language and the authentication server decrypts using a second programming language, the first programming language being different from the second programming language; and
wherein, before the login management server establishes a communication connection with the authentication server, the login management server determines a decryption rule in a DES decryption package corresponding to the first programming language, and cross-language encryption and decryption is achieved by configuring the decryption rule in the authentication server.
7. The apparatus of claim 6, wherein an encryption key for encrypting the login information is generated based on the timestamp, and wherein the encryption of the login information is performed in a symmetric manner;
The decryption module is further configured to obtain a decryption key identical to the encryption key according to the timestamp in the verification request; and decrypting the encrypted login information according to the decryption key to obtain decrypted login information.
8. The apparatus according to any one of claims 6 to 7, wherein the number of verification requests is at least 2, and the verification request receiving module is further configured to write each verification request into a respective log file and generate a log file queue; and to process the verification requests asynchronously in multiple processes, in the order of the log files in the log file queue, extracting the time stamp and the encrypted login information carried by each verification request.
9. A login device for use with a login management server, said device comprising:
the response module is used for responding to the login trigger operation and obtaining login information corresponding to the login trigger operation;
the encryption module is used for acquiring a time stamp corresponding to the login information when the account corresponding to the login information is determined to be the AD domain account according to the domain name in the login information, and carrying out encryption processing on the login information to obtain encrypted login information;
the verification request sending module is used for generating a verification request containing the time stamp and the encrypted login information and sending the verification request to a fixed monitoring port of an authentication server;
the result receiving module is used for receiving a verification result fed back after the verification request is captured by the authentication server through the fixed monitoring port and the time stamp and the encrypted login information in the verification request are verified;
the login processing module is used for executing a login processing flow corresponding to the verification result;
wherein the login management server encrypts using a first programming language and the authentication server decrypts using a second programming language, the first programming language being different from the second programming language; and
wherein, before the login management server establishes a communication connection with the authentication server, the login management server determines a decryption rule in a DES decryption package corresponding to the first programming language, and cross-language encryption and decryption is achieved by configuring the decryption rule in the authentication server.
10. The apparatus of claim 9, wherein the encryption module is further configured to generate an encryption key based on the timestamp; and carrying out symmetric encryption processing on the login information according to the encryption key to obtain encrypted login information.
11. A computer readable storage medium storing a computer program which, when executed by a processor, causes the processor to perform the steps of the method of any one of claims 1 to 5.
12. A computer device comprising a memory and a processor, the memory storing a computer program that, when executed by the processor, causes the processor to perform the steps of the method of any of claims 1 to 5.
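An added illustration of the exchange in claims 4, 5 and 7 in Go (example code, not code from the patent or its applicant): the login management server derives a DES key from the time stamp and encrypts the login information, and the authentication server checks the time stamp against a validity window before rebuilding the same key and decrypting. The shared secret mixed into the key derivation, the 300-second window and the DES-CBC/PKCS#7 layout are assumptions, since the claims only say the key is generated from the time stamp and name a DES decryption package.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"strconv"
)

// cipherFor is an assumption the claims do not state: DES key = HMAC-SHA256(secret, timestamp)[:8].
// A key derived from the clear-text timestamp alone would be recoverable by anyone who sees the request.
func cipherFor(secret []byte, ts int64) cipher.Block {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(strconv.FormatInt(ts, 10)))
	block, _ := des.NewCipher(mac.Sum(nil)[:des.BlockSize]) // an 8-byte key never errors
	return block
}

// Encrypt: login management server side (claim 5). DES-CBC, PKCS#7 padding, random IV prepended; DES only because the claims name it.
func Encrypt(secret []byte, ts int64, login string) ([]byte, error) {
	pad := des.BlockSize - len(login)%des.BlockSize
	plain := append([]byte(login), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, des.BlockSize+len(plain))
	if _, err := rand.Read(out[:des.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(cipherFor(secret, ts), out[:des.BlockSize]).CryptBlocks(out[des.BlockSize:], plain)
	return out, nil
}

// Verify: authentication server side (claims 4 and 7). Reject a stale or future timestamp before touching the ciphertext.
func Verify(secret []byte, ts int64, enc []byte, now, window int64) (string, error) {
	if ts > now+window || ts < now-window {
		return "", errors.New("timestamp outside validity window")
	}
	if len(enc) < 2*des.BlockSize || len(enc)%des.BlockSize != 0 {
		return "", errors.New("malformed ciphertext")
	}
	plain := make([]byte, len(enc)-des.BlockSize)
	cipher.NewCBCDecrypter(cipherFor(secret, ts), enc[:des.BlockSize]).CryptBlocks(plain, enc[des.BlockSize:])
	pad := int(plain[len(plain)-1])
	if pad == 0 || pad > des.BlockSize || !bytes.Equal(plain[len(plain)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return "", errors.New("bad padding")
	}
	return string(plain[:len(plain)-pad]), nil
}
```

The cross-language point in the claims (one language encrypts, another decrypts) is exactly what the explicit key derivation, IV placement and padding pin down: both sides must agree on these details, not merely on "DES".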
CN201911156566.2A 2019-11-22 Login method, login device, storage medium and computer equipment Active CN112836206B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911156566.2A CN112836206B (en) 2019-11-22 Login method, login device, storage medium and computer equipment

Publications (2)

Publication Number Publication Date
CN112836206A CN112836206A (en) 2021-05-25
CN112836206B true CN112836206B (en) 2024-07-09

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant