CN113312674B - Access security method and system based on multi-factor environment perception digital certificate - Google Patents

Access security method and system based on multi-factor environment perception digital certificate

Publication number: CN113312674B
Application number: CN202110680494.2A
Authority: CN (China)
Other versions: CN113312674A
Other languages: Chinese (zh)
Inventor: 何小林 (He Xiaolin)
Current Assignee: He Xiaolin
Original Assignee: Individual
Legal status: Active
Prior art keywords: accessed, equipment, identity, environment, electronic certificate
Events: application filed by Individual; priority to CN202110680494.2A; publication of CN113312674A; application granted; publication of CN113312674B.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication

Abstract

The invention relates to a secure access method and system based on a multi-factor environment perception digital certificate. The method comprises: collecting first environment identity information of a device to be accessed and deriving a first identity electronic certificate of that device from the first environment identity information; when the device to be accessed is admitted, acquiring second environment identity information of the device, comparing it with the first identity electronic certificate, and deciding from the comparison result whether the device is allowed access; and, once the device is admitted, authenticating any terminal that seeks to access the device according to the first identity electronic certificate, and deciding from the authentication result whether the terminal is allowed to access the device. The invention verifies the device's environment identity before, during and after admission, supports whole-process management of application-device identity authentication, improves the security of devices joining the network, and prevents counterfeit or illegitimate devices from gaining access.

Description

Access security method and system based on multi-factor environment perception digital certificate
Technical Field
The invention relates to the technical field of information security, in particular to a method and a system for access security based on a multi-factor environment perception digital certificate.
Background
With the wide adoption of the internet and the internet of things, security-control requirements for device access keep growing, and the authentication model of the traditional CA certificate struggles to meet the security-control requirements of diverse application devices.
Disclosure of Invention
The invention aims to solve the technical problem of the prior art and provides a method and a system for access security based on a multi-factor environment perception digital certificate.
The technical scheme for solving the technical problems is as follows:
a method of secure access based on multi-factor context-aware digital certificates, the method comprising:
acquiring first environment identity information of equipment to be accessed, and obtaining a first identity electronic certificate of the equipment to be accessed according to the first environment identity information;
when the equipment to be accessed is accessed, acquiring second environment identity information of the equipment to be accessed, comparing the second environment identity information with the first identity electronic certificate, and determining whether the equipment to be accessed is allowed to be accessed according to a comparison result;
and when the equipment to be accessed is accessed, authenticating the terminal which is accessed to the equipment to be accessed in advance according to the first identity electronic certificate, and determining whether the terminal is allowed to access the equipment to be accessed according to an authentication result.
On the basis of the technical scheme, the invention can be further improved as follows.
Further, the acquiring first environment identity information of a device to be accessed and obtaining a first identity electronic certificate of the device to be accessed according to the first environment identity information specifically include:
the first environment identity information comprises a physical address, an IP address, a CPU serial number, a mainboard serial number, operating system information, browser information and application system information of the equipment to be accessed;
hashing a physical address, an IP address, a CPU serial number, a mainboard serial number, operating system information, browser information and application system information of the equipment to be accessed to obtain a first identity electronic certificate of the equipment to be accessed;
and storing a first identity electronic certificate copy in the equipment to be accessed.
Further, when the device to be accessed is accessed, acquiring second environment identity information of the device to be accessed, comparing the second environment identity information with the first identity electronic certificate, and determining whether the device to be accessed allows access according to a comparison result, specifically including:
acquiring the first identity electronic certificate copy stored in the electronic equipment to be accessed;
verifying the first identity electronic certificate copy and the first identity electronic certificate to obtain a verification result;
acquiring second environment identity information of the electronic equipment to be accessed, and obtaining a second identity electronic certificate of the electronic equipment to be accessed according to the second environment identity information;
and determining whether the equipment to be accessed is allowed to be accessed or not according to the verification result, the first identity electronic certificate and the second identity electronic certificate.
Further, the determining, according to the verification result, the first identity electronic certificate, and the second identity electronic certificate, whether the device to be accessed allows access specifically includes:
when the verification result is success but the first identity electronic certificate and the second identity electronic certificate are not identical, re-collecting third environment identity information of the device to be accessed and performing real-time authentication of the device according to the third environment identity information.
Further, the performing real-time authentication on the device to be accessed according to the third environment identity information specifically includes:
when the third environment identity information comprises a physical address, verifying whether the physical address is consistent with the physical address in the first environment identity, and if not, determining that the environment identity information changes;
when the third environment identity information comprises an IP address, verifying whether the IP address is consistent with the IP address in the first environment identity, and if not, determining that the environment identity information changes;
when the third environment identity information comprises a CPU serial number, verifying whether the CPU serial number is consistent with the CPU serial number in the first environment identity, and if not, determining that the environment identity information changes;
when the third environment identity information comprises a mainboard serial number, verifying whether the mainboard serial number is consistent with the mainboard serial number in the first environment identity, and if not, determining that the environment identity information changes;
when the third environment identity information comprises operating system information, verifying whether the operating system information is consistent with the operating system information in the first environment identity, and if not, determining that the environment identity information changes;
when the third environment identity information comprises browser information, verifying whether the browser information is consistent with the browser information in the first environment identity, and if not, determining that the environment identity information changes;
when the third environment identity information comprises application system information, verifying whether the application system information is consistent with the application system information in the first environment identity, and if not, determining that the environment identity information changes;
and when the environment identity information changes, generating a third identity electronic certificate of the equipment to be accessed according to the third environment identity information, and storing a copy of the third identity electronic certificate in the equipment to be accessed.
Further, when the device to be accessed is accessed, according to the first identity electronic certificate, authenticating the terminal that has accessed the device to be accessed in advance, and determining whether the terminal allows access to the device to be accessed according to an authentication result, specifically includes:
receiving an access request sent by the terminal, wherein the access request comprises a terminal electronic digital certificate;
verifying the terminal electronic digital certificate according to the first identity electronic certificate;
if the verification is successful, allowing the terminal to access;
otherwise, judging whether the terminal electronic digital certificate meets a preset security policy or not;
if yes, performing real-time verification according to the terminal electronic digital certificate;
if the verification is passed, allowing the terminal to access;
and if not, the terminal is refused to access.
The method has the beneficial effects that: the method comprises the steps of collecting first environment identity information of equipment to be accessed, and obtaining a first identity electronic certificate of the equipment to be accessed according to the first environment identity information; when the equipment to be accessed is accessed, acquiring second environment identity information of the equipment to be accessed, comparing the second environment identity information with the first identity electronic certificate, and determining whether the equipment to be accessed is allowed to be accessed according to a comparison result; and when the equipment to be accessed is accessed, authenticating the terminal which is accessed to the equipment to be accessed in advance according to the first identity electronic certificate, and determining whether the terminal is allowed to access the equipment to be accessed according to an authentication result. The invention realizes the identification of the authorized user and the authority of the authorized user through the digital certificate generated by multi-factor environment perception, and meets the current management of the whole process of the identity authentication of the application equipment through the verification of the environment identity of the equipment before, during and after the access, improves the safety of the equipment accessed to the network, and prevents the access of counterfeit or illegal equipment.
The invention also solves another technical scheme of the technical problems as follows:
a system for secure access based on multi-factor context-aware digital certificates, the system comprising:
the acquisition device is used for acquiring first environment identity information of the equipment to be accessed,
the authentication device is used for obtaining a first identity electronic certificate of the equipment to be accessed according to the first environment identity information;
the acquisition device is used for acquiring second environment identity information of the equipment to be accessed when the equipment to be accessed is accessed,
the authentication device is used for comparing the second environment identity information with the first identity electronic certificate and determining whether the equipment to be accessed is allowed to be accessed according to a comparison result;
and the authentication device is used for authenticating the terminal which is accessed to the equipment to be accessed in advance according to the first identity electronic certificate when the equipment to be accessed is accessed, and determining whether the terminal is allowed to access the equipment to be accessed according to an authentication result.
Further, the acquisition device is specifically configured to acquire a physical address, an IP address, a CPU serial number, a motherboard serial number, operating system information, browser information, and application system information of the device to be accessed;
the authentication device is specifically used for hashing a physical address, an IP address, a CPU serial number, a mainboard serial number, operating system information, browser information and application system information of the equipment to be accessed to obtain a first identity electronic certificate of the equipment to be accessed;
and storing a first identity electronic certificate copy in the equipment to be accessed.
Further, the authentication device is specifically configured to obtain the first identity electronic certificate copy stored in the to-be-accessed electronic device;
verifying the first identity electronic certificate copy and the first identity electronic certificate to obtain a verification result;
acquiring the second environment identity information of the electronic device to be accessed, re-collected by the acquisition device, and obtaining a second identity electronic certificate of the device to be accessed according to the second environment identity information;
and determining whether the equipment to be accessed is allowed to be accessed or not according to the verification result, the first identity electronic certificate and the second identity electronic certificate.
Further, the authentication device is specifically configured to, when the verification result is that the verification is successful and the first identity electronic certificate and the second identity electronic certificate are inconsistent,
and acquiring third environment identity information of the equipment to be accessed, which is acquired again by the acquisition device, and performing real-time authentication on the equipment to be accessed according to the third environment identity information.
Advantages of additional aspects of the invention will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the embodiments of the present invention or in the description of the prior art will be briefly described below, and it is obvious that the drawings described below are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a schematic flowchart of a method for secure access based on a multi-factor context-aware digital certificate according to an embodiment of the present invention;
fig. 2 is a schematic diagram of a system for secure access based on a multi-factor context-aware digital certificate according to another embodiment of the present invention;
fig. 3 is a schematic installation diagram of a system for secure access based on multi-factor context-aware digital certificate according to another embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be obtained by a person skilled in the art without any inventive step based on the embodiments of the present invention, shall fall within the scope of protection of the present invention.
Fig. 1 illustrates a method for secure access based on a multi-factor context-aware digital certificate according to an embodiment of the present invention, including the following steps:
110. acquiring first environment identity information of equipment to be accessed, and obtaining a first identity electronic certificate of the equipment to be accessed according to the first environment identity information.
It should be understood that the device to be accessed may be a service network, a storage device or a terminal. In the initial state, before the device has been admitted, its environment information is collected by an agent client installed on the device; the environment identity information includes hardware information, application software information, network information, and the like.
The identity electronic certificate is obtained by processing the environment identity information, for example by hashing or encryption; many specific methods exist and are not described in detail in this embodiment.
120. When the equipment to be accessed is accessed, acquiring second environment identity information of the equipment to be accessed, comparing the second environment identity information with the first identity electronic certificate, and determining whether the equipment to be accessed is allowed to be accessed according to a comparison result.
It should be understood that when the device to be accessed joins the network, its environment identity information in the current state is collected in order to verify whether its hardware, software or network information has changed. By verifying the device in this way, the security risk of admitting to the network a device that has not passed identity verification can be prevented.
130. And when the equipment to be accessed is accessed, authenticating the terminal which is accessed to the equipment to be accessed in advance according to the first identity electronic certificate, and determining whether the terminal is allowed to access the equipment to be accessed according to an authentication result.
It should be understood that when another terminal requests access to the device to be accessed, that terminal is authenticated, so that access to the device by an unauthenticated terminal can be prevented. At the same time, the terminal's access rights are limited by the security policy set in the device to be accessed.
Based on the foregoing embodiment, further, step 110 specifically includes:
the first environment identity information comprises a physical address, an IP address, a CPU serial number, a mainboard serial number, operating system information, browser information and application system information of the equipment to be accessed.
And hashing the physical address, the IP address, the CPU serial number, the mainboard serial number, the operating system information, the browser information and the application system information of the equipment to be accessed to obtain a first identity electronic certificate of the equipment to be accessed.
It should be understood that the operating system information includes the name and version number of the operating system, the browser information includes the name and version number of the browser, and the application system information may cover all or part of the application systems present on the device to be accessed.
And storing a first identity electronic certificate copy in the equipment to be accessed.
Further, step 120 specifically includes:
121. Acquiring the first identity electronic certificate copy stored in the electronic device to be accessed.
122. Verifying the first identity electronic certificate copy against the first identity electronic certificate to obtain a verification result.
123. Acquiring second environment identity information of the electronic device to be accessed, and obtaining a second identity electronic certificate of the device according to the second environment identity information.
124. Determining whether the device to be accessed is allowed access according to the verification result, the first identity electronic certificate and the second identity electronic certificate.
Further, step 124 specifically includes:
and when the verification result is that the verification is successful and the first identity electronic certificate is inconsistent with the second identity electronic certificate, re-acquiring third environment identity information of the equipment to be accessed, and performing real-time authentication on the equipment to be accessed according to the third environment identity information.
Further, when the third environment identity information includes a physical address, verifying whether the physical address is consistent with the physical address in the first environment identity, and if not, determining that the environment identity information changes;
when the third environment identity information comprises an IP address, verifying whether the IP address is consistent with the IP address in the first environment identity, and if not, determining that the environment identity information changes;
when the third environment identity information comprises a CPU serial number, verifying whether the CPU serial number is consistent with the CPU serial number in the first environment identity, and if not, determining that the environment identity information changes;
when the third environment identity information comprises a mainboard serial number, verifying whether the mainboard serial number is consistent with the mainboard serial number in the first environment identity, and if not, determining that the environment identity information changes;
when the third environment identity information comprises operating system information, verifying whether the operating system information is consistent with the operating system information in the first environment identity, and if not, determining that the environment identity information changes;
when the third environment identity information comprises browser information, verifying whether the browser information is consistent with the browser information in the first environment identity, and if not, determining that the environment identity information changes;
when the third environment identity information comprises application system information, verifying whether the application system information is consistent with the application system information in the first environment identity, and if not, determining that the environment identity information changes;
and when the environment identity information changes, generating a third identity electronic certificate of the equipment to be accessed according to the third environment identity information, and storing a copy of the third identity electronic certificate in the equipment to be accessed.
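The following is an added worked example, not code from the patent, of steps 110 through 124 and the per-factor real-time check above: the seven factors are hashed into a first identity electronic certificate, the copy presented by the device is verified against the server-side record, a second certificate is derived and compared, and on mismatch the re-collected third information is checked factor by factor and a third certificate is issued. The factor key names, the use of SHA-256 over canonical JSON, the `AuthenticationDevice` class and the sample environment values are all assumptions of this example; the patent says only that the factors are hashed.

```python
import hashlib
import hmac
import json

# The seven environment identity factors named in step 110. The key names and the
# use of SHA-256 are assumptions of this example; the patent only says "hashing".
FACTORS = ("physical_address", "ip_address", "cpu_serial", "mainboard_serial",
           "os_info", "browser_info", "app_info")


def make_certificate(env: dict) -> str:
    """Hash the seven factors into an identity electronic certificate (hex digest).
    Canonical JSON (fixed key order, no whitespace) makes the digest reproducible."""
    missing = [f for f in FACTORS if f not in env]
    if missing:
        raise ValueError(f"missing environment factors: {missing}")
    canonical = json.dumps({f: str(env[f]) for f in FACTORS},
                           sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()


class AuthenticationDevice:
    """Server side: keeps the first environment identity information and the first
    identity electronic certificate of every enrolled device."""

    def __init__(self):
        self._records = {}  # device_id -> {"env": first_env, "cert": first_cert}

    def enroll(self, device_id: str, first_env: dict) -> str:
        """Step 110: derive the first certificate; the return value is the copy the
        device stores locally."""
        cert = make_certificate(first_env)
        self._records[device_id] = {"env": dict(first_env), "cert": cert}
        return cert

    def verify_copy(self, device_id: str, cert_copy: str) -> bool:
        """Steps 121-122: compare the copy presented by the device with the record."""
        rec = self._records.get(device_id)
        return rec is not None and hmac.compare_digest(rec["cert"], cert_copy)

    def access_decision(self, device_id: str, cert_copy: str, second_env: dict) -> str:
        """Steps 123-124: 'deny' (copy invalid), 'allow' (second certificate equals the
        first) or 'realtime_auth' (copy valid but the environment hashes differently)."""
        if not self.verify_copy(device_id, cert_copy):
            return "deny"
        second_cert = make_certificate(second_env)
        if hmac.compare_digest(self._records[device_id]["cert"], second_cert):
            return "allow"
        return "realtime_auth"

    def changed_factors(self, device_id: str, third_env: dict) -> list:
        """Per-factor real-time authentication: each factor present in the re-collected
        third information is compared with the first environment identity."""
        first = self._records[device_id]["env"]
        return [f for f in FACTORS
                if f in third_env and str(third_env[f]) != str(first[f])]

    def realtime_authenticate(self, device_id: str, third_env: dict) -> tuple:
        """Returns (changed_factors, certificate). If anything changed, a third
        certificate is generated from the third information, replaces the record and is
        returned as the device's new copy; otherwise the first certificate is returned."""
        changed = self.changed_factors(device_id, third_env)
        if not changed:
            return [], self._records[device_id]["cert"]
        third_cert = make_certificate(third_env)
        self._records[device_id] = {"env": dict(third_env), "cert": third_cert}
        return changed, third_cert


# Constructed sample environment for the demonstration run (not real device data).
SAMPLE_ENV = {
    "physical_address": "00:11:22:33:44:55", "ip_address": "192.0.2.10",
    "cpu_serial": "CPU-EXAMPLE-0001", "mainboard_serial": "MB-EXAMPLE-0001",
    "os_info": "ExampleOS 1.0", "browser_info": "ExampleBrowser 10.0",
    "app_info": "inventory-app 2.3",
}


def demo() -> dict:
    """Enrolment, re-check, an IP change, re-issue and a forged copy; returns the
    decisions so they can be inspected."""
    auth = AuthenticationDevice()
    first_cert = auth.enroll("device-A", SAMPLE_ENV)
    unchanged = auth.access_decision("device-A", first_cert, SAMPLE_ENV)
    moved_env = dict(SAMPLE_ENV, ip_address="198.51.100.7")  # e.g. a new DHCP lease
    after_move = auth.access_decision("device-A", first_cert, moved_env)
    changed, third_cert = auth.realtime_authenticate("device-A", moved_env)
    after_reissue = auth.access_decision("device-A", third_cert, moved_env)
    forged = auth.access_decision("device-A", "0" * 64, SAMPLE_ENV)
    return {"unchanged": unchanged, "after_move": after_move, "changed": changed,
            "after_reissue": after_reissue, "forged": forged,
            "reissued": third_cert != first_cert}


if __name__ == "__main__":
    print(demo())
```

Two points the example makes visible. First, because the certificate is a plain digest of attributes readable on the device itself, the copy stored on the device is not a secret; the server-side record is the source of truth, and `verify_copy` must compare against it rather than trust whatever the device presents. Second, the per-factor list returned by `realtime_authenticate` tells an operator which factor drifted, which matters for triage: a changed IP address after a new DHCP lease is routine, whereas a changed mainboard or CPU serial deserves scrutiny before a third certificate is issued.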
Further, step 130 specifically includes:
receiving an access request sent by the terminal, wherein the access request comprises a terminal electronic digital certificate;
verifying the terminal electronic digital certificate according to the first identity electronic certificate;
if the verification is successful, allowing the terminal to access;
otherwise, judging whether the terminal electronic digital certificate meets a preset security policy or not;
if yes, performing real-time verification according to the terminal electronic digital certificate;
if the verification is passed, allowing the terminal to access;
and if not, the terminal is refused to access.
It should be understood that, as shown in fig. 3, in the above embodiment a data-collecting client agent is deployed on the device to be accessed (such as a server, storage, a mobile office device, a mobile communication device, an industrial terminal, etc.). The agent collects the terminal device's environment identity information, including but not limited to the IP, the MAC address, the operating system name and version number, the browser name and version number, or client characteristic information and a product verification code, and uploads it to the authentication management module or system, which is configured to create or use an electronic digital certificate from that environment identity information. When the device is admitted or makes an access request, whether the digital certificate exists and whether the terminal device's environment identity is consistent with the authentication certificate are verified beforehand, so that different access controls are applied accordingly: refusing access, allowing access, or requiring additional real-time verification.
When the system is deployed, the management module or system is installed on an application server or cloud computing equipment, and the application terminal downloads and installs, or comes pre-installed with, the system's client agent and performs initial configuration;
the application terminal's client agent is started to collect environment identity information (including but not limited to IP, MAC, operating system name and version number, browser name and version number, client characteristic information, verification codes and the like; the types of information collected can be preset through a security policy according to the user's security requirements), and the collected information is uploaded to the authentication management module or system;
the authentication management module or system makes the identity environment information uploaded by the terminal into an identity electronic digital certificate and sends a copy of the electronic digital certificate to the application terminal. The system can configure the access rights of each electronic digital certificate differently;
in the working state, when the application terminal starts, it first re-collects its own environment identity information and compares it with the local electronic digital certificate; if they are inconsistent, the terminal is prompted that the environment identity information has changed and that re-authentication or supplementary real-time authentication is needed;
in the working state, access to a protected application system or device access (internet of things) requires pre-authentication of the accessing device's electronic digital certificate. A terminal without an electronic digital certificate is refused access; for a mobile terminal such as a notebook computer, verification means such as WeChat verification or SMS password verification can be added when the IP address does not match; and for a fixed terminal, a security policy can be set under which only a certificate in full conformity allows the user to access the protected application system or device.
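The following is an added example, not code from the patent, of the step 130 terminal decision (verify the terminal's certificate against the first identity certificate; otherwise consult the preset security policy and, if it permits, perform real-time verification) combined with the deployment policy just described: no certificate means refusal, a fixed terminal must conform fully, and a mobile terminal whose only drifted factor is the IP address may pass an added real-time check. The factor names, the SHA-256 derivation, the `SecurityPolicy` shape, the `realtime_verify` callback standing in for the SMS or WeChat step, and the sample values are assumptions of this example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Callable, Optional

# Factor names, certificate derivation and policy shape are assumptions of this
# example; the patent names the factors but fixes neither encoding nor hash.
FACTORS = ("physical_address", "ip_address", "cpu_serial", "mainboard_serial",
           "os_info", "browser_info", "app_info")


def make_certificate(env: dict) -> str:
    """SHA-256 over the seven factors in canonical JSON (assumed derivation)."""
    canonical = json.dumps({f: str(env[f]) for f in FACTORS},
                           sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()


@dataclass(frozen=True)
class SecurityPolicy:
    """Preset security policy for one terminal kind. realtime_factors lists the
    factors whose mismatch may be compensated by real-time verification; an empty
    set means the certificate must conform fully."""
    terminal_kind: str
    realtime_factors: frozenset = frozenset()


# Fixed terminals need full conformity; mobile terminals may fall back to a
# real-time check (SMS code, WeChat verification) when only the IP differs.
POLICIES = {
    "fixed": SecurityPolicy("fixed"),
    "mobile": SecurityPolicy("mobile", frozenset({"ip_address"})),
}


@dataclass
class AccessRequest:
    terminal_id: str
    terminal_kind: str
    certificate: Optional[str]  # None: the terminal holds no certificate at all
    env: dict                   # environment factors collected at request time


def register(registry: dict, terminal_id: str, first_env: dict) -> str:
    """Record the first environment identity and certificate; returns the copy."""
    cert = make_certificate(first_env)
    registry[terminal_id] = {"env": dict(first_env), "cert": cert}
    return cert


def decide_access(request: AccessRequest, registry: dict,
                  realtime_verify: Callable[[str], bool]) -> tuple:
    """Step 130 decision. realtime_verify(terminal_id) performs the out-of-band
    step and returns True on success. Returns (decision, reason)."""
    if request.certificate is None:
        return "deny", "no electronic digital certificate"
    record = registry.get(request.terminal_id)
    if record is None:
        return "deny", "unknown terminal"
    copy_ok = hmac.compare_digest(record["cert"], request.certificate)
    changed = {f for f in FACTORS
               if str(request.env.get(f)) != str(record["env"][f])}
    # Verification succeeds only when the presented copy matches the first
    # certificate and the current environment still agrees with it.
    if copy_ok and not changed:
        return "allow", "certificate verified"
    policy = POLICIES.get(request.terminal_kind)
    # Security-policy check: the copy must still be genuine and every drifted
    # factor must be one the policy lets real-time verification cover.
    if not copy_ok or policy is None or not changed <= policy.realtime_factors:
        return "deny", "security policy not met"
    if realtime_verify(request.terminal_id):
        return "allow", "real-time verification passed"
    return "deny", "real-time verification failed"


# Constructed sample data for the demonstration (not real device data).
FIRST_ENV = {
    "physical_address": "00:11:22:33:44:55", "ip_address": "192.0.2.10",
    "cpu_serial": "CPU-EXAMPLE-0001", "mainboard_serial": "MB-EXAMPLE-0001",
    "os_info": "ExampleOS 1.0", "browser_info": "ExampleBrowser 10.0",
    "app_info": "inventory-app 2.3",
}


def demo() -> dict:
    """Runs the decision over the cases in the deployment description."""
    registry = {}
    cert = register(registry, "t1", FIRST_ENV)
    roaming = dict(FIRST_ENV, ip_address="198.51.100.7")
    new_board = dict(FIRST_ENV, mainboard_serial="MB-EXAMPLE-9999")
    passed, failed = (lambda tid: True), (lambda tid: False)  # stand-ins for SMS/WeChat

    def run(kind, certificate, env, verifier):
        return decide_access(AccessRequest("t1", kind, certificate, env), registry, verifier)[0]

    return {
        "fixed_conforming": run("fixed", cert, FIRST_ENV, failed),
        "no_certificate": run("mobile", None, FIRST_ENV, passed),
        "mobile_new_ip_verified": run("mobile", cert, roaming, passed),
        "mobile_new_ip_unverified": run("mobile", cert, roaming, failed),
        "fixed_new_ip": run("fixed", cert, roaming, passed),
        "mobile_new_board": run("mobile", cert, new_board, passed),
        "forged_copy": run("mobile", "f" * 64, FIRST_ENV, passed),
    }
```

The policy is deliberately a whitelist of factors that real-time verification may excuse, not a blacklist: a mobile terminal with a new IP gets the extra check, but a mobile terminal whose mainboard serial changed is denied outright, because a one-time code proves possession of a phone, not that the hardware is the enrolled one. The `reason` string in each decision is what a defender would want written to the access log, since "security policy not met" and "real-time verification failed" call for different follow-up.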
The method for secure access based on the multi-factor environment sensing digital certificate comprises the steps of collecting first environment identity information of equipment to be accessed, and obtaining a first identity electronic certificate of the equipment to be accessed according to the first environment identity information; when the equipment to be accessed is accessed, acquiring second environment identity information of the equipment to be accessed, comparing the second environment identity information with the first identity electronic certificate, and determining whether the equipment to be accessed is allowed to be accessed according to a comparison result; and when the equipment to be accessed is accessed, authenticating the terminal which is accessed to the equipment to be accessed in advance according to the first identity electronic certificate, and determining whether the terminal is allowed to access the equipment to be accessed according to an authentication result. The invention realizes the identification of the authorized user and the authority of the authorized user through the digital certificate generated by multi-factor environment perception, and meets the current management of the whole process of the identity authentication of the application equipment through the verification of the environment identity of the equipment before, during and after the access, improves the safety of the equipment accessed to the network, and prevents the access of counterfeit or illegal equipment.
Fig. 2 illustrates a system for secure access based on a multi-factor context-aware digital certificate according to another embodiment of the present invention, the system comprising:
the acquisition device is used for acquiring first environment identity information of the equipment to be accessed,
the authentication device is used for obtaining a first identity electronic certificate of the equipment to be accessed according to the first environment identity information;
the acquisition device is used for acquiring second environment identity information of the equipment to be accessed when the equipment to be accessed is accessed,
the authentication device is used for comparing the second environment identity information with the first identity electronic certificate and determining whether the equipment to be accessed is allowed to be accessed according to a comparison result;
and the authentication device is used for authenticating the terminal which is accessed to the equipment to be accessed in advance according to the first identity electronic certificate when the equipment to be accessed is accessed, and determining whether the terminal is allowed to access the equipment to be accessed according to an authentication result.
Further, the collecting device is specifically configured to collect a physical address, an IP address, a CPU serial number, a motherboard serial number, operating system information, browser information, and application system information of the device to be accessed;
the authentication device is specifically used for hashing a physical address, an IP address, a CPU serial number, a mainboard serial number, operating system information, browser information and application system information of the equipment to be accessed to obtain a first identity electronic certificate of the equipment to be accessed;
and storing a first identity electronic certificate copy in the equipment to be accessed.
Further, the authentication device is specifically configured to obtain the first identity electronic certificate copy stored in the equipment to be accessed;
verifying the first identity electronic certificate copy and the first identity electronic certificate to obtain a verification result;
acquiring second environment identity information of the equipment to be accessed, collected again by the acquisition device, and obtaining a second identity electronic certificate of the equipment to be accessed according to the second environment identity information;
and determining whether the equipment to be accessed is allowed to be accessed or not according to the verification result, the first identity electronic certificate and the second identity electronic certificate.
Further, the authentication device is specifically configured to, when the verification result is that the verification is successful and the first identity electronic certificate and the second identity electronic certificate are inconsistent,
acquire third environment identity information of the equipment to be accessed, collected again by the acquisition device, and perform real-time authentication on the equipment to be accessed according to the third environment identity information.
In the above embodiments, the descriptions of the respective embodiments have respective emphasis, and reference may be made to the related descriptions of other embodiments for parts that are not described or illustrated in a certain embodiment.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
In the embodiments provided in the present invention, it should be understood that the disclosed apparatus/terminal device and method may be implemented in other ways. For example, the above-described embodiments of the apparatus/terminal device are merely illustrative, and for example, the division of the modules or units is only one logical division, and there may be other divisions when actually implemented, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated modules/units, if implemented in the form of software functional units and sold or used as separate products, may be stored in a computer readable storage medium.
Based on such understanding, all or part of the flow of the method according to the embodiments of the present invention may also be implemented by a computer program, which may be stored in a computer-readable storage medium, and when the computer program is executed by a processor, the steps of the method embodiments may be implemented. The computer program comprises computer program code, which may be in the form of source code, object code, an executable file or some intermediate form, etc. The computer-readable medium may include: any entity or device capable of carrying the computer program code, a recording medium, a USB disk, a removable hard disk, a magnetic disk, an optical disk, computer memory, Read-Only Memory (ROM), Random Access Memory (RAM), electrical carrier wave signals, telecommunications signals, a software distribution medium, and the like. It should be noted that the content contained in the computer-readable medium may be appropriately increased or decreased as required by legislation and patent practice in the jurisdiction; for example, in some jurisdictions, according to legislation and patent practice, the computer-readable medium does not include electrical carrier signals and telecommunications signals.
The above-mentioned embodiments are only used for illustrating the technical solutions of the present invention, and not for limiting the same; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; such modifications and substitutions do not depart from the spirit and scope of the embodiments of the present invention, and they should be construed as being included therein.
While the invention has been described with reference to specific embodiments, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (6)

1. A method for secure access based on multi-factor context-aware digital certificates, the method comprising:
acquiring first environment identity information of equipment to be accessed, and obtaining a first identity electronic certificate of the equipment to be accessed according to the first environment identity information;
when the equipment to be accessed is accessed, acquiring second environment identity information of the equipment to be accessed, comparing the second environment identity information with the first identity electronic certificate, and determining whether the equipment to be accessed is allowed to be accessed according to a comparison result;
when the equipment to be accessed is accessed, according to the first identity electronic certificate, authenticating a terminal which is accessed to the equipment to be accessed in advance, and determining whether the terminal is allowed to access the equipment to be accessed according to an authentication result;
the method for acquiring the first environment identity information of the equipment to be accessed and obtaining the first identity electronic certificate of the equipment to be accessed according to the first environment identity information specifically comprises the following steps:
the first environment identity information comprises a physical address, an IP address, a CPU serial number, a mainboard serial number, operating system information, browser information and application system information of the equipment to be accessed;
hashing the physical address, the IP address, the CPU serial number, the mainboard serial number, the operating system information, the browser information and the application system information to obtain a first identity electronic certificate of the equipment to be accessed;
storing a first identity electronic certificate copy in the equipment to be accessed;
when the equipment to be accessed is accessed, acquiring second environment identity information of the equipment to be accessed, comparing the second environment identity information with the first identity electronic certificate, and determining whether the equipment to be accessed is allowed to be accessed according to a comparison result, specifically comprising:
acquiring a first identity electronic certificate copy stored in equipment to be accessed;
verifying the first identity electronic certificate copy and the first identity electronic certificate to obtain a verification result;
acquiring second environment identity information of the equipment to be accessed, and obtaining a second identity electronic certificate of the equipment to be accessed according to the second environment identity information;
and determining whether the equipment to be accessed is allowed to be accessed or not according to the verification result, the first identity electronic certificate and the second identity electronic certificate.
2. The method for secure access based on multi-factor context-aware digital certificate of claim 1, wherein the determining whether the equipment to be accessed is allowed to be accessed according to the verification result, the first identity electronic certificate, and the second identity electronic certificate specifically includes:
when the verification result is that the verification is successful and the first identity electronic certificate and the second identity electronic certificate are not identical,
re-collecting third environment identity information of the equipment to be accessed, and performing real-time authentication on the equipment to be accessed according to the third environment identity information.
3. The method for secure access based on multi-factor context-aware digital certificate according to claim 2, wherein the authenticating the equipment to be accessed in real time according to the third environment identity information specifically includes:
when the third environment identity information comprises a physical address, verifying whether the physical address is consistent with the physical address in the first environment identity, and if not, determining that the environment identity information changes;
when the third environment identity information comprises an IP address, verifying whether the IP address is consistent with the IP address in the first environment identity, and if not, determining that the environment identity information changes;
when the third environment identity information comprises a CPU serial number, verifying whether the CPU serial number is consistent with the CPU serial number in the first environment identity, and if not, determining that the environment identity information changes;
when the third environment identity information comprises a mainboard serial number, verifying whether the mainboard serial number is consistent with the mainboard serial number in the first environment identity, and if not, determining that the environment identity information changes;
when the third environment identity information comprises operating system information, verifying whether the operating system information is consistent with the operating system information in the first environment identity, and if not, determining that the environment identity information changes;
when the third environment identity information comprises browser information, verifying whether the browser information is consistent with the browser information in the first environment identity, and if not, determining that the environment identity information changes;
when the third environment identity information comprises application system information, verifying whether the application system information is consistent with the application system information in the first environment identity, and if not, determining that the environment identity information changes;
and when the environment identity information changes, generating a third identity electronic certificate of the equipment to be accessed according to the third environment identity information, and storing a copy of the third identity electronic certificate in the equipment to be accessed.
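The enrolment, comparison and per-factor re-authentication of claims 1 to 3 (and the matching description above), written out as an added Python example that is not the patent's own code; the factor field names, the use of SHA-256 over canonical JSON as the hash, the sample device values, and the drift policy that lets network and software factors change but not hardware serials are all assumptions made for illustration.

```python
import hashlib
import hmac
import json

# The seven environment factors named in the claims (field names are assumed).
FACTORS = ("physical_address", "ip_address", "cpu_serial", "mainboard_serial",
           "os_info", "browser_info", "app_info")

# Assumed drift policy, not part of the patent: network and software factors may
# change and lead to a reissued certificate; hardware factors may not.
VOLATILE_FACTORS = {"ip_address", "os_info", "browser_info", "app_info"}


def make_certificate(env):
    """Identity electronic certificate: one hash over all seven factors.
    Canonical JSON ordering makes the hash reproducible across collections."""
    canonical = json.dumps({k: env[k] for k in FACTORS}, sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()


def verify_copy(stored_copy, first_cert):
    """Claim 1: check the copy held on the device against the registered
    first certificate (constant-time compare avoids a timing side channel)."""
    return hmac.compare_digest(stored_copy, first_cert)


def changed_factors(first_env, third_env):
    """Claim 3: compare each factor present in the third collection with the
    first environment identity; return the names that differ."""
    return [k for k in FACTORS if k in third_env and third_env[k] != first_env[k]]


def decide_access(first_env, first_cert, stored_copy, second_env, third_env):
    """Access decision of claims 1-3. Returns (decision, reissued_certificate);
    the certificate is None unless the environment identity changed."""
    if not verify_copy(stored_copy, first_cert):
        return "deny", None                      # copy missing or tampered
    if hmac.compare_digest(make_certificate(second_env), first_cert):
        return "allow", None                     # environment unchanged
    # Certificates inconsistent: re-collect and authenticate factor by factor.
    changed = changed_factors(first_env, third_env)
    if not changed:
        return "allow", None                     # second collection was transient
    if set(changed) <= VOLATILE_FACTORS:
        # Environment identity changed within policy: issue the third
        # certificate; its copy replaces the one stored on the device.
        return "allow", make_certificate(third_env)
    return "deny", None                          # hardware identity changed


# Constructed sample environments (not real device data).
ENROLLED = {"physical_address": "00:11:22:33:44:55", "ip_address": "10.0.0.8",
            "cpu_serial": "CPU-SAMPLE-0001", "mainboard_serial": "MB-SAMPLE-0001",
            "os_info": "Linux 5.15", "browser_info": "Firefox 115",
            "app_info": "inventory-client 2.3"}
FIRST_CERT = make_certificate(ENROLLED)

NEW_IP = dict(ENROLLED, ip_address="10.0.0.9")             # DHCP lease changed
NEW_BOARD = dict(ENROLLED, mainboard_serial="MB-OTHER-9")  # different hardware


def demo():
    """Run the situations a practitioner would want to see side by side."""
    return {
        "unchanged": decide_access(ENROLLED, FIRST_CERT, FIRST_CERT, ENROLLED, ENROLLED),
        "ip_drift": decide_access(ENROLLED, FIRST_CERT, FIRST_CERT, NEW_IP, NEW_IP),
        "board_swap": decide_access(ENROLLED, FIRST_CERT, FIRST_CERT, NEW_BOARD, NEW_BOARD),
        "bad_copy": decide_access(ENROLLED, FIRST_CERT, "0" * 64, ENROLLED, ENROLLED),
    }


if __name__ == "__main__":
    for name, (decision, cert) in demo().items():
        suffix = f" (reissued {cert[:12]}...)" if cert else ""
        print(f"{name:10s} -> {decision}{suffix}")
```

Because the certificate is an unkeyed hash of attributes that the device itself reports, the copy on the device only shows consistency with the registered record; any assurance that the attributes are genuine has to come from how they are collected.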
4. The method according to claim 1, wherein when the equipment to be accessed is accessed, according to the first identity electronic certificate, authenticating a terminal that has accessed the equipment to be accessed in advance, and determining whether the terminal is allowed to access the equipment to be accessed according to an authentication result, specifically includes:
receiving an access request sent by the terminal, wherein the access request comprises a terminal electronic digital certificate;
verifying the terminal electronic digital certificate according to the first identity electronic certificate;
if the verification is successful, allowing the terminal to access;
otherwise, judging whether the terminal electronic digital certificate meets a preset security policy or not;
if yes, real-time verification is carried out according to the terminal electronic digital certificate;
if the verification is passed, allowing the terminal to access;
otherwise, the terminal is refused access.
5. A system for secure access based on multi-factor context-aware digital certificates, the system comprising:
the acquisition device is used for acquiring first environment identity information of the equipment to be accessed,
the authentication device is used for obtaining a first identity electronic certificate of the equipment to be accessed according to the first environment identity information;
the acquisition device is used for acquiring second environment identity information of the equipment to be accessed when the equipment to be accessed is accessed,
the authentication device is used for comparing the second environment identity information with the first identity electronic certificate and determining whether the equipment to be accessed is allowed to be accessed according to a comparison result;
the authentication device is used for authenticating a terminal which is accessed to the equipment to be accessed in advance according to the first identity electronic certificate when the equipment to be accessed is accessed, and determining whether the terminal is allowed to access the equipment to be accessed according to an authentication result;
the acquisition device is specifically used for acquiring a physical address, an IP address, a CPU serial number, a mainboard serial number, operating system information, browser information and application system information of the equipment to be accessed;
the authentication device is specifically used for hashing a physical address, an IP address, a CPU serial number, a mainboard serial number, operating system information, browser information and application system information of the equipment to be accessed to obtain a first identity electronic certificate of the equipment to be accessed;
storing a first identity electronic certificate copy in the equipment to be accessed;
the authentication device is specifically configured to obtain the first identity electronic certificate copy stored in the device to be accessed;
verifying the first identity electronic certificate copy and the first identity electronic certificate to obtain a verification result;
acquiring second environment identity information of the equipment to be accessed, collected again by the acquisition device, and obtaining a second identity electronic certificate of the equipment to be accessed according to the second environment identity information;
and determining whether the equipment to be accessed is allowed to be accessed or not according to the verification result, the first identity electronic certificate and the second identity electronic certificate.
6. The system for secure access based on multi-factor context-aware digital certificates according to claim 5,
the authentication device is specifically configured to, when the verification result is that the verification is successful and the first identity electronic certificate and the second identity electronic certificate are inconsistent,
acquire third environment identity information of the equipment to be accessed, collected again by the acquisition device, and perform real-time authentication on the equipment to be accessed according to the third environment identity information.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110680494.2A CN113312674B (en) 2021-06-18 2021-06-18 Access security method and system based on multi-factor environment perception digital certificate

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110680494.2A CN113312674B (en) 2021-06-18 2021-06-18 Access security method and system based on multi-factor environment perception digital certificate

Publications (2)

Publication Number Publication Date
CN113312674A CN113312674A (en) 2021-08-27
CN113312674B true CN113312674B (en) 2022-06-24

Family

ID=77379288

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110680494.2A Active CN113312674B (en) 2021-06-18 2021-06-18 Access security method and system based on multi-factor environment perception digital certificate

Country Status (1)

Country Link
CN (1) CN113312674B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114710340B (en) * 2022-03-25 2023-05-23 绿盟科技集团股份有限公司 Security authentication system and method
CN116192447B (en) * 2022-12-20 2024-01-30 江苏云涌电子科技股份有限公司 Multi-factor identity authentication method

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103023911B (en) * 2012-12-25 2015-10-14 北京工业大学 Trustable network equipment access trustable network authentication method
CN104468595A (en) * 2014-12-15 2015-03-25 中电长城网际系统应用有限公司 Authorization method and device of NAS equipment, NAS equipment and server
CN110601855B (en) * 2019-09-20 2022-05-13 腾讯科技(深圳)有限公司 Root certificate management method and device, electronic equipment and storage medium
CN112073422A (en) * 2020-09-15 2020-12-11 南方电网科学研究院有限责任公司 Intelligent home protection system and protection method thereof
CN112165382B (en) * 2020-09-28 2023-09-08 大唐高鸿信安(浙江)信息科技有限公司 Software authorization method and device, authorization server side and terminal equipment

Also Published As

Publication number Publication date
CN113312674A (en) 2021-08-27

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right
    Effective date of registration: 20211123
    Address after: 100045 No.416, building 22, Sanlihe Third District, Xicheng District, Beijing
    Applicant after: He Xiaolin
    Address before: 100192 room 101-02, building 10, yard 1, Baosheng South Road, Haidian District, Beijing
    Applicant before: Beijing tailixin Technology Co.,Ltd.
GR01 Patent grant