CN113630405B - Network access authentication method and device, electronic equipment and storage medium - Google Patents


Info

Publication number: CN113630405B
Application number: CN202110874471.5A
Authority: CN (China)
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN113630405A
Inventor: 闫帅
Current assignee: Beijing Dajia Internet Information Technology Co Ltd
Original assignee: Beijing Dajia Internet Information Technology Co Ltd
Prior art keywords: target, terminal, identity certificate, certificate, network

Classifications

    • H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication) > H04L63/00 (Network architectures or network communication protocols for network security) > H04L63/08 (for authentication of entities) > H04L63/0823 (using certificates)
    • H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication) > H04L63/00 (Network architectures or network communication protocols for network security) > H04L63/08 (for authentication of entities) > H04L63/0876 (based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint)

Abstract

The disclosure relates to a network access authentication method, a network access authentication device, a terminal and a storage medium, and belongs to the technical field of network security. The network access authentication method comprises the following steps: receiving a network access request of a terminal, wherein the network access request comprises a target identity certificate and a terminal identifier, and the target identity certificate is used for reflecting whether the user corresponding to the terminal has network access permission for accessing a target network; determining, according to the corresponding relation between identity certificates and grant terminal identifiers, the target grant terminal identifier corresponding to the target identity certificate, wherein the terminal indicated by a grant terminal identifier is the terminal to which the corresponding identity certificate was granted; carrying out consistency verification on the terminal identifier and the target grant terminal identifier; when the terminal identifier differs from the target grant terminal identifier, prohibiting the terminal from accessing the target network; and when the terminal identifier is the same as the target grant terminal identifier, allowing the terminal to access the target network. The method and the device can improve the security of network access authentication.

Description

Network access authentication method and device, electronic equipment and storage medium
Technical Field
The disclosure relates to the technical field of network security, and in particular relates to a network access authentication method, a network access authentication device, electronic equipment and a storage medium.
Background
With the wide application of wired and wireless networks, how to perform effective access authentication of network users, so as to ensure that a terminal accessing the network is a compliant terminal, has become a growing concern. For example, for an enterprise wireless network, it is important to ensure, by effectively authenticating network users at access time, that a terminal accessing the network is one belonging to an enterprise employee, so as to further ensure the security of the enterprise network.
At present, a terminal can access a network only after completing network access authentication at an authentication server. When the terminal initiates network access authentication to the authentication server, the authentication server only authenticates the account name and the password of the user logged in on the terminal. Account names and passwords are easily forgotten, leaked or stolen, so the security of the current terminal network access authentication mode is low.
Disclosure of Invention
The invention provides a network access authentication method, a network access authentication device, a terminal and a storage medium, which can, to a certain extent, solve the problem of the low security of the current network access authentication mode of a terminal.
According to a first aspect of an embodiment of the present disclosure, there is provided a network access authentication method, applied to a server, the method including:
receiving a network access request of a terminal, wherein the network access request comprises a target identity certificate and a terminal identifier, and the target identity certificate is used for reflecting whether the user corresponding to the terminal has network access permission for accessing a target network;
determining a target grant terminal identifier corresponding to the target identity certificate according to the corresponding relation between identity certificates and grant terminal identifiers, wherein the terminal indicated by a grant terminal identifier is the terminal to which the corresponding identity certificate was granted;
carrying out consistency verification on the terminal identifier and the target grant terminal identifier;
when the terminal identifier is different from the target grant terminal identifier, prohibiting the terminal from accessing the target network;
and allowing the terminal to access the target network when the terminal identifier is the same as the target grant terminal identifier.
In one possible implementation, before the allowing the terminal to access the target network, the method further includes:
verifying the validity of the target identity certificate using at least one piece of check data, the check data recording the validity state of identity certificates, the at least one piece of check data comprising: first check data, which is updated in real time, and second check data, which is updated periodically;
when any one piece of the check data is used to determine that the target identity certificate is in an invalid state, prohibiting the terminal from accessing the target network;
the allowing the terminal to access the target network includes: allowing the terminal to access the target network when all of the check data is used to determine that the target identity certificate is in a valid state.
In one possible implementation, the first check data includes data stored in an identity certificate library, and verifying the validity of the target identity certificate using the first check data includes:
querying the identity certificate library according to the Online Certificate Status Protocol (OCSP) for the validity state of the target identity certificate recorded in the library, wherein the validity state comprises at least a valid state or an invalid state, and the validity state of each identity certificate stored in the identity certificate library is updated in real time.
In one possible implementation, the second check data includes data recorded in a certificate revocation list, and verifying the validity of the target identity certificate using the second check data includes:
acquiring a periodically updated certificate revocation list, wherein the certificate revocation list records identity certificates in an invalid state;
querying whether the certificate revocation list includes the target identity certificate;
when the certificate revocation list is determined to not comprise the target identity certificate, determining that the target identity certificate is in a valid state;
and when the certificate revocation list comprises the target identity certificate, determining that the target identity certificate is in an invalid state.
In one possible implementation, the certificate revocation list further includes the expiration time of each identity certificate; and determining that the target identity certificate is in an invalid state when the certificate revocation list includes the target identity certificate includes:
determining that the target identity certificate is in an invalid state when the certificate revocation list includes the target identity certificate and the current time of the server is later than the expiration time of the target identity certificate.
In one possible implementation, before receiving the network access request of the terminal, the method further includes:
receiving a network access request sent by the terminal for the first time, wherein the network access request sent for the first time comprises account information of the user and a terminal identifier of the terminal;
when the account corresponding to the account information is determined to belong to the accessible account corresponding to the target network, generating a target identity certificate in a valid state corresponding to the account information, wherein the target identity certificate in the valid state is used for reflecting the network access permission of the user to access the target network;
taking the terminal identifier as the target grant terminal identifier of the target identity certificate, and recording the corresponding relation between the target identity certificate and the target grant terminal identifier;
and sending a target identity certificate corresponding to the account information to the terminal, wherein the target identity certificate is used for being installed by the terminal.
In one possible implementation manner, before receiving the network access request first sent by the terminal, the method further includes: when receiving an identity verification request sent by the terminal, sending a verification message to the terminal;
the first-time network access request further includes: information to be verified; and when the account information is determined to belong to an accessible account corresponding to the target network, generating a target identity certificate in a valid state corresponding to the account information includes:
and generating a target identity certificate in a valid state corresponding to the account information when the account information is determined to belong to an accessible account corresponding to the target network and the verification message is consistent with the message to be verified.
In one possible implementation, the first-sent network access request further includes: the operating system type of the terminal; and generating the target identity certificate in a valid state corresponding to the account information includes:
generating a target identity certificate of a target file type, wherein the target file type corresponds to the operating system type.
In one possible implementation, the identity certificate library further records the expiration time of the target identity certificate and the user valid state corresponding to the target identity certificate; the method further includes:
when a setting event is detected, updating the validity state of the target identity certificate in the identity certificate library to an invalid state, wherein the setting event includes at least one of the following:
the terminal identifier is different from the target grant terminal identifier;
the current time of the server is later than the expiration time of the target identity certificate recorded in the identity certificate library;
the user valid state corresponding to the target identity certificate recorded in the identity certificate library is updated to an invalid user state.
In one possible implementation, the identity certificate includes at least one of: country code, geographical location of the target network, business name, domain name of the target network, and number of days the identity certificate is valid.
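The server-side procedure of the first aspect, modelled end to end as an added Python example (this is not the patent's own code): enrolment with a verification message, binding the issued certificate to the requesting terminal identifier, the consistency check, the real-time identity certificate library check, the periodically refreshed CRL check with its expiration-time rule, and the setting events that flip a certificate to invalid. The certificate is a placeholder string, the server clock is a plain integer, and the OS-type-to-file-type mapping is an assumption since the page only says the file type follows the OS type.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SECONDS_PER_DAY = 86_400


@dataclass
class CertRecord:
    """One row of the identity certificate library (first check data, updated in real time)."""
    valid: bool
    expires_at: int          # server clock value (seconds) after which the certificate has expired
    user_valid: bool = True  # user valid state recorded alongside the certificate


@dataclass
class AuthServer:
    """Server side of the method: enrolment, the two validity checks and the consistency check."""
    accessible_accounts: Set[str]
    now: int = 0                                                # simulated server clock, seconds
    cert_library: Dict[str, CertRecord] = field(default_factory=dict)
    grant_map: Dict[str, str] = field(default_factory=dict)     # identity certificate -> granted terminal id
    crl: Dict[str, int] = field(default_factory=dict)           # periodic CRL: certificate -> expiration time
    challenges: Dict[str, str] = field(default_factory=dict)    # terminal id -> verification message sent

    # ---- enrolment: identity verification request, then the first network access request ----
    def identity_verification_request(self, terminal_id: str) -> str:
        """Answer an identity verification request with a fresh verification message."""
        msg = secrets.token_hex(8)
        self.challenges[terminal_id] = msg
        return msg

    def first_access_request(self, account: str, terminal_id: str, to_verify: str,
                             os_type: str, valid_days: int = 30) -> Optional[str]:
        """Issue a certificate bound to terminal_id, or None when the request is refused."""
        if account not in self.accessible_accounts:
            return None
        if self.challenges.pop(terminal_id, None) != to_verify:
            return None   # verification message and the message to be verified differ
        # Assumed file-type mapping: the page only says the file type follows the OS type.
        ext = {"windows": "pfx", "macos": "p12", "ios": "p12", "android": "p12"}.get(os_type, "pem")
        cert = f"cert-{account}-{secrets.token_hex(4)}.{ext}"   # placeholder for the certificate file
        self.cert_library[cert] = CertRecord(True, self.now + valid_days * SECONDS_PER_DAY)
        self.grant_map[cert] = terminal_id   # record certificate -> granted terminal correspondence
        return cert

    # ---- periodic maintenance of the second check data ----
    def refresh_crl(self) -> None:
        """Rebuild the CRL from the library; between refreshes it lags the real-time data."""
        self.crl = {c: r.expires_at for c, r in self.cert_library.items() if not r.valid}

    # ---- the network access authentication method ----
    def access_request(self, cert: str, terminal_id: str) -> Tuple[bool, List[str]]:
        """Return (allowed, failed checks) for a request carrying cert and terminal_id."""
        granted = self.grant_map.get(cert)
        if granted is None:
            return False, ["unknown identity certificate"]
        if granted != terminal_id:
            # Setting event: a mismatching terminal identifier invalidates the certificate.
            self.cert_library[cert].valid = False
            return False, ["terminal identifier differs from granted terminal identifier"]
        failures = [name for name, ok in (("library", self._library_check(cert)),
                                          ("crl", self._crl_check(cert))) if not ok]
        return (not failures), failures   # any one failing check prohibits access

    def _library_check(self, cert: str) -> bool:
        """First check data: real-time status lookup, applying the remaining setting events."""
        rec = self.cert_library[cert]
        if self.now > rec.expires_at or not rec.user_valid:
            rec.valid = False
        return rec.valid

    def _crl_check(self, cert: str) -> bool:
        """Second check data: listed in the CRL and past its recorded expiration time -> invalid."""
        expires_at = self.crl.get(cert)
        return expires_at is None or self.now <= expires_at
```

Note that a certificate presented from the wrong terminal is refused and, as a setting event, stays refused afterwards even from the terminal it was granted to, which is what prevents a stolen certificate from being used quietly.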
According to a second aspect of an embodiment of the present disclosure, there is provided an access authentication apparatus applied to a server, the apparatus including:
a receiving module, configured to receive a network access request of a terminal, wherein the network access request comprises a target identity certificate and a terminal identifier, and the target identity certificate is used for reflecting whether the user corresponding to the terminal has network access permission for accessing a target network;
a determining module, configured to determine a target grant terminal identifier corresponding to the target identity certificate according to the corresponding relation between identity certificates and grant terminal identifiers, wherein the terminal indicated by a grant terminal identifier is the terminal to which the corresponding identity certificate was granted;
a verification module, configured to carry out consistency verification on the terminal identifier and the target grant terminal identifier;
an access module, configured to prohibit the terminal from accessing the target network when the terminal identifier is different from the target grant terminal identifier, and further configured to allow the terminal to access the target network when the terminal identifier is the same as the target grant terminal identifier.
In one possible implementation, the verification module is further configured to verify the validity of the target identity certificate using at least one piece of check data, where the check data records the validity state of identity certificates, and the at least one piece of check data includes: first check data, which is updated in real time, and second check data, which is updated periodically;
the access module is further configured to prohibit the terminal from accessing the target network when any one piece of the check data is used to determine that the target identity certificate is in an invalid state;
the access module is further configured to allow the terminal to access the target network when all of the check data is used to determine that the target identity certificate is in a valid state.
In one possible implementation, the first check data includes data stored in an identity certificate library, and the verification module is further configured to:
query the identity certificate library according to the Online Certificate Status Protocol (OCSP) for the validity state of the target identity certificate recorded in the library, wherein the validity state comprises at least a valid state or an invalid state, and the validity state of each identity certificate stored in the identity certificate library is updated in real time.
In one possible implementation, the second check data includes data recorded in a certificate revocation list, and the verification module is further configured to:
acquire a periodically updated certificate revocation list, wherein the certificate revocation list records identity certificates in an invalid state;
query whether the certificate revocation list includes the target identity certificate;
determine that the target identity certificate is in a valid state when the certificate revocation list is determined not to include the target identity certificate;
and determine that the target identity certificate is in an invalid state when the certificate revocation list includes the target identity certificate.
In one possible implementation, the certificate revocation list further includes the expiration time of each identity certificate; the verification module is further configured to determine that the target identity certificate is in an invalid state when it is determined that the certificate revocation list includes the target identity certificate and the current time of the server is later than the expiration time of the target identity certificate.
In one possible implementation manner, the receiving module is further configured to receive a network access request sent by the terminal for the first time, where the network access request sent for the first time includes account information of the user and a terminal identifier of the terminal;
the apparatus further comprises:
a generation module, configured to generate a target identity certificate in a valid state corresponding to the account information when the account corresponding to the account information is determined to belong to an accessible account corresponding to the target network, wherein the target identity certificate in the valid state is used for reflecting the network access permission of the user to access the target network;
a recording module, configured to take the terminal identifier as the target grant terminal identifier of the target identity certificate and to record the corresponding relation between the target identity certificate and the target grant terminal identifier;
and a sending module, configured to send the target identity certificate corresponding to the account information to the terminal, wherein the target identity certificate is to be installed by the terminal.
In one possible implementation manner, the sending module is further configured to send a verification message to the terminal when receiving an authentication request sent by the terminal;
the first-time network access request further includes: information to be verified; and the generation module is further configured to generate a target identity certificate in a valid state corresponding to the account information when the account information is determined to belong to an accessible account corresponding to the target network and the verification message is consistent with the information to be verified.
In one possible implementation, the first-sent network access request further includes: the operating system type of the terminal; and the generation module is further configured to generate a target identity certificate of a target file type, wherein the target file type corresponds to the operating system type.
In one possible implementation, the identity certificate library further records the expiration time of the target identity certificate and the user valid state corresponding to the target identity certificate; the apparatus further comprises:
a detection module, configured to update the validity state of the target identity certificate in the identity certificate library to an invalid state when a setting event is detected, wherein the setting event includes at least one of the following:
the terminal identifier is different from the target grant terminal identifier;
the current time of the server is later than the expiration time of the target identity certificate recorded in the identity certificate library;
the user valid state corresponding to the target identity certificate recorded in the identity certificate library is updated to an invalid user state.
In one possible implementation, the identity certificate includes at least one of: country code, geographical location of the target network, business name, domain name of the target network, and number of days the identity certificate is valid.
According to a third aspect of embodiments of the present disclosure, there is provided an electronic device, comprising:
one or more processors;
one or more memories for storing the one or more processor-executable instructions;
wherein the one or more processors are configured to perform the network access authentication method of any one of the above aspects or any one of the possible implementations of any one of the above aspects.
According to a fourth aspect of embodiments of the present disclosure, there is provided a computer-readable storage medium whose instructions, when executed by a processor of an electronic device, enable the electronic device to perform the network access authentication method of the first aspect or any one of the possible implementations of the first aspect.
According to a fifth aspect of embodiments of the present disclosure, there is provided a computer program product comprising computer program instructions which, when executed by a processor, implement the network access authentication method of the first aspect or any one of the possible implementations of the first aspect.
According to a sixth aspect of embodiments of the present disclosure, there is provided an application program product, which when executed by a processor of a terminal, enables the terminal to perform the network access authentication method according to the first aspect or any one of the possible implementation manners of the first aspect.
The technical scheme provided by the embodiment of the disclosure can comprise the following beneficial effects:
According to the network access authentication method, the network access authentication device, the electronic equipment and the storage medium provided by the embodiments of the disclosure, after the network access request from the terminal is received, the target grant terminal identifier corresponding to the target identity certificate included in the network access request is determined through the corresponding relation between identity certificates and grant terminal identifiers, and whether the terminal is allowed to access the target network is judged according to the result of the consistency check between the terminal identifier included in the network access request and the target grant terminal identifier. Compared with the network access authentication mode of the related art, this technical scheme does not involve verification of the account name and password of the user, so it avoids the low security caused by account names and passwords being forgotten, leaked or stolen, reduces the risk of network access authentication of the terminal and improves network security. Moreover, because the terminal indicated by the grant terminal identifier is the terminal to which the corresponding identity certificate was granted, judging whether the terminal is allowed to access the target network according to the consistency check between the terminal identifier in the network access request and the target grant terminal identifier realizes an identity check of the accessing terminal, which further limits the effect that a stolen identity certificate would have on the security of the network access authentication mode and improves network security.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the disclosure and together with the description, serve to explain the principles of the disclosure.
Fig. 1 is a schematic diagram illustrating an implementation environment of a network access authentication method according to an exemplary embodiment.
Fig. 2 is a schematic diagram illustrating an implementation environment of another network access authentication method according to an exemplary embodiment.
Fig. 3 is a flow chart illustrating a network access authentication method according to an exemplary embodiment.
Fig. 4 is a schematic diagram of a network login interface according to an exemplary embodiment.
Fig. 5 is a flow chart illustrating another network access authentication method according to an exemplary embodiment.
Fig. 6 is a block diagram illustrating a network access authentication apparatus according to an exemplary embodiment.
Fig. 7 is a block diagram of an electronic device, according to an example embodiment.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples are not representative of all implementations consistent with the present disclosure. Rather, they are merely examples of apparatus and methods consistent with some aspects of the present disclosure as detailed in the accompanying claims.
It should be noted that the terms "first," "second," and the like in the description and claims of the present disclosure and in the drawings are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate, such that the embodiments of the disclosure described herein may be capable of operation in sequences other than those illustrated or described herein.
Fig. 1 is a schematic diagram illustrating an implementation environment of a network access authentication method according to an exemplary embodiment. As shown in fig. 1, the implementation environment includes: a terminal 101 and a server 102. The terminal 101 may be connected to the server 102 through a wired network or a wireless network.
The server 102 belongs to a target network, and may be used to implement a network access authentication function of the target network, so as to ensure security of the target network. By way of example, the server 102 may be any device that provides computing services, is capable of responding to service requests, and processes, such as a conventional server, cloud host, virtual center, etc. The terminal 101 may access the target network after network access authentication by the server 102. By way of example, the terminal 101 may be a smart phone, tablet, personal computer, wearable device, or the like. In one implementation scenario, the target network to which the server 102 belongs may be an enterprise network belonging to a certain enterprise, and the network access authentication method provided by the embodiment of the present disclosure may be applied to network access authentication for the enterprise network.
Optionally, the network access authentication functions that the server 102 may perform include an authentication function in the device dimension and an authentication function in the user identity dimension. The network access request sent by the terminal 101 to the server 102 may include a target identity certificate and a terminal identifier. The target identity certificate is used for reflecting whether the user corresponding to the terminal has network access permission for accessing the target network. The authentication function in the device dimension refers to checking the terminal identifier carried in the network access request against the identifier of the granted terminal to which the target identity certificate was granted. The authentication function in the user identity dimension refers to authentication of the validity of the target identity certificate.
In an alternative implementation, as shown in fig. 2 and based on the implementation environment shown in fig. 1, the server 102 may include a first server 102A and at least one second server. The first server 102A may be configured to receive the network access request sent by the terminal 101 and perform the device-dimension authentication function for the terminal that initiated the request. The at least one second server may be configured to perform the user-identity-dimension authentication function for the terminal that initiated the request. In an alternative implementation, the first server 102A may be a Remote Authentication Dial In User Service (RADIUS) server. The data exchanged between the terminal 101 and the server must then be encapsulated into RADIUS protocol messages; the RADIUS server encapsulates the data to be transmitted between the terminal and the server into RADIUS protocol messages and decapsulates it again, so as to realize the data interaction.
Optionally, the user-identity-dimension authentication for the terminal that initiated the network access request may use multiple authentication methods. There may be multiple second servers, with one second server realizing the user-identity-dimension authentication function on the basis of one authentication method. Fig. 2 illustrates the case in which the user-identity-dimension authentication function is realized through two authentication methods, so that the implementation environment correspondingly includes two second servers (102B1 and 102B2).
In the exemplary network access authentication system according to the embodiment of the present disclosure, the terminal 101 may access the target network to which the server 102 belongs after passing network access authentication. The terminal 101 may be configured to initiate a network access request to the server 102 based on the identity certificate installed on it. The server 102 may be configured to verify the user's access permission based on the network access request, and to allow the terminal to access the target network when the verification of the access permission passes.
Fig. 3 is a flow chart illustrating a network access authentication method according to an exemplary embodiment. The network access authentication method may be applied to the implementation environment shown in fig. 1 or fig. 2 and executed by the server 102 in that implementation environment. As shown in fig. 3, the network access authentication method includes:
In step 301, a network access request of a terminal is received, where the network access request includes a target identity certificate and a terminal identifier, and where the target identity certificate is used to reflect whether the user corresponding to the terminal has network access permission for the target network.
In embodiments of the present disclosure, the terminal identifier may be the media access control address (Media Access Control Address, MAC) and/or the internet protocol address (Internet Protocol Address, IP) of the terminal. The target identity certificate may be a digital certificate generated by the server and issued to the terminal. The validity of the target identity certificate may be used to reflect whether the user corresponding to the terminal has permission to access the target network. When the target identity certificate is already installed on the user's terminal and the user wants that terminal to access the target network to which the server belongs, the user can perform the network access operation, so that the terminal generates a network access request and sends it to the server. The server can receive the network access request of the terminal and execute the subsequent network access authentication operation according to it.
For example, suppose the user wants the terminal on which the target identity certificate is installed to access the target network of an enterprise. At the network login interface shown in fig. 4, the user may enter the network name of the target network, secest-1-sec, select the extensible authentication protocol (Extensible Authentication Protocol, EAP) as the identity credential, select the security type WPA2 enterprise AES, and click the save button. After receiving the click operation on the save button, the terminal may generate a network access request in response to it, where the network access request includes the target identity certificate installed on the terminal and the terminal identifier, and send the network access request to the server, so that the server receives it. Selecting the security type WPA2 AES selects WPA2 AES as the encryption mode of the network transmission, where WPA2 AES is an encryption mode based on Wi-Fi Protected Access II (WPA2) and the Advanced Encryption Standard (AES).
In step 302, the target grant terminal identifier corresponding to the target identity certificate is determined according to the correspondence between identity certificates and grant terminal identifiers. The terminal indicated by a grant terminal identifier is the terminal to which the corresponding identity certificate was granted.
In the embodiment of the disclosure, the server may store each identity certificate in association with the grant terminal identifier of the terminal to which that identity certificate was granted, so as to characterize the correspondence between identity certificates and grant terminal identifiers by this association relationship. Alternatively, the server may store an identity certificate document that records the correspondence between identity certificates and grant terminal identifiers. The server can query this correspondence between identity certificates and grant terminal identifiers, and obtain from it the target grant terminal identifier corresponding to the target identity certificate. The format of the identity certificate document can be a form, text or the like.
Optionally, the grant terminal identifier may be the terminal's media access control address (Media Access Control Address, MAC) and/or internet protocol address (Internet Protocol Address, IP). For example, the type of the grant terminal identifier may be the same as the type of the terminal identifier carried in the network access request. Alternatively, the type of the grant terminal identifier may differ from the type of the terminal identifier carried in the network access request. When the types differ, the server stores the correspondence between the type of the grant terminal identifier and the type of the terminal identifier carried in the network access request.
In step 303, consistency verification is performed on the terminal identifier and the target grant terminal identifier.
In the embodiment of the disclosure, the server may compare the target grant terminal identifier corresponding to the determined target identity certificate with the terminal identifier carried in the network access request, so as to determine whether the two identifiers are consistent.
In step 304, the terminal is prohibited from accessing the target network when the terminal identification is different from the target grant terminal identification.
In the embodiment of the disclosure, when the server determines that the terminal identifier is different from the target grant terminal identifier, this indicates that the terminal currently sending the network access request including the target identity certificate is not the terminal to which the target identity certificate was granted. It further indicates that the target identity certificate may have been stolen and that the terminal currently requesting access to the target network may be an abnormal terminal, so the server prohibits the terminal from accessing the target network.
In step 305, the terminal is allowed to access the target network when the terminal identity is the same as the target grant terminal identity.
In the embodiment of the disclosure, when the server determines that the terminal identifier is the same as the target grant terminal identifier, this indicates that the terminal currently sending the network access request including the target identity certificate is the terminal to which the target identity certificate was granted. It further indicates that the terminal currently requesting access to the target network may be an accessible terminal, so the server allows the terminal to access the target network.
In summary, according to the network access authentication method provided by the embodiment of the present disclosure, after receiving a network access request from a terminal, the target grant terminal identifier corresponding to the target identity certificate included in the network access request may be determined through the correspondence between identity certificates and grant terminal identifiers, and whether the terminal is allowed to access the target network is judged according to the result of the consistency check between the terminal identifier included in the network access request and the target grant terminal identifier. Compared with the network access authentication of terminals in the related art, this technical scheme does not involve verification of the user's account name and password, avoids the lower security of a network access authentication mode in which the account name and password can be forgotten, leaked or stolen, reduces the risk of the network access authentication of the terminal, and improves the network completeness. And because the terminal indicated by a grant terminal identifier is the terminal to which the corresponding identity certificate was granted, judging whether the terminal is allowed to access the target network according to the consistency check between the terminal identifier included in the network access request and the target grant terminal identifier realizes an identity check of the terminal requesting access, which further avoids the impact of a stolen identity certificate and similar conditions on the security of the network access authentication mode, and improves the network completeness.
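The binding and consistency check of steps 302 to 305 in working form. This is an added example, not the patent's or the applicant's code; the in-memory registry, the MAC normalization, the optional IP-to-MAC side table (standing in for the stored correspondence between identifier types mentioned under step 302) and the handling of an unknown certificate serial number are all assumptions.

```python
"""Steps 301-305 of fig. 3: the server keeps the correspondence between each
issued identity certificate and the identifier of the terminal it was granted
to, and on every network access request checks that the requesting terminal's
identifier is consistent with that grant. Hypothetical in-memory structures."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class TerminalId:
    """Terminal identifier: MAC address and/or IP address (either may be absent)."""
    mac: Optional[str] = None
    ip: Optional[str] = None

    def normalized(self) -> "TerminalId":
        # Canonical MAC form so "AA-BB-CC-..." and "aa:bb:cc:..." compare equal.
        mac = self.mac.lower().replace("-", ":") if self.mac else None
        return TerminalId(mac=mac, ip=self.ip)


@dataclass(frozen=True)
class NetworkAccessRequest:
    certificate_serial: str   # stands in for the target identity certificate
    terminal: TerminalId      # terminal identifier carried in the request


class GrantRegistry:
    """Correspondence between identity certificate (by serial number) and grant
    terminal identifier. ip_to_mac is an assumed side table (e.g. from DHCP
    leases) used when the request carries a different identifier type than
    the one stored for the grant."""

    def __init__(self, ip_to_mac: Optional[Dict[str, str]] = None) -> None:
        self._grants: Dict[str, TerminalId] = {}
        self._ip_to_mac = {ip: mac.lower() for ip, mac in (ip_to_mac or {}).items()}

    def record_grant(self, serial: str, terminal: TerminalId) -> None:
        """Step 503: remember which terminal the certificate was issued to."""
        self._grants[serial] = terminal.normalized()

    def lookup(self, serial: str) -> Optional[TerminalId]:
        """Step 302: target grant terminal identifier for the target certificate."""
        return self._grants.get(serial)

    def resolve_mac(self, terminal: TerminalId) -> Optional[str]:
        """MAC of the requesting terminal, via the side table if only an IP is present."""
        t = terminal.normalized()
        if t.mac:
            return t.mac
        return self._ip_to_mac.get(t.ip) if t.ip else None

    def consistent(self, requested: TerminalId, granted: TerminalId) -> bool:
        """Step 303: every identifier type present in the grant record must match."""
        r = requested.normalized()
        checks = []
        if granted.mac is not None:
            checks.append(self.resolve_mac(r) == granted.mac)
        if granted.ip is not None:
            checks.append(r.ip == granted.ip)
        return bool(checks) and all(checks)

    def authenticate(self, request: NetworkAccessRequest) -> str:
        """Steps 302-305: returns "allow" or "deny" for the network access request."""
        granted = self.lookup(request.certificate_serial)
        if granted is None:
            return "deny"   # certificate never granted by this server (assumed handling)
        if not self.consistent(request.terminal, granted):
            return "deny"   # step 304: mismatch, the certificate may have been stolen
        return "allow"      # step 305: same terminal as the one granted the certificate
```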
Referring to fig. 5, fig. 5 shows a flowchart of another network access authentication method according to an embodiment of the disclosure. The network access authentication method can be applied to the implementation environment shown in fig. 1. As shown in fig. 5, the network access authentication method includes:
In step 501, the terminal sends a network access request to the server for the first time, where the network access request includes the account information of a user and the terminal identifier of the terminal.
In the embodiment of the disclosure, if the user wants to enable the terminal to access the target network for the first time, the user may perform a network access operation, so that the terminal sends a network access request to the server for the first time. The network access request may include account information of the user and a terminal identification of the terminal. The account information of the user may include an account name and a password corresponding to the user. The terminal identification may be a media access control address (Media Access Control Address, MAC) and/or an internet protocol address (Internet Protocol Address, IP) of the terminal.
For example, the terminal may generate a network access request according to a data transmission protocol between the terminal and the server, where the network access request includes a formatting parameter for carrying an account name, a formatting parameter for carrying a password corresponding to the account name, and a formatting parameter for carrying a terminal identifier of the terminal.
In step 502, when determining that the account information belongs to an accessible account corresponding to the target network, the server generates a target identity certificate corresponding to the account information and in a valid state.
In the embodiment of the disclosure, the target identity certificate is used to reflect whether the user corresponding to the terminal has network access permission for the target network. A target identity certificate in the valid state reflects that the user has permission to access the target network; accordingly, a target identity certificate in the invalid state reflects that the user does not have permission to access the target network. After receiving the network access request sent by the terminal for the first time, the server can parse the network access request to obtain the account information included in it, and judge whether the account information belongs to an accessible account corresponding to the target network that the terminal wants to access. The accessible accounts corresponding to the target network may be determined by a manager of the target network.
Optionally, the server may communicate with a database storing the accessible accounts and the passwords corresponding to those accounts. The database may be integrated with the server, or the database may be independent of the server. The server can traverse all the accessible accounts in the database and judge in turn whether each accessible account obtained by traversal is the same as the account corresponding to the account information. If so, the server can judge whether the password of that accessible account is the same as the password in the account information. If the passwords are also the same, the server determines that the account information belongs to an accessible account corresponding to the target network. If no accessible account obtained by traversal is the same as the account corresponding to the account information, the server determines that the account information does not belong to an accessible account corresponding to the target network, and prohibits the terminal from accessing the target network. If an accessible account obtained by traversal is the same as the account corresponding to the account information but its password differs from the password in the account information, the server determines that the account information does not belong to an accessible account corresponding to the target network.
By way of example, consider the scenario in which the target network is an enterprise network. After an employee completes onboarding, the enterprise administrator generates an account name and a password with which the employee logs in to the enterprise network; this account belongs to the accessible accounts of the enterprise network. The enterprise administrator synchronizes and persists the account name and password assigned to the employee into a lightweight directory access protocol (Lightweight Directory Access Protocol, LDAP) database. The LDAP database stores the account names and corresponding passwords of the accessible accounts corresponding to the enterprise network, and is located on the LDAP server. After the server obtains the account information included in the network access request, it transmits the account name and password included in the account information to the LDAP server according to the transmission protocol between the server and the LDAP server. After receiving the account name and password included in the network access request, the LDAP server performs the verification of the account name and password: it determines that the account name included in the network access request exists in the LDAP database and that the password corresponding to that account name in the LDAP database is the same as the password included in the network access request, and then determines that the verification of the account name and password passes. The LDAP server sends a verification result indicating that the account name and password passed verification to the server. When the server receives this verification result, it determines that the account information included in the network access request belongs to an accessible account corresponding to the target network, and then generates a target identity certificate in the valid state corresponding to the account information.
In the embodiment of the disclosure, the server side can verify the identity of the user by judging whether the account information belongs to the accessible account corresponding to the target network or not so as to achieve the purpose of verifying the account information. And when the account information is determined to belong to the accessible account corresponding to the target network, generating a target identity certificate which corresponds to the account information and is in a valid state. The server may also verify the identity of the user by verifying other factors. The security of network access authentication is improved.
Optionally, before step 501 is performed, the method further comprises: the terminal sends an identity verification request to the server, and the server, upon receiving the identity verification request sent by the terminal, sends a verification message to the terminal. Accordingly, in step 501, the network access request sent by the terminal for the first time may further include a message to be verified. The message to be verified may be entered by the user based on the received verification message.
Accordingly, when determining that the account information belongs to the accessible account corresponding to the target network, the process of generating the target identity certificate in a valid state corresponding to the account information may include: when the server determines that the account information belongs to an accessible account corresponding to the target network and the verification message is consistent with the message to be verified, generating a target identity certificate corresponding to the account information and in a valid state.
For example, the server may also verify the user's identity by means of SMS verification, mailbox verification, and the like. When the user's identity is verified by SMS verification, before the terminal sends the network access request to the server, the terminal can send an identity verification request to the server, where the identity verification request includes the telephone contact information of the terminal. Upon receiving the identity verification request sent by the terminal, the server sends a verification message to the terminal via that telephone contact information. The terminal then sends the network access request to the server, and the network access request may further include a message to be verified, which may be entered by the user based on the received verification message. When the server determines that the account information belongs to an accessible account corresponding to the target network and that the verification message is consistent with the message to be verified, it generates a target identity certificate in the valid state corresponding to the account information. By introducing identity verification mechanisms of various kinds, the checking of the user's identity can be further strengthened, the security of the network access authentication mode is further improved, and the network completeness is improved.
In an embodiment of the present disclosure, the process by which the server generates a target identity certificate in the valid state corresponding to the account information may include: the server generates a target identity certificate with a unique serial number according to the account name included in the account information, where the target identity certificate corresponds to the account information. The format of the target identity certificate may be the X.509 format, the X.500 format, etc.
Optionally, the identity certificate may comprise at least one of: certificate subject data, certificate extension data, and certificate authority data. The certificate subject data includes at least one of: country code, geographical location of target network, name of enterprise, domain name of target network, effective days of identity certificate, related information of encryption algorithm of identity certificate, and public key cipher.
For example, the target identity certificate generated by the server may include: country code: CN (CN represents China); province of the address location of the target network: Beijin; city of the address location of the target network: Beijing; organization of the target network: BeijingKs; name of the enterprise to which the target network belongs: Ks; domain name of the target network: root; number of valid days of the identity certificate: 365; related information of the identity certificate encryption algorithm: RSA (an encryption algorithm) with a key length of 2048 bits; public key cipher: xxx. The public key cipher may refer to the Public Key Cryptography Standards (PKCS) #12 cipher.
Optionally, the network access request sent by the terminal may further include the operating system type of the terminal. The process by which the server generates the target identity certificate in the valid state corresponding to the account information may further include: the server generates a target identity certificate of a target file type, where the target file type corresponds to the operating system type. By way of example, the operating system type may be macOS, Windows, Android, or the like. In this way, the server can generate a target identity certificate in the file type matching the operating system type of the terminal, which avoids possible incompatibility between the target identity certificate and the terminal's operating system, improves the usability of the target identity certificate, and thereby ensures the efficiency of network access authentication.
In step 503, the server takes the terminal identifier in the network access request sent by the terminal for the first time as the target grant terminal identifier of the target identity certificate, and records the corresponding relationship between the target identity certificate and the target grant terminal identifier.
Optionally, the server may store the target identity certificate in association with a target grant terminal identifier of the terminal to which the target identity certificate is granted, so as to characterize a correspondence between the target identity certificate and the target grant terminal identifier based on the association relationship. Alternatively, the server may store the identity credential document. The identity certificate document records the corresponding relation between the target identity certificate and the target grant terminal identifier.
In step 504, the server sends a target identity certificate corresponding to the account information to the terminal, where the target identity certificate is installed by the terminal.
In the embodiment of the disclosure, the server may encrypt the target identity certificate to obtain the encrypted target identity certificate. And the server sends the encrypted target identity certificate to the terminal. After receiving the encrypted target identity certificate, the terminal decrypts the encrypted target identity certificate to obtain a decrypted target identity certificate. And the user executes the target operation and installs the decrypted target identity certificate to the terminal. Optionally, the server may encrypt the target identity certificate with a public key in the target identity certificate. Correspondingly, the terminal can decrypt the encrypted target identity certificate by using the private key corresponding to the public key.
In step 505, the terminal sends a network access request to the server, where the network access request includes a target identity certificate and a terminal identifier.
In the embodiment of the disclosure, after the target identity certificate has been installed on the user's terminal, if the user wants that terminal to access the target network, the user can perform the network access operation, and the verification of the terminal's network access permission is realized with the target identity certificate installed on the terminal. The terminal generates a network access request based on the target identity certificate and sends it to the server. The server can receive the network access request of the terminal and execute the subsequent network access authentication operation according to it.
In step 506, the server determines, according to the correspondence between the identity certificate and the grant terminal identifier, the target grant terminal identifier corresponding to the target identity certificate.
In the embodiment of the disclosure, when the server side stores the identity certificate in association with the grant terminal identifier of the terminal to which the identity certificate is granted, so as to characterize the corresponding relationship between the identity certificate and the grant terminal identifier based on the association relationship, the server side may read the target grant terminal identifier corresponding to the target identity certificate from the storage address of the target grant terminal identifier according to the association relationship between the storage address of the target identity certificate and the storage address of the corresponding target grant terminal identifier.
Alternatively, the server may store the identity credential document. The identity certificate document records the corresponding relation between the identity certificate and the granted terminal identifier. The server side can inquire from the identity certificate document to obtain a target grant terminal identifier corresponding to the target identity certificate. The format of the identity certificate document can be a form, text or the like.
In step 507, the server performs consistency verification on the terminal identifier and the target grant terminal identifier.
In the embodiment of the disclosure, the server may compare the target grant terminal identifier corresponding to the determined target identity certificate with the terminal identifier carried in the network access request, so as to determine whether the two identifiers are consistent.
In step 508, the server prohibits the terminal from accessing the target network when the terminal identification is different from the target grant terminal identification.
In the embodiment of the disclosure, when the server determines that the terminal identifier is different from the target grant terminal identifier, this indicates that the terminal currently sending the network access request including the target identity certificate is not the terminal to which the target identity certificate was granted. It further indicates that the target identity certificate may have been stolen and that the terminal currently requesting access to the target network may be an abnormal terminal, so the server prohibits the terminal from accessing the target network.
In step 509, when the terminal identifier is the same as the target grant terminal identifier, the server verifies the validity of the target identity certificate by using at least one kind of verification data, where the verification data records the validity states of identity certificates.
In the embodiment of the disclosure, when the server determines that the terminal identifier is the same as the target grant terminal identifier, this indicates that the terminal currently sending the network access request including the target identity certificate is the terminal to which the target identity certificate was granted, and further that the terminal currently requesting access to the target network may be an accessible terminal; the server may then further verify the identity certificate. The server can verify the validity of the target identity certificate with at least one kind of verification data. The at least one kind of verification data may include first verification data updated in real time and second verification data updated periodically. Thus, when there are several kinds of verification data, the server can perform multiple verifications of the target identity certificate based on the different verification data, which improves the accuracy of the verification of the identity certificate and further improves the security of the network access authentication mode.
Based on this, the embodiment of the disclosure exemplarily describes a process of verifying the validity of the target identity certificate by using different verification data by the server.
In a first alternative implementation, when the verification data is first verification data updated in real time, the verification data may comprise data stored in an identity certificate library. The process by which the server verifies the validity of the target identity certificate with the first verification data comprises the following steps:
the identity certificate library is invoked according to the online certificate status protocol (Online Certificate Status Protocol, OCSP), and the validity state of the target identity certificate recorded in the identity certificate library is queried, where the validity state comprises at least a valid state or an invalid state. The validity state of each identity certificate stored in the identity certificate library is updated in real time.
In the embodiments of the disclosure, OCSP is a standard specification for checking the validity of digital certificates. If the server needs to call the identity certificate library to verify the target identity certificate, the network access request received by the server is a request encoded according to the OCSP protocol. The request includes the identifier of the target identity certificate, formatted according to the OCSP protocol; the identifier may be the serial number. Correspondingly, the server can parse the received network access request according to the OCSP protocol to obtain the identifier of the target identity certificate.
The identity certificate library records the identifiers of all identity certificates issued by the target network and the validity state corresponding to each identity certificate. The validity state of an identity certificate comprises at least a valid state or an invalid state. The valid state may also be called the un-revoked state, and an identity certificate in the valid state reflects that the terminal corresponding to the certificate has permission to access the target network. The invalid state is also called the revoked state, and an identity certificate in the invalid state reflects that the terminal corresponding to the certificate does not have permission to access the target network. The server may determine, based on the identifier of the target identity certificate, the validity state corresponding to the target identity certificate from the identity certificate library, thereby verifying the validity of the target identity certificate with the data in the identity certificate library.
Since the identity certificate library is typically maintained by the issuing authority of the identity certificates, the validity state of each identity certificate stored in the identity certificate library needs to be updated in real time to ensure the accuracy of each validity state. Therefore, on the basis of the high accuracy of the validity states in the identity certificate library, verifying the validity state of the target identity certificate with the identity certificate library is accurate, and the security of the network access authentication mode is effectively improved.
Optionally, the server may execute an information detection policy to detect a setting event, so as to ensure the accuracy of the validity states of the identity certificates in the identity certificate library. The setting event is used to reflect that an identity certificate has become invalid. For example, the identity certificate library also records the expiration time of the target identity certificate and the user valid state corresponding to the target identity certificate. The method further comprises: when the server detects a setting event, updating the validity state of the target identity certificate in the identity certificate library to the invalid state. The setting event comprises at least one of: the terminal identifier is different from the target grant terminal identifier; the current time of the server is later than the expiration time of the target identity certificate recorded in the identity certificate library; and the user valid state corresponding to the target identity certificate recorded in the identity certificate library has been updated to an invalid user state.
In a scenario where the target network is an enterprise network, any of the following situations may cause the user valid state in the identity credential repository to be an invalid user state. The conditions may include: employee departure, limited access rights due to employee personal behavior, and the like.
In the embodiment of the disclosure, in the optional implementation environment shown in fig. 2, the second server may be the server that verifies the validity of the target identity certificate with the first verification data, and this server may be an OCSP server. The RADIUS server can parse the received network access request to obtain the target identity certificate, and send a certificate verification request to the OCSP server according to the OCSP protocol. The certificate verification request includes the identifier of the target identity certificate formatted according to OCSP. After receiving the certificate verification request, the OCSP server may parse it according to the OCSP protocol to obtain the identifier of the target identity certificate. The OCSP server determines the validity state corresponding to the target identity certificate from the identity certificate library and sends a certificate verification response for the certificate verification request to the RADIUS server. The certificate verification response indicates whether the validity state of the target identity certificate is the invalid state. The RADIUS server can determine whether to allow the terminal to access the target network according to the certificate verification response.
In a second alternative implementation, where the verification data is the periodically updated second verification data, the verification data may include data recorded in a certificate revocation list. The process by which the server verifies the validity of the target identity certificate using the second verification data includes the following steps:
a periodically updated certificate revocation list (Certificate Revocation List, CRL) is obtained, which records the identity certificates that are in an invalid state. It is queried whether the certificate revocation list includes the target identity certificate. When it is determined that the certificate revocation list does not include the target identity certificate, the target identity certificate is determined to be in a valid state. When it is determined that the certificate revocation list includes the target identity certificate, the target identity certificate is determined to be in an invalid state. In this way, the periodically updated certificate revocation list is used to verify the target identity certificate; because the update frequency of the certificate revocation list is low, the latest certificate revocation list does not need to be fetched frequently for verification, and network overhead is reduced.
In the embodiment of the disclosure, the certificate revocation list can be maintained manually by an administrator of the target network. It can be seen as an "access blacklist" of the target network. Thus, the certificate revocation list may be updated periodically to save labor costs.
Optionally, the certificate revocation list may further include the expiration time of each identity certificate. Then, determining that the target identity certificate is in an invalid state when the certificate revocation list includes it may comprise: when the certificate revocation list includes the target identity certificate and the current time of the server is later than the expiration time of the target identity certificate, determining that the target identity certificate is in an invalid state. Correspondingly, when the server determines that the certificate revocation list does not include the target identity certificate, it determines that the target identity certificate is in a valid state; or, when the server determines that the certificate revocation list includes the target identity certificate but the current time of the server is not later than the expiration time, it determines that the target identity certificate is in a valid state. In this way, because the expiration time of the identity certificate is added to the certificate revocation list, a judgment on the expiration time is added to the process of determining, based on the certificate revocation list, whether the target identity certificate is invalid. Erroneous decisions under certain conditions can therefore be avoided, and the accuracy of verifying the validity of the target identity certificate based on the certificate revocation list is improved.
In the embodiment of the disclosure, in the optional implementation environment shown in fig. 2, the second server may be configured to generate the certificate revocation list and send the generated certificate revocation list to the server; this second server may be a CRL server. The second server may send the periodically updated certificate revocation list to the Radius server of the server. The Radius server parses the received certificate revocation list and uses the parsed list to determine the validity of the target identity certificate. In an alternative implementation, the certificate revocation list may further include its own validity period, so that the server judges the validity of the target identity certificate using only a certificate revocation list that is within its validity period.
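The following added example (not code from the patent or its assignee) implements the CRL decision rule of the second alternative implementation together with the two refinements just described: the per-entry expiration time (listed but not yet expired means still valid) and the list's own validity period (a list outside its period is not used). The CRL is modelled as a JSON document with `this_update`, `next_update` and `revoked` fields; that layout, the field names and the sample entries are constructed assumptions, since the patent does not specify the CRL format.

```python
"""CRL lookup with per-entry expiration time and CRL validity period
(added illustration; the JSON layout and sample data are constructed)."""
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional


def parse_crl(raw: str) -> dict:
    """Parse the assumed JSON CRL into a lookup table keyed by certificate id."""
    doc = json.loads(raw)
    revoked: Dict[str, Optional[datetime]] = {}
    for entry in doc["revoked"]:
        exp = entry.get("expires_at")
        revoked[entry["cert_id"]] = datetime.fromisoformat(exp) if exp else None
    return {
        "this_update": datetime.fromisoformat(doc["this_update"]),
        "next_update": datetime.fromisoformat(doc["next_update"]),
        "revoked": revoked,
    }


def crl_is_current(crl: dict, now: datetime) -> bool:
    """The list is only trusted inside its own validity period."""
    return crl["this_update"] <= now <= crl["next_update"]


def check_with_crl(crl: dict, cert_id: str, now: datetime) -> str:
    """Return 'valid', 'invalid' or 'stale_crl' for the target identity certificate."""
    if not crl_is_current(crl, now):
        return "stale_crl"              # caller should fail closed or fetch a fresh list
    if cert_id not in crl["revoked"]:
        return "valid"                  # not listed -> valid state
    expires_at = crl["revoked"][cert_id]
    # An entry without an expiration time invalidates unconditionally;
    # otherwise the server time must be later than the recorded expiration time.
    if expires_at is None or now > expires_at:
        return "invalid"
    return "valid"                      # listed, but expiration time not yet reached


# Constructed sample CRL: one plain entry, one expired entry, one not yet expired.
SAMPLE_CRL = json.dumps({
    "this_update": "2024-03-01T00:00:00+00:00",
    "next_update": "2024-03-08T00:00:00+00:00",
    "revoked": [
        {"cert_id": "cert-101"},
        {"cert_id": "cert-102", "expires_at": "2024-02-01T00:00:00+00:00"},
        {"cert_id": "cert-103", "expires_at": "2024-04-01T00:00:00+00:00"},
    ],
})


def demo_crl() -> dict:
    """Evaluate four certificates at a time inside the CRL's validity period,
    then show what happens once the list has gone stale."""
    crl = parse_crl(SAMPLE_CRL)
    now = datetime(2024, 3, 3, tzinfo=timezone.utc)
    out = {cid: check_with_crl(crl, cid, now)
           for cid in ("cert-100", "cert-101", "cert-102", "cert-103")}
    out["after_next_update"] = check_with_crl(crl, "cert-100", now + timedelta(days=30))
    return out
```

The third return value, `stale_crl`, is the practitioner's check the text motivates: a periodically updated list is only as good as its freshness, so the Radius server should refuse to conclude "valid" from a list whose validity period has lapsed rather than silently continuing to admit terminals.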
In a third alternative implementation, where the verification data includes both the first verification data updated in real time and the second verification data updated periodically, the process by which the server verifies the validity of the target identity certificate using the first verification data and the second verification data includes the following steps:
the server invokes the identity certificate library according to the online certificate status protocol and queries the validity state of the target identity certificate recorded in the identity certificate library. After the validity state of the target identity certificate has been determined in this way, the periodically updated certificate revocation list is obtained, and it is queried whether the certificate revocation list includes the target identity certificate. When it is determined that the certificate revocation list does not include the target identity certificate, the target identity certificate is determined to be in a valid state. When it is determined that the certificate revocation list includes the target identity certificate, the target identity certificate is determined to be in an invalid state.
Alternatively, the server first obtains the periodically updated certificate revocation list and queries whether it includes the target identity certificate. When it is determined that the certificate revocation list does not include the target identity certificate, the target identity certificate is determined to be in a valid state. When it is determined that the certificate revocation list includes the target identity certificate, the server invokes the identity certificate library according to the online certificate status protocol and queries the validity state of the target identity certificate recorded in the identity certificate library.
It should be noted that, in the third alternative implementation, the explanation and implementation of the server invoking the identity certificate library according to the online certificate status protocol and querying the validity state of the target identity certificate recorded therein, and of obtaining the periodically updated certificate revocation list and querying whether it includes the target identity certificate, may refer to the first alternative implementation and the second alternative implementation respectively; they are not described again in detail in the embodiments of the present disclosure.
In step 510, the server prohibits the terminal from accessing the target network when the target identity certificate is determined to be in an invalid state using any one of the verification data.
In the embodiment of the disclosure, when the server determines, using any one of the verification data, that the target identity certificate is in an invalid state, this indicates that the target identity certificate is currently invalid and therefore reflects that the user corresponding to the terminal does not have network access permission for the target network; the server accordingly prohibits the terminal from accessing the target network.
In step 511, the server allows the terminal to access the target network when all of the verification data determine that the target identity certificate is in a valid state.
In the embodiment of the disclosure, when the server determines, using all of the verification data, that the target identity certificate is in a valid state, this indicates that the target identity certificate is currently valid and therefore reflects that the user corresponding to the terminal has network access permission for the target network; the server accordingly allows the terminal to access the target network.
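The following added example (not code from the patent or its assignee) shows the decision rule of steps 510 and 511 applied over several sources of verification data: the first "invalid" verdict prohibits access immediately, and access is allowed only when every source has answered "valid". The real-time OCSP-style lookup and the periodic CRL lookup are represented by small stand-in functions over constructed tables; their names and the sample certificate identifiers are assumptions. An undetermined answer (for example "unknown") is treated as not valid, so the decision fails closed.

```python
"""Combining verification data into one access decision (steps 510/511).
Added illustration; verifier stand-ins and sample data are constructed."""
from typing import Callable, Dict, Iterable, Tuple

# A verifier maps a certificate id to "valid", "invalid" or an undetermined answer.
Verifier = Callable[[str], str]


def decide_access(cert_id: str,
                  verifiers: Iterable[Tuple[str, Verifier]]) -> Tuple[bool, Dict[str, str]]:
    """Query the verifiers in the given order, stopping at the first 'invalid'.

    Returns (allowed, verdicts). allowed is True only when every verifier
    answered 'valid' (step 511); any 'invalid' prohibits access (step 510),
    and any other answer is undetermined and also prohibits access.
    """
    verdicts: Dict[str, str] = {}
    for name, verifier in verifiers:
        verdict = verifier(cert_id)
        verdicts[name] = verdict
        if verdict == "invalid":
            return False, verdicts           # step 510: any invalid -> prohibit
    allowed = bool(verdicts) and all(v == "valid" for v in verdicts.values())
    return allowed, verdicts                 # step 511: all valid -> allow


# Constructed stand-ins for the two kinds of verification data.
LIBRARY_STATE = {"cert-1": "valid", "cert-2": "invalid", "cert-3": "valid"}   # real-time states
CRL_REVOKED = {"cert-3"}                                                        # periodic list


def ocsp_verifier(cert_id: str) -> str:
    """First verification data: OCSP-style query of the identity certificate library."""
    return LIBRARY_STATE.get(cert_id, "unknown")


def crl_verifier(cert_id: str) -> str:
    """Second verification data: membership in the certificate revocation list."""
    return "invalid" if cert_id in CRL_REVOKED else "valid"


def demo_decisions() -> Dict[str, Tuple[bool, bool]]:
    """Both query orders from the text: library first, or revocation list first.
    The final decision must not depend on the order."""
    ocsp_then_crl = [("ocsp", ocsp_verifier), ("crl", crl_verifier)]
    crl_then_ocsp = [("crl", crl_verifier), ("ocsp", ocsp_verifier)]
    out: Dict[str, Tuple[bool, bool]] = {}
    for cid in ("cert-1", "cert-2", "cert-3", "cert-9"):
        allowed_a, _ = decide_access(cid, ocsp_then_crl)
        allowed_b, _ = decide_access(cid, crl_then_ocsp)
        out[cid] = (allowed_a, allowed_b)
    return out
```

Querying the cheaper, locally cached CRL first and the OCSP service only for certificates not already listed saves a round trip per request, but as the example shows the outcome is the same either way: a certificate that any source reports invalid is refused, and a certificate absent from every source is refused as well rather than admitted by default.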
In summary, in the network access authentication method provided by the embodiments of the present disclosure, after a network access request is received from a terminal, the target grant terminal identifier corresponding to the target identity certificate included in the request is determined through the correspondence between identity certificates and grant terminal identifiers, and whether the terminal is allowed to access the target network is judged according to the result of the consistency verification of the terminal identifier included in the request against the target grant terminal identifier. Compared with the network access authentication of a terminal in the related art, this technical solution does not involve verifying the user's account name and password, so it avoids the lower security of an authentication scheme in which the account name and password may be forgotten, leaked or stolen, reduces the risk of the terminal's network access authentication and improves network security. Moreover, because the terminal indicated by a grant terminal identifier is the terminal to which the corresponding identity certificate was granted, judging whether the terminal may access the target network according to the consistency verification result of the terminal identifier against the target grant terminal identifier performs an identity check of the accessing terminal, which further prevents a stolen identity certificate and similar conditions from affecting the security of the authentication scheme and improves network security.
Fig. 6 is a flow chart illustrating a network access authentication apparatus according to an exemplary embodiment. The network access authentication apparatus is applied to the server. As shown in fig. 6, the network access authentication apparatus includes:
the receiving module 601 is configured to receive a network access request of a terminal, where the network access request includes a target identity certificate and a terminal identifier, where the target identity certificate is used to reflect whether a user corresponding to the terminal has network access permission to access to a target network;
a determining module 602, configured to determine, according to a correspondence between the identity certificate and the grant terminal identifier, a target grant terminal identifier corresponding to the target identity certificate, where the terminal indicated by the grant terminal identifier is a terminal to which the corresponding identity certificate is granted;
a verification module 603, configured to perform consistency verification on the terminal identifier and the target grant terminal identifier;
an access module 604, configured to prohibit the terminal from accessing the target network when the terminal identifier is different from the target grant terminal identifier; and is further configured to allow the terminal to access the target network when the terminal identification is the same as the target grant terminal identification.
In one possible implementation, the verification module 603 is further configured to verify the validity of the target identity certificate using at least one verification data, where the verification data records the validity status of the identity certificate, and the at least one verification data includes: the first check data are updated in real time, and the second check data are updated periodically;
The access module 604 is further configured to prohibit the terminal from accessing the target network when it is determined that the target identity certificate is in an invalid state by using any one of the verification data;
the access module 604 is further configured to allow the terminal to access the target network when it is determined that the target identity certificate is in a valid state by using all the verification data.
In one possible implementation, the first verification data comprises data stored in the identity certificate library, and
the verification module 603 is further configured to: according to the on-line certificate status protocol, the identity certificate library is called, the validity status of the target identity certificate recorded in the identity certificate library is queried, the validity status at least comprises a valid status or an invalid status, and the validity status of each identity certificate stored in the identity certificate library is updated in real time.
In one possible implementation, the second verification data comprises data recorded in a certificate revocation list, the verification module 603 being further configured to:
acquiring a periodically updated certificate revocation list, wherein the certificate revocation list records an identity certificate in an invalid state;
querying whether the certificate revocation list includes a target identity certificate;
when the certificate revocation list is determined to not comprise the target identity certificate, determining that the target identity certificate is in a valid state;
when it is determined that the certificate revocation list includes the target identity certificate, determining that the target identity certificate is in an invalid state.
In one possible implementation, the certificate revocation list further includes the expiration time of the identity certificate, and the verification module 603 is further configured to determine that the target identity certificate is in an invalid state when it is determined that the certificate revocation list includes the target identity certificate and the current time of the server is later than the expiration time of the target identity certificate.
In one possible implementation manner, the receiving module 601 is further configured to receive a network access request sent by the terminal for the first time, where the network access request sent for the first time includes account information of a user and a terminal identifier of the terminal;
the apparatus further comprises:
the generation module is used for generating a target identity certificate in a valid state corresponding to the account information when the account corresponding to the account information is determined to belong to an accessible account corresponding to the target network, wherein the target identity certificate in the valid state is used for reflecting the network access permission of a user for accessing the target network;
the recording module is used for taking the terminal identifier as a target grant terminal identifier of the target identity certificate and recording the corresponding relation between the target identity certificate and the target grant terminal identifier;
the sending module is configured to send the target identity certificate corresponding to the account information to the terminal, where the target identity certificate is provided for the terminal to install.
In one possible implementation manner, the sending module is further configured to send a verification message to the terminal when receiving an authentication request sent by the terminal;
the network access request sent for the first time further includes information to be verified; the generation module is further configured to generate a target identity certificate in a valid state corresponding to the account information when the account corresponding to the account information is determined to belong to an accessible account corresponding to the target network and the verification information is consistent with the information to be verified.
In one possible implementation, the network access request sent for the first time further includes the operating system type of the terminal, and the generation module is further configured to generate a target identity certificate of a target file type, where the target file type corresponds to the operating system type.
In one possible implementation manner, the expiration time of the target identity certificate and the user valid state corresponding to the target identity certificate are also recorded in the identity certificate library; the apparatus further comprises:
the detection module is configured to update the validity state of the target identity certificate in the identity certificate library to an invalid state when a setting event is detected, where the setting event includes at least one of the following:
the terminal identifier is different from the target grant terminal identifier,
the current time of the server is later than the expiration time of the target identity certificate recorded in the identity certificate library,
and the user valid state corresponding to the target identity certificate recorded in the identity certificate library has been updated to an invalid user state.
In one possible implementation, the identity certificate includes at least one of: country code, geographical location of the target network, business name, domain name of the target network, number of days the identity certificate is valid.
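The following added example (not code from the patent or its assignee) ties the enrollment modules above together with the consistency verification at the heart of the scheme: the first network access request carries the account information, the terminal identifier, the information to be verified and the operating system type; the server checks the account against the accessible accounts and the one-time verification message, issues a target identity certificate whose file type matches the operating system type and whose subject carries the fields listed above, records the certificate-to-grant-terminal correspondence, and on every later request compares the presented terminal identifier with the recorded one. The certificate is modelled as a plain record rather than an X.509 certificate, and the file-type mapping, subject values, account names and terminal identifiers are constructed assumptions.

```python
"""First-time enrollment, terminal binding and consistency verification
(added illustration; record layout, mapping and sample values are constructed)."""
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Assumed mapping from operating system type to the certificate file type the
# terminal can install; the patent only states that the two correspond.
FILE_TYPE_FOR_OS = {"windows": "pfx", "macos": "p12", "android": "p12", "ios": "mobileconfig"}


@dataclass
class IdentityCertificate:
    cert_id: str
    subject: Dict[str, str]     # country code, location, business name, domain, valid days
    file_type: str


@dataclass
class AccessServer:
    accessible_accounts: set
    correspondence: Dict[str, str] = field(default_factory=dict)        # cert_id -> grant terminal id
    pending_verification: Dict[str, str] = field(default_factory=dict)  # account -> code sent

    def send_verification_message(self, account: str) -> str:
        """On an authentication request, send a one-time code and remember it."""
        code = secrets.token_hex(3)
        self.pending_verification[account] = code
        return code

    def enroll(self, account: str, terminal_id: str, info_to_verify: str,
               os_type: str) -> Optional[IdentityCertificate]:
        """Handle the first network access request; None means the request is refused."""
        if account not in self.accessible_accounts:
            return None                                   # not an accessible account
        if self.pending_verification.get(account) != info_to_verify:
            return None                                   # verification message mismatch
        file_type = FILE_TYPE_FOR_OS.get(os_type)
        if file_type is None:
            return None                                   # no installable file type
        cert_id = hashlib.sha256(
            f"{account}:{terminal_id}:{secrets.token_hex(8)}".encode()).hexdigest()[:16]
        cert = IdentityCertificate(
            cert_id=cert_id,
            subject={"C": "US", "L": "Sample City", "O": "Example Corp",   # constructed values
                     "CN": "corp.example", "validity_days": "365"},
            file_type=file_type)
        # Record the correspondence: this terminal is the target grant terminal.
        self.correspondence[cert_id] = terminal_id
        del self.pending_verification[account]            # code is single use
        return cert

    def check_consistency(self, cert_id: str, terminal_id: str) -> bool:
        """Consistency verification of the presented terminal identifier against
        the target grant terminal identifier recorded for the certificate."""
        granted = self.correspondence.get(cert_id)
        return granted is not None and secrets.compare_digest(granted, terminal_id)


def demo_enrollment() -> dict:
    srv = AccessServer(accessible_accounts={"alice"})
    code = srv.send_verification_message("alice")
    cert = srv.enroll("alice", "terminal-A1", code, "windows")
    refused_account = srv.enroll("mallory", "terminal-M1", "000000", "windows")
    srv.send_verification_message("alice")
    refused_code = srv.enroll("alice", "terminal-A2", "wrong-code", "macos")
    return {
        "issued_file_type": cert.file_type if cert else None,
        "same_terminal": srv.check_consistency(cert.cert_id, "terminal-A1"),
        "other_terminal": srv.check_consistency(cert.cert_id, "terminal-Z9"),   # copied certificate
        "unknown_cert": srv.check_consistency("0000000000000000", "terminal-A1"),
        "refused_account": refused_account is None,
        "refused_code": refused_code is None,
    }
```

The `other_terminal` case is the scenario the summary paragraphs emphasise: a valid certificate file copied to a different device fails the consistency verification because the correspondence recorded at enrollment names another terminal, so certificate theft alone does not grant network access. In a deployment the terminal identifier would be tied to something the device attests (for example a hardware-bound key) rather than a freely chosen string, otherwise the check degrades to a second copied secret.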
In summary, after receiving a network access request from a terminal, the network access authentication apparatus provided by the embodiments of the present disclosure determines, through the correspondence between identity certificates and grant terminal identifiers, the target grant terminal identifier corresponding to the target identity certificate included in the request, and judges whether the terminal is allowed to access the target network according to the result of the consistency verification of the terminal identifier included in the request against the target grant terminal identifier. Compared with the network access authentication of a terminal in the related art, this technical solution does not involve verifying the user's account name and password, so it avoids the lower security of an authentication scheme in which the account name and password may be forgotten, leaked or stolen, reduces the risk of the terminal's network access authentication and improves network security. Moreover, because the terminal indicated by a grant terminal identifier is the terminal to which the corresponding identity certificate was granted, judging whether the terminal may access the target network according to the consistency verification result of the terminal identifier against the target grant terminal identifier performs an identity check of the accessing terminal, which further prevents a stolen identity certificate and similar conditions from affecting the security of the authentication scheme and improves network security.
Fig. 7 is a block diagram of an electronic device according to an exemplary embodiment. The electronic device may be the terminal or the server of the present disclosure. The electronic device 700 may be a smart phone, a tablet computer, an MP3 (Moving Picture Experts Group Audio Layer III) player, an MP4 (Moving Picture Experts Group Audio Layer IV) player, a notebook computer or a desktop computer. The electronic device 700 may also be referred to by other names such as user device, portable terminal, laptop terminal or desktop terminal.
In general, the electronic device 700 includes: a processor 701 and a memory 702.
Processor 701 may include one or more processing cores, such as a 4-core processor, an 8-core processor, and the like. The processor 701 may be implemented in at least one hardware form of DSP (Digital Signal Processing), FPGA (Field-Programmable Gate Array) or PLA (Programmable Logic Array). The processor 701 may also include a main processor and a coprocessor; the main processor is a processor for processing data in an awake state, also referred to as a CPU (Central Processing Unit), and the coprocessor is a low-power processor for processing data in a standby state. In some embodiments, the processor 701 may integrate a GPU (Graphics Processing Unit) for rendering and drawing the content to be displayed by the display screen. In some embodiments, the processor 701 may also include an AI (Artificial Intelligence) processor for processing computing operations related to machine learning.
Memory 702 may include one or more computer-readable storage media, which may be non-transitory. The memory 702 may also include high-speed random access memory, as well as non-volatile memory, such as one or more magnetic disk storage devices, flash memory storage devices. In some embodiments, a non-transitory computer readable storage medium in memory 702 is used to store at least one instruction for execution by processor 701 to implement the network access authentication method provided by the method embodiments in the present application.
In some embodiments, the electronic device 700 may further optionally include: a peripheral interface 703 and at least one peripheral. The processor 701, the memory 702, and the peripheral interface 703 may be connected by a bus or signal lines. The individual peripheral devices may be connected to the peripheral device interface 703 via buses, signal lines or a circuit board. Specifically, the peripheral device includes: at least one of radio frequency circuitry 704, a display 705, a camera 706, audio circuitry 707, a positioning component 708, and a power supply 709.
The peripheral interface 703 may be used to connect at least one I/O (Input/Output) related peripheral device to the processor 701 and the memory 702. In some embodiments, the processor 701, the memory 702 and the peripheral interface 703 are integrated on the same chip or circuit board; in some other embodiments, any one or two of the processor 701, the memory 702 and the peripheral interface 703 may be implemented on a separate chip or circuit board, which is not limited in this embodiment.
The radio frequency circuit 704 is configured to receive and transmit RF (Radio Frequency) signals, also referred to as electromagnetic signals. The radio frequency circuit 704 communicates with a communication network and other communication devices via electromagnetic signals. The radio frequency circuit 704 converts an electrical signal into an electromagnetic signal for transmission, or converts a received electromagnetic signal into an electrical signal. Optionally, the radio frequency circuit 704 includes: an antenna system, an RF transceiver, one or more amplifiers, a tuner, an oscillator, a digital signal processor, a codec chipset, a subscriber identity module card, and so forth. The radio frequency circuit 704 may communicate with other terminals via at least one wireless communication protocol. The wireless communication protocol includes, but is not limited to: metropolitan area networks, various generations of mobile communication networks (2G, 3G, 4G and 5G), wireless local area networks and/or WiFi (Wireless Fidelity) networks. In some embodiments, the radio frequency circuit 704 may also include NFC (Near Field Communication) related circuitry, which is not limited in this application.
The display screen 705 is used to display a UI (User Interface). The UI may include graphics, text, icons, video, and any combination thereof. When the display 705 is a touch display, the display 705 also has the ability to collect touch signals at or above the surface of the display 705. The touch signal may be input to the processor 701 as a control signal for processing. At this time, the display 705 may also be used to provide virtual buttons and/or a virtual keyboard, also referred to as soft buttons and/or a soft keyboard. In some embodiments, there may be one display 705, provided on the front panel of the electronic device 700; in other embodiments, there may be at least two displays 705, respectively disposed on different surfaces of the electronic device 700 or in a folded design; in still other embodiments, the display 705 may be a flexible display disposed on a curved surface or a folded surface of the electronic device 700. The display 705 may even be arranged in a non-rectangular irregular pattern, i.e. a shaped screen. The display 705 may be made of LCD (Liquid Crystal Display), OLED (Organic Light-Emitting Diode) or other materials.
The camera assembly 706 is used to capture images or video. Optionally, the camera assembly 706 includes a front camera and a rear camera. Typically, the front camera is disposed on the front panel of the terminal and the rear camera is disposed on the rear surface of the terminal. In some embodiments, there are at least two rear cameras, each being any one of a main camera, a depth camera, a wide-angle camera and a telephoto camera, so that the main camera and the depth camera can be fused to realize a background blurring function, and the main camera and the wide-angle camera can be fused to realize panoramic shooting, Virtual Reality (VR) shooting or other fused shooting functions. In some embodiments, the camera assembly 706 may also include a flash. The flash may be a single-color-temperature flash or a dual-color-temperature flash. A dual-color-temperature flash is a combination of a warm-light flash and a cold-light flash, and can be used for light compensation under different color temperatures.
The audio circuit 707 may include a microphone and a speaker. The microphone is used for collecting sound waves of users and environments, converting the sound waves into electric signals, and inputting the electric signals to the processor 701 for processing, or inputting the electric signals to the radio frequency circuit 704 for voice communication. For purposes of stereo acquisition or noise reduction, the microphone may be multiple, and disposed at different locations of the electronic device 700. The microphone may also be an array microphone or an omni-directional pickup microphone. The speaker is used to convert electrical signals from the processor 701 or the radio frequency circuit 704 into sound waves. The speaker may be a conventional thin film speaker or a piezoelectric ceramic speaker. When the speaker is a piezoelectric ceramic speaker, not only the electric signal can be converted into a sound wave audible to humans, but also the electric signal can be converted into a sound wave inaudible to humans for ranging and other purposes. In some embodiments, the audio circuit 707 may also include a headphone jack.
The positioning component 708 is used to locate the current geographic location of the electronic device 700 for navigation or LBS (Location Based Service). The positioning component 708 may be a positioning component based on the GPS (Global Positioning System) of the United States, the Beidou system of China, the GLONASS system of Russia, or the Galileo system of the European Union.
The power supply 709 is used to power the various components in the electronic device 700. The power supply 709 may be an alternating current, a direct current, a disposable battery, or a rechargeable battery. When the power supply 709 includes a rechargeable battery, the rechargeable battery may support wired or wireless charging. The rechargeable battery may also be used to support fast charge technology.
In some embodiments, the electronic device 700 further includes one or more sensors 7010. The one or more sensors 7010 include, but are not limited to: acceleration sensor 7011, gyroscope sensor 7012, pressure sensor 7013, fingerprint sensor 7014, optical sensor 7015, and proximity sensor 7016.
The acceleration sensor 7011 can detect the magnitudes of accelerations on three coordinate axes of the coordinate system established with the electronic device 700. For example, the acceleration sensor 7011 may be used to detect components of gravitational acceleration on three coordinate axes. The processor 701 may control the display screen 705 to display a user interface in a landscape view or a portrait view based on the gravitational acceleration signal acquired by the acceleration sensor 7011. The acceleration sensor 7011 may also be used for acquisition of motion data of a game or a user.
The gyro sensor 7012 may detect a body direction and a rotation angle of the electronic device 700, and the gyro sensor 7012 may cooperate with the acceleration sensor 7011 to collect 3D actions of the user on the electronic device 700. The processor 701 may implement the following functions according to the data collected by the gyro sensor 7012: motion sensing (e.g., changing UI according to a tilting operation by a user), image stabilization at shooting, game control, and inertial navigation.
The pressure sensor 7013 may be disposed at a side frame of the electronic device 700 and/or at an underlying layer of the display screen 705. When the pressure sensor 7013 is disposed on a side frame of the electronic device 700, a grip signal of the electronic device 700 by a user may be detected, and the processor 701 performs left-right hand recognition or quick operation according to the grip signal collected by the pressure sensor 7013. When the pressure sensor 7013 is disposed at the lower layer of the display screen 705, the processor 701 controls the operability control on the UI interface according to the pressure operation of the user on the display screen 705. The operability controls include at least one of a button control, a scroll bar control, an icon control, and a menu control.
The fingerprint sensor 7014 is used for collecting the fingerprint of the user, and the processor 701 identifies the identity of the user according to the fingerprint collected by the fingerprint sensor 7014, or the fingerprint sensor 7014 identifies the identity of the user according to the collected fingerprint. Upon recognizing that the user's identity is a trusted identity, the processor 701 authorizes the user to perform relevant sensitive operations including unlocking the screen, viewing encrypted information, downloading software, paying for and changing settings, etc. The fingerprint sensor 7014 may be provided on the front, back, or side of the electronic device 700. When a physical key or vendor Logo is provided on the electronic device 700, the fingerprint sensor 7014 may be integrated with the physical key or vendor Logo.
The optical sensor 7015 is used to collect the ambient light intensity. In one embodiment, the processor 701 may control the display brightness of the display screen 705 based on the ambient light intensity collected by the optical sensor 7015. Specifically, when the intensity of the ambient light is high, the display brightness of the display screen 705 is turned up; when the ambient light intensity is low, the display brightness of the display screen 705 is turned down. In another embodiment, the processor 701 may also dynamically adjust the shooting parameters of the camera assembly 706 based on the ambient light intensity collected by the optical sensor 7015.
The proximity sensor 7016, also referred to as a distance sensor, is typically disposed on the front panel of the electronic device 700. The proximity sensor 7016 is used to capture the distance between the user and the front of the electronic device 700. In one embodiment, when the proximity sensor 7016 detects that the distance between the user and the front surface of the electronic device 700 gradually decreases, the processor 701 controls the display screen 705 to switch from the bright screen state to the off screen state; when the proximity sensor 7016 detects that the distance between the user and the front surface of the electronic device 700 gradually increases, the processor 701 controls the display screen 705 to switch from the off-screen state to the on-screen state.
Those skilled in the art will appreciate that the structure shown in fig. 7 is not limiting of the electronic device 700 and may include more or fewer components than shown, or may combine certain components, or may employ a different arrangement of components.
In an exemplary embodiment, a computer readable storage medium storing instructions is also provided; when the instructions are executed by a processor of an electronic device, they enable the electronic device to perform the network access authentication method provided by the respective method embodiments above.
For example, the non-transitory computer readable storage medium may be a ROM (Read-Only Memory), a RAM (Random Access Memory), a CD-ROM (Compact Disc Read-Only Memory), a magnetic tape, a floppy disk, an optical data storage device, and the like.
In an exemplary embodiment, a computer program product is also provided, comprising computer program instructions which, when executed by a processor, implement the network access authentication method provided by the above respective method embodiments.
In an exemplary embodiment, there is also provided an application program product, which when executed by a processor of a terminal, enables the terminal to perform the network access authentication method provided by the above respective method embodiments.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This application is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice in the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.
It is to be understood that the present disclosure is not limited to the precise arrangements and instrumentalities shown in the drawings, and that various modifications and changes may be effected without departing from the scope thereof. The scope of the present disclosure is limited only by the appended claims.

Claims (20)

1. A network access authentication method, applied to a server, comprising the following steps:
receiving a network access request of a terminal, wherein the network access request comprises a target identity certificate and a terminal identifier, and the target identity certificate is used for reflecting whether a user corresponding to the terminal has network access permission to access a target network;
determining a target grant terminal identifier corresponding to the target identity certificate according to a correspondence between identity certificates and grant terminal identifiers, wherein the terminal indicated by a grant terminal identifier is the terminal to which the corresponding identity certificate was granted, and the correspondence is stored in the server;
performing a consistency check between the terminal identifier and the target grant terminal identifier;
when the terminal identifier differs from the target grant terminal identifier, prohibiting the terminal from accessing the target network;
when the terminal identifier is the same as the target grant terminal identifier, allowing the terminal to access the target network;
wherein, before receiving the network access request of the terminal, the method further comprises:
receiving a first network access request sent by the terminal, wherein the first network access request comprises account information of the user and the terminal identifier of the terminal;
when the account corresponding to the account information is determined to belong to the accessible accounts of the target network, generating a target identity certificate in a valid state corresponding to the account information, wherein the target identity certificate in the valid state is used for reflecting that the user has network access permission to access the target network;
taking the terminal identifier as the target grant terminal identifier of the target identity certificate, and recording the correspondence between the target identity certificate and the target grant terminal identifier;
and sending the target identity certificate corresponding to the account information to the terminal, wherein the target identity certificate is to be installed by the terminal.
2. The method of claim 1, wherein, before allowing the terminal to access the target network, the method further comprises:
verifying the validity of the target identity certificate using at least one piece of check data, the check data recording the validity status of identity certificates, the at least one piece of check data comprising first check data, which is updated in real time, and second check data, which is updated periodically;
when any one piece of the check data is used to determine that the target identity certificate is in an invalid state, prohibiting the terminal from accessing the target network;
and the allowing the terminal to access the target network comprises: allowing the terminal to access the target network when all of the check data are used to determine that the target identity certificate is in a valid state.
3. The method of claim 2, wherein the first check data comprises data stored in an identity certificate library, and verifying the validity of the target identity certificate using the first check data comprises:
querying the identity certificate library according to an online certificate status protocol for the validity status of the target identity certificate recorded in the identity certificate library, wherein the validity status is at least one of a valid status and an invalid status, and the validity status of each identity certificate stored in the identity certificate library is updated in real time.
4. The method of claim 2, wherein the second check data comprises data recorded in a certificate revocation list, and verifying the validity of the target identity certificate using the second check data comprises:
acquiring a periodically updated certificate revocation list, wherein the certificate revocation list records identity certificates in an invalid state;
querying whether the certificate revocation list includes the target identity certificate;
when it is determined that the certificate revocation list does not include the target identity certificate, determining that the target identity certificate is in a valid state;
and when it is determined that the certificate revocation list includes the target identity certificate, determining that the target identity certificate is in an invalid state.
5. The method of claim 4, wherein the certificate revocation list further records the expiration time of each identity certificate, and determining that the target identity certificate is in an invalid state when it is determined that the certificate revocation list includes the target identity certificate comprises:
determining that the target identity certificate is in an invalid state when the certificate revocation list includes the target identity certificate and the current time of the server is later than the expiration time of the target identity certificate.
6. The method of claim 1, wherein, before receiving the first network access request sent by the terminal, the method further comprises: when an identity verification request sent by the terminal is received, sending a verification message to the terminal;
the first network access request further comprises a message to be verified, and generating the target identity certificate in a valid state corresponding to the account information when it is determined that the account information belongs to the accessible accounts of the target network comprises:
generating the target identity certificate in a valid state corresponding to the account information when it is determined that the account information belongs to the accessible accounts of the target network and the verification message is consistent with the message to be verified.
7. The method of claim 1, wherein the first network access request further comprises an operating system type of the terminal, and generating the target identity certificate in a valid state corresponding to the account information comprises:
generating a target identity certificate of a target file type, wherein the target file type corresponds to the operating system type.
8. The method of claim 3, wherein the identity certificate library further records the expiration time of the target identity certificate and a user validity status corresponding to the target identity certificate; and the method further comprises:
when a setting event is detected, updating the validity status of the target identity certificate in the identity certificate library to an invalid status, wherein the setting event comprises at least one of the following:
the terminal identifier differs from the target grant terminal identifier;
the current time of the server is later than the expiration time of the target identity certificate recorded in the identity certificate library;
and the user validity status corresponding to the target identity certificate recorded in the identity certificate library is updated to an invalid user status.
9. The method according to any of claims 1-5, wherein the identity certificate comprises at least one of: country code, geographical location of the target network, business name, domain name of the target network, and number of days the identity certificate is valid.
10. A network access authentication apparatus, applied to a server, comprising:
a receiving module, configured to receive a network access request of a terminal, wherein the network access request comprises a target identity certificate and a terminal identifier, and the target identity certificate is used for reflecting whether a user corresponding to the terminal has network access permission to access a target network;
a determining module, configured to determine a target grant terminal identifier corresponding to the target identity certificate according to a correspondence between identity certificates and grant terminal identifiers, wherein the terminal indicated by a grant terminal identifier is the terminal to which the corresponding identity certificate was granted, and the correspondence is stored in the server;
a verification module, configured to perform a consistency check between the terminal identifier and the target grant terminal identifier;
an access module, configured to prohibit the terminal from accessing the target network when the terminal identifier differs from the target grant terminal identifier, and further configured to allow the terminal to access the target network when the terminal identifier is the same as the target grant terminal identifier;
wherein the receiving module is further configured to receive a first network access request sent by the terminal, the first network access request comprising account information of the user and the terminal identifier of the terminal;
and the apparatus further comprises:
a generating module, configured to generate a target identity certificate in a valid state corresponding to the account information when the account corresponding to the account information is determined to belong to the accessible accounts of the target network, wherein the target identity certificate in the valid state is used for reflecting that the user has network access permission to access the target network;
a recording module, configured to take the terminal identifier as the target grant terminal identifier of the target identity certificate and to record the correspondence between the target identity certificate and the target grant terminal identifier;
and a sending module, configured to send the target identity certificate corresponding to the account information to the terminal, wherein the target identity certificate is to be installed by the terminal.
11. The apparatus of claim 10, wherein the verification module is further configured to verify the validity of the target identity certificate using at least one piece of check data, the check data recording the validity status of identity certificates, the at least one piece of check data comprising first check data, which is updated in real time, and second check data, which is updated periodically;
and the access module is further configured to prohibit the terminal from accessing the target network when any one piece of the check data is used to determine that the target identity certificate is in an invalid state, and to allow the terminal to access the target network when all of the check data are used to determine that the target identity certificate is in a valid state.
12. The apparatus of claim 11, wherein the first check data comprises data stored in an identity certificate library, and the verification module is further configured to:
query the identity certificate library according to an online certificate status protocol for the validity status of the target identity certificate recorded in the identity certificate library, wherein the validity status is at least one of a valid status and an invalid status, and the validity status of each identity certificate stored in the identity certificate library is updated in real time.
13. The apparatus of claim 11, wherein the second check data comprises data recorded in a certificate revocation list, and the verification module is further configured to:
acquire a periodically updated certificate revocation list, wherein the certificate revocation list records identity certificates in an invalid state;
query whether the certificate revocation list includes the target identity certificate;
when it is determined that the certificate revocation list does not include the target identity certificate, determine that the target identity certificate is in a valid state;
and when it is determined that the certificate revocation list includes the target identity certificate, determine that the target identity certificate is in an invalid state.
14. The apparatus of claim 13, wherein the certificate revocation list further records the expiration time of each identity certificate, and the verification module is further configured to determine that the target identity certificate is in an invalid state when it is determined that the certificate revocation list includes the target identity certificate and the current time of the server is later than the expiration time of the target identity certificate.
15. The apparatus of claim 10, wherein the first network access request further comprises a message to be verified;
the sending module is further configured to send a verification message to the terminal when an identity verification request sent by the terminal is received;
and the generating module is further configured to generate the target identity certificate in a valid state corresponding to the account information when it is determined that the account information belongs to the accessible accounts of the target network and the verification message is consistent with the message to be verified.
16. The apparatus of claim 10, wherein the first network access request further comprises an operating system type of the terminal, and the generating module is further configured to generate a target identity certificate of a target file type, wherein the target file type corresponds to the operating system type.
17. The apparatus of claim 12, wherein the identity certificate library further records the expiration time of the target identity certificate and a user validity status corresponding to the target identity certificate; and the apparatus further comprises:
a detection module, configured to update the validity status of the target identity certificate in the identity certificate library to an invalid status when a setting event is detected, wherein the setting event comprises at least one of the following:
the terminal identifier differs from the target grant terminal identifier;
the current time of the server is later than the expiration time of the target identity certificate recorded in the identity certificate library;
and the user validity status corresponding to the target identity certificate recorded in the identity certificate library is updated to an invalid user status.
18. The apparatus according to any of claims 10-14, wherein the identity certificate comprises at least one of: a country code, the geographical location of the target network, a business name, the domain name of the target network, and the number of days for which the identity certificate is valid.
19. An electronic device, comprising:
one or more processors; and
one or more memories for storing instructions executable by the one or more processors;
wherein the one or more processors are configured to perform the network access authentication method of any one of claims 1-9.
20. A computer readable storage medium, wherein instructions in the computer readable storage medium, when executed by a processor of an electronic device, enable the electronic device to perform the network access authentication method of any one of claims 1-9.
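The server-side flow of claims 1 to 6 and 8, as an added Python model that is not part of the patent: enrollment checks the verification message and binds a newly issued certificate to the requesting terminal identifier, later requests must present that certificate from the same terminal, and the certificate is then checked against a real-time status library (first check data) and a periodically refreshed revocation list with expiration times (second check data). The AuthServer class, the cert-N identifiers and all sample values are assumptions constructed for this illustration.

```python
import secrets
from dataclasses import dataclass


@dataclass
class CertRecord:
    """One row of the identity certificate library (claims 3 and 8)."""
    status: str        # "valid" or "invalid", updated in real time
    expires_at: int    # expiration time recorded in the library
    user_valid: bool   # user validity status tied to the certificate


class AuthServer:
    """Hypothetical server modelling claims 1 to 6 and 8; not the patent's code."""

    def __init__(self, accessible_accounts, crl=None, now=0):
        self.accessible_accounts = set(accessible_accounts)
        self.now = now                 # server clock as an integer, for determinism
        self.grant_map = {}            # certificate -> granted terminal id (claim 1)
        self.cert_library = {}         # certificate -> CertRecord (first check data)
        self.crl = dict(crl or {})     # certificate -> expiration time (second check data)
        self.pending_messages = {}     # terminal id -> verification message (claim 6)
        self._seq = 0

    def issue_verification_message(self, terminal_id):
        """Answer an identity verification request with a one-time message."""
        msg = secrets.token_hex(4)
        self.pending_messages[terminal_id] = msg
        return msg

    def enroll(self, account, terminal_id, message_to_verify, validity_days=30):
        """First network access request: issue a certificate bound to the terminal.
        Returns the certificate identifier, or None when the request is refused."""
        if account not in self.accessible_accounts:
            return None
        expected = self.pending_messages.pop(terminal_id, None)
        if expected is None or expected != message_to_verify:
            return None                # no message issued, or it does not match
        self._seq += 1
        cert = f"cert-{self._seq}"     # constructed stand-in for an issued certificate
        self.cert_library[cert] = CertRecord(
            "valid", self.now + validity_days * 86400, True)
        self.grant_map[cert] = terminal_id   # record the correspondence (claim 1)
        return cert

    def _library_invalid(self, cert):
        """Claim 3: real-time status lookup, in the manner of OCSP."""
        rec = self.cert_library.get(cert)
        return rec is None or rec.status != "valid"

    def _crl_invalid(self, cert):
        """Claims 4 and 5: listed in the CRL and already past its expiration time."""
        return cert in self.crl and self.now > self.crl[cert]

    def _apply_setting_events(self, cert, terminal_id):
        """Claim 8: any setting event flips the library status to invalid."""
        rec = self.cert_library.get(cert)
        if rec is None:
            return
        if (self.grant_map.get(cert) != terminal_id
                or self.now > rec.expires_at
                or not rec.user_valid):
            rec.status = "invalid"

    def authenticate(self, cert, terminal_id):
        """Subsequent network access request (claims 1 and 2). True means allow."""
        self._apply_setting_events(cert, terminal_id)
        granted = self.grant_map.get(cert)
        if granted is None or granted != terminal_id:
            return False               # consistency check failed
        if self._library_invalid(cert) or self._crl_invalid(cert):
            return False               # any one piece of check data says invalid
        return True                    # all check data say valid
```

A certificate presented from a terminal other than the one it was granted to is refused and, following claim 8, marked invalid in the library, so it is also refused afterwards from the original terminal.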
Application CN202110874471.5A (priority date 2021-07-30, filing date 2021-07-30): Network access authentication method and device, electronic equipment and storage medium. Status: Active. Granted publication: CN113630405B (en).

Publications (2)

Publication Number Publication Date
CN113630405A CN113630405A (en) 2021-11-09
CN113630405B true CN113630405B (en) 2023-05-02

Family

ID=78381877


Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116939608A (en) * 2022-04-06 2023-10-24 北京字节跳动网络技术有限公司 Network access control method, device, equipment and storage medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110933112A (en) * 2019-12-26 2020-03-27 视联动力信息技术股份有限公司 Network access authentication method, device and storage medium
CN111698255A (en) * 2020-06-15 2020-09-22 南京领行科技股份有限公司 Service data transmission method, device and system

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7302565B2 (en) * 2003-06-24 2007-11-27 Arraycomm Llc Terminal identity masking in a wireless network
JP4252620B1 (en) * 2008-08-27 2009-04-08 グローバルサイン株式会社 Server certificate issuing system
CN103079200B (en) * 2011-10-26 2016-08-03 国民技术股份有限公司 The authentication method of a kind of wireless access, system and wireless router
CN102595405A (en) * 2012-01-21 2012-07-18 华为技术有限公司 Authentication method, system and equipment for network access
CN105007579B (en) * 2014-04-24 2019-03-15 中国移动通信集团广东有限公司 A kind of access authentication of WLAN method and terminal
CN105101194B (en) * 2014-04-28 2019-07-09 华为技术有限公司 Terminal security authentication method, apparatus and system
CN108270615A (en) * 2017-12-25 2018-07-10 深圳市泰信通信息技术有限公司 Network equipment beginning method, apparatus and equipment based on SDN network controller
CN112311766B (en) * 2020-09-29 2022-04-01 新华三大数据技术有限公司 Method and device for acquiring user certificate and terminal equipment



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant