CN113886793A - Device login method, device, electronic device, system and storage medium - Google Patents


Info

Publication number: CN113886793A
Authority: CN (China)
Prior art keywords: character string, login, public key, management, management device
Legal status: Pending
Application number: CN202110185063.9A
Other languages: Chinese (zh)
Inventor: 吴蔚
Current assignee: Jingdong Technology Holding Co Ltd
Original assignee: Jingdong Technology Holding Co Ltd
Events: application filed by Jingdong Technology Holding Co Ltd; priority to CN202110185063.9A; publication of CN113886793A; current legal status pending.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/31 User authentication
    • G06F 21/33 User authentication using certificates
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/45 Structures or tools for the administration of authentication
    • G06F 21/46 Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/602 Providing cryptographic facilities or services


Abstract

An embodiment of the invention discloses a device login method, an apparatus, an electronic device, a system and a storage medium. The device login method comprises: sending a login request to a target device; receiving an encrypted string returned by the target device, where the encrypted string is obtained by the target device encrypting a first string with the public key of the management device stored in a password-free service configuration table, and where the public key was written into the password-free service configuration table by the target device after it authenticated the management device with a digital certificate provided by the management device and the authentication passed; decrypting the encrypted string with a private key to obtain a second string, and sending the second string to the target device; and receiving a login result returned by the target device, where the login result is obtained by the target device comparing the first string with the second string.

Description

Device login method, device, electronic device, system and storage medium
Technical Field
The present invention relates to computer technology, and in particular to a device login method, an apparatus, an electronic device, a system and a storage medium.
Background
When a target device is logged in to through a management device, the usual login method is the account name/password mode. In the course of developing the present method, the inventor found that with account name/password login the password leaks easily and poses a security risk.
Disclosure of Invention
Embodiments of the invention provide a device login method, an apparatus, an electronic device, a system and a storage medium that can improve communication security.
In a first aspect, an embodiment of the present invention provides a device login method, including:
sending a login request to a target device;
receiving an encrypted string returned by the target device, where the encrypted string is obtained by the target device encrypting a first string with a public key of a management device stored in a password-free service configuration table, and where the public key was written into the password-free service configuration table by the target device after it authenticated the management device with a digital certificate provided by the management device and the authentication passed;
decrypting the encrypted string with a private key to obtain a second string, and sending the second string to the target device;
and receiving a login result returned by the target device, where the login result is obtained by the target device comparing the first string with the second string.
In a second aspect, an embodiment of the present invention provides another device login method, including:
receiving a login request sent by a management device;
encrypting a first string with a public key of the management device stored in a password-free service configuration table to obtain an encrypted string, and sending the encrypted string to the management device, where the public key was written into the password-free service configuration table after the management device was authenticated with a digital certificate provided by the management device and the authentication passed;
receiving a second string sent by the management device, where the second string is obtained by the management device decrypting the encrypted string with a private key;
and comparing the first string with the second string to obtain a login result, and sending the login result to the management device.
In a third aspect, an embodiment of the present invention provides a device login apparatus, including:
a first sending module, configured to send a login request to a target device;
a first receiving module, configured to receive an encrypted string returned by the target device, where the encrypted string is obtained by the target device encrypting a first string with a public key of a management device stored in a password-free service configuration table, and where the public key was written into the password-free service configuration table by the target device after it authenticated the management device with a digital certificate provided by the management device and the authentication passed;
a first decryption module, configured to decrypt the encrypted string with a private key to obtain a second string;
the first sending module being further configured to send the second string to the target device;
and the first receiving module being further configured to receive a login result returned by the target device, where the login result is obtained by the target device comparing the first string with the second string.
In a fourth aspect, an embodiment of the present invention provides another device login apparatus, including:
a second receiving module, configured to receive a login request sent by a management device;
a second encryption module, configured to encrypt a first string with a public key of the management device stored in a password-free service configuration table to obtain an encrypted string, where the public key was written into the password-free service configuration table after the management device was authenticated with a digital certificate provided by the management device and the authentication passed;
a second sending module, configured to send the encrypted string to the management device;
the second receiving module being further configured to receive a second string sent by the management device, where the second string is obtained by the management device decrypting the encrypted string with a private key;
and the second sending module being further configured to compare the first string with the second string to obtain a login result, and to send the login result to the management device.
In a fifth aspect, an embodiment of the present invention further provides an electronic device including a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor, when executing the computer program, implements the device login method of any embodiment of the present invention.
In a sixth aspect, an embodiment of the present invention further provides a device login system including a management device for executing the device login method of any embodiment of the present invention and a target device for executing the device management method of any embodiment of the present invention.
In a seventh aspect, an embodiment of the present invention further provides a computer-readable storage medium on which a computer program is stored, where the computer program, when executed by a processor, implements the device login method of any embodiment of the present invention.
In the embodiment of the invention, a login request is sent to a target device and an encrypted string returned by the target device is received. The encrypted string is obtained by the target device encrypting a first string with the public key of the management device stored in a password-free service configuration table, and that public key was written into the table by the target device after it authenticated the management device with a digital certificate provided by the management device and the authentication passed. The encrypted string is decrypted with a private key to obtain a second string, which is sent to the target device, and a login result returned by the target device is received, where the login result is obtained by the target device comparing the first string with the second string. The embodiment thus provides a password-free login method, which avoids the hidden danger of password leakage. During password-free login the target device authenticates the identity of the management device with a digital certificate, and only when the authentication passes is the public key of the management device written into the password-free service configuration table for use, so both the management device and its public key are verified; this prevents lawless persons from maliciously implanting illegal public keys and improves communication security.
Drawings
To illustrate the technical solutions of the embodiments more clearly, the drawings used in the embodiments are briefly described below. It should be understood that the drawings illustrate only some embodiments of the invention and are not to be regarded as limiting its scope; a person skilled in the art can obtain other related drawings from them without inventive effort.
Fig. 1 is a schematic structural diagram of a device login system according to an embodiment of the present invention.
Fig. 2 is a flowchart illustrating a device login method according to an embodiment of the present invention.
Fig. 3 is another schematic flowchart of a device login method according to an embodiment of the present invention.
Fig. 4 is a schematic diagram of interaction between devices in the device login system according to the embodiment of the present invention.
Fig. 5 is a schematic flowchart of a device login method according to an embodiment of the present invention.
Fig. 6 is a schematic structural diagram of a device login apparatus according to an embodiment of the present invention.
Fig. 7 is another schematic structural diagram of a device login apparatus according to an embodiment of the present invention.
Fig. 8 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention. It should be further noted that, for the convenience of description, only some of the structures related to the present invention are shown in the drawings, not all of the structures.
Referring to fig. 1, fig. 1 is a schematic structural diagram of a device login system according to an embodiment of the present invention. The device login system includes a management device and at least one target device; the at least one target device may include a target device 1, a target device 2, … and a target device n, where n is an integer greater than 2. For example, the management device may be a local device and the target devices may be remote devices, and operation and maintenance personnel can log in to at least one target device through the management device to perform operation, maintenance and management on it. For instance, when the disk of target device 1 is about to be filled by application logs, the operation and maintenance staff may log in to target device 1 through the management device and clean up the log directory or files on target device 1 to free disk space.
In addition, the device login system may further include a key management server, a certificate authority server and a public key distribution server, which may be deployed as a cluster. The key management server provides services such as data encryption, decryption and key management; the certificate authority server provides services such as digital certificate issuance and certificate lifecycle management; and the public key distribution server provides a service for uploading and downloading files or text information.
The configuration of the device login system and the number of devices shown in fig. 1 are merely exemplary and are not limiting.
At present, when a target device is logged in to through a management device, the usual login method is the account name/password mode. Because a password is generally complex and inconvenient to remember, it usually has to be saved in a text file; a specific password might look like: p4 rEsawinti 3gvby1F80Ca564gFhm 12. In actual operation, that password text is often leaked or lost because of weak security awareness, mistakes or deliberate action on the part of operation and maintenance personnel, so a security risk exists.
An embodiment of the invention provides a device login method that can improve communication security. The method can be executed by the device login apparatus provided by the embodiment of the invention, and the apparatus may be implemented in software and/or hardware. In a particular embodiment the apparatus may be integrated in a management device, such as the management device shown in fig. 1. Referring to fig. 2, fig. 2 is a flowchart of a device login method according to an embodiment of the present invention; the method includes the following steps:
Step 201, sending a login request to the target device.
For example, when operation and maintenance management of the target device is needed, the management device may send a login request to the target device in response to an action by an operation and maintenance worker. The login request may include identification information of the management device, such as its user name or account number.
Step 202, receiving an encrypted string returned by the target device, where the encrypted string is obtained by the target device encrypting a first string with the public key of the management device stored in the password-free service configuration table, and where the public key was written into the password-free service configuration table by the target device after it authenticated the management device with a digital certificate provided by the management device and the authentication passed.
In a specific implementation, the management device may generate the key pair consisting of a public key and a private key by itself to avoid data incompatibility problems. For example, an OpenSSH tool may be installed on the management device; the management device uses it to generate the key pair in advance, requests a digital certificate from the certificate authority server with the public key and its own identification information, and then distributes the issued digital certificate and the public key to the target device through the public key distribution server. After receiving the digital certificate and the public key, the target device authenticates the management device on the basis of the digital certificate, for example by checking whether the digital certificate is authentic and valid and whether the public key matches the digital certificate, and writes the public key into the password-free service configuration table after the authentication passes. If a public key of the management device already exists in the password-free service configuration table, the original public key is replaced by the newly obtained one.
When the target device receives a login request from the management device, it may randomly generate a string, namely the first string, look up the public key of the management device in the password-free service configuration table by the identification information of the management device, encrypt the first string with that public key to obtain the encrypted string, and send the encrypted string to the management device, which receives it.
Step 203, decrypting the encrypted string with a private key to obtain a second string, and sending the second string to the target device.
The management device extracts its own private key and decrypts the encrypted string with it, thereby obtaining the second string.
Step 204, receiving a login result returned by the target device, where the login result is obtained by the target device comparing the first string with the second string.
For example, the login result is either success or failure: success when the first string and the second string are the same, failure when they differ.
When the login result is success, the operation and maintenance personnel can perform operation and maintenance management on the target device through the management device; when the login result is failure, they can try to log in to the target device again through the management device.
In this way the whole login process is password-free: no password has to be entered, so the hidden danger of password leakage is avoided. During password-free login the target device authenticates the management device with a digital certificate, and only when the authentication passes is the public key of the management device written into the password-free service configuration table for use, so both the management device and its public key are verified; this prevents illegal persons from maliciously implanting illegal public keys and improves communication security.
Referring to fig. 3, fig. 3 is a flowchart of another device login method according to an embodiment of the present invention. The method may be executed by a device login apparatus according to an embodiment of the present invention, which may be integrated in a management device, for example the management device shown in fig. 1. The device login method may include the following steps:
Step 301, generating a key pair, where the key pair includes a public key and a private key.
For example, the management device may generate the key pair by itself to avoid data incompatibility problems, for instance with an OpenSSH tool installed on it. Of course, in other embodiments the key pair may also be generated for the management device by another device, such as the certificate authority server, which is not limited here. The public key is typically used to encrypt a session key, verify a digital signature, or encrypt data that can be decrypted with the corresponding private key. The public key and the private key are a key pair obtained through an algorithm; the one published to the outside world is called the public key and the one kept by the owner is called the private key, and the key pair obtained through the algorithm is guaranteed to be unique worldwide. When this key pair is used, data encrypted with one of the keys can only be decrypted with the other: data encrypted with the public key must be decrypted with the private key, and data encrypted with the private key must be decrypted with the public key, otherwise decryption fails.
Step 302, requesting a digital certificate from a certificate authority server.
A digital certificate marks the identity information of a communicating party in internet communication and can be used to identify the other party on the internet.
In a specific implementation, so that the target device can authenticate the management device and so that public key distribution can be verified, the management device may send its identification information and the generated public key to the certificate authority server and request that it issue a digital certificate for the management device; the identification information may be the user name, account number or the like of the management device. On receiving the identification information and the public key, the certificate authority server can confirm whether the received public key is owned by the management device and, if so, generate a digital certificate for the management device. The digital certificate may include information about the electronic certificate authority, the identification information of the management device, the public key, the signature of the authority, a validity period and the like. The management device then obtains the digital certificate from the certificate authority server.
Step 303, sending the public key and the digital certificate to the target device through the public key distribution server, so that the target device authenticates the management device with the digital certificate and writes the public key into the password-free service configuration table after the authentication passes.
For example, the management device may package and upload its identification information, public key, digital certificate and the like to the public key distribution server. The target device may periodically download the identification information, public key, digital certificate and the like uploaded by the management device from the public key distribution server and, after downloading, authenticate the management device on the basis of the downloaded information: for example, it may check whether the digital certificate is valid, whether the public key matches the digital certificate and whether the identification information matches the digital certificate, and write the public key into the password-free service configuration table after the authentication passes. If a public key of the management device already exists in the password-free service configuration table, the original public key is replaced by the newly obtained one.
Step 304, encrypting the private key with the key management server to obtain the private key in ciphertext form.
For example, the management device may send an encryption request to the key management server asking it to encrypt the private key, thereby obtaining the private key in ciphertext form. The key management server may encrypt the private key with a symmetric encryption algorithm such as the Advanced Encryption Standard (AES) or SM4.
Step 305, storing the private key in ciphertext form locally.
Storing the private key as ciphertext prevents it from being snooped on or stolen, fundamentally avoids key leakage and tampering, and so ensures the security of the private key.
Step 306, sending a login request to the target device.
For example, when operation and maintenance management needs to be performed on the target device, the management device may send a login request to the target device in response to an action by an operation and maintenance worker; the login request may include the identification information of the management device.
Step 307, receiving an encrypted string returned by the target device, where the encrypted string is obtained by the target device encrypting a first string with the public key of the management device stored in the password-free service configuration table.
In a specific implementation, when the target device receives the login request sent by the management device it may randomly generate a string, namely the first string, look up the public key of the management device in the password-free service configuration table by the identification information of the management device, encrypt the first string with that public key to obtain the encrypted string, and send the encrypted string to the management device, which receives it.
Step 308, decrypting the locally stored private key in ciphertext form with the key management server to obtain the private key in plaintext form.
For example, the management device may send a decryption request to the key management server asking it to decrypt the locally stored ciphertext private key, thereby obtaining the private key in plaintext form.
Step 309, decrypting the encrypted string with the private key in plaintext form to obtain a second string.
Step 310, sending the second string to the target device.
Step 311, receiving a login result returned by the target device, where the login result is obtained by the target device comparing the first string with the second string.
For example, on receiving the second string the target device may compare whether the first string and the second string are the same: if they are the same it returns a login result of success to the management device, and if they differ it returns a login result of failure.
When the login result is success, the operation and maintenance personnel can perform operation and maintenance management on the target device through the management device; when the login result is failure, they can try to log in to the target device again through the management device.
It should be understood that, although the steps in the flowchart of fig. 3 are shown in the order indicated by the arrows, they are not necessarily performed in that order. Unless explicitly stated otherwise, the steps are not strictly limited to the order shown and described and may be performed in other orders. Moreover, at least some of the steps in fig. 3 may include multiple sub-steps or stages that are not necessarily performed at the same time but may be performed at different times, and the sub-steps or stages need not be performed sequentially; they may be performed in turn or alternately with other steps or with sub-steps or stages of other steps.
In the embodiment of the invention, the whole login process is password-free and requires no login password, so the hidden danger of password leakage is avoided. In addition, the private key is stored in ciphertext form, which prevents it from being snooped on or stolen and fundamentally resolves key leakage and tampering: even if the private key ciphertext file is stolen and separated from the key management server it cannot be decrypted, and the key information cannot be used on other unauthorized devices, so the security of the private key is ensured. Furthermore, during password-free login the target device authenticates the management device with a digital certificate, and only when the authentication passes is the public key of the management device written into the password-free service configuration table for use, so both the management device and its public key are verified; this prevents illegal persons from maliciously implanting illegal public keys and improves communication security.
The following describes the device login method according to the embodiment of the present invention, taking logging in the target device 1 shown in fig. 1 as an example, as shown in fig. 4, specifically, the following method may be used:
the management device can generate a key pair comprising a public key and a private key, request the key management server to encrypt the private key to obtain the private key in ciphertext form, and store the private key in ciphertext form locally; in addition, the management device can request a digital certificate from the certificate authority server, then package the public key and the requested digital certificate and upload them to the public key distribution server; the target device 1 downloads the public key and the digital certificate from the public key distribution server, performs identity authentication on the management device by using the digital certificate, and writes the public key into the secret-free service configuration table after the authentication passes.
When the management device needs to log in the target device 1, a login request can be sent to the target device 1, after the target device 1 receives the login request, a first character string can be generated, the first character string is encrypted by using a public key of the management device to obtain an encrypted character string, and the encrypted character string is sent to the management device; the management device requests the key management server to decrypt the private key in the form of the ciphertext stored locally to obtain the private key in the form of the plaintext, decrypts the encrypted character string by using the private key in the form of the plaintext to obtain a second character string, and sends the second character string to the target device 1; when receiving the second character string, the target device 1 may compare whether the first character string and the second character string are the same, and if the first character string and the second character string are the same, may return a successful login result to the management device, and if the first character string and the second character string are not the same, may return a failed login result to the management device.
Referring to fig. 5, fig. 5 is a flowchart of another device login method according to an embodiment of the present invention, where the method may be executed by a device login apparatus according to an embodiment of the present invention, and the apparatus may be integrated in a target device, for example, any one of the target devices shown in fig. 1. The device login method can comprise the following steps:
step 401, receiving a login request sent by a management device.
For example, when the operation and maintenance management of the target device is needed, the management device may send a login request to the target device according to an operation of an operation and maintenance worker, where the login request may include identification information of the management device, where the identification information may be a user name, an account number, and the like of the management device, and the target device receives the login request sent by the management device.
Step 402, encrypting the first character string by using the public key of the management device stored in the secret-free service configuration table to obtain an encrypted character string, and sending the encrypted character string to the management device, wherein the public key is one that the target device wrote into the secret-free service configuration table after performing identity authentication on the management device by using a digital certificate provided by the management device and the authentication passed.
In a specific implementation, the target device may download in advance, from the public key distribution server, the identification information, public key, digital certificate and the like uploaded by the management device, and may then perform identity authentication on the management device based on the downloaded information. For example, the target device may check whether the digital certificate is valid, whether the public key matches the digital certificate, whether the identification information matches the digital certificate, and the like, and write the public key into the secret-free service configuration table after the authentication passes. In addition, if a public key of the management device already exists in the secret-free service configuration table, the original public key can be replaced by the newly obtained public key of the management device.
When the target device receives a login request sent by the management device, it can randomly generate a character string, namely the first character string, extract the public key of the management device from the secret-free service configuration table according to the identification information of the management device, encrypt the first character string with that public key to obtain an encrypted character string, and send the encrypted character string to the management device.
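The registration path described in the fig. 4 overview and in step 402 (the target device downloads identification information, public key and digital certificate from the public key distribution server, checks certificate validity, key-to-certificate and identity-to-certificate match, and only then writes or replaces the entry in the secret-free service configuration table), as an added Go example that is not part of the patent. The `Bundle`, `Table` and `Issue` names, 2048-bit RSA, and the local self-signed CA standing in for the certificate authority server are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Bundle is what the management device uploads to the public key distribution
// server and the target device downloads (field names constructed here).
type Bundle struct {
	Identity string         // identification information, e.g. the account name
	PubKey   *rsa.PublicKey // public key of the management device
	CertDER  []byte         // digital certificate issued by the certificate authority server
}

// Table models the secret-free service configuration table: identity -> public key.
type Table struct{ keys map[string]*rsa.PublicKey }

func NewTable() *Table { return &Table{keys: map[string]*rsa.PublicKey{}} }

// NewKey generates a key pair (2048-bit RSA is a constructed choice).
func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Register runs the checks named for step 402 before writing the public key:
// the certificate chains to the trusted CA and is inside its validity period,
// the uploaded public key is the one bound in the certificate, and the identity
// equals the certificate subject. An existing entry for the identity is replaced.
func (t *Table) Register(roots *x509.CertPool, b Bundle, now time.Time) error {
	cert, err := x509.ParseCertificate(b.CertDER)
	if err != nil {
		return err
	}
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate rejected: %w", err)
	}
	certPub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok || b.PubKey == nil || !certPub.Equal(b.PubKey) {
		return errors.New("uploaded public key does not match certificate")
	}
	if cert.Subject.CommonName != b.Identity {
		return errors.New("identification information does not match certificate")
	}
	t.keys[b.Identity] = b.PubKey // overwrites any earlier key for this identity
	return nil
}

// Lookup returns the registered public key for an identity.
func (t *Table) Lookup(identity string) (*rsa.PublicKey, bool) {
	k, ok := t.keys[identity]
	return k, ok
}

// Issue creates a self-signed CA certificate (parent == nil) or a leaf signed by
// that CA, standing in for the certificate authority server; signerKey is the
// CA private key in both cases.
func Issue(cn string, pub *rsa.PublicKey, parent *x509.Certificate,
	signerKey *rsa.PrivateKey, notBefore time.Time) ([]byte, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent = tmpl
	}
	return x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
}

func main() {
	now := time.Now()
	caKey, _ := NewKey()
	caDER, _ := Issue("ops-ca", &caKey.PublicKey, nil, caKey, now.Add(-time.Hour))
	ca, _ := x509.ParseCertificate(caDER)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	mgmtKey, _ := NewKey()
	leafDER, _ := Issue("mgmt-01", &mgmtKey.PublicKey, ca, caKey, now.Add(-time.Hour))
	tbl := NewTable()
	fmt.Println("register:", tbl.Register(roots, Bundle{"mgmt-01", &mgmtKey.PublicKey, leafDER}, now))
}
```

A bundle that fails any of the three checks leaves the table untouched, so a swapped public key or a certificate issued to a different identity never reaches the login path.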
And step 403, receiving a second character string sent by the management device, wherein the second character string is obtained by the management device decrypting the encrypted character string by using a private key.
For example, when receiving the encrypted character string, the management device may extract its own private key, decrypt the encrypted character string using the private key, thereby obtaining a second character string, and send the second character string to the target device, where the target device receives the second character string sent by the management device.
And step 404, comparing the first character string with the second character string to obtain a login result, and sending the login result to the management device.
For example, when receiving the second character string, the target device may compare whether the first character string and the second character string are the same, if so, may return a successful login result to the management device, and if not, may return a failed login result to the management device.
When the login result is successful, the operation and maintenance personnel can perform operation and maintenance management on the target equipment through the management equipment, and when the login result is failed, the operation and maintenance personnel can try to log in the target equipment again through the management equipment.
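Steps 401 to 404 with both sides of the exchange, including the private key kept only in ciphertext form and unwrapped through the key management server for each login (the fig. 4 overview and claims 3 and 4), as an added Go example that is not part of the patent. The `KMS`, `ManagementDevice` and `TargetDevice` names, AES-GCM as the key management server's wrapping scheme, a 32-byte random first string and RSA-OAEP as the encryption of that string are assumptions the patent does not specify.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"errors"
)

// KMS stands in for the key management server: the master key stays here and the management device stores only the wrapped key (AES-GCM is a constructed choice).
type KMS struct{ aead cipher.AEAD }

func NewKMS(masterKey []byte) (*KMS, error) {
	block, err := aes.NewCipher(masterKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &KMS{aead: aead}, err
}

// Wrap returns nonce||ciphertext of the DER private key (its ciphertext form).
func (k *KMS) Wrap(der []byte) ([]byte, error) {
	nonce := make([]byte, k.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return k.aead.Seal(nonce, nonce, der, nil), nil
}

// Unwrap reverses Wrap; a tampered blob fails GCM authentication.
func (k *KMS) Unwrap(blob []byte) ([]byte, error) {
	n := k.aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("wrapped key too short")
	}
	return k.aead.Open(nil, blob[:n], blob[n:], nil)
}

// ManagementDevice keeps only the ciphertext form of its private key.
type ManagementDevice struct{ privCipher []byte; kms *KMS }

// NewManagementDevice generates the key pair, has the KMS encrypt the private key and returns the public key for registration (certificate step omitted).
func NewManagementDevice(kms *KMS) (*ManagementDevice, *rsa.PublicKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	blob, err := kms.Wrap(x509.MarshalPKCS1PrivateKey(key))
	return &ManagementDevice{privCipher: blob, kms: kms}, &key.PublicKey, err
}

// Respond is step 403 on the management side: the KMS unwraps the private key for this call only, the encrypted string is decrypted and the second string returned.
func (m *ManagementDevice) Respond(encrypted []byte) ([]byte, error) {
	der, err := m.kms.Unwrap(m.privCipher)
	if err != nil {
		return nil, err
	}
	priv, err := x509.ParsePKCS1PrivateKey(der)
	if err != nil {
		return nil, err
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, encrypted, nil)
}

// TargetDevice holds the secret-free service configuration table and the first string outstanding for each management device.
type TargetDevice struct {
	table   map[string]*rsa.PublicKey
	pending map[string][]byte
}

// LoginRequest is steps 401-402: look up the public key by identity, generate a random first string and return it encrypted (RSA-OAEP is a constructed choice).
func (d *TargetDevice) LoginRequest(identity string) ([]byte, error) {
	pub, ok := d.table[identity]
	if !ok {
		return nil, errors.New("management device not registered")
	}
	first := make([]byte, 32)
	if _, err := rand.Read(first); err != nil {
		return nil, err
	}
	if d.pending == nil {
		d.pending = map[string][]byte{}
	}
	d.pending[identity] = first
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, first, nil)
}

// Complete is step 404: constant-time comparison of first and second string; the first string is consumed either way, so it cannot be replayed later.
func (d *TargetDevice) Complete(identity string, second []byte) bool {
	first, ok := d.pending[identity]
	delete(d.pending, identity)
	return ok && subtle.ConstantTimeCompare(first, second) == 1
}
```

The plaintext private key exists only inside `Respond`, which is the property the patent attributes to storing the key in ciphertext form; a management device whose identity is not in the table never receives a first string at all.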
The whole login process is thus a secret-free login: no login password is needed, so the hidden danger of password leakage is avoided; during the secret-free login the target device authenticates the management device with a digital certificate and, when the authentication passes, writes the public key of the management device into the secret-free service configuration table for use, so that both the management device and its public key are verified, illegal persons are prevented from maliciously implanting illegal public keys, and communication security is improved.
Fig. 6 is a structural diagram of a device login apparatus according to an embodiment of the present invention, where the apparatus is adapted to execute the device login method according to an embodiment of the present invention, and the apparatus may be integrated on a management device. As shown in fig. 6, the apparatus may specifically include:
a first sending module 501, configured to send a login request to a target device;
a first receiving module 502, configured to receive an encrypted string returned by the target device, where the encrypted string is obtained by the target device encrypting a first string with the public key of the management device stored in a secret-free service configuration table, and where the public key is one that the target device wrote into the secret-free service configuration table after performing identity authentication on the management device with a digital certificate provided by the management device and the authentication passed;
the first decryption module 503 is configured to decrypt the encrypted character string with a private key to obtain a second character string;
the first sending module 501 is further configured to send the second character string to the target device;
the first receiving module 502 is further configured to receive a login result returned by the target device, where the login result is obtained by the target device comparing the first character string with the second character string.
In one embodiment, the apparatus further comprises:
and the key generation module is used for generating a key pair, and the key pair comprises the public key and the private key.
In one embodiment, the apparatus further comprises:
a request module for requesting the digital certificate from a certificate authority server;
the first sending module 501 is further configured to send the public key and the digital certificate to the target device through a public key distribution server, so that the target device performs identity authentication on the management device by using the digital certificate and writes the public key into the secret-free service configuration table after the authentication is passed.
In one embodiment, the apparatus further comprises:
the key management module is used for encrypting the private key by using a key management server to obtain the private key in a ciphertext form; storing the private key in the ciphertext form locally.
In one embodiment, the first decryption module 503 is specifically configured to,
decrypting the private key in the ciphertext form stored locally by using the key management server to obtain the private key in a plaintext form;
and decrypting the encrypted character string by using the private key in the plaintext form to obtain the second character string.
In one embodiment, when the first string and the second string are the same, the login result is a success, and when the first string and the second string are different, the login result is a failure.
It is obvious to those skilled in the art that, for convenience and simplicity of description, the foregoing division of the functional modules is merely used as an example, and in practical applications, the above function distribution may be performed by different functional modules according to needs, that is, the internal structure of the device is divided into different functional modules to perform all or part of the above described functions. For the specific working process of the functional module, reference may be made to the corresponding process in the foregoing method embodiment, which is not described herein again.
The device of the embodiment of the invention can log in to the target device by a secret-free login, thereby avoiding the hidden danger of password leakage; during the secret-free login the target device can authenticate the management device with a digital certificate and, when the authentication passes, writes the public key of the management device into the secret-free service configuration table for use, so that both the management device and its public key are verified, lawless persons are prevented from implanting illegal public keys, and communication security is improved.
Fig. 7 is a block diagram of a device login apparatus according to an embodiment of the present invention, which is suitable for executing the device login method according to an embodiment of the present invention, and the apparatus may be integrated on a target device. As shown in fig. 7, the apparatus may specifically include:
a second receiving module 601, configured to receive a login request sent by a management device;
a second encryption module 602, configured to encrypt the first character string by using a public key of the management device stored in a secret-free service configuration table to obtain an encrypted character string, where the public key is obtained by performing identity authentication on the management device by using a digital certificate provided by the management device and is written in the secret-free service configuration table after the authentication is passed;
a second sending module 603, configured to send the encrypted character string to the management device;
the second receiving module 601 is further configured to receive a second character string sent by the management device, where the second character string is obtained by the management device decrypting the encrypted character string by using a private key;
the second sending module 603 is further configured to compare the first character string and the second character string to obtain a login result, and send the login result to the management device.
In one embodiment, the apparatus further comprises:
an obtaining module, configured to obtain the public key and the digital certificate provided by the management device from a public key distribution server;
and the writing module is used for carrying out identity authentication on the management equipment by using the digital certificate and writing the public key into the secret-free service configuration table after the authentication is passed.
The device of the embodiment of the invention allows the management device to log in to the target device without a password, so the hidden danger of password leakage is avoided; during the secret-free login the target device authenticates the management device with a digital certificate and, when the authentication passes, writes the public key of the management device into the secret-free service configuration table for use, so that both the management device and its public key are verified, lawless persons are prevented from implanting illegal public keys, and communication security is improved.
The embodiment of the present invention further provides an electronic device, which includes a memory, a processor, and a computer program that is stored in the memory and can be run on the processor, and when the processor executes the computer program, the device login method provided in any of the above embodiments is implemented.
The embodiment of the invention also provides a computer readable medium, on which a computer program is stored, and the program is executed by a processor to implement the device login method provided by any one of the above embodiments.
Referring now to fig. 8, a block diagram of a computer system 700 suitable for implementing the electronic device of an embodiment of the present invention is shown. The electronic device shown in fig. 8 is only an example and should not impose any limitation on the functions and scope of use of the embodiments of the present invention.
As shown in fig. 8, the computer system 700 includes a Central Processing Unit (CPU)701, which can perform various appropriate actions and processes in accordance with a program stored in a Read Only Memory (ROM)702 or a program loaded from a storage section 708 into a Random Access Memory (RAM) 703. In the RAM 703, various programs and data necessary for the operation of the system 700 are also stored. The CPU 701, the ROM 702, and the RAM 703 are connected to each other via a bus 704. An input/output (I/O) interface 705 is also connected to bus 704.
The following components are connected to the I/O interface 705: an input portion 706 including a keyboard, a mouse, and the like; an output section 707 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage section 708 including a hard disk and the like; and a communication section 709 including a network interface card such as a LAN card, a modem, or the like. The communication section 709 performs communication processing via a network such as the internet. A drive 710 is also connected to the I/O interface 705 as needed. A removable medium 711 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 710 as necessary, so that a computer program read out therefrom is mounted into the storage section 708 as necessary.
In particular, according to the embodiments of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program can be downloaded and installed from a network through the communication section 709, and/or installed from the removable medium 711. The computer program performs the above-described functions defined in the system of the present invention when executed by the Central Processing Unit (CPU) 701.
It should be noted that the computer readable medium shown in the present invention can be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present invention, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present invention, however, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The modules and/or units described in the embodiments of the present invention may be implemented by software, and may also be implemented by hardware. The described modules and/or units may also be provided in a processor, and may be described as: a processor comprises a first sending module, a first receiving module and a first decryption module; or may be described as: a processor includes a second receiving module, a second encryption module, and a second sending module. Wherein the names of the modules do not in some cases constitute a limitation of the module itself.
As another aspect, the present invention also provides a computer-readable medium that may be contained in the apparatus described in the above embodiments; or may be separate and not incorporated into the device. The computer readable medium carries one or more programs which, when executed by a device, cause the device to comprise: sending a login request to target equipment; receiving an encrypted character string returned by the target device, wherein the encrypted character string is obtained by encrypting a first character string by the target device by using a public key of a management device stored in a secret-free service configuration table, and the public key is obtained by performing identity authentication on the management device by using a digital certificate provided by the management device by the target device and writing the public key into the secret-free service configuration table after the authentication is passed; decrypting the encrypted character string by using a private key to obtain a second character string, and sending the second character string to the target equipment; and receiving a login result returned by the target equipment, wherein the login result is obtained by comparing the first character string with the second character string by the target equipment.
Or when the one or more programs are executed by an apparatus, cause the apparatus to include: receiving a login request sent by management equipment; encrypting a first character string by using a public key of the management equipment stored in a secret-free service configuration table to obtain an encrypted character string, and sending the encrypted character string to the management equipment, wherein the public key is used for performing identity authentication on the management equipment by using a digital certificate provided by the management equipment and writing the public key into the secret-free service configuration table after the authentication is passed; receiving a second character string sent by the management device, wherein the second character string is obtained by the management device decrypting the encrypted character string by using a private key; and comparing the first character string with the second character string to obtain a login result, and sending the login result to the management equipment.
According to the technical scheme of the embodiment of the invention, a way of logging in to the target device without a password is provided, so the hidden danger of password leakage is avoided; during the secret-free login the target device can authenticate the management device with a digital certificate and, when the authentication passes, writes the public key of the management device into the secret-free service configuration table for use, so that both the management device and its public key are verified, illegal persons are prevented from maliciously implanting illegal public keys, and communication security is improved.
The above-described embodiments should not be construed as limiting the scope of the invention. Those skilled in the art will appreciate that various modifications, combinations, sub-combinations, and substitutions can occur, depending on design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (13)

1. A device login method, comprising:
sending a login request to target equipment;
receiving an encrypted character string returned by the target device, wherein the encrypted character string is obtained by encrypting a first character string by the target device by using a public key of a management device stored in a secret-free service configuration table, and the public key is obtained by performing identity authentication on the management device by using a digital certificate provided by the management device by the target device and writing the public key into the secret-free service configuration table after the authentication is passed;
decrypting the encrypted character string by using a private key to obtain a second character string, and sending the second character string to the target equipment;
and receiving a login result returned by the target equipment, wherein the login result is obtained by comparing the first character string with the second character string by the target equipment.
2. The device login method according to claim 1, further comprising, before sending the login request to the target device:
requesting the digital certificate from a certificate authority server;
and sending the public key and the digital certificate to the target equipment through a public key distribution server, so that the target equipment performs identity authentication on the management equipment by using the digital certificate and writes the public key into the secret-free service configuration table after the authentication is passed.
3. The device login method according to claim 1, further comprising, before sending the login request to the target device:
encrypting the private key by using a key management server to obtain the private key in a ciphertext form;
storing the private key in the ciphertext form locally.
4. The device login method according to claim 3, wherein decrypting the encrypted string with a private key to obtain a second string comprises:
decrypting the private key in the ciphertext form stored locally by using the key management server to obtain the private key in a plaintext form;
and decrypting the encrypted character string by using the private key in the plaintext form to obtain the second character string.
5. The device login method according to claim 1, wherein the login result is a success when the first character string and the second character string are the same, and the login result is a failure when the first character string and the second character string are different.
6. The device login method according to claim 1, further comprising, before sending the login request to the target device:
generating a key pair, the key pair comprising the public key and the private key.
7. A device login method, comprising:
receiving a login request sent by management equipment;
encrypting a first character string by using a public key of the management equipment stored in a secret-free service configuration table to obtain an encrypted character string, and sending the encrypted character string to the management equipment, wherein the public key is used for performing identity authentication on the management equipment by using a digital certificate provided by the management equipment and writing the public key into the secret-free service configuration table after the authentication is passed;
receiving a second character string sent by the management device, wherein the second character string is obtained by the management device decrypting the encrypted character string by using a private key;
and comparing the first character string with the second character string to obtain a login result, and sending the login result to the management equipment.
8. The device login method according to claim 7, further comprising, before receiving the login request sent by the management device:
acquiring the public key and the digital certificate provided by the management device from a public key distribution server;
and performing identity authentication on the management equipment by using the digital certificate, and writing the public key into the secret-free service configuration table after the authentication is passed.
9. An apparatus login device, comprising:
the first sending module is used for sending a login request to the target equipment;
a first receiving module, configured to receive an encrypted string returned by the target device, where the encrypted string is obtained by encrypting, by the target device, a first string with a public key of a management device stored in a secret-free service configuration table, and the public key is obtained by the target device performing identity authentication on the management device with a digital certificate provided by the management device and writing the public key into the secret-free service configuration table after the authentication is passed;
the first decryption module is used for decrypting the encrypted character string by using a private key to obtain a second character string;
the first sending module is further configured to send the second character string to the target device;
the first receiving module is further configured to receive a login result returned by the target device, where the login result is obtained by the target device comparing the first character string with the second character string.
10. An apparatus login device, comprising:
the second receiving module is used for receiving a login request sent by the management equipment;
the second encryption module is used for encrypting the first character string by using a public key of the management equipment stored in a secret-free service configuration table to obtain an encrypted character string, wherein the public key is used for performing identity authentication on the management equipment by using a digital certificate provided by the management equipment and is written into the secret-free service configuration table after the authentication is passed;
a second sending module, configured to send the encrypted character string to the management device;
the second receiving module is further configured to receive a second character string sent by the management device, where the second character string is obtained by the management device decrypting the encrypted character string with a private key;
the second sending module is further configured to compare the first character string and the second character string to obtain a login result, and send the login result to the management device.
11. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the device login method according to any one of claims 1 to 6 when executing the program, or the processor implements the device login method according to claim 7 or 8 when executing the program.
12. A device login system comprising a management device for performing the device login method according to any one of claims 1 to 6, and a target device for performing the device login method according to claim 7 or 8.
13. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, implements a device login method according to any one of claims 1 to 6, or which, when being executed by a processor, implements a device login method according to claim 7 or 8.
CN202110185063.9A 2021-02-10 2021-02-10 Device login method, device, electronic device, system and storage medium Pending CN113886793A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110185063.9A CN113886793A (en) 2021-02-10 2021-02-10 Device login method, device, electronic device, system and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110185063.9A CN113886793A (en) 2021-02-10 2021-02-10 Device login method, device, electronic device, system and storage medium

Publications (1)

Publication Number Publication Date
CN113886793A true CN113886793A (en) 2022-01-04

Family

ID=79013091

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110185063.9A Pending CN113886793A (en) 2021-02-10 2021-02-10 Device login method, device, electronic device, system and storage medium

Country Status (1)

Country Link
CN (1) CN113886793A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115174236A (en) * 2022-07-08 2022-10-11 上海百家云科技有限公司 Authentication method, authentication device, electronic equipment and storage medium
CN115277191A (en) * 2022-07-27 2022-11-01 中国工商银行股份有限公司 Health check method and device for background server

Similar Documents

Publication Publication Date Title
CN108650082B (en) Encryption and verification method of information to be verified, related device and storage medium
US9917829B1 (en) Method and apparatus for providing a conditional single sign on
US20220191012A1 (en) Methods For Splitting and Recovering Key, Program Product, Storage Medium, and System
US9674158B2 (en) User authentication over networks
CN106936577B (en) Method, terminal and system for certificate application
US8904504B2 (en) Remote keychain for mobile devices
CN105915338B (en) Generate the method and system of key
US20140096213A1 (en) Method and system for distributed credential usage for android based and other restricted environment devices
US11831753B2 (en) Secure distributed key management system
CN106936588B (en) Hosting method, device and system of hardware control lock
CN110611657A (en) File stream processing method, device and system based on block chain
CN108809633B (en) Identity authentication method, device and system
KR101648364B1 (en) Method for improving encryption/decryption speed by complexly applying for symmetric key encryption and asymmetric key double encryption
CN103684766A (en) Private key protection method and system for terminal user
CN112565265B (en) Authentication method, authentication system and communication method between terminal devices of Internet of things
CN111538977A (en) Cloud API key management method, cloud platform access method, cloud API key management device, cloud platform access device and server
CN113886793A (en) Device login method, device, electronic device, system and storage medium
CN116244750A (en) Secret-related information maintenance method, device, equipment and storage medium
CN107171814A (en) A kind of digital certificate updating method and device
US20190305940A1 (en) Group shareable credentials
CN110807210B (en) Information processing method, platform, system and computer storage medium
CN110602075A (en) File stream processing method, device and system for encryption access control
KR102053993B1 (en) Method for Authenticating by using Certificate
CN114021111B (en) Login authentication method, login authentication device, electronic equipment and computer readable storage medium
CN112769560B (en) Key management method and related device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination