CN113918251B - User access control method and device for equipment isolation - Google Patents


Publication number
CN113918251B
Authority
CN
China
Prior art keywords
user
partition
verification
equipment
code
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202111097860.8A
Other languages
Chinese (zh)
Other versions
CN113918251A (en
Inventor
张腾怀
孙维华
邢智涣
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhongbiao Huian Information Technology Co Ltd
Original Assignee
Zhongbiao Huian Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zhongbiao Huian Information Technology Co Ltd filed Critical Zhongbiao Huian Information Technology Co Ltd
Priority to CN202111097860.8A priority Critical patent/CN113918251B/en
Publication of CN113918251A publication Critical patent/CN113918251A/en
Application granted granted Critical
Publication of CN113918251B publication Critical patent/CN113918251B/en

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/451 Execution arrangements for user interfaces
    • G06F9/452 Remote windowing, e.g. X-Window System, desktop virtualisation
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication

Abstract

The application provides a device-isolated user access control method and apparatus, and relates to the technical field of computers. In the method, a user service partition, an equipment service partition, a common application partition, a security partition and a control partition are first constructed, and corresponding functional services are configured for each constructed partition; introducing the user service partition allows the logins of different users to be managed uniformly. Based on this partition architecture and the coordination among the partitions, data transmission between the virtualized equipment and the physical equipment can be uniformly controlled, which improves the overall security and reliability of the system and the quality of information flow control.

Description

User access control method and device for equipment isolation
Technical Field
The present application relates to the field of computer technologies, and in particular, to a method and an apparatus for controlling user access with isolated devices.
Background
Virtualization refers to a computer running on a virtual basis rather than a real basis. Virtualization technology can enlarge the capacity of hardware and simplify the reconfiguration process of software. For example, a computer may be virtualized into multiple logical computers through virtualization techniques. A plurality of logic computers are simultaneously operated on one computer, each logic computer can operate different operating systems, and application programs can operate in mutually independent spaces without mutual influence, so that the working efficiency of the computer is obviously improved.
Virtualized devices can be implemented using virtualization technology. Although this isolates the user from the physical device, data transmission between the virtualized device and the physical device is not uniformly controlled, and the logins of different users are difficult to manage uniformly; this technical problem needs to be solved.
Disclosure of Invention
In view of the above, the present application is proposed to provide a device isolated user access control method and apparatus that overcomes or at least partially solves the above mentioned problems. The technical scheme is as follows:
in a first aspect, a method for controlling user access in device isolation is provided, where the method includes:
constructing a user service partition, an equipment service partition, a common application partition, a security partition and a control partition for a system in advance, and configuring corresponding functional services for each constructed partition;
after the system is started, the user service partition takes over equipment for interacting with the user and provides a uniform login interface for the user;
when a login request containing login account information and submitted by a user through the login interface is received, the user service partition requests the control partition to use the system according to the login request;
the control partition receives a request for using the system from the user service partition, transmits the request for using the system to the security partition, and then the security partition returns a corresponding user security level to the control partition according to the login account information; then the control partition creates a login session of the user, and allocates a common application partition to provide application support for the user according to the user security level;
the common application partition transmits the interactive data of the user and the equipment to a bottom-layer partition support kernel through an inter-partition communication channel in a session process; the partition support kernel forwards the interactive data to the equipment service partition through a control instruction issued by a communication channel between management partitions; and the equipment service partition executes a corresponding service program according to the interaction data so as to realize the access and interaction of the user to the equipment.
In one possible implementation, the user service partition taking over the equipment used for interacting with the user includes:
the user service partition adopts virtualization technology to perform virtualization operation on equipment used for interacting with a user to obtain virtualized equipment, and then manages the virtualized equipment to take over the equipment used for interacting with the user;
the common application partition transmitting the interactive data of the user and the equipment to a bottom-layer partition support kernel through an inter-partition communication channel in a session process includes:
the common application partition transmits the interactive data of the user and the virtualized equipment to the bottom-layer partition support kernel through the inter-partition communication channel in a session process.
In another possible implementation manner, the method further includes: the common application partition divides applications into different security domains according to the security control policy and provides application service support for the system.
In another possible implementation manner, the requesting, by the user service partition, a system to be used from the control partition according to the login request includes:
the user service partition verifies the login account information according to the login request, and if the verification passes, the user service partition requests the control partition to use the system; if the verification fails, prompt information indicating that the login account information failed verification is returned to the user.
In another possible implementation manner, after the login account information submitted by the user passes verification, the system performs secondary verification, and the secondary verification process is as follows:
step A1, popping up a secondary verification interface after the login account information submitted by the user passes verification, prompting the user to input a dynamic verification code, and if the dynamic verification code is correct, passing the secondary verification and enabling the user to enter a system; otherwise, the user cannot enter the system; the verification code generation logic of the user secondary verification is as follows:
after a user registers an account for the first time, a system generates a unique security code according to account information, equipment information and registration time information registered by the user, wherein a calculation formula of the security code M is as follows:
Figure BDA0003269603240000031
wherein T is the millisecond system timestamp at which the user first successfully registers the account, a 13-digit integer; s is the binary value corresponding to the device ID of the system at that time; and u is the binary value corresponding to the device ID of the user;
step A2, after the user successfully registers the account for the first time, the system generates a security code M and generates a two-dimensional code corresponding to the security code M, the user scans the two-dimensional code on the mobile device and inputs two dynamic verification codes to complete binding verification of the mobile device, and the generation formula of the dynamic verification codes is as follows:
Figure BDA0003269603240000032
wherein pi is 3.14, t is the millisecond timestamp when the dynamic verification code is input, and m_t is the dynamic verification code with timestamp t, i.e.,
Figure BDA0003269603240000033
for convenient input, each time m_t is generated, after the decimal point is ignored, the first 6 digits are taken as the final dynamic verification code, and after the user inputs the correct final dynamic verification code twice, the binding verification of the mobile equipment is completed;
step A3, the final dynamic verification code is generated in real time on the user's mobile equipment; at each subsequent login, once the login account information has been verified, the user inputs the final dynamic verification code and enters the system after it passes verification.
In a second aspect, an apparatus for controlling access to a device isolated user is provided, the apparatus comprising:
a construction module, configured to construct in advance a user service partition, an equipment service partition, a common application partition, a security partition and a control partition for a system, and to configure corresponding functional services for each constructed partition;
a control module, configured so that, after the system is started, the user service partition takes over the equipment used for interacting with the user and provides a uniform login interface for the user; and
when a login request containing login account information and submitted by a user through the login interface is received, the user service partition requests the control partition to use the system according to the login request;
the control partition receives a request for using the system from the user service partition, transmits the request for using the system to the security partition, and then the security partition returns a corresponding user security level to the control partition according to the login account information; then the control partition creates a login session of the user and allocates a common application partition to provide application support for the user according to the user security level;
the common application partition transmits the interactive data of the user and the equipment to a bottom-layer partition support kernel through an inter-partition communication channel in a session process; the partition support kernel forwards the interactive data to the equipment service partition through a control instruction issued by a communication channel between management partitions; and the equipment service partition executes a corresponding service program according to the interaction data so as to realize the access and interaction of the user to the equipment.
In one possible implementation, the control module is further configured to:
the user service partition adopts virtualization technology to perform virtualization operation on equipment used for interacting with a user to obtain virtualized equipment, and then manages the virtualized equipment to take over the equipment used for interacting with the user;
and the common application partition transmits the interactive data of the user and the virtualization equipment to a bottom-layer partition support kernel through an inter-partition communication channel in a session process.
In another possible implementation manner, the control module is further configured to:
the common application partition divides applications into different security domains according to the security control policy and provides application service support for the system.
In another possible implementation manner, the building module is further configured to:
the user service partition verifies the login account information according to the login request, and if the verification passes, the user service partition requests the control partition to use the system; if the verification fails, prompt information indicating that the login account information failed verification is returned to the user.
In another possible implementation manner, the control module is further configured to:
after the login account information submitted by the user passes the verification, the system performs secondary verification, and the secondary verification process comprises the following steps:
step A1, popping up a secondary verification interface after the login account information submitted by the user passes verification, prompting the user to input a dynamic verification code, if the dynamic verification code is correct, passing the secondary verification, and enabling the user to enter a system; otherwise, the user cannot enter the system; the verification code generation logic of the user secondary verification is as follows:
after a user registers an account for the first time, a system generates a unique security code according to account information, equipment information and registration time information registered by the user, wherein a calculation formula of the security code M is as follows:
Figure BDA0003269603240000051
wherein T is the millisecond system timestamp at which the user first successfully registers the account, a 13-digit integer; s is the binary value corresponding to the device ID of the system at that time; and u is the binary value corresponding to the user registration account ID;
step A2, after the user successfully registers the account for the first time, the system generates a security code M and generates a two-dimensional code corresponding to the security code M, the user scans the two-dimensional code on the mobile device and inputs two dynamic verification codes to complete binding verification of the mobile device, and the generation formula of the dynamic verification codes is as follows:
Figure BDA0003269603240000052
wherein pi is 3.14, t is the millisecond timestamp when the dynamic verification code is input, and m_t is the dynamic verification code with timestamp t, i.e.,
Figure BDA0003269603240000053
for convenient input, each time m_t is generated, after the decimal point is ignored, the first 6 digits are taken as the final dynamic verification code, and after the user inputs the correct final dynamic verification code twice, the binding verification of the mobile equipment is completed;
step A3, the final dynamic verification code is generated in real time on the user's mobile equipment; at each subsequent login, once the login account information has been verified, the user inputs the final dynamic verification code and enters the system after it passes verification.
With the above technical solution, the device-isolated user access control method provided by the embodiment of the application first constructs a user service partition, an equipment service partition, a common application partition, a security partition and a control partition, and configures corresponding functional services for each constructed partition; introducing the user service partition allows the logins of different users to be managed uniformly. Based on this partition architecture and the coordination among the partitions, data transmission between the virtualized equipment and the physical equipment can be uniformly controlled, which improves the overall security and reliability of the system and the quality of information flow control.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings used in the description of the embodiments of the present application will be briefly described below.
FIG. 1 shows a flow diagram of a device isolated user access control method according to an embodiment of the application;
fig. 2 shows a block diagram of a device-isolated user access control apparatus according to an embodiment of the application.
Detailed Description
Exemplary embodiments of the present application will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present application are shown in the drawings, it should be understood that the present application may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
It should be noted that the terms "first," "second," and the like in the description and claims of this application and in the accompanying drawings are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that such uses are interchangeable under appropriate circumstances such that the embodiments of the application described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the term "include" and its variants are to be read as open-ended terms meaning "including, but not limited to".
The embodiment of the application provides a user access control method for device isolation, which can be applied to electronic devices such as a server, a personal computer, a smart phone, a tablet computer, and a smart watch, and as shown in fig. 1, the user access control method for device isolation may include the following steps S101 to S105:
step S101, constructing a user service partition, an equipment service partition, a common application partition, a security partition and a control partition for a system in advance, and configuring corresponding functional services for each constructed partition;
step S102, after the system is started, the user service partition takes over the equipment used for interacting with the user and provides a uniform login interface for the user;
step S103, when a login request containing login account information submitted by a user through a login interface is received, the user service partition requests the control partition to use the system according to the login request;
step S104, the control partition receives a request for using the system from the user service partition, transmits the request for using the system to the security partition, and then the security partition returns a corresponding user security level to the control partition according to the login account information; then, the control partition creates a login session of the user, and allocates a common application partition to provide application support for the user according to the user security level;
step S105, the common application partition transmits the interactive data of the user and the equipment to a bottom partition support kernel through an inter-partition communication channel in the session process; the partition support kernel forwards the interactive data to the equipment service partition through a control instruction issued by a communication channel between the management partitions; and the equipment service partition executes a corresponding service program according to the interactive data so as to realize the access and interaction of the user to the equipment.
The device-isolated user access control method provided by the embodiment of the application first constructs a user service partition, an equipment service partition, a common application partition, a security partition and a control partition, and configures corresponding functional services for each constructed partition; introducing the user service partition allows the logins of different users to be managed uniformly. Based on this partition architecture and the coordination among the partitions, data transmission between the virtualized equipment and the physical equipment can be uniformly controlled, which improves the overall security and reliability of the system and the quality of information flow control.
In step S101, when configuring corresponding functional services for each constructed partition, the following configuration may be specifically made:
1) User service partition: the login service partition that all users access uniformly;
2) Equipment service partition: runs equipment-related service programs according to the requirements of different equipment, and processes equipment interaction data transmitted by other partitions;
3) Common application partition: hosts applications, which can be divided into different security domains according to security control, and provides application service support for the system;
4) Security partition: manages the security control information and user management information of the entire system;
5) Control partition: controls the information flow of the whole system, and carries out information management and control according to the security instructions transmitted by the security partition.
It can be seen that, based on the above partition architecture and the function configuration of each partition, the partitions can coordinate with each other, so that the system can perform unified control on data transmission between the virtualized device and the physical device, thereby improving the overall safety and reliability of the system and the quality of information flow control.
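The flow of steps S103 to S105 can be sketched as a small model; this is an added example, not code from the patent. The class names, the management token, the accounts, the security levels and the partition names `app-low`/`app-high` are all constructed for illustration.

```python
"""Toy model of steps S103-S105. Accounts, levels and partition names are constructed."""
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    session_id: str
    account: str
    level: int
    app_partition: str


class SecurityPartition:
    """Holds user management data and answers security-level queries (S104)."""
    def __init__(self, levels):
        self._levels = dict(levels)

    def security_level(self, account):
        return self._levels.get(account)


class DeviceServicePartition:
    """Runs the service program for a device on forwarded interaction data (S105)."""
    def __init__(self):
        self.handled = []

    def execute(self, device, data):
        self.handled.append((device, data))
        return f"{device}: handled {len(data)} bytes"


class PartitionSupportKernel:
    """Forwards data only along routes installed over the management channel."""
    def __init__(self, device_service):
        self._device_service = device_service
        self._routes = {}                          # session_id -> application partition
        self.mgmt_token = secrets.token_bytes(16)  # given to the control partition only
        self.audit = []                            # every forwarding decision is recorded

    def install_route(self, token, session_id, app_partition):
        if not hmac.compare_digest(token, self.mgmt_token):
            raise PermissionError("control instruction did not come from the control partition")
        self._routes[session_id] = app_partition

    def forward(self, session_id, src_partition, device, data):
        allowed = self._routes.get(session_id) == src_partition
        self.audit.append((session_id, src_partition, device, allowed))
        if not allowed:
            raise PermissionError(f"{src_partition} has no route for this session")
        return self._device_service.execute(device, data)


class ControlPartition:
    """Creates the login session and allocates an application partition by level (S104)."""
    def __init__(self, security, kernel, mgmt_token, app_partitions):
        self._security, self._kernel, self._token = security, kernel, mgmt_token
        self._app_partitions = dict(app_partitions)   # security level -> partition name

    def request_use(self, account):
        level = self._security.security_level(account)
        if level is None or level not in self._app_partitions:
            return None
        session = Session(secrets.token_hex(8), account, level, self._app_partitions[level])
        self._kernel.install_route(self._token, session.session_id, session.app_partition)
        return session


class UserServicePartition:
    """Uniform login entry point; only verified logins reach the control partition (S103)."""
    def __init__(self, credentials, control):
        self._credentials, self._control = dict(credentials), control

    def login(self, account, password):
        expected = self._credentials.get(account, "")
        if not expected or not hmac.compare_digest(expected.encode(), password.encode()):
            return None
        return self._control.request_use(account)


def build_system():
    device_service = DeviceServicePartition()
    kernel = PartitionSupportKernel(device_service)
    security = SecurityPartition({"alice": 2, "bob": 1})
    control = ControlPartition(security, kernel, kernel.mgmt_token, {1: "app-low", 2: "app-high"})
    # Constructed plaintext passwords, kept only to make the toy short.
    user_service = UserServicePartition({"alice": "pw-alice", "bob": "pw-bob"}, control)
    return user_service, kernel, device_service


def demo():
    user_service, kernel, _ = build_system()
    session = user_service.login("alice", "pw-alice")
    result = kernel.forward(session.session_id, session.app_partition, "keyboard", b"ls\n")
    try:   # a partition that was not allocated to this session tries the same route
        kernel.forward(session.session_id, "app-low", "keyboard", b"ls\n")
        cross = "forwarded"
    except PermissionError:
        cross = "denied"
    return session.app_partition, result, cross, user_service.login("alice", "wrong")


if __name__ == "__main__":
    print(demo())
```

The kernel's `audit` list shows the point of routing everything through one component: each forwarding decision, allowed or denied, is recorded in a single place.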
In the embodiment of the present application, a possible implementation manner is provided, where in step S102, the user service partition takes over the device for interacting with the user, specifically, the user service partition performs virtualization operation on the device for interacting with the user by using a virtualization technology to obtain a virtualized device, and then manages the virtualized device to take over the device for interacting with the user. Further, in the above step S105, the common application partition transfers the interaction data of the user and the device to the underlying partition support kernel through the inter-partition communication channel in the session process, specifically, the common application partition transfers the interaction data of the user and the virtualization device to the underlying partition support kernel through the inter-partition communication channel in the session process. According to the embodiment, data are transmitted through the inter-partition communication channel, and the safety and reliability of the data are guaranteed, so that the overall safety and reliability of the system and the flow control quality of the information are improved.
In the embodiment of the present application, a possible implementation manner is provided, where in step S103, when a login request including login account information submitted by a user through a login interface is received, a user service partition requests a control partition to use a system according to the login request, specifically, the user service partition verifies the login account information according to the login request, and if the verification is passed, requests the control partition to use the system; if the verification is not passed, the prompt message indicating that the login account information verification is not passed is returned to the user, so that the user can re-input the login account information and perform verification in time. The embodiment improves the safety of the system and the user experience.
In addition, in step S105, the partition support kernel forwards the interactive data to the device service partition through the control instruction issued through the management inter-partition communication channel, or the partition support kernel forwards the interactive data to the device service partition or the physical device through the control instruction issued through the management inter-partition communication channel. Therefore, direct communication between the devices can be realized, and the efficiency of access interaction is improved.
The embodiment of the application provides a possible implementation manner. To ensure the security of the equipment and the system, and to guard against an illegal user who has obtained login account information by abnormal means such as credential stuffing or brute-force cracking, the system performs secondary verification after the user passes verification. The secondary verification process comprises the following steps:
step A1, popping up a secondary verification interface after the login account information submitted by the user passes verification, prompting the user to input a dynamic verification code, if the dynamic verification code is correct, passing the secondary verification, and enabling the user to enter a system; otherwise, the user cannot enter the system; the verification code generation logic of the user secondary verification is as follows:
after a user registers an account for the first time, a system generates a unique security code according to account information, equipment information and registration time information registered by the user, and the computing formula of the security code M is as follows:
Figure BDA0003269603240000091
wherein T is the millisecond system timestamp at which the user first successfully registers the account, a 13-digit integer; s is the binary value corresponding to the device ID of the system at that time; and u is the binary value corresponding to the device ID of the user;
step A2, after the user successfully registers the account for the first time, the system generates a security code M and generates a two-dimensional code corresponding to the security code M, the user scans the two-dimensional code on the mobile device and inputs two dynamic verification codes to complete binding verification of the mobile device, and the generation formula of the dynamic verification codes is as follows:
Figure BDA0003269603240000092
wherein pi is 3.14, t is the millisecond timestamp when the dynamic verification code is input, and m_t is the dynamic verification code with timestamp t, i.e.,
Figure BDA0003269603240000093
for convenient input, each time m_t is generated, after the decimal point is ignored, the first 6 digits are taken as the final dynamic verification code, and after the user inputs the correct final dynamic verification code twice, the binding verification of the mobile equipment is completed;
step A3, the final dynamic verification code is generated in real time on the user's mobile equipment; at each subsequent login, once the login account information has been verified, the user inputs the final dynamic verification code and enters the system after it passes verification.
In the above embodiment, secondary verification with a dynamic verification code is added after the user's account password verification, which prevents an illegal user who has obtained login account information through credential stuffing, brute-force cracking or similar means from intruding into the system, and greatly improves the security of the system. The dynamic verification code is generated from the account information, the equipment information and the registration time information recorded when the user registers, together with the current time information, and the algorithm is complex; even if any or all of this information is leaked, the security of the system can be ensured provided that the algorithm is not leaked, so that user and equipment information is effectively protected.
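The formulas for the security code M and the dynamic code m_t are not reproduced on this page, so the following added example (not the patent's algorithm) substitutes standard RFC 6238 TOTP to show the same enrollment and login flow: a per-user secret delivered as a QR payload, binding after two correct codes, and a 6-digit second factor at login. The issuer and account names, the 30-second step, the one-step drift window, the replay check and the requirement that the two binding codes come from different time steps are assumptions of the example.

```python
"""RFC 6238 TOTP standing in for the dynamic verification code of steps A1-A3."""
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

STEP = 30     # seconds per code (RFC 6238 default); an assumption of this example
DIGITS = 6    # matches the 6-digit final code described on the page


def totp(secret: bytes, unix_time: int) -> str:
    """HMAC-SHA1 over the time-step counter, dynamically truncated to DIGITS digits."""
    counter = int(unix_time) // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


def new_secret() -> bytes:
    """Random per-user secret; unlike M on the page it is not derived from IDs or timestamps."""
    return secrets.token_bytes(20)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """Text that would be rendered as the QR code scanned in step A2 (otpauth key URI)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&digits={DIGITS}&period={STEP}")


class SecondFactor:
    """Server-side state for one account: the secret, binding status, last accepted step."""
    def __init__(self, secret: bytes):
        self._secret = secret
        self.bound = False
        self._last_counter = -1      # highest time step already accepted (replay guard)

    def _check(self, code: str, now: int, window: int = 1) -> bool:
        current = int(now) // STEP
        for counter in range(current - window, current + window + 1):
            if counter <= self._last_counter:
                continue             # a code from an already used step is never accepted again
            expected = totp(self._secret, counter * STEP)
            if hmac.compare_digest(expected.encode(), str(code).encode()):
                self._last_counter = counter
                return True
        return False

    def bind(self, code1: str, t1: int, code2: str, t2: int) -> bool:
        """Step A2: the device is bound only after two correct codes are entered."""
        self.bound = self._check(code1, t1) and self._check(code2, t2)
        return self.bound

    def verify_login(self, password_ok: bool, code: str, now: int) -> bool:
        """Steps A1/A3: the code is checked only after the account password has passed."""
        return bool(password_ok) and self.bound and self._check(code, now)


if __name__ == "__main__":
    secret = new_secret()
    print(provisioning_uri(secret, "alice", "ExampleSystem"))   # constructed names
    factor = SecondFactor(secret)
    print(factor.bind(totp(secret, 1000), 1000, totp(secret, 1030), 1030))
    print(factor.verify_login(True, totp(secret, 1065), 1065))
```

Because the secret is random and the construction is a published HMAC, the code stays unpredictable even when the algorithm and every account or device identifier are known; only the secret itself has to be protected.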
It should be noted that, in practical applications, all the possible embodiments described above may be combined in a combined manner at will to form possible embodiments of the present application, and details are not described here again.
Based on the same inventive concept, the embodiment of the present application further provides a device-isolated user access control apparatus.
Fig. 2 shows a block diagram of a device-isolated user access control apparatus according to an embodiment of the application. As shown in fig. 2, the device-isolated user access control apparatus may include a building module 210 and a control module 220.
A building module 210, configured to build a user service partition, an equipment service partition, a common application partition, a security partition, and a control partition for a system in advance, and configure corresponding functional services for each built partition;
the control module 220 is used for taking over the equipment used for interacting with the user by the user service partition after the system is started, and providing a uniform login interface for the user; and
when a login request containing login account information submitted by a user through a login interface is received, a user service partition requests a control partition to use the system according to the login request;
the control partition receives a request for using the system from the user service partition, transmits the request for using the system to the security partition, and then the security partition returns a corresponding user security level to the control partition according to the login account information; then the control partition creates a login session of the user and allocates a common application partition according to the user security level to provide application support for the user;
in the session process of the common application partition, the interactive data of the user and the equipment are transmitted to a bottom partition support kernel through an inter-partition communication channel; the partition support kernel forwards the interactive data to the equipment service partition through a control instruction issued by a communication channel between the management partitions; and the equipment service partition executes a corresponding service program according to the interaction data so as to realize the access and interaction of the user to the equipment.
In an embodiment of the present application, a possible implementation manner is provided, and the control module 220 is further configured to:
the user service partition adopts virtualization technology to perform virtualization operation on equipment for interacting with the user to obtain virtualized equipment, and then manages the virtualized equipment to take over the equipment for interacting with the user;
and in the session process of the common application partition, the interactive data of the user and the virtualization equipment is transmitted to the bottom-layer partition support kernel through the communication channel between the partitions.
In the embodiment of the present application, a possible implementation manner is provided, and the control module 220 is further configured to:
the common application partition divides the applications of different security domains according to the security control policy and provides application service support for the system.
In an embodiment of the present application, a possible implementation manner is provided, and the constructing module 210 is further configured to:
the user service partition verifies the login account information according to the login request, and if the verification is passed, the user service partition requests the control partition to use the system; if the verification is not passed, a prompt message indicating that the login account information did not pass verification is returned to the user.
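The login and device-access flow described above, modelled as an added Python example (not code from the patent): every inter-partition message passes through a stand-in for the partition support kernel, which forwards it only on an allow-listed channel and records it. The partition names, sample accounts, security levels and the channel policy are assumptions made for illustration.

```python
import hashlib
import hmac


def pw_hash(password):
    # Fixed salt only because this is constructed demo data.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"demo-salt", 100_000)


# Constructed sample data (not from the patent): accounts, levels, partition names.
ACCOUNTS = {"alice": pw_hash("pw-a"), "bob": pw_hash("pw-b")}
SECURITY_LEVELS = {"alice": 2, "bob": 1}
APP_PARTITION_FOR_LEVEL = {1: "app-low", 2: "app-high"}

# Assumed channel policy: (sender, receiver) pairs the kernel will forward.
ALLOWED_CHANNELS = {
    ("user-service", "control"),
    ("control", "security"),
    ("app-low", "device-service"),
    ("app-high", "device-service"),
}


class ChannelDenied(Exception):
    """Raised when a partition uses a channel the policy does not grant."""


class PartitionKernel:
    """Stand-in for the partition support kernel: every message crosses it."""

    def __init__(self):
        self.handlers = {}   # partition name -> callable(msg) -> reply
        self.audit = []      # (src, dst, message type, allowed)

    def send(self, src, dst, msg):
        allowed = (src, dst) in ALLOWED_CHANNELS
        self.audit.append((src, dst, msg["type"], allowed))
        if not allowed:
            raise ChannelDenied(f"{src} -> {dst}")
        return self.handlers[dst](msg)


def build_system():
    kernel = PartitionKernel()

    def security(msg):
        # Security partition: maps the login account to its security level.
        return SECURITY_LEVELS[msg["account"]]

    def control(msg):
        # Control partition: asks for the level, creates the session and
        # allocates the common application partition for that level.
        level = kernel.send("control", "security",
                            {"type": "level-query", "account": msg["account"]})
        return {"account": msg["account"], "level": level,
                "app_partition": APP_PARTITION_FOR_LEVEL[level]}

    def device_service(msg):
        # Device service partition: runs the service program for the request.
        return f"{msg['device']}:{msg['op']}:done"

    kernel.handlers = {"security": security, "control": control,
                       "device-service": device_service}
    return kernel


def login(kernel, account, password):
    """User service partition: verify the account, then request use of the system."""
    stored = ACCOUNTS.get(account)
    candidate = pw_hash(password)
    if stored is None or not hmac.compare_digest(stored, candidate):
        return None   # caller shows the "verification not passed" prompt
    return kernel.send("user-service", "control",
                       {"type": "use-system", "account": account})


def device_io(kernel, session, device, op):
    """Interaction data from the session's application partition to the device."""
    return kernel.send(session["app_partition"], "device-service",
                       {"type": "device-io", "device": device, "op": op})
```

The audit list is what a reviewer would inspect: a failed login leaves no kernel traffic at all, and a denied channel is recorded with its sender and receiver before the exception is raised.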
In an embodiment of the present application, a possible implementation manner is provided, and the control module 220 is further configured to:
after the login account information submitted by the user passes the verification, the system performs secondary verification, and the secondary verification process comprises the following steps:
step A1, popping up a secondary verification interface after the login account information submitted by the user passes verification, prompting the user to input a dynamic verification code, if the dynamic verification code is correct, passing the secondary verification, and enabling the user to enter a system; otherwise, the user cannot enter the system; the verification code generation logic of the user secondary verification is as follows:
after a user registers an account for the first time, a system generates a unique security code according to account information, equipment information and registration time information registered by the user, and the computing formula of the security code M is as follows:
Figure BDA0003269603240000111
wherein T is the millisecond system timestamp at which the user successfully registers the account for the first time, which is a 13-digit integer, s is a binary value corresponding to the device ID of the system when the user successfully registers the account for the first time, and u is a binary value corresponding to the device ID of the user;
step A2, after the user successfully registers the account for the first time, the system generates a security code M and generates a two-dimensional code corresponding to the security code M, the user scans the two-dimensional code on the mobile device and inputs two dynamic verification codes to complete binding verification of the mobile device, and the generation formula of the dynamic verification codes is as follows:
Figure BDA0003269603240000121
wherein pi is 3.14, t is the millisecond timestamp when the dynamic verification code is input, and m_t is the dynamic verification code at timestamp t, i.e.,
Figure BDA0003269603240000122
for convenient input, each time m_t is generated, the first 6 digits after the neglected decimal point are taken as the final dynamic verification code, and after the user inputs the correct final dynamic verification code twice, the binding verification of the mobile equipment is completed;
step A3, the final dynamic verification code is generated in real time in the user's mobile equipment; when the user logs in subsequently, after the verification of the login account information is completed, the user inputs the final dynamic verification code and enters the system after the final dynamic verification code passes.
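An added example (not the patent's algorithm) of the A1 to A3 flow: the formulas for M and m_t are not reproduced on this page, so RFC 6238 TOTP is substituted, keyed on a random per-account secret so that the strength of the code does not depend on keeping the algorithm private. The 30-second step, the one-step drift window, the replay check and all class and function names are assumptions.

```python
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 30   # assumed time step (RFC 6238 default); the patent states none
DIGITS = 6          # the patent's final dynamic verification code has 6 digits


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), a keyed stand-in for the patent's m_t.

    Takes seconds since the epoch; the patent uses millisecond timestamps.
    """
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class SecondFactor:
    """Server-side state for one account: enrolment, binding, login checks."""

    def __init__(self) -> None:
        # Plays the role of the security code M handed to the phone by QR code.
        # Assumption: a random 160-bit secret rather than a value derived from
        # timestamps and device IDs, so leaked metadata reveals nothing.
        self.secret = secrets.token_bytes(20)
        self.bound = False
        self._binding_hits = 0
        self._last_counter = -1   # highest time step already accepted

    def _check(self, code: str, now: int) -> bool:
        # Accept the current step and one step back to tolerate clock drift.
        for drift in (0, -1):
            counter = now // STEP_SECONDS + drift
            if counter <= self._last_counter:
                continue   # replayed or stale time step
            expected = totp(self.secret, counter * STEP_SECONDS)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self._last_counter = counter
                return True
        return False

    def bind(self, code: str, now: int) -> bool:
        """Step A2: the mobile device is bound after two correct codes."""
        if self._check(code, now):
            self._binding_hits += 1
            self.bound = self._binding_hits >= 2
        return self.bound

    def login(self, password_ok: bool, code: str, now: int) -> bool:
        """Steps A1/A3: the code is evaluated only after account verification."""
        return password_ok and self.bound and self._check(code, now)
```

Because an accepted time step is never accepted again, the two binding codes must come from different steps, and a code observed during one login cannot be reused for another.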
It can be clearly understood by those skilled in the art that the specific working processes of the system, the apparatus, and the module described above may refer to the corresponding processes in the foregoing method embodiments, and for the sake of brevity, the detailed description is omitted here.
Those of ordinary skill in the art will understand that: the technical solution of the present application may be essentially or wholly or partially embodied in the form of a software product, where the computer software product is stored in a storage medium and includes program instructions for enabling an electronic device (e.g., a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application when the program instructions are executed. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or the like.
Alternatively, all or part of the steps of the foregoing method embodiments may be implemented by hardware (such as an electronic device, for example, a personal computer, a server, or a network device) related to program instructions, where the program instructions may be stored in a computer-readable storage medium, and when the program instructions are executed by a processor of the electronic device, the electronic device executes all or part of the steps of the method according to the embodiments of the present application.
The above embodiments are only used for illustrating the technical solutions of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that: the technical solutions described in the foregoing embodiments can be modified or some or all of the technical features can be equivalently replaced within the spirit and principle of the present application; such modifications or substitutions do not depart from the scope of the present application.

Claims (8)

1. A user access control method for device isolation is characterized by comprising the following steps:
constructing a user service partition, an equipment service partition, a common application partition, a security partition and a control partition for a system in advance, and configuring corresponding functional services for each constructed partition;
after the system is started, the user service partition takes over equipment for interacting with the user and provides a uniform login interface for the user;
when a login request containing login account information and submitted by a user through the login interface is received, the user service partition requests the control partition to use the system according to the login request;
the control partition receives a request for using the system from the user service partition, transmits the request for using the system to the security partition, and then the security partition returns a corresponding user security level to the control partition according to the login account information; then the control partition creates a login session of the user and allocates a common application partition to provide application support for the user according to the user security level;
the common application partition transmits the interactive data of the user and the equipment to a bottom-layer partition support kernel through an inter-partition communication channel in a session process; the partition support kernel forwards the interactive data to the equipment service partition through a control instruction issued by a communication channel between management partitions; the equipment service partition executes a corresponding service program according to the interaction data so as to realize the access and interaction of the user to the equipment;
after the login account information submitted by the user passes the verification, the system performs secondary verification, and the secondary verification process comprises the following steps:
step A1, popping up a secondary verification interface after the login account information submitted by the user passes verification, prompting the user to input a dynamic verification code, if the dynamic verification code is correct, passing the secondary verification, and enabling the user to enter a system; otherwise, the user cannot enter the system; the verification code generation logic of the user secondary verification is as follows:
after a user registers an account for the first time, a system generates a unique security code according to account information, equipment information and registration time information registered by the user, wherein a calculation formula of the security code M is as follows:
Figure FDA0003770750700000011
wherein T is the millisecond system timestamp at which the user successfully registers the account for the first time, which is a 13-digit integer, s is a binary value corresponding to the device ID of the system when the user successfully registers the account for the first time, and u is a binary value corresponding to the device ID of the user;
step A2, after the user successfully registers the account for the first time, the system generates a security code M and generates a two-dimensional code corresponding to the security code M, the user scans the two-dimensional code on the mobile device and inputs two dynamic verification codes to complete binding verification of the mobile device, and the generation formula of the dynamic verification codes is as follows:
Figure FDA0003770750700000021
wherein pi is 3.14, t is the millisecond timestamp when the dynamic verification code is input, and m_t is the dynamic verification code at timestamp t, i.e.,
Figure FDA0003770750700000022
for convenient input, each time m_t is generated, the first 6 digits after the neglected decimal point are taken as the final dynamic verification code, and after the user inputs the correct final dynamic verification code twice, the binding verification of the mobile equipment is completed;
step A3, the final dynamic verification code is generated in real time in the mobile equipment of the user; when the user logs in subsequently, after the verification of the login account information is completed, the user inputs the final dynamic verification code and enters the system after the final dynamic verification code passes the verification.
2. The device isolated user access control method of claim 1,
the user service partition takes over the device for interaction with the user, comprising:
the user service partition adopts virtualization technology to perform virtualization operation on equipment used for interacting with a user to obtain virtualized equipment, and then manages the virtualized equipment to take over the equipment used for interacting with the user;
the common application partition transmits the interactive data of the user and the equipment to a bottom-layer partition support kernel through an inter-partition communication channel in a session process, and the method comprises the following steps:
and the common application partition transmits the interactive data of the user and the virtualization equipment to a bottom-layer partition support kernel through an inter-partition communication channel in the session process.
3. The device isolated user access control method of claim 1, the method further comprising: the common application partition divides the applications of different security domains according to the security control policy and provides application service support for the system.
4. The device-isolated user access control method of claim 1, wherein the user service partition requesting use of the system from the control partition based on the login request, comprises:
the user service partition verifies the login account information according to the login request, and if the verification is passed, the user service partition requests the control partition to use the system; if the verification is not passed, a prompt message indicating that the login account information did not pass verification is returned to the user.
5. A device-isolated user access control apparatus, comprising:
a construction module, configured to construct a user service partition, an equipment service partition, a common application partition, a security partition and a control partition for a system in advance, and to configure corresponding functional services for each constructed partition;
a control module, configured so that, after the system is started, the user service partition takes over equipment for interacting with the user and provides a uniform login interface for the user; and
when a login request containing login account information and submitted by a user through the login interface is received, the user service partition requests the control partition to use the system according to the login request;
the control partition receives a request for using the system from the user service partition, transmits the request for using the system to the security partition, and then the security partition returns a corresponding user security level to the control partition according to the login account information; then the control partition creates a login session of the user, and allocates a common application partition to provide application support for the user according to the user security level;
the common application partition transmits the interactive data of the user and the equipment to a bottom-layer partition support kernel through an inter-partition communication channel in a session process; the partition support kernel forwards the interactive data to the equipment service partition through a control instruction issued by a communication channel between management partitions; the equipment service partition executes a corresponding service program according to the interaction data so as to realize the access and interaction of the user to the equipment;
wherein the control module is further configured to:
after the login account information submitted by the user passes the verification, the system performs secondary verification, and the secondary verification process comprises the following steps:
step A1, popping up a secondary verification interface after the login account information submitted by the user passes verification, prompting the user to input a dynamic verification code, if the dynamic verification code is correct, passing the secondary verification, and enabling the user to enter a system; otherwise, the user cannot enter the system; the verification code generation logic of the user secondary verification is as follows:
after a user registers an account for the first time, a system generates a unique security code according to account information, equipment information and registration time information registered by the user, and the computing formula of the security code M is as follows:
Figure FDA0003770750700000041
wherein T is the millisecond system timestamp at which the user successfully registers the account for the first time, which is a 13-digit integer, s is a binary value corresponding to the device ID of the system when the user successfully registers the account for the first time, and u is a binary value corresponding to the device ID of the user;
step A2, after the user successfully registers the account for the first time, the system generates a security code M and generates a two-dimensional code corresponding to the security code M, the user scans the two-dimensional code on the mobile device and inputs two dynamic verification codes to complete binding verification of the mobile device, and the generation formula of the dynamic verification codes is as follows:
Figure FDA0003770750700000042
wherein pi is 3.14, t is the millisecond timestamp when the dynamic verification code is input, and m_t is the dynamic verification code at timestamp t, i.e.,
Figure FDA0003770750700000043
for convenient input, each time m_t is generated, the first 6 digits after the neglected decimal point are taken as the final dynamic verification code, and after the user inputs the correct final dynamic verification code twice, the binding verification of the mobile equipment is completed;
step A3, the final dynamic verification code is generated in real time in the user's mobile equipment; when the user logs in subsequently, after the verification of the login account information is completed, the user inputs the final dynamic verification code and enters the system after the final dynamic verification code passes.
6. The device-isolated user access control apparatus of claim 5, wherein the control module is further configured to:
the user service partition adopts virtualization technology to perform virtualization operation on equipment used for interacting with a user to obtain virtualized equipment, and then manages the virtualized equipment to take over the equipment used for interacting with the user;
and the common application partition transmits the interactive data of the user and the virtualization equipment to a bottom-layer partition support kernel through an inter-partition communication channel in the session process.
7. The device-isolated user access control apparatus of claim 5, wherein the control module is further configured to:
the common application partition divides the applications of different security domains according to the security control policy and provides application service support for the system.
8. The device isolated user access control apparatus of claim 5, wherein the building module is further configured to:
the user service partition verifies the login account information according to the login request, and if the verification is passed, the user service partition requests the control partition to use the system; if the verification is not passed, a prompt message indicating that the login account information did not pass verification is returned to the user.
CN202111097860.8A 2021-09-18 2021-09-18 User access control method and device for equipment isolation Active CN113918251B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111097860.8A CN113918251B (en) 2021-09-18 2021-09-18 User access control method and device for equipment isolation

Publications (2)

Publication Number Publication Date
CN113918251A 2022-01-11
CN113918251B 2022-10-28

Family

ID=79235710

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant