CN114297597B - Account management method, system, equipment and computer readable storage medium - Google Patents

Publication number: CN114297597B
Authority: CN (China)
Prior art keywords: key, client, user, server, account
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202111645839.7A
Other languages: Chinese (zh)
Other versions: CN114297597A
Inventors: 殷秀静, 许琛, 房宝龙
Current assignee: Yuweng Information Technology Co ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Yuweng Information Technology Co ltd
Events: application filed by Yuweng Information Technology Co ltd; priority to CN202111645839.7A; publication of CN114297597A; application granted; publication of CN114297597B; legal status active; anticipated expiration

Abstract

The application discloses an account management method, system, device and computer readable storage medium, which are applied to a client and used for judging whether a user key is stored; if the user key is not stored, marking the state of the user account as the lack of the key, and acquiring the user key for storage; if the user key is stored, judging whether the user account is logged in; if the user account is not logged in, marking the state of the user account as not logged in, and logging in the account based on the user key; and if the user account is logged in, marking the state of the user account as logged in. In the application, under the condition that the client side stores the user key but does not log in, the client side needs to log in the account based on the user key, and the safe login of the account is realized by means of the user key, so that the safety of account information is protected; in addition, the account state is divided into three states of lack of keys, no login and login, the user account can be rapidly and flexibly controlled, and the operability is good.

Description

Account management method, system, equipment and computer readable storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to an account management method, system, device, and computer-readable storage medium.
Background
Currently, when using application software and the like, a user needs to perform operations such as registration and login, during which account information must be delivered to the corresponding server (for example, the software's server) for processing. If an attacker interferes in this process, the user's account information is leaked, so the security of user account information is low.
In summary, how to improve the security of the user account information is a problem that those skilled in the art are in urgent need to solve.
Disclosure of Invention
The application aims to provide an account management method which can solve the technical problem of improving the safety of user account information to a certain extent. The application also provides an account management system, equipment and a computer readable storage medium.
In order to achieve the above object, the present application provides the following technical solutions:
an account management method is applied to a client and comprises the following steps:
judging whether a user key is stored or not;
if the user key is not stored, marking the state of the user account as the lack of the key, and acquiring the user key for storage;
if the user key is stored, judging whether the user account is logged in;
if the user account is not logged in, marking the state of the user account as not logged in, and logging in the account based on the user key;
and if the user account is logged in, marking the state of the user account as logged in.
Preferably, the user key includes an extended key of the client and an identification key of the client;
the obtaining the user key comprises:
acquiring a system public key of a server;
acquiring user identification information;
generating a first symmetric key, and encrypting the first symmetric key based on a system public key of the server to obtain a target encryption key;
transmitting the user identification information and the target encryption key to the server so that the server decrypts the user identification information and the target encryption key based on a system private key of the server to obtain the first symmetric key;
receiving target data sent by the server, wherein the target data comprises a data set and first signature information of the data set generated based on a system private key of the server, the data set comprises an extended key of the client and a first encryption result obtained by encrypting a generated identification key of the client based on the first symmetric key, and the identification key of the client is generated based on the user identification information and a key base;
verifying the target data based on the system public key of the server, if the verification is successful, obtaining an extended key of the client, and decrypting the first encryption result based on the first symmetric key to obtain an identification key of the client;
wherein the key base comprises a key generation matrix of 8*8.
Preferably, the user identification information includes a mobile phone number of the user;
before the transmitting the user identification information and the target encryption key to the server, the method further includes:
transmitting the user mobile phone number and a short message verification request to the server so that the server transmits a short message verification code to the user mobile phone number;
acquiring a target short message verification code;
after the transmitting the user identification information and the target encryption key to the server, the method further includes:
and transmitting the target short message verification code to the server so that the server sends the target data after verifying that the target short message verification code is correct.
Preferably, the storing the user key includes:
directly storing the expansion key of the client;
acquiring a target secret password;
generating a second symmetric key based on the target secret password;
and encrypting the identification key of the client based on the second symmetric key to obtain and store a second encryption result.
Preferably, the extended key of the client includes an extended private key of the client and an extended public key of the client; the identification key of the client comprises an identification public key of the client and an identification private key of the client;
the account login based on the user key comprises the following steps:
combining the expansion private key of the client and the identification private key of the client to generate a user private key of the client;
acquiring account login information;
encrypting the account login information based on the system public key of the server to obtain a third encryption result;
signing the third encryption result based on a user private key of the client to obtain second signature information;
transmitting the third encryption result and the second signature information to the server, so that the server obtains the account login information by decrypting the second signature information based on a system private key of the server after verifying that the second signature information is legal based on a user public key of the client, and generates a login token corresponding to the account login information; the user public key of the client is generated based on the combination of the extension public key of the client and the identification public key of the client;
receiving target token information sent by the server, wherein the target token information comprises encrypted token information and third signature information of the encrypted token information, the encrypted token information comprises information obtained by encrypting the login token based on a user public key of the client, and the third signature information comprises information obtained by signing the encrypted token based on a system private key of the server;
and if the third signature information is verified to be legal based on the system public key of the server, decrypting the encrypted token information based on the user private key of the client to obtain the login token and storing the login token.
Preferably, the obtaining the system public key of the server includes:
acquiring identification information of the server;
acquiring the key base generated in advance by the server, wherein the key base comprises a key generation matrix of 8*8;
generating an identification public key of the server based on the identification information of the server and a public key base in the key base;
acquiring an extended public key of the server;
and combining the identification public key of the server and the extended public key of the server to generate a system public key of the server.
Preferably, after the marking the status of the user account as logged in, the method further includes:
acquiring an account logout request;
encrypting the account logout request based on the system public key of the server to obtain a fourth encryption result;
signing the fourth encryption result based on a user private key of the client to obtain fourth signature information;
and transmitting the fourth encryption result and the fourth signature information to the server, so that the server, after verifying that the fourth signature information is legal based on the user public key of the client, decrypts based on the system private key of the server to obtain the account logout request and logs out the corresponding user account.
An account management system applied to a client comprises:
the first judgment module is used for judging whether a user key is stored or not; if the user key is not stored, marking the state of the user account as the lack of the key, and acquiring the user key for storage;
the second judgment module is used for judging whether the user account is logged in or not if the user key is stored; if the user account is not logged in, marking the state of the user account as not logged in, and logging in the account based on the user key;
and the third judgment module is used for marking the state of the user account as logged in if the user account is logged in.
An account management device comprising:
a memory for storing a computer program;
a processor for implementing the steps of the account management method as described in any one of the above when executing the computer program.
A computer-readable storage medium, having stored thereon a computer program which, when being executed by a processor, carries out the steps of the account management method according to any of the preceding claims.
The application provides an account management method, which is applied to a client and used for judging whether a user key is stored or not; if the user key is not stored, marking the state of the user account as the lack of the key, and acquiring the user key for storage; if the user key is stored, judging whether the user account is logged in; if the user account is not logged in, marking the state of the user account as not logged in, and logging in the account based on the user key; and if the user account is logged in, marking the state of the user account as logged in. In the application, the client needs to acquire the user key under the condition that the client does not store the user key; under the condition that the user key is stored but not logged in, account login needs to be carried out based on the user key, the safe login of the account is realized by means of the user key, and the safety of account information is protected; in addition, the account state is divided into three states of lack of keys, no login and login, the user account can be rapidly and flexibly controlled by means of the three states, and the operability is good. The account management system, the account management equipment and the computer-readable storage medium solve the corresponding technical problems.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, it is obvious that the drawings in the following description are only embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a flowchart of an account management method according to an embodiment of the present application;
FIG. 2 is a flow chart of obtaining a user key in the present application;
FIG. 3 is a flowchart illustrating a process for a client to log in an account based on a user key according to the present application;
fig. 4 is a schematic structural diagram of an account management system according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of an account management device according to an embodiment of the present application;
fig. 6 is another schematic structural diagram of an account management device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Referring to fig. 1, fig. 1 is a flowchart of an account management method according to an embodiment of the present disclosure.
The account management method provided by the embodiment of the application is applied to a client and can comprise the following steps:
step S101: judging whether a user key is stored; if the user key is not stored, executing step S102; if the user key is stored, step S103 is executed.
Step S102: and marking the state of the user account as lack of the key, and acquiring the user key for storage.
In practical application, the client may first determine whether the client stores the user key, and if the client does not store the user key, mark the state of the user account as a lack of the user key, and obtain the user key for storage, so as to ensure login security based on the user key in the subsequent login process.
It should be noted that, after acquiring the user key and storing the user key, the client may return to execute step S101, or directly execute subsequent step S103, and the like, which is not specifically limited herein.
Step S103: judging whether a user account is logged in; if the user account is not logged in, executing step S104; if the user account is logged in, step S105 is executed.
Step S104: and marking the state of the user account as not logged in, and logging in the account based on the user key.
Step S105: the status of the user account is marked as logged in.
In practical application, after judging that the client stores the user key, the client can judge whether the user account of the client is logged in, if not, the state of the user account is marked as not logged in, account logging is carried out based on the user key, and if the user account is logged in, the state of the user account is directly marked as logged in, so that the user account is flexibly controlled by means of the three states of the user account.
It should be noted that, in a specific application scenario, a user account may also log in on different devices. In that case, when determining whether the user account is logged in, the client may first determine whether a login token exists and whether it is within its validity period; if the login token does not exist or is not within the validity period, the state of the user account is determined to be not logged in. If the login token is stored on the terminal device and is within the validity period, the client acquires the identifier of the terminal device on which it runs and, through the server, determines based on that device identifier whether the terminal is the most recent login device; if it is, the state of the user account is marked as logged in. If the terminal device is not the most recently logged-in device, the user may verify whether the terminal device is safe: if it is, the state of the user account is marked as logged in, and if it is not, the state may be marked as not logged in; alternatively, the state may be marked directly as not logged in. In addition, when the client cannot communicate with the server, that is, cannot acquire the most recent login device of the user account, the state of the user account may be marked directly as logged in.
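The three-state check of steps S101 to S105, including the login-token and latest-device refinement just described, written out as an added example in Python. This is not code from the patent: the `ServerStub`, the field names and the time values are constructed assumptions, and the patent does not specify how the client asks the server for the most recent login device.

```python
"""Three-state account check (lack of key / not logged in / logged in).
Added example; the stub server and all field names are assumptions."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class AccountState(Enum):
    LACK_KEY = "lack_key"              # S102: no user key stored yet
    NOT_LOGGED_IN = "not_logged_in"    # S104: key stored, login still needed
    LOGGED_IN = "logged_in"            # S105


@dataclass
class ClientStore:
    """What the client holds locally (constructed layout)."""
    user_key: Optional[bytes] = None   # extended key + identification key
    login_token: Optional[str] = None
    token_expires_at: int = 0          # unix time at which the token stops being valid
    device_id: str = "dev-A"           # identifier of the terminal the client runs on


class ServerStub:
    """Stand-in for the server's 'most recent login device' lookup.
    The patent leaves the wire format open; this stub only models
    the answer and the case where the server cannot be reached."""

    def __init__(self, latest_device: Optional[str], reachable: bool = True):
        self.latest_device = latest_device
        self.reachable = reachable

    def latest_login_device(self) -> Optional[str]:
        if not self.reachable:
            raise ConnectionError("server unreachable")
        return self.latest_device


def classify(store: ClientStore, server: ServerStub, now: int,
             user_confirms_device_safe: Optional[bool] = None) -> AccountState:
    """Return the state the client should mark the account with."""
    # S101 / S102: without a stored user key nothing else matters.
    if store.user_key is None:
        return AccountState.LACK_KEY
    # S103: a login token must exist and still be within its validity period.
    if store.login_token is None or now >= store.token_expires_at:
        return AccountState.NOT_LOGGED_IN
    try:
        latest = server.latest_login_device()
    except ConnectionError:
        # Page: when the client cannot reach the server it may mark the
        # account directly as logged in.
        return AccountState.LOGGED_IN
    if latest == store.device_id:
        return AccountState.LOGGED_IN
    # Not the most recent login device: the page allows asking the user
    # whether this terminal is safe, or marking not-logged-in directly.
    if user_confirms_device_safe is True:
        return AccountState.LOGGED_IN
    return AccountState.NOT_LOGGED_IN


if __name__ == "__main__":
    srv = ServerStub(latest_device="dev-B")
    store = ClientStore(user_key=b"k", login_token="t", token_expires_at=2000)
    print(classify(store, srv, now=1000))                                  # NOT_LOGGED_IN
    print(classify(store, srv, now=1000, user_confirms_device_safe=True))  # LOGGED_IN
```

The token check runs before any network call, so an expired or missing token never costs a round trip, and the unreachable-server branch is isolated in one `except` so a deployment that prefers to fail closed can change a single line.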
The application provides an account management method, which is applied to a client and used for judging whether a user key is stored or not; if the user key is not stored, marking the state of the user account as the lack of the key, and acquiring the user key for storage; if the user key is stored, judging whether the user account is logged in; if the user account is not logged in, marking the state of the user account as not logged in, and logging in the account based on the user key; and if the user account is logged in, marking the state of the user account as logged in. In the application, the client needs to acquire the user key under the condition that the client does not store the user key; under the condition that the user key is stored but not logged in, account login needs to be carried out based on the user key, the safe login of the account is realized by means of the user key, and the safety of account information is protected; in addition, the account state is divided into three states of lack of keys, no login and login, the user account can be rapidly and flexibly controlled by means of the three states, and the operability is good.
Referring to fig. 2, fig. 2 is a flowchart for acquiring a user key according to the present application.
In the account management method provided by the embodiment of the application, the user key may include an extended key of the client and an identification key of the client; correspondingly, the client may perform the following steps in the process of obtaining the user key:
step S201: and acquiring a system public key of the server.
In practical application, the client may first obtain the system public key of the server, so as to encrypt data subsequently transmitted to the server by means of the system public key of the server, thereby ensuring the security of the transmitted data.
Step S202: and acquiring user identification information.
In practical applications, after obtaining the system public key of the server, the client may obtain the user identification information, so as to generate a corresponding user key based on the user identification information.
Step S203: and generating a first symmetric key, and encrypting the first symmetric key based on the system public key of the server to obtain a target encryption key.
In practical application, in order to ensure the security of data transmitted by the server to the client, the client may further generate a first symmetric key, encrypt the first symmetric key based on a system public key of the server to obtain a target encryption key, and transmit the target encryption key to the server, where the first symmetric key may be safely transmitted to the server.
It should be noted that, in the process of generating the first symmetric key, the client may generate the first symmetric key through an SM4 algorithm, and the like, which is not specifically limited herein.
Step S204: transmitting the user identification information and the target encryption key to the server, so that the server decrypts based on its system private key to obtain the first symmetric key.
In an actual application scenario, in order to further ensure the security of information interaction between the client and the server, the user identification information may further include a user mobile phone number; correspondingly, before transmitting the user identification information and the target encryption key to the server, the client can also transmit a user mobile phone number and a short message verification request to the server so that the server transmits a short message verification code to the user mobile phone number; acquiring a target short message verification code; after the user identification information and the target encryption key are transmitted to the server, the target short message verification code can be transmitted to the server, so that the server verifies that the target short message verification code is correct and then generates and transmits target data.
It is understood that, because the target short message verification code received by the client was sent by the server, after receiving the user mobile phone number and the target short message verification code the server can verify whether they match, that is, whether it itself sent the target short message verification code to that mobile phone number. If they match, the subsequent flow can be executed; if they do not match, the flow for obtaining the user key can be ended directly, which prevents a malicious client from attacking the server and threatening its security.
Step S205: receiving target data sent by a server, wherein the target data comprises a data set and first signature information of the data set generated based on a system private key of the server, the data set comprises an expanded key of a client and a first encryption result obtained by encrypting a generated identification key of the client based on a first symmetric key, and the identification key of the client is generated based on user identification information and a key base, wherein the key base comprises a key generation matrix of 8*8.
Step S206: and verifying the target data based on the system public key of the server, if the verification is successful, obtaining an extended key of the client, and decrypting the first encryption result based on the first symmetric key to obtain an identification key of the client.
In practical application, after the client generates the target encryption key, it can transmit the user identification information and the target encryption key to the server. Correspondingly, after the server decrypts the first symmetric key, it can generate the identification key of the client based on the user identification information and the key base, generate the extended key of the client, encrypt the identification key of the client based on the first symmetric key to obtain the first encryption result, combine the first encryption result and the extended key into a data set, sign the data set based on the system private key of the server, and finally send the data set and the signature of the data set to the client as the target data.
Correspondingly, after receiving the target data sent by the server, the client needs to check the target data based on the system public key of the server, if the check is successful, the client expansion key in the target data is obtained, and the first encryption result in the target data is decrypted based on the first symmetric key to obtain the client identification key. It is understood that if the client fails to verify the target data based on the system public key of the server, it indicates that the target data is not sent by the server but is forged by an attacker, and at this time, the client may directly end the key acquisition process, and other operations may be performed, such as waiting for a certain period of time and determining whether correct target data can be received to complete key acquisition.
In a specific application scenario, in order to store the identification key of the client securely, the client can, when storing its user key, directly store the extended key of the client; acquire a target secret password; generate a second symmetric key based on the target secret password, for example by using a key derivation algorithm; and encrypt the identification key of the client based on the second symmetric key to obtain and store a second encryption result. Correspondingly, when its identification key is to be used, the client can receive the input target secret password, generate the second symmetric key based on it, and decrypt the second encryption result based on the second symmetric key to obtain its identification key. It is understood that when the secret password input by the user in the decryption stage differs from the one input in the encryption stage, the generated second symmetric key differs, so the encrypted identification key of the client cannot be decrypted; that is, the security of the identification key of the client is protected by means of the secret password.
Referring to fig. 3, fig. 3 is a flowchart illustrating a client performing account login based on a user key according to the present application.
In the account management method provided by the embodiment of the application, the extended key of the client may include an extended private key of the client and an extended public key of the client; the identification key of the client can comprise an identification public key of the client and an identification private key of the client; correspondingly, during the process of account login based on the user key, the client may perform the following steps:
step S301: and combining the expanded private key of the client and the identification private key of the client to generate the user private key of the client.
In practical application, the client can combine the own extended private key and the own identification private key to generate the own user private key.
Step S302: and acquiring account login information.
Step S303: and encrypting the account login information based on the system public key of the server to obtain a third encryption result.
In practical applications, after the client acquires the account login information to be logged in, for example, the user name and the login password of the account, the client may encrypt the account login information based on the system public key of the server to obtain a third encryption result, so as to perform security protection on the account login information by means of the system public key of the server.
Step S304: and signing the third encryption result based on the user private key of the client to obtain second signature information.
Step S305: transmitting the third encryption result and the second signature information to the server, so that the server, after verifying that the second signature information is legal based on the user public key of the client, obtains the account login information by decrypting based on the system private key of the server, and generates a login token corresponding to the account login information; the user public key of the client is generated based on the combination of the extension public key of the client and the identification public key of the client.
In practical application, after the client generates the third encryption result, it can sign the third encryption result based on its user private key to obtain the second signature information, and transmit the third encryption result and the second signature information to the server, so that the server, after verifying that the second signature information is legal based on the user public key of the client, decrypts the second signature information based on its system private key to obtain the account login information and generates a login token corresponding to the account login information, completing the account login process of the client.
It should be noted that, in the present application, the user public key of the client is generated based on the combination of the extension public key of the client and the identification public key of the client; and if the server finds, based on the user public key of the client, that the second signature information is illegal, the server can directly judge that the client is a malicious attacking client and end the account login process, so that the security of the user account and of the server is ensured. The method and system can ensure the security of user account login by means of the user private key of the client, the system public key of the server, the system private key of the server, the user public key of the client, and the principles of encryption, decryption and signature.
Step S306: receiving target token information sent by a server, wherein the target token information comprises encrypted token information and third signature information of the encrypted token information, the encrypted token information comprises information obtained by encrypting the login token based on a user public key of the client, and the third signature information comprises information obtained by signing the encrypted token information based on a system private key of the server.
Step S307: if the third signature information is verified to be legal based on the system public key of the server, decrypting the encrypted token information based on the user private key of the client to obtain and store the login token.
In practical application, in order to protect the security of the login token, the server may further encrypt the login token based on the user public key of the client to obtain the encrypted token information, sign the encrypted token information based on the system private key of the server to obtain the third signature information, and combine the encrypted token information and its third signature information into the target token information sent to the client. Correspondingly, the client decrypts the encrypted token information based on its user private key only after the third signature information has been verified to be legal based on the system public key of the server, and thereby obtains and stores the login token. It is understood that if the user private key of the client used by the client does not match the user public key of the client used by the server, and/or the system public key of the server used by the client does not match the system private key of the server used by the server, the client cannot acquire the login token from the server and the account login process cannot be completed, so that the security of the user login process is ensured.
In a specific application scenario, the client can acquire the identification information of the server in the process of acquiring the system public key of the server; acquire a key base generated in advance by the server, wherein the key base comprises a key generation matrix of 8*8; generate the identification public key of the server based on the identification information of the server and the public key base in the key base; acquire the extended public key of the server; and combine the identification public key of the server and the extended public key of the server to generate the system public key of the server. That is, in the present application, the public key of the server or the client may be generated by combining an identification public key with an extended public key, and the private key of the server or the client may be generated by combining an identification private key with an extended private key. In short, a key in the present application may be generated by combining an identification key with an extended key: for example, the identification key and the extended private key are spliced together to obtain the final key, or the identification key and the extended private key are XORed to obtain the final key. The identification key is generated based on the identification information and the key base, and the extended private key may be generated based on the SM2 algorithm. In addition, since the key base in the present application is a key generation matrix of 8*8, on the one hand the identification key can be generated quickly by means of the 8*8 key generation matrix, and on the other hand the diversity of the finally generated user key is ensured by combining the identification key with the extended key.
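The following Go program is an added illustration of the key base described above; it is example code written for this page, not code from the patent or its assignee. It models the 8*8 key generation matrix as a private matrix of scalars with a matching matrix of public points (the public key base), derives an identification key pair from identification information, and combines it with an extended key. Assumptions: P-256 stands in for SM2; the column selection rule (byte i of SHA-256 over the identification information, reduced mod 8) and the combination by scalar addition mod n are this example's choices, since the patent only names splicing and XOR.

```go
package main

import (
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// curve stands in for the SM2 curve the patent mentions (assumption of this example).
var curve = elliptic.P256()

// KeyBase is the 8*8 key generation matrix: a private matrix of scalars kept by the
// server, and the matching matrix of public points, the "public key base".
type KeyBase struct {
	Priv       [8][8]*big.Int // server secret: never leaves the server
	PubX, PubY [8][8]*big.Int // public key base: may be handed to clients
}

// NewKeyBase generates a fresh key base (64 random scalars and their points).
func NewKeyBase() (*KeyBase, error) {
	kb := &KeyBase{}
	for i := 0; i < 8; i++ {
		for j := 0; j < 8; j++ {
			d, x, y, err := elliptic.GenerateKey(curve, rand.Reader)
			if err != nil {
				return nil, err
			}
			kb.Priv[i][j] = new(big.Int).SetBytes(d)
			kb.PubX[i][j], kb.PubY[i][j] = x, y
		}
	}
	return kb, nil
}

// selectors maps identification information to one column per row. The rule used here
// (byte i of SHA-256(id), reduced mod 8) is an assumption; the patent states only that
// the identification key is derived from the identification information and the key base.
func selectors(id string) [8]int {
	h := sha256.Sum256([]byte(id))
	var sel [8]int
	for i := range sel {
		sel[i] = int(h[i] % 8)
	}
	return sel
}

// IdentPrivate is the server-side derivation: the sum mod n of the selected scalars.
func (kb *KeyBase) IdentPrivate(id string) *big.Int {
	sum := new(big.Int)
	for i, j := range selectors(id) {
		sum.Add(sum, kb.Priv[i][j])
	}
	return sum.Mod(sum, curve.Params().N)
}

// IdentPublic is the matching public key: the sum of the selected public points.
// Anyone holding the public key base can compute it from the id alone, which is how
// the client builds the server's identification public key in claim 3.
func (kb *KeyBase) IdentPublic(id string) (x, y *big.Int) {
	for i, j := range selectors(id) {
		if x == nil {
			x, y = kb.PubX[i][j], kb.PubY[i][j]
		} else {
			x, y = curve.Add(x, y, kb.PubX[i][j], kb.PubY[i][j])
		}
	}
	return x, y
}

// Combine merges an identification private key with an extended private key. The patent
// leaves the combination open (splicing and XOR are its examples); scalar addition mod n is
// this example's choice, so the combined private key still matches the point-added public key.
func Combine(identPriv, extPriv *big.Int) *big.Int {
	s := new(big.Int).Add(identPriv, extPriv)
	return s.Mod(s, curve.Params().N)
}

// CombinePublic is the public-side counterpart of Combine.
func CombinePublic(ix, iy, ex, ey *big.Int) (*big.Int, *big.Int) {
	return curve.Add(ix, iy, ex, ey)
}

// Matches reports whether priv*G equals (x, y): the consistency check a client should
// run on received key material before storing it.
func Matches(priv, x, y *big.Int) bool {
	px, py := curve.ScalarBaseMult(priv.Bytes())
	return px.Cmp(x) == 0 && py.Cmp(y) == 0
}

func main() {
	kb, err := NewKeyBase()
	if err != nil {
		panic(err)
	}
	id := "server-01" // constructed identification information
	x, y := kb.IdentPublic(id)
	fmt.Println("identification key pair consistent:", Matches(kb.IdentPrivate(id), x, y))
}
```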
In a specific application scenario, after the state of the user account has been marked as logged in, a logout flow of the user account and the like can be executed. In this process, in order to prevent an attacker from maliciously logging out the user account, an account logout request can be acquired; the account logout request is encrypted based on the system public key of the server to obtain a fourth encryption result; the fourth encryption result is signed based on the user private key of the client to obtain fourth signature information; and the fourth encryption result and the fourth signature information are transmitted to the server, so that the server, after verifying that the fourth signature information is legal based on the user public key of the client, decrypts based on its system private key to obtain the account logout request and logs out the corresponding user account. That is, the server logs out the user account only after verifying that the fourth signature is legal and successfully decrypting the account logout request, so that the security of the user account is ensured.
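The login exchange of steps S306 and S307 and the logout flow just described, as an added example (written for this page, not code from the patent): both directions follow the same rule, encrypt to the receiver's public key, sign the ciphertext with the sender's private key, and on receipt verify the signature before decrypting. Assumptions: RSA-OAEP and RSA-PSS stand in for SM2, the combined user key is modelled as a single RSA key pair, and the request format `login:<user id>`, the user `alice` and the token encoding are constructed for the example; the client side of logout is `Seal` applied to the token.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is the unit sent in both directions: an encryption result plus a signature over it.
type Envelope struct{ Ciphertext, Signature []byte }

// Seal encrypts msg to recvPub, then signs the ciphertext with sendPriv. RSA-OAEP and
// RSA-PSS stand in for the SM2 operations the patent names (an assumption of this example).
func Seal(msg []byte, recvPub *rsa.PublicKey, sendPriv *rsa.PrivateKey) (Envelope, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recvPub, msg, nil)
	if err != nil {
		return Envelope{}, err
	}
	d := sha256.Sum256(ct)
	sig, err := rsa.SignPSS(rand.Reader, sendPriv, crypto.SHA256, d[:], nil)
	return Envelope{ct, sig}, err
}

// Open verifies the signature under sendPub first; only then is the ciphertext decrypted,
// so an envelope signed with the wrong key is rejected without recvPriv ever being used.
func Open(env Envelope, sendPub *rsa.PublicKey, recvPriv *rsa.PrivateKey) ([]byte, error) {
	d := sha256.Sum256(env.Ciphertext)
	if err := rsa.VerifyPSS(sendPub, crypto.SHA256, d[:], env.Signature, nil); err != nil {
		return nil, fmt.Errorf("signature invalid, request rejected: %w", err)
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, recvPriv, env.Ciphertext, nil)
}

// Server holds the system key pair, the registered user public keys and the issued tokens.
type Server struct {
	SystemKey *rsa.PrivateKey
	Users     map[string]*rsa.PublicKey // user id -> user public key
	Tokens    map[string]string         // login token -> user id
}

// Login verifies the second signature with the user public key, decrypts the third encryption
// result with the system private key, and returns the token encrypted to the user public key.
func (s *Server) Login(userID string, env Envelope) (Envelope, error) {
	userPub, ok := s.Users[userID]
	if !ok {
		return Envelope{}, fmt.Errorf("unknown user %q", userID)
	}
	info, err := Open(env, userPub, s.SystemKey)
	if err != nil || string(info) != "login:"+userID { // constructed request format
		return Envelope{}, fmt.Errorf("login rejected for %q", userID)
	}
	raw := make([]byte, 16)
	rand.Read(raw) // crypto/rand.Read does not fail on supported platforms
	token := fmt.Sprintf("%x", raw)
	s.Tokens[token] = userID
	return Seal([]byte(token), userPub, s.SystemKey)
}

// Logout: the account is logged out only after the fourth signature verifies and decryption succeeds.
func (s *Server) Logout(userID string, env Envelope) error {
	userPub, ok := s.Users[userID]
	if !ok {
		return fmt.Errorf("unknown user %q", userID)
	}
	req, err := Open(env, userPub, s.SystemKey)
	if err != nil {
		return err
	}
	if s.Tokens[string(req)] != userID {
		return fmt.Errorf("token not issued to %q", userID)
	}
	delete(s.Tokens, string(req))
	return nil
}

// ClientLogin builds the login request and recovers the token as in S307: verify the third
// signature with the system public key, then decrypt the token with the user private key.
func ClientLogin(s *Server, userID string, userKey *rsa.PrivateKey, sysPub *rsa.PublicKey) (string, error) {
	env, err := Seal([]byte("login:"+userID), sysPub, userKey)
	if err != nil {
		return "", err
	}
	resp, err := s.Login(userID, env)
	if err != nil {
		return "", err
	}
	tok, err := Open(resp, sysPub, userKey)
	return string(tok), err
}

func main() {
	sysKey, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed demo keys
	userKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	s := &Server{SystemKey: sysKey, Users: map[string]*rsa.PublicKey{"alice": &userKey.PublicKey}, Tokens: map[string]string{}}
	token, err := ClientLogin(s, "alice", userKey, &sysKey.PublicKey)
	fmt.Println("login ok:", err == nil, "token registered:", s.Tokens[token] == "alice")
}
```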
Referring to fig. 4, fig. 4 is a schematic structural diagram of an account management system according to an embodiment of the present disclosure.
The account management system provided by the embodiment of the application is applied to a client, and can include:
a first determining module 11, configured to determine whether a user key is stored; if the user key is not stored, marking the state of the user account as the lack of the key, and acquiring the user key for storage;
the second judging module 12 is configured to judge whether the user account is logged in if the user key is stored; if the user account is not logged in, marking the state of the user account as not logged in, and logging in the account based on the user key;
and the third judging module 13 is configured to mark the state of the user account as logged in if the user account is logged in.
The account management system provided by the embodiment of the application is applied to a client, and a user key comprises an expansion key of the client and an identification key of the client;
the first determining module may be specifically configured to: acquire a system public key of the server; acquire user identification information; generate a first symmetric key, and encrypt the first symmetric key based on the system public key of the server to obtain a target encryption key; transmit the user identification information and the target encryption key to the server so that the server decrypts, based on its system private key, to obtain the first symmetric key; receive target data sent by the server, wherein the target data comprises a data set and first signature information of the data set generated based on the system private key of the server, the data set comprises an extended key of the client and a first encryption result obtained by encrypting a generated identification key of the client based on the first symmetric key, and the identification key of the client is generated based on the user identification information and a key base; and verify the target data based on the system public key of the server and, if the verification succeeds, obtain the extended key of the client and decrypt the first encryption result based on the first symmetric key to obtain the identification key of the client; wherein the key base comprises a key generation matrix of 8*8.
The account management system provided by the embodiment of the application is applied to a client, and the user identification information comprises a user mobile phone number; the method can also comprise the following steps:
the first transmission module is used for transmitting the user mobile phone number and a short message verification request to the server, before the first determining module transmits the user identification information and the target encryption key to the server, so that the server transmits a short message verification code to the user mobile phone number;
the first acquisition module is used for acquiring a target short message verification code;
and the second transmission module is used for transmitting the target short message verification code to the server, after the first determining module transmits the user identification information and the target encryption key to the server, so that the server sends the target data only after verifying that the target short message verification code is correct.
The account management system provided by the embodiment of the application is applied to a client, and the first determining module may be specifically configured to: directly storing the expanded key of the client; acquiring a target secret password; generating a second symmetric key based on the target secret password; and encrypting the identification key of the client based on the second symmetric key to obtain a second encryption result and storing the second encryption result.
The account management system provided by the embodiment of the application is applied to a client, and an extended key of the client comprises an extended private key of the client and an extended public key of the client; the identification key of the client comprises an identification public key of the client and an identification private key of the client;
the second determination module may be specifically configured to: combine the expansion private key of the client and the identification private key of the client to generate a user private key of the client; acquire account login information; encrypt the account login information based on the system public key of the server to obtain a third encryption result; sign the third encryption result based on the user private key of the client to obtain second signature information; transmit the third encryption result and the second signature information to the server, so that the server, after verifying that the second signature information is legal based on the user public key of the client, obtains the account login information by decrypting based on its system private key and generates a login token corresponding to the account login information, wherein the user public key of the client is generated by combining the extension public key of the client with the identification public key of the client; receive target token information sent by the server, wherein the target token information comprises encrypted token information and third signature information of the encrypted token information, the encrypted token information comprises information obtained by encrypting the login token based on the user public key of the client, and the third signature information comprises information obtained by signing the encrypted token information based on the system private key of the server; and, if the third signature information is verified to be legal based on the system public key of the server, decrypt the encrypted token information based on the user private key of the client to obtain and store the login token.
The account management system provided by the embodiment of the application is applied to a client, and the second judging module can be specifically used for: acquiring identification information of a server; acquiring a key base generated in advance by a server, wherein the key base comprises a key generation matrix of 8*8; generating an identification public key of the server based on the identification information of the server and a public key base in the key base; acquiring an extended public key of a server; and combining the identification public key of the server and the extension public key of the server to generate a system public key of the server.
The account management system provided by the embodiment of the application is applied to a client, and the third judging module can be used for: after the state of the user account is marked as logged in, acquiring an account logout request; encrypting the account logout request based on the system public key of the server to obtain a fourth encryption result; signing the fourth encryption result based on the user private key of the client to obtain fourth signature information; and transmitting the fourth encryption result and the fourth signature information to the server so that the server, after verifying that the fourth signature information is legal based on the user public key of the client, decrypts based on its system private key to obtain the account logout request and logs out the corresponding user account.
The application also provides account management equipment and a computer readable storage medium, which have corresponding effects of the account management method provided by the embodiment of the application. Referring to fig. 5, fig. 5 is a schematic structural diagram of an account management device according to an embodiment of the present application.
The account management device provided in the embodiment of the present application includes a memory 201 and a processor 202, where the memory 201 stores a computer program, and the processor 202 implements the steps of the account management method described in any of the above embodiments when executing the computer program.
Referring to fig. 6, another account management device provided in the embodiment of the present application may further include: an input port 203 connected to the processor 202, for transmitting externally input commands to the processor 202; a display unit 204 connected to the processor 202, for displaying the processing result of the processor 202 to the outside; and a communication module 205 connected to the processor 202, for realizing communication between the account management device and the outside world. The display unit 204 may be a display panel, a laser scanning display, or the like; the communication methods adopted by the communication module 205 include, but are not limited to, Mobile High-Definition Link (MHL), Universal Serial Bus (USB), High Definition Multimedia Interface (HDMI), and wireless connections: wireless fidelity technology (WiFi), Bluetooth communication technology, Bluetooth Low Energy communication technology, and IEEE 802.11s based communication technology.
The computer-readable storage medium provided in the embodiments of the present application stores a computer program, and when the computer program is executed by a processor, the steps of the account management method described in any of the above embodiments are implemented.
The computer-readable storage media to which this application relates include Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disks, removable disks, CD-ROMs, or any other form of storage medium known in the art.
For a description of a relevant part in the account management system, the device, and the computer-readable storage medium provided in the embodiments of the present application, reference is made to detailed descriptions of a corresponding part in the account management method provided in the embodiments of the present application, and details are not repeated here. In addition, parts of the above technical solutions provided in the embodiments of the present application, which are consistent with the implementation principles of corresponding technical solutions in the prior art, are not described in detail so as to avoid redundant description.
It is further noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a … …" does not exclude the presence of another identical element in a process, method, article, or apparatus that comprises the element.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (7)

1. An account management method is applied to a client and comprises the following steps:
judging whether a user key is stored or not;
if the user key is not stored, marking the state of the user account as the lack of the key, and acquiring the user key for storage;
if the user key is stored, judging whether the user account is logged in;
if the user account is not logged in, marking the state of the user account as not logged in, and logging in the account based on the user key;
if the user account is logged in, marking the state of the user account as logged in;
the user key comprises an expansion key of the client and an identification key of the client;
the acquiring the user key comprises:
acquiring a system public key of a server;
acquiring user identification information;
generating a first symmetric key, and encrypting the first symmetric key based on a system public key of the server to obtain a target encryption key;
transmitting the user identification information and the target encryption key to the server so that the server decrypts the user identification information and the target encryption key based on a system private key of the server to obtain the first symmetric key;
receiving target data sent by the server, wherein the target data comprises a data set and first signature information of the data set generated based on a system private key of the server, the data set comprises an extended key of the client and a first encryption result obtained by encrypting a generated identification key of the client based on the first symmetric key, and the identification key of the client is generated based on the user identification information and a key base;
verifying the target data based on the system public key of the server, if the verification is successful, obtaining an extended key of the client, and decrypting the first encryption result based on the first symmetric key to obtain an identification key of the client;
wherein the key base comprises a key generation matrix of 8*8;
wherein saving the user key comprises: directly storing the expansion key of the client; acquiring a target secret password; generating a second symmetric key based on the target secret password; encrypting the identification key of the client based on the second symmetric key to obtain and store a second encryption result;
the client-side expanded key comprises an expanded private key of the client-side and an expanded public key of the client-side; the identification key of the client comprises an identification public key of the client and an identification private key of the client;
the account login based on the user key comprises the following steps: combining the expansion private key of the client and the identification private key of the client to generate a user private key of the client; acquiring account login information; encrypting the account login information based on the system public key of the server to obtain a third encryption result; signing the third encryption result based on a user private key of the client to obtain second signature information; transmitting the third encryption result and the second signature information to the server, so that the server obtains the account login information by decrypting the second signature information based on a system private key of the server after verifying that the second signature information is legal based on a user public key of the client, and generates a login token corresponding to the account login information; the user public key of the client is generated based on the combination of the extension public key of the client and the identification public key of the client; receiving target token information sent by the server, wherein the target token information comprises encrypted token information and third signature information of the encrypted token information, the encrypted token information comprises information obtained by encrypting the login token based on a user public key of the client, and the third signature information comprises information obtained by signing the encrypted token based on a system private key of the server; and if the third signature information is verified to be legal based on the system public key of the server, decrypting the encrypted token information based on the user private key of the client to obtain and store the login token.
2. The method of claim 1, wherein the user identification information comprises a user phone number;
before the transmitting the user identification information and the target encryption key to the server, the method further includes:
transmitting the user mobile phone number and a short message verification request to the server so that the server transmits a short message verification code to the user mobile phone number;
acquiring a target short message verification code;
after the transmitting the user identification information and the target encryption key to the server, the method further includes:
and transmitting the target short message verification code to the server so that the server sends the target data after verifying that the target short message verification code is correct.
3. The method of claim 1, wherein obtaining the system public key of the server comprises:
acquiring identification information of the server;
acquiring the key base generated in advance by the server, wherein the key base comprises a key generation matrix of 8*8;
generating an identification public key of the server based on the identification information of the server and a public key base in the key base;
acquiring an extended public key of the server;
and combining the identification public key of the server and the extended public key of the server to generate a system public key of the server.
4. The method of claim 1, wherein after the marking the status of the user account as logged in, further comprising:
acquiring an account logout request;
encrypting the account logout request based on the system public key of the server to obtain a fourth encryption result;
signing the fourth encryption result based on a user private key of the client to obtain fourth signature information;
and transmitting the fourth encryption result and the fourth signature information to the server, so that the server, after verifying that the fourth signature information is legal based on the user public key of the client, obtains the account logout request by decrypting based on the system private key of the server and logs out the corresponding user account.
5. An account management system, applied to a client, includes:
the first judgment module is used for judging whether a user key is stored or not; if the user key is not stored, marking the state of the user account as the lack of the key, and acquiring the user key for storage;
the second judgment module is used for judging whether the user account is logged in or not if the user key is stored; if the user account is not logged in, marking the state of the user account as not logged in, and logging in the account based on the user key;
the third judgment module is used for marking the state of the user account as logged in if the user account is logged in;
the user key comprises an expansion key of the client and an identification key of the client;
the first judging module is specifically configured to: acquiring a system public key of a server; acquiring user identification information; generating a first symmetric key, and encrypting the first symmetric key based on a system public key of the server to obtain a target encryption key; transmitting the user identification information and the target encryption key to the server so that the server decrypts the user identification information and the target encryption key based on a system private key of the server to obtain the first symmetric key; receiving target data sent by the server, wherein the target data comprises a data set and first signature information of the data set generated based on a system private key of the server, the data set comprises an extended key of the client and a first encryption result obtained by encrypting a generated identification key of the client based on the first symmetric key, and the identification key of the client is generated based on the user identification information and a key base; verifying the target data based on the system public key of the server, if the verification is successful, obtaining an extended key of the client, and decrypting the first encryption result based on the first symmetric key to obtain an identification key of the client; wherein the key base comprises a key generation matrix of 8*8;
the first judging module is specifically configured to: directly storing the expansion key of the client; acquiring a target secret password; generating a second symmetric key based on the target secret password; encrypting the identification key of the client based on the second symmetric key to obtain and store a second encryption result;
the client-side expanded key comprises an expanded private key of the client-side and an expanded public key of the client-side; the identification key of the client comprises an identification public key of the client and an identification private key of the client;
the second judgment module is specifically configured to: combining the expansion private key of the client and the identification private key of the client to generate a user private key of the client; acquiring account login information; encrypting the account login information based on the system public key of the server to obtain a third encryption result; signing the third encryption result based on a user private key of the client to obtain second signature information; transmitting the third encryption result and the second signature information to the server, so that the server obtains the account login information by decrypting the second signature information based on a system private key of the server after verifying that the second signature information is legal based on a user public key of the client, and generates a login token corresponding to the account login information; the user public key of the client is generated based on the combination of the extension public key of the client and the identification public key of the client; receiving target token information sent by the server, wherein the target token information comprises encrypted token information and third signature information of the encrypted token information, the encrypted token information comprises information obtained by encrypting the login token based on a user public key of the client, and the third signature information comprises information obtained by signing the encrypted token based on a system private key of the server; and if the third signature information is verified to be legal based on the system public key of the server, decrypting the encrypted token information based on the user private key of the client to obtain the login token and storing the login token.
6. An account management device, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the account management method of any one of claims 1 to 4 when executing the computer program.
7. A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, carries out the steps of the account management method according to any one of claims 1 to 4.
CN202111645839.7A 2021-12-29 2021-12-29 Account management method, system, equipment and computer readable storage medium Active CN114297597B (en)
Publications (2)

Publication Number Publication Date
CN114297597A CN114297597A (en) 2022-04-08
CN114297597B true CN114297597B (en) 2023-03-24
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant