CN114501441A - User authentication method and device - Google Patents
User authentication method and device Download PDFInfo
- Publication number
- CN114501441A CN114501441A CN202011154556.8A CN202011154556A CN114501441A CN 114501441 A CN114501441 A CN 114501441A CN 202011154556 A CN202011154556 A CN 202011154556A CN 114501441 A CN114501441 A CN 114501441A
- Authority
- CN
- China
- Prior art keywords
- terminal
- private
- sent
- authentication
- equipment
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 70
- 238000004422 calculation algorithm Methods 0.000 claims description 32
- 238000004364 calculation method Methods 0.000 claims description 14
- 238000005336 cracking Methods 0.000 abstract 1
- 230000008569 process Effects 0.000 description 22
- 230000006870 function Effects 0.000 description 18
- 238000010586 diagram Methods 0.000 description 8
- 230000000694 effects Effects 0.000 description 4
- 238000012545 processing Methods 0.000 description 4
- 238000004590 computer program Methods 0.000 description 3
- 230000008878 coupling Effects 0.000 description 3
- 238000010168 coupling process Methods 0.000 description 3
- 238000005859 coupling reaction Methods 0.000 description 3
- 230000003993 interaction Effects 0.000 description 3
- 230000005540 biological transmission Effects 0.000 description 2
- 238000004891 communication Methods 0.000 description 2
- 238000009434 installation Methods 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 238000003491 array Methods 0.000 description 1
- 230000001010 compromised effect Effects 0.000 description 1
- 238000010276 construction Methods 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 230000002093 peripheral effect Effects 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
- 230000001960 triggered effect Effects 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0643—Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W8/00—Network data management
- H04W8/22—Processing or transfer of terminal data, e.g. status or physical capabilities
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Power Engineering (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Databases & Information Systems (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
Description
技术领域technical field
本发明涉及网络安全及认证技术领域,具体而言,本发明涉及一种用户认证方法及设备。The present invention relates to the technical field of network security and authentication, and in particular, the present invention relates to a user authentication method and device.
背景技术Background technique
随着网络的迅速发展,网络安全问题越来越受到重视,例如,通过计算机设备上的客户端、接入点设备(Network Access Server,NAS)、认证授权计费(AuthenticationAuthorization Accounting,AAA)服务器相互配合实现对接入相应网络的计算机设备进行准入控制。RADIUS(Remote Authentication Dial In User Service)是一种客户端/服务器结构的远程用户拨号认证服务协议,其目的是为拨号用户进行认证、授权和计费(AAA),任何运行NAS软件的计算机设备都可以成为RADIUS的客户端。With the rapid development of the network, more and more attention has been paid to network security issues. It cooperates to realize the admission control of the computer equipment connected to the corresponding network. RADIUS (Remote Authentication Dial In User Service) is a remote user dial-in authentication service protocol with a client/server structure. Its purpose is to authenticate, authorize and account for dial-up users (AAA). Any computer equipment running NAS software can Can be a RADIUS client.
目前的一种用户认证方法包括以下步骤:RADIUS服务器将用户名和密码以明文形式存储在RADIUS服务器的配置文件或数据库中,当用户想要使用某一服务时,可以登录该服务的客户端,在登录时会触发该客户端向对应的接入点设备发送接入请求,当该接入点设备接收到该接入请求时,向RADIUS服务器发送认证请求,该认证请求携带用户标识和密码,RADIUS服务器根据该认证请求中携带的用户标识,从本地配置文件或数据库中获取相应的密码,并将该密码与认证请求中携带的密码进行对比。当该密码与认证请求中携带的密码一致时,则RADIUS服务器向该接入点设备发送认证通过通知,当该密码与认证请求中携带的密码不一致时,则RADIUS服务器向该接入点设备发送认证未通过通知。A current user authentication method includes the following steps: the RADIUS server stores the user name and password in clear text in the configuration file or database of the RADIUS server, when a user wants to use a service, he can log in to the client of the service, and then When logging in, the client will be triggered to send an access request to the corresponding access point device. When the access point device receives the access request, it will send an authentication request to the RADIUS server. The authentication request carries the user ID and password. RADIUS The server obtains the corresponding password from the local configuration file or database according to the user ID carried in the authentication request, and compares the password with the password carried in the authentication request. When the password is consistent with the password carried in the authentication request, the RADIUS server sends an authentication pass notification to the access point device; when the password is inconsistent with the password carried in the authentication request, the RADIUS server sends a notification to the access point device Certification failed notification.
以上认证方法中,由于RADIUS服务器中所存储的密码是明文形式,因此,密码容易暴露,且一旦该用户标识和密码暴露,其他用户在任何一台计算机设备上都可以使用该密码登录该客户端,造成该用户的信息泄露,对网络安全造成极大的威胁。单纯的仅依用户标识和密码方式进行认证,存在着较大的安全隐患。In the above authentication method, since the password stored in the RADIUS server is in plain text, the password is easily exposed, and once the user ID and password are exposed, other users can use the password to log in to the client on any computer device. , resulting in the leakage of the user's information, posing a great threat to network security. Simply relying on the user ID and password for authentication, there is a greater security risk.
另外,某些应用场景下的用户认证还有其他一些需求需要满足。例如,目前,汽车使用定制的车钥匙进行认证和管理。但在共享汽车或租车场景中,通常不可能为每个客户分配特定的钥匙,从而限制了客户只能在特定位置租车并归还汽车,这会带来了很多不便。In addition, there are other requirements that need to be met for user authentication in some application scenarios. For example, currently, cars are authenticated and managed using customized car keys. But in car sharing or car rental scenarios, it is usually impossible to assign a specific key to each customer, thus restricting customers to only rent a car at a specific location and return the car, which brings a lot of inconvenience.
发明内容SUMMARY OF THE INVENTION
本发明实施例要解决的技术问题是提供一种用户认证方法及设备,提高用户认证的安全性和便捷性。The technical problem to be solved by the embodiments of the present invention is to provide a user authentication method and device to improve the security and convenience of user authentication.
为解决上述技术问题,本发明实施例提供的一种用户认证方法,包括:In order to solve the above technical problems, a user authentication method provided by an embodiment of the present invention includes:
接收终端发送的认证请求,所述认证请求携带有所述终端的设备因子和私有标识;receiving an authentication request sent by a terminal, where the authentication request carries the device factor and private identifier of the terminal;
查找本地保存所述终端的设备标识和私有标识;Find the device identity and private identity of the terminal locally stored;
根据本地保存的所述终端的设备标识和私有标识,是否与所述终端发送的设备标识和基于所述终端发送的设备因子计算得到的私有标识相匹配,对所述终端进行认证,并获得认证结果;According to whether the locally stored device identifier and private identifier of the terminal match the device identifier sent by the terminal and the private identifier calculated based on the device factor sent by the terminal, the terminal is authenticated, and the authentication is obtained. result;
向所述终端发送所述认证结果。Send the authentication result to the terminal.
可选的,在本地保存的所述终端的设备标识和私有标识,分别与所述终端发送的设备标识和基于所述终端发送的设备因子计算得到的私有标识相匹配时,得到所述终端认证通过的认证结果,否则,得到所述终端认证失败的认证结果。Optionally, when the locally stored device identifier and private identifier of the terminal match the device identifier sent by the terminal and the private identifier calculated based on the device factor sent by the terminal, the terminal authentication is obtained. If the authentication result is passed, otherwise, the authentication result of the terminal authentication failure is obtained.
可选的,所述根据本地保存的所述终端的设备标识和私有标识,是否与所述终端发送的设备标识和基于所述终端发送的设备因子计算得到的私有标识相匹配,对所述终端进行认证,包括:Optionally, according to whether the locally stored device identifier and private identifier of the terminal match the device identifier sent by the terminal and the private identifier calculated based on the device factor sent by the terminal, the terminal is Authenticate, including:
判断本地保存的私有标识与所述终端发送的私有标识是否相同:若不同,则得到所述终端认证失败的认证结果;若相同,则根据所述终端的设备因子计算得到所述终端的设备标识;Determine whether the locally stored private identifier is the same as the private identifier sent by the terminal: if they are different, obtain the authentication result of the terminal authentication failure; if they are the same, calculate the device identifier of the terminal according to the device factor of the terminal ;
判断本地保存的设备标识与计算得到的所述终端的设备标识是否相同:若不同,则得到所述终端认证失败的认证结果;若相同,则得到所述终端认证通过的认证结果。It is judged whether the locally stored device identification is the same as the calculated device identification of the terminal: if they are different, the authentication result of the terminal authentication failure is obtained; if they are the same, the authentication result of the terminal authentication is obtained.
可选的,在接收终端发送的设备因子和私有标识之前,所述方法还包括:Optionally, before receiving the device factor and private identifier sent by the terminal, the method further includes:
接收所述终端发送的携带有所述终端的设备因子的注册请求;receiving a registration request sent by the terminal and carrying the device factor of the terminal;
根据所述终端发送的设备因子,计算得到所述终端的私有标识及设备标识,将所生成的所述终端的私有标识发送给所述终端,以及,建立所述终端的用户身份与所述终端的私有标识及设备标识之间的对应关系,并保存在本地。According to the device factor sent by the terminal, the private identifier and device identifier of the terminal are obtained by calculation, the generated private identifier of the terminal is sent to the terminal, and the user identity of the terminal and the terminal are established. The corresponding relationship between the private ID and the device ID is stored locally.
可选的,所述根据所述终端发送的设备因子,计算得到所述终端的私有标识及设备标识,包括:Optionally, calculating and obtaining the private identifier and device identifier of the terminal according to the device factor sent by the terminal, including:
利用第一加密算法,对所述终端发送的设备因子和第一预设参数进行计算,得到所述终端的私有标识;Using the first encryption algorithm, the device factor and the first preset parameter sent by the terminal are calculated to obtain the private identifier of the terminal;
利用第二加密算法,对所述终端发送的设备因子和第二预设参数进行计算,得到所述终端的设备标识;Using the second encryption algorithm, the device factor and the second preset parameter sent by the terminal are calculated to obtain the device identifier of the terminal;
其中,所述第一加密算法不同于第二加密算法,和/或,所述第一预设参数不同于所述第二预设参数。Wherein, the first encryption algorithm is different from the second encryption algorithm, and/or the first preset parameter is different from the second preset parameter.
本发明实施例还提供了另一种用户认证方法,应用于终端,包括:The embodiment of the present invention also provides another user authentication method, which is applied to a terminal, including:
收集终端自身的设备因子和本地保存的私有标识,其中,所述私有标识是服务器基于所述终端发送的设备因子计算得到并发送给所述终端的;Collect the device factor of the terminal itself and the private identifier stored locally, wherein the private identifier is calculated by the server based on the device factor sent by the terminal and sent to the terminal;
向服务器发送携带有所述终端的设备因子和私有标识的认证请求;sending an authentication request carrying the device factor and private identifier of the terminal to the server;
接收所述服务器返回的认证结果。Receive the authentication result returned by the server.
可选的,在收集终端自身的设备因子和本地保存的私有标识之前,所述方法还包括:Optionally, before collecting the device factor of the terminal itself and the private identifier stored locally, the method further includes:
收集终端自身的设备因子;Collect the device factor of the terminal itself;
向服务器发送携带有所述终端的设备因子的注册请求;sending a registration request carrying the device factor of the terminal to the server;
接收所述服务器发送的所述终端的私有标识并保存在终端本地。The private identifier of the terminal sent by the server is received and stored locally in the terminal.
本发明实施例还提供了一种服务器,包括:The embodiment of the present invention also provides a server, including:
第一接收模块,用于接收终端发送的认证请求,所述认证请求携带有所述终端的设备因子和私有标识;a first receiving module, configured to receive an authentication request sent by a terminal, where the authentication request carries the device factor and private identifier of the terminal;
查找模块,用于查找本地保存所述终端的设备标识和私有标识;a search module, used to search for the device identity and private identity of the terminal that are locally stored;
认证模块,用于根据本地保存的所述终端的设备标识和私有标识,是否与所述终端发送的设备标识和基于所述终端发送的设备因子计算得到的私有标识相匹配,对所述终端进行认证,并获得认证结果;The authentication module is configured to perform an authentication on the terminal according to whether the locally stored device identifier and private identifier of the terminal match the device identifier sent by the terminal and the private identifier calculated based on the device factor sent by the terminal. Certification, and obtain certification results;
第一发送模块,用于向所述终端发送所述认证结果。A first sending module, configured to send the authentication result to the terminal.
可选的,所述认证模块,还用于:Optionally, the authentication module is further used for:
判断本地保存的私有标识与所述终端发送的私有标识是否相同:若不同,则得到所述终端认证失败的认证结果;若相同,则根据所述终端的设备因子计算得到所述终端的设备标识;Determine whether the locally stored private identifier is the same as the private identifier sent by the terminal: if they are different, obtain the authentication result of the terminal authentication failure; if they are the same, calculate the device identifier of the terminal according to the device factor of the terminal ;
判断本地保存的设备标识与计算得到的所述终端的设备标识是否相同:若不同,则得到所述终端认证失败的认证结果;若相同,则得到所述终端认证通过的认证结果。It is judged whether the locally stored device identification is the same as the calculated device identification of the terminal: if they are different, the authentication result of the terminal authentication failure is obtained; if they are the same, the authentication result of the terminal authentication is obtained.
可选的,所述服务器还包括:Optionally, the server further includes:
第二接收模块,用于接收所述终端发送的携带有所述终端的设备因子的注册请求;a second receiving module, configured to receive a registration request sent by the terminal that carries the device factor of the terminal;
注册模块,用于根据所述终端发送的设备因子,计算得到所述终端的私有标识及设备标识,将所生成的所述终端的私有标识发送给所述终端,以及,建立所述终端的用户身份与所述终端的私有标识及设备标识之间的对应关系,并保存在本地。The registration module is configured to calculate and obtain the private identifier and device identifier of the terminal according to the device factor sent by the terminal, send the generated private identifier of the terminal to the terminal, and establish a user of the terminal The correspondence between the identity and the private identifier of the terminal and the device identifier is stored locally.
可选的,所述注册模块,还用于:Optionally, the registration module is further used for:
利用第一加密算法,对所述终端发送的设备因子和第一预设参数进行计算,得到所述终端的私有标识;Using the first encryption algorithm, the device factor and the first preset parameter sent by the terminal are calculated to obtain the private identifier of the terminal;
利用第二加密算法,对所述终端发送的设备因子和第二预设参数进行计算,得到所述终端的设备标识;Using the second encryption algorithm, the device factor and the second preset parameter sent by the terminal are calculated to obtain the device identifier of the terminal;
其中,所述第一加密算法不同于第二加密算法,和/或,所述第一预设参数不同于所述第二预设参数。Wherein, the first encryption algorithm is different from the second encryption algorithm, and/or the first preset parameter is different from the second preset parameter.
本发明实施例还提供了一种一种终端,其特征在于,包括:An embodiment of the present invention also provides a terminal, which is characterized by comprising:
第一收集模块,用于收集终端自身的设备因子和本地保存的私有标识,其中,所述私有标识是服务器基于所述终端发送的设备因子计算得到并发送给所述终端的;a first collection module, configured to collect the device factor of the terminal itself and the private identifier stored locally, wherein the private identifier is calculated by the server based on the device factor sent by the terminal and sent to the terminal;
第一发送模块,用于向服务器发送携带有所述终端的设备因子和私有标识的认证请求;a first sending module, configured to send an authentication request carrying the device factor and private identifier of the terminal to the server;
第一接收模块,用于接收所述服务器返回的认证结果。The first receiving module is configured to receive the authentication result returned by the server.
可选的,所述终端还包括:Optionally, the terminal further includes:
第二收集模块,用于收集终端自身的设备因子;The second collection module is used to collect the device factor of the terminal itself;
第二发送模块,用于向服务器发送携带有所述终端的设备因子的注册请求;a second sending module, configured to send a registration request carrying the device factor of the terminal to the server;
第二接收模块,用于接收所述服务器发送的所述终端的私有标识并保存在终端本地。The second receiving module is configured to receive the private identifier of the terminal sent by the server and store it locally in the terminal.
本发明实施例还提供了一种计算机可读存储介质,所述计算机可读存储介质上存储有计算机程序,所述计算机程序被处理器执行时实现如上所述的用户认证方法的步骤。Embodiments of the present invention further provide a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, implements the steps of the user authentication method described above.
与现有技术相比,本发明实施例提供的用户认证方法及设备,本于用户的终端实现独立的硬件设备安全认证,可以消除运营方关键信息泄露后对全部设备的影响,还可以降低用户身份泄露、设备硬件被破解或盗用的风险。本发明实施例同时采用了设备标识和私有标识进行用户认证,而这两种标识是通过不同计算方式得到的不同标识,且认证请求中仅携带私有标识,设备标识则需要服务器临时生成,然后与服务器本地的两种标识进行对应匹配。由于私有标识是在线生成并写入终端的APP中,可以防止用户身份信息泄露而带来的安全风险。Compared with the prior art, the user authentication method and device provided by the embodiments of the present invention realize independent hardware device security authentication on the user's terminal, which can eliminate the impact on all devices after the operator's key information is leaked, and can also reduce the risk of users. Risk of identity compromise, compromised or theft of device hardware. In this embodiment of the present invention, both the device identification and the private identification are used for user authentication, and these two identifications are different identifications obtained by different calculation methods, and only the private identification is carried in the authentication request, while the device identification needs to be temporarily generated by the server, and then combined with The two local identifiers of the server are matched accordingly. Since the private identifier is generated online and written into the terminal's APP, it can prevent the security risk caused by the leakage of user identity information.
附图说明Description of drawings
为了更清楚地说明本发明实施例的技术方案,下面将对本发明实施例的描述中所需要使用的附图作简单地介绍,显而易见地,下面描述中的附图仅仅是本发明的一些实施例,对于本领域普通技术人员来讲,在不付出创造性劳动的前提下,还可以根据这些附图获得其他的附图。In order to illustrate the technical solutions of the embodiments of the present invention more clearly, the following briefly introduces the drawings that are used in the description of the embodiments of the present invention. Obviously, the drawings in the following description are only some embodiments of the present invention. , for those of ordinary skill in the art, other drawings can also be obtained based on these drawings without any creative effort.
图1为本发明实施例提供的用户认证方法的应用系统示意图;1 is a schematic diagram of an application system of a user authentication method provided by an embodiment of the present invention;
图2为本发明实施例提供的用户认证方法的一种流程示意图;2 is a schematic flowchart of a user authentication method provided by an embodiment of the present invention;
图3为本发明实施例提供的用户认证方法的另一种流程示意图;3 is another schematic flowchart of a user authentication method provided by an embodiment of the present invention;
图4为本发明实施例提供的用户认证方法的一种示例图;FIG. 4 is an exemplary diagram of a user authentication method provided by an embodiment of the present invention;
图5为本发明实施例提供的服务器的一种结构示意图;FIG. 5 is a schematic structural diagram of a server provided by an embodiment of the present invention;
图6为本发明实施例提供的服务器的另一结构示意图;6 is another schematic structural diagram of a server provided by an embodiment of the present invention;
图7为本发明实施例提供的终端的一种结构示意图;FIG. 7 is a schematic structural diagram of a terminal provided by an embodiment of the present invention;
图8为本发明实施例提供的终端的另一结构示意图。FIG. 8 is another schematic structural diagram of a terminal provided by an embodiment of the present invention.
具体实施方式Detailed ways
为使本发明要解决的技术问题、技术方案和优点更加清楚,下面将结合附图及具体实施例进行详细描述。在下面的描述中,提供诸如具体的配置和组件的特定细节仅仅是为了帮助全面理解本发明的实施例。因此,本领域技术人员应该清楚,可以对这里描述的实施例进行各种改变和修改而不脱离本发明的范围和精神。另外,为了清楚和简洁,省略了对已知功能和构造的描述。In order to make the technical problems, technical solutions and advantages to be solved by the present invention clearer, detailed description will be given below with reference to the accompanying drawings and specific embodiments. In the following description, specific details such as specific configurations and components are provided merely to assist in a comprehensive understanding of embodiments of the present invention. Accordingly, it should be apparent to those skilled in the art that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the invention. Also, descriptions of well-known functions and constructions are omitted for clarity and conciseness.
应理解,说明书通篇中提到的“一个实施例”或“一实施例”意味着与实施例有关的特定特征、结构或特性包括在本发明的至少一个实施例中。因此,在整个说明书各处出现的“在一个实施例中”或“在一实施例中”未必一定指相同的实施例。此外,这些特定的特征、结构或特性可以任意适合的方式结合在一个或多个实施例中。It is to be understood that reference throughout the specification to "one embodiment" or "an embodiment" means that a particular feature, structure or characteristic associated with the embodiment is included in at least one embodiment of the present invention. Thus, appearances of "in one embodiment" or "in an embodiment" in various places throughout this specification are not necessarily necessarily referring to the same embodiment. Furthermore, the particular features, structures or characteristics may be combined in any suitable manner in one or more embodiments.
在本发明的各种实施例中,应理解,下述各过程的序号的大小并不意味着执行顺序的先后,各过程的执行顺序应以其功能和内在逻辑确定,而不应对本发明实施例的实施过程构成任何限定。In various embodiments of the present invention, it should be understood that the size of the sequence numbers of the following processes does not mean the sequence of execution, and the execution sequence of each process should be determined by its functions and internal logic, rather than the implementation of the present invention The implementation of the examples constitutes no limitation.
如背景技术所述的,现有技术的一些用户认证方法存在着安全性较差的问题,另外,在租车等应用场景中希望提供一种不依赖车钥匙的独立认证方案。为解决以上问题中的至少一种,本发明实施例提供了一种用户认证方法,可以通过用户的终端,如智能手机、平板电脑(PAD)等设备实现用户的认证过程,从而可以摆脱对车钥匙的依赖,并能够提高用户认证的安全性。As described in the background art, some user authentication methods in the prior art have the problem of poor security. In addition, in application scenarios such as car rental, it is desirable to provide an independent authentication solution that does not rely on car keys. In order to solve at least one of the above problems, the embodiment of the present invention provides a user authentication method, which can realize the user authentication process through the user's terminal, such as a smart phone, a tablet computer (PAD) and other devices, so as to get rid of the need for a vehicle. Key dependence, and can improve the security of user authentication.
请参照图1,本发明实施例提供用户认证方法,可以应用于包括终端101、应用(APP)111和服务器121的系统中。这里,Referring to FIG. 1 , an embodiment of the present invention provides a user authentication method, which can be applied to a system including a terminal 101 , an application (APP) 111 and a
终端101,具体可以是各种移动设备,如智能手机、平板电脑(PAD)等移动设备。所述终端101包括:The terminal 101 may specifically be various mobile devices, such as a smart phone, a tablet computer (PAD) and other mobile devices. The terminal 101 includes:
设备属性102,设备属性可以分为唯一属性或非唯一属性。唯一属性是指可以用于唯一标识所述终端的属性,本文中也称之为设备因子103。非唯一属性是指多个终端共享或相同的属性。具体的,所述设备因子103可以包括每个终端的各类因子,如国际移动设备识别码(International Mobile Equipment Identity,IMEI)、国际移动用户识别码(International Mobile Subscriber Identity,IMSI)、物理地址(即MAC地址)、设备序列号、设备的安装ID等等。非唯一属性则可以是设备的类型、型号、操作系统类型等属性。Device attributes 102, device attributes can be classified as unique attributes or non-unique attributes. The unique attribute refers to an attribute that can be used to uniquely identify the terminal, which is also referred to as the
APP 111是终端101上安装的某个应用,例如可以是租车类的应用等。该APP111包含有以下功能:The
1)属性收集112,用于收集终端的设备属性,如设备因子(唯一属性),还可以收集非唯一属性。1)
2)报文生成与交互113,用于处理设备属性并将设备属性组织成报文,另外还负责APP与服务器121之间的发送和接收消息。2) Message generation and
3)私有标识存储114,用于存储APP相关的标识,防止APP伪造。具体的,在本发明实施例中,可以保存服务器基于终端的设备因子等信息生成的私有标识。3) The
服务器121则包括以下功能:The
标识生成122,根据终端的设备因子生成设备标识和私有标识。
报文生成与交互123,处理终端的APP(应用)和服务器之间的消息收发。The message generation and
属性接收124,接收终端发送的包括设备因子的设备属性。Attribute receiving 124, receiving the device attribute including the device factor sent by the terminal.
标识认证125,认证终端的设备标识和私有标识。
标识绑定与存储126,将终端的设备标识及私有标识与终端的用户身份信息绑定并存储。终端的用户身份信息具体可以是个人信息(如姓名、用户ID等。The identification binding and
外部信息获取127,可以从外部源获取要绑定的终端的用户身份信息。The
请参照图2,本发明实施例提供的用户认证方法,在应用于服务器侧时,包括:Referring to FIG. 2 , the user authentication method provided by the embodiment of the present invention, when applied to the server side, includes:
步骤21,接收终端发送的认证请求,所述认证请求携带有所述终端的设备因子和私有标识。Step 21: Receive an authentication request sent by the terminal, where the authentication request carries the device factor and private identifier of the terminal.
这里,本发明实施例可以在终端登录APP后,发起终端的用户认证过程,即要求终端发送认证请求,并携带终端的设备因子和私有标识。在用户认证通过后,终端才可以使用该APP的功能;而在认证失败时,将拒绝用户操作。当然,也可以在使用某些预定义的功能时,发起终端的用户认证过程,并在认证通过后,才允许终端使用该功能,而在认证失败时,将拒绝终端使用该功能。Here, in this embodiment of the present invention, after the terminal logs into the APP, a user authentication process of the terminal may be initiated, that is, the terminal is required to send an authentication request and carry the device factor and private identifier of the terminal. The terminal can use the functions of the APP only after the user's authentication is passed; when the authentication fails, the user's operation will be rejected. Of course, it is also possible to initiate a user authentication process of the terminal when using some predefined functions, and allow the terminal to use the function after the authentication is passed, and reject the terminal to use the function when the authentication fails.
具体的,所述设备因子是能够唯一标识所述终端的设备属性,包括但不限于终端的IMEI、IMSI、MAC地址、设备序列号以及设备安装ID等中的一个或多个。可选的,所述认证请求还可以携带所述终端的非唯一的设备属性,如设备的类型、型号、操作系统类型等属性。所述私有标识是服务器预先基于终端的设备因子计算得到并发送给终端保存的标识。可以通过终端的私有标识存储114功能,将服务器发送的私有标识保存在终端本地。Specifically, the device factor is a device attribute that can uniquely identify the terminal, including but not limited to one or more of the terminal's IMEI, IMSI, MAC address, device serial number, and device installation ID. Optionally, the authentication request may also carry non-unique device attributes of the terminal, such as attributes such as the type, model, and operating system type of the device. The private identifier is an identifier pre-calculated by the server based on the device factor of the terminal and sent to the terminal for storage. The private identifier sent by the server can be stored locally in the terminal through the
步骤22,查找本地保存所述终端的设备标识和私有标识。Step 22: Search for the device identifier and private identifier of the terminal that are locally stored.
这里,服务器在接收到终端发送的认证请求后,查找本地保存的所述终端的设备标识和私有标识。具体的,服务器可以预先建立各个终端的用户身份(如用户ID、姓名等)与上述标识(包括设备标识和私有标识)之间的绑定关系。通常,终端发送的消息(如认证请求、注册消息等)中都会携带终端的用户身份信息,如姓名或用户ID等。这样,在接收到上述认证请求后,服务器可以根据发送认证请求的终端的用户身份,在服务器本地查找与该用户身份绑定的设备标识和私有标识。Here, after receiving the authentication request sent by the terminal, the server searches for the device identifier and private identifier of the terminal stored locally. Specifically, the server may pre-establish a binding relationship between user identities (eg, user ID, name, etc.) of each terminal and the above-mentioned identifiers (including device identifiers and private identifiers). Usually, messages sent by a terminal (such as an authentication request, a registration message, etc.) carry user identity information of the terminal, such as a name or a user ID. In this way, after receiving the above authentication request, the server can locally search the server for the device identifier and private identifier bound to the user identity according to the user identity of the terminal sending the authentication request.
步骤23,根据本地保存的所述终端的设备标识和私有标识,是否与所述终端发送的设备标识和基于所述终端发送的设备因子计算得到的私有标识相匹配,对所述终端进行认证,并获得认证结果。Step 23: Authenticate the terminal according to whether the locally stored device identifier and private identifier of the terminal match the device identifier sent by the terminal and the private identifier calculated based on the device factor sent by the terminal, And get the certification result.
这里,如果本地保存的所述终端的设备标识和私有标识,分别与所述终端发送的设备标识和基于所述终端发送的设备因子计算得到的私有标识相匹配,则得到所述终端认证通过的认证结果;否则,得到所述终端认证失败的认证结果。Here, if the locally stored device identifier and private identifier of the terminal match the device identifier sent by the terminal and the private identifier calculated based on the device factor sent by the terminal respectively, then the terminal authentication passed The authentication result; otherwise, the authentication result of the terminal authentication failure is obtained.
为了简化匹配处理,服务器可以先判断本地保存的私有标识与所述终端发送的私有标识是否相同:若不同,则得到所述终端认证失败的认证结果;若相同,再根据所述终端的设备因子计算得到所述终端的设备标识。然后,再判断本地保存的设备标识与计算得到的所述终端的设备标识是否相同:若不同,则得到所述终端认证失败的认证结果;若相同,则得到所述终端认证通过的认证结果。In order to simplify the matching process, the server can first determine whether the locally stored private identifier is the same as the private identifier sent by the terminal: if they are different, obtain the authentication result of the terminal authentication failure; if they are the same, then according to the device factor of the terminal The device identification of the terminal is obtained by calculation. Then, it is judged whether the locally stored device identification is the same as the calculated device identification of the terminal: if they are different, the authentication result of the terminal authentication failure is obtained; if they are the same, the authentication result of the terminal authentication is obtained.
步骤24,向所述终端发送所述认证结果。Step 24: Send the authentication result to the terminal.
这里,服务器向终端发送用于指示认证失败或认证通过的认证结果,终端的APP在接收到上述认证结果后,在认证失败时,可以拒绝用户使用APP或拒绝使用APP的特定功能;在认证通过时,可以允许用户使用APP或允许使用APP的特定功能。Here, the server sends an authentication result indicating authentication failure or authentication pass to the terminal. After receiving the above authentication result, the APP of the terminal can refuse the user to use the APP or refuse to use the specific function of the APP when the authentication fails; , you can allow users to use the APP or allow the use of specific functions of the APP.
通过以上步骤,本发明实施例可以基于用户的终端实现独立的硬件设备安全认证,可以消除运营方关键信息泄露后对全部设备的影响,还可以降低用户身份泄露、设备硬件被破解或盗用的风险。本发明实施例同时采用了设备标识和私有标识进行用户认证,而这两种标识是通过不同计算方式得到的不同标识,且认证请求中仅携带私有标识,设备标识则需要服务器临时生成,然后与服务器本地的两种标识进行对应匹配。由于私有标识是在线生成并写入终端的APP中,从而可以防止用户身份信息泄露而带来的安全风险。Through the above steps, the embodiment of the present invention can realize independent hardware device security authentication based on the user's terminal, can eliminate the impact on all devices after the operator's key information is leaked, and can also reduce the risk of user identity leakage, device hardware being cracked or embezzled . In this embodiment of the present invention, both the device identification and the private identification are used for user authentication, and these two identifications are different identifications obtained by different calculation methods, and only the private identification is carried in the authentication request, while the device identification needs to be temporarily generated by the server, and then combined with The two local identifiers of the server are matched accordingly. Since the private identifier is generated online and written into the APP of the terminal, the security risk caused by the leakage of user identity information can be prevented.
在上述步骤21之前,所述服务器还可以在终端注册的过程中,将所述终端的用户身份与所述终端的私有标识及设备标识绑定。Before the
具体的,所述服务器可以接收所述终端发送的携带有所述终端的设备因子的注册请求。然后,根据所述终端发送的设备因子,计算得到所述终端的私有标识及设备标识,将所生成的所述终端的私有标识发送给所述终端,以及,建立所述终端的用户身份与所述终端的私有标识及设备标识之间的对应关系,并保存在本地。Specifically, the server may receive a registration request sent by the terminal that carries the device factor of the terminal. Then, according to the device factor sent by the terminal, the private identifier and the device identifier of the terminal are obtained by calculation, the generated private identifier of the terminal is sent to the terminal, and the user identity of the terminal and the device identifier are established. The corresponding relationship between the private identifier of the terminal and the device identifier is stored locally.
由于设备因子有多种,为了保证服务器能够获得用于计算设备标识或私有标识的设备因子,以及,减少终端发送不必要的设备因子,提供信息传输效率,本发明实施例可以通过一个预定义的设备因子列表来指示终端收集并发送该列表中的设备因子。具体的,在终端注册的过程中,服务器收到终端未携带有设备因子的注册请求后,可以发送预定义的设备因子列表给终端,该列表用于指示终端需要收集和上传的设备因子。终端根据该列表收集相关的设备因子,重新发送携带有相关设备因子的注册请求,后续服务器可以在接收所述终端发送的携带有相关设备因子的注册请求后,可以根据所述终端发送的设备因子,计算得到所述终端的私有标识及设备标识,将所生成的所述终端的私有标识发送给所述终端,以及,建立所述终端的用户身份与所述终端的私有标识及设备标识之间的对应关系,并保存在本地。类似的,在上述步骤21中,终端在发送认证请求时,可以根据该列表收集相关的设备因子,然后发送携带有所述终端的设备因子和私有标识的认证请求。表1给出了设备因子列表的一个示例。Since there are many kinds of device factors, in order to ensure that the server can obtain the device factor used for calculating the device ID or the private ID, and to reduce the unnecessary device factors sent by the terminal, and to improve the information transmission efficiency, the embodiment of the present invention may use a predefined device factor. Device factor list to instruct the terminal to collect and send the device factors in the list. Specifically, in the process of terminal registration, after receiving the registration request that the terminal does not carry the device factor, the server may send a predefined device factor list to the terminal, where the list is used to indicate the device factor that the terminal needs to collect and upload. The terminal collects the relevant equipment factors according to the list, and resends the registration request carrying the relevant equipment factors. The subsequent server may, after receiving the registration request carrying the relevant equipment factors sent by the terminal, , calculate and obtain the private identity and device identity of the terminal, send the generated private identity of the terminal to the terminal, and establish a relationship between the user identity of the terminal and the private identity and device identity of the terminal The corresponding relationship is saved locally. Similarly, in the
表1Table 1
本发明实施例在终端认证过程中,或者,在终端的注册过程中,服务器需要根据所述终端发送的设备因子,计算得到所述终端的私有标识及设备标识。具体的,可以利用第一加密算法,对所述终端发送的设备因子和第一预设参数进行计算,得到所述终端的私有标识;利用第二加密算法,对所述终端发送的设备因子和第二预设参数进行计算,得到所述终端的设备标识。这里,为保证设备标识不同于私有标识,所述第一加密算法通常不同于第二加密算法,和/或,所述第一预设参数通常不同于所述第二预设参数。例如,第一加密算法可以采用与第二加密算法不同的算法或计算步骤来对设备因子和相关预设参数进行加密。具体加密算法可以是哈希算法等。第一预设参数和第二预设参数可以是服务器自行定义的信息比特。In the embodiment of the present invention, in the terminal authentication process, or in the terminal registration process, the server needs to obtain the private identifier and the device identifier of the terminal according to the device factor sent by the terminal. Specifically, the first encryption algorithm can be used to calculate the device factor and the first preset parameter sent by the terminal to obtain the private identifier of the terminal; the second encryption algorithm can be used to calculate the device factor and the first preset parameter sent by the terminal. The second preset parameter is calculated to obtain the device identifier of the terminal. Here, in order to ensure that the device identification is different from the private identification, the first encryption algorithm is usually different from the second encryption algorithm, and/or the first preset parameter is usually different from the second preset parameter. For example, the first encryption algorithm may use a different algorithm or calculation step than the second encryption algorithm to encrypt the device factor and related preset parameters. The specific encryption algorithm may be a hash algorithm or the like. The first preset parameter and the second preset parameter may be information bits defined by the server.
以上从服务器侧对本发明实施例的用户认证方法进行了说明。下面进一步从终端侧进行说明。The user authentication method according to the embodiment of the present invention has been described above from the server side. The following is further described from the terminal side.
请参照图3,本发明实施例提供的用户认证方法,在应用于终端侧时,包括:Referring to FIG. 3 , the user authentication method provided by the embodiment of the present invention, when applied to the terminal side, includes:
步骤31,收集终端自身的设备因子和本地保存的私有标识,其中,所述私有标识是服务器基于所述终端发送的设备因子计算得到并发送给所述终端的。Step 31: Collect the device factor of the terminal itself and the private identifier stored locally, wherein the private identifier is calculated by the server based on the device factor sent by the terminal and sent to the terminal.
这里,终端可以根据预先获得的设备因子列表,收集相关的设备因子,以及,收集本地保存的所述终端的私有标识。终端本地保存的私有标识,是服务器预先基于所述终端发送的设备因子计算得到并发送给所述终端的,例如,在终端注册过程中计算得到并发送给终端的。Here, the terminal may collect the relevant device factors according to the pre-obtained device factor list, and collect the locally stored private identifier of the terminal. The private identifier stored locally by the terminal is calculated by the server in advance based on the device factor sent by the terminal and sent to the terminal, for example, calculated during the terminal registration process and sent to the terminal.
步骤32,向服务器发送携带有所述终端的设备因子和私有标识的认证请求。Step 32: Send an authentication request carrying the device factor and private identifier of the terminal to the server.
这里,终端发送携带有所收集的所述终端的设备因子和私有标识的认证请求。服务器根据接收到的所述终端的设备因子和私有标识进行用户认证,具体认证方式可以参考上文中服务器侧的相关步骤的说明,此处不再赘述。Here, the terminal sends an authentication request carrying the collected device factor and private identifier of the terminal. The server performs user authentication according to the received device factor and private identifier of the terminal, and the specific authentication method can refer to the description of the relevant steps on the server side above, which will not be repeated here.
步骤33,接收所述服务器返回的认证结果。Step 33: Receive the authentication result returned by the server.
这里,接收服务器发送的用于指示认证是否通过的认证结果。上述步骤31具体可以是在用户登录特定APP后执行,也可以是在用户使用特定APP的特定功能执行。在步骤33之后,如果认证失败,则可以拒绝用户使用APP或拒绝使用APP的特定功能;而在认证通过时,则可以允许用户使用APP或允许使用APP的特定功能。Here, the authentication result sent by the server to indicate whether the authentication is passed is received. The above-mentioned
在上述步骤31之前,上述终端可以通过注册过程,获得私有标识。具体的,上述终端可以发起注册过程,并收集终端自身的设备因子。然后,向服务器发送携带有所述终端的设备因子的注册请求。然后,接收所述服务器发送的所述终端的私有标识并保存在终端本地。在注册过程中,终端可以根据服务器发送的设备因子列表,收集相关的设备因子,并携带在注册请求中发送给服务器。服务器则根据所述终端发送的设备因子,计算得到所述终端的私有标识及设备标识,并将所生成的所述终端的私有标识发送给所述终端,以及,建立所述终端的用户身份与所述终端的私有标识及设备标识之间的对应关系,并保存在服务器本地。所述终端接收并保存服务器发送的私有标识,具体可以由所述特定APP接收并存储,例如,写入APP的内部空间中。Before the above-mentioned
图4提供了一个服务器和终端之间的认证过程的交互流程示例图,具体的:Figure 4 provides an example diagram of the interaction flow of the authentication process between the server and the terminal, specifically:
在步骤401中,用户启动操作,具体可以是启动终端上的某个移动APP,或者,启动移动APP的某个特定功能。In
在步骤402~403中,移动APP采集终端的设备因子以及私有标识,并发送给服务器。In
在步骤404中,服务器查找终端绑定的设备标识和私有标识,并与终端发送的私有标识进行匹配。In
在步骤405中,如果两个私有标识相匹配,则进入步骤407,否则,进入步骤406。In
在步骤406中,得到用户认证失败的认证结果,然后进入步骤409。In
在步骤407~408中,服务器根据终端发送的设备因子,计算设备标识,并将计算得到的设备标识与终端发送的设备标识匹配,根据是否匹配成功,获得用户认证是否通过的认证结果,然后进入步骤409。In
在步骤409中,服务器向终端的移动APP返回认证结果。In
在步骤410中,终端的移动APP在认证结果指示认证通过时,进入步骤411,否则进入步骤412。In
在步骤411中,移动APP运行用户的本次操作。In
在步骤412中,移动APP拒绝用户的本次操作。In
另外,本发明实施例中,还可以获得多种权重集合,每个权重集合中包括有针对设备因子列表中每个设备因子的权重,这些权重集合可以是多个专家独立提供的。然后,按照预设的指标权重的确定算法,对所述多种权重集合进行计算,得到一个最终权重集合。然后,根据设备因子以及所述最终权重集合,利用第一/第二加密算法计算得到私有标识/设备标识。下面提供一个计算私有标识/设备标识的具体示例,需要说明的是,以下仅为本发明可以采用的一种计算方式,并不用于限定本发明。In addition, in this embodiment of the present invention, multiple weight sets may also be obtained, each weight set includes a weight for each device factor in the device factor list, and these weight sets may be independently provided by multiple experts. Then, according to the preset determination algorithm of the index weight, the multiple weight sets are calculated to obtain a final weight set. Then, according to the device factor and the final weight set, the first/second encryption algorithm is used to obtain the private identifier/device identifier. The following provides a specific example of calculating the private identifier/device identifier. It should be noted that the following is only a calculation method that can be used in the present invention, and is not intended to limit the present invention.
首先,设置设备因子集合U={u1,u2,u3,…,un},同时假设存在K个专家设置,给出独立的对应每个设备因子的权重{ai1,ai2,ai3,…,ain}(i=1,2,3,…k)。对于每个专家,设置集合如下:First, set the equipment factor set U={u 1 , u 2 , u 3 ,..., u n }, and assuming that there are K expert settings, give the independent weights {a i1 ,a i2 , a i3 ,...,a in }(i=1,2,3,...k). For each expert, the set of settings is as follows:
分别找出每个集合中最大的权重值Mj和最小的权重值mj(j=1,2,3,…,n)。设置一个正整数P作为间距划分,使用公式将权重值从小到大划分为P个间距组。可以得到每个集合对应的权值Xi,设置频率值为Ni,同时计算基于以上的结果,得到平均的权重j=(1,2,3,…,n)。最终,得到权重集合A={a1,a2,a3,…,an}。Find the largest weight value M j and the smallest weight value m j (j=1,2,3,...,n) in each set respectively. To set a positive integer P as the spacing division, use the formula Divide the weight values into P spacing groups from small to large. The weight X i corresponding to each set can be obtained, set the frequency value to N i , and calculate at the same time Based on the above results, get the average weight j=(1,2,3,...,n). Finally, the weight set A={a 1 , a 2 , a 3 , . . . , a n } is obtained.
假设设备因子集合U={Imei,Mac,Network_address,Device_ID}。假设有两个专家给出权重集合{0.5,0.1,0.2,0.2}and{0.4,0.2,0.3,0.1},同时设置P=2作为间距划分。经过计算,得到每种的因子的权重结果如表2所示:Suppose the device factor set U={Imei, Mac, Network_address, Device_ID}. Suppose two experts give weight sets {0.5, 0.1, 0.2, 0.2} and {0.4, 0.2, 0.3, 0.1}, and set P=2 as the spacing division. After calculation, the weights of each factor are obtained as shown in Table 2:
表2Table 2
更进一步的,结合实际情况,还可以针对在不同的设备的实际比例,将因子权重乘以比例系数,得到针对不同设备的各类因子权重,如表3所示:Further, combined with the actual situation, the factor weights can be multiplied by the scale coefficient according to the actual proportions of different devices to obtain various factor weights for different devices, as shown in Table 3:
表3table 3
将设备因子集合u={100,200,150,300}作为示例,假设有两个专家给出权重集合A1={0.5,0.1,0.2,0.2},A2={0.4,0.2,0.3,0.1}。经过计算得到了对应的集合U={90,60,75,120}:Taking the equipment factor set u={100, 200, 150, 300} as an example, suppose there are two experts who give the weight set A 1 ={0.5, 0.1, 0.2, 0.2}, A 2 ={0.4, 0.2, 0.3, 0.1}. After calculation, the corresponding set U={90, 60, 75, 120} is obtained:
其中A1的最大值为0.5,最小值为0.1,对应每个集合中最大的权重值Mj和最小的权重值mj(j=1,2,3,…,n).设置p=2,使用公式得到A1对应的X1为{0.125,0.075,0.15,0.15},相应的,A2对应的X2为{0.2,0.1,0.15,0.05}The maximum value of A 1 is 0.5 and the minimum value is 0.1, corresponding to the maximum weight value M j and the minimum weight value m j (j=1,2,3,...,n) in each set. Set p=2 , using the formula The X 1 corresponding to A 1 is {0.125, 0.075, 0.15, 0.15}, and correspondingly, the X 2 corresponding to A 2 is {0.2, 0.1, 0.15, 0.05}
对应的W1为{0.25,0.75,0.75,0.75},对应的W2为{0.5,0.5,0.5,0.5};The corresponding W 1 is {0.25, 0.75, 0.75, 0.75}, and the corresponding W 2 is {0.5, 0.5, 0.5, 0.5};
最终根据平均的系数j=(1,2,3,…,n)。Finally, according to the average coefficient j=(1,2,3,...,n).
得到a1=21/160,a2=17/160,a3=3/16,a4=22/160。We get a1=21/160, a2=17/160, a3=3/16, a4=22/160.
对应的硬件信息字符串为:d.2+15.4+1c.2+29.4。The corresponding hardware information string is: d.2+15.4+1c.2+29.4.
拼接为:d.215.41c.229.4。The splice is: d.215.41c.229.4.
这样,加密后的对应密文用(MD5 32位大写表示为:40935C33AB5A7E4948D27F1795958465。上述密文可以作为设备标识。另外还可以在上述密文后拼接上某些预设字符串或预设的ASCII,得到新的密文,作为私有标识。In this way, the encrypted corresponding ciphertext is represented by (MD5 32-bit uppercase: 40935C33AB5A7E4948D27F1795958465. The above ciphertext can be used as a device identification. In addition, some preset character strings or preset ASCII can be spliced after the above ciphertext to obtain The new ciphertext, as a private identifier.
基于以上的用户认证方法,本发明实施例还提供了实施上述方法的装置。Based on the above user authentication method, an embodiment of the present invention further provides an apparatus for implementing the above method.
请参照图5,本发明实施例提供的一种服务器50,包括:Referring to FIG. 5 , a
第一接收模块51,用于接收终端发送的认证请求,所述认证请求携带有所述终端的设备因子和私有标识;The
查找模块52,用于查找本地保存所述终端的设备标识和私有标识;A
认证模块53,用于根据本地保存的所述终端的设备标识和私有标识,是否与所述终端发送的设备标识和基于所述终端发送的设备因子计算得到的私有标识相匹配,对所述终端进行认证,并获得认证结果;The
第一发送模块54,用于向所述终端发送所述认证结果。The
通过以上模块,本发明实施例的服务器可以实现独立的硬件设备安全认证,消除运营方关键信息泄露后对全部设备的影响,还可以降低用户身份泄露、设备硬件被破解或盗用的风险。Through the above modules, the server of the embodiment of the present invention can implement independent hardware device security authentication, eliminate the impact on all devices after the operator's key information is leaked, and can also reduce the risk of user identity leakage and device hardware being cracked or stolen.
可选的,在本地保存的所述终端的设备标识和私有标识,分别与所述终端发送的设备标识和基于所述终端发送的设备因子计算得到的私有标识相匹配时,得到所述终端认证通过的认证结果,否则,得到所述终端认证失败的认证结果。Optionally, when the locally stored device identifier and private identifier of the terminal match the device identifier sent by the terminal and the private identifier calculated based on the device factor sent by the terminal, the terminal authentication is obtained. If the authentication result is passed, otherwise, the authentication result of the terminal authentication failure is obtained.
可选的,所述认证模块,还用于:Optionally, the authentication module is further used for:
判断本地保存的私有标识与所述终端发送的私有标识是否相同:若不同,则得到所述终端认证失败的认证结果;若相同,则根据所述终端的设备因子计算得到所述终端的设备标识;Determine whether the locally stored private identifier is the same as the private identifier sent by the terminal: if they are different, obtain the authentication result of the terminal authentication failure; if they are the same, calculate the device identifier of the terminal according to the device factor of the terminal ;
判断本地保存的设备标识与计算得到的所述终端的设备标识是否相同:若不同,则得到所述终端认证失败的认证结果;若相同,则得到所述终端认证通过的认证结果。It is judged whether the locally stored device identification is the same as the calculated device identification of the terminal: if they are different, the authentication result of the terminal authentication failure is obtained; if they are the same, the authentication result of the terminal authentication is obtained.
可选的,所述的服务器还包括:Optionally, the server further includes:
第二接收模块,用于接收所述终端发送的携带有所述终端的设备因子的注册请求;a second receiving module, configured to receive a registration request sent by the terminal that carries the device factor of the terminal;
注册模块,用于根据所述终端发送的设备因子,计算得到所述终端的私有标识及设备标识,将所生成的所述终端的私有标识发送给所述终端,以及,建立所述终端的用户身份与所述终端的私有标识及设备标识之间的对应关系,并保存在本地。The registration module is configured to calculate and obtain the private identifier and device identifier of the terminal according to the device factor sent by the terminal, send the generated private identifier of the terminal to the terminal, and establish a user of the terminal The correspondence between the identity and the private identifier of the terminal and the device identifier is stored locally.
可选的,所述注册模块,还用于:Optionally, the registration module is further used for:
利用第一加密算法,对所述终端发送的设备因子和第一预设参数进行计算,得到所述终端的私有标识;Using the first encryption algorithm, the device factor and the first preset parameter sent by the terminal are calculated to obtain the private identifier of the terminal;
利用第二加密算法,对所述终端发送的设备因子和第二预设参数进行计算,得到所述终端的设备标识;Using the second encryption algorithm, the device factor and the second preset parameter sent by the terminal are calculated to obtain the device identifier of the terminal;
其中,所述第一加密算法不同于第二加密算法,和/或,所述第一预设参数不同于所述第二预设参数。Wherein, the first encryption algorithm is different from the second encryption algorithm, and/or the first preset parameter is different from the second preset parameter.
如图6所示,本发明实施例还提供了另一种结构的服务器60,该服务器60具体包括处理器61、存储器62、总线系统63、接收器64和发送器65。其中,处理器61、存储器62、接收器64和发送器65通过总线系统63相连,该存储器62用于存储指令,该处理器61用于执行该存储器62存储的指令,以控制接收器64接收信号,并控制发送器65发送信号;As shown in FIG. 6 , an embodiment of the present invention further provides a
其中,该处理器61,用于读取存储器中的程序,执行下列过程:Wherein, the
接收终端发送的认证请求,所述认证请求携带有所述终端的设备因子和私有标识;receiving an authentication request sent by a terminal, where the authentication request carries the device factor and private identifier of the terminal;
查找本地保存所述终端的设备标识和私有标识;Find the device identity and private identity of the terminal locally stored;
根据本地保存的所述终端的设备标识和私有标识,是否与所述终端发送的设备标识和基于所述终端发送的设备因子计算得到的私有标识相匹配,对所述终端进行认证,并获得认证结果;According to whether the locally stored device identifier and private identifier of the terminal match the device identifier sent by the terminal and the private identifier calculated based on the device factor sent by the terminal, the terminal is authenticated, and the authentication is obtained. result;
向所述终端发送所述认证结果。Send the authentication result to the terminal.
应理解,在本发明实施例中,该处理器61可以是中央处理单元(CentralProcessing Unit,简称为“CPU”),该处理器61还可以是其他通用处理器、数字信号处理器(DSP)、专用集成电路(ASIC)、现成可编程门阵列(FPGA)或者其他可编程逻辑器件、分立门或者晶体管逻辑器件、分立硬件组件等。通用处理器可以是微处理器或者该处理器也可以是任何常规的处理器等。It should be understood that, in this embodiment of the present invention, the
该存储器62可以包括只读存储器和随机存取存储器,并向处理器61提供指令和数据。存储器62的一部分还可以包括非易失性随机存取存储器。例如,存储器62还可以存储设备类型的信息。The
该总线系统63除包括数据总线之外,还可以包括电源总线、控制总线和状态信号总线等。但是为了清楚说明起见,在图中将各种总线都标为总线系统63。In addition to the data bus, the
在实现过程中,上述方法的各步骤可以通过处理器61中的硬件的集成逻辑电路或者软件形式的指令完成。结合本发明实施例所公开的方法的步骤可以直接体现为硬件处理器执行完成,或者用处理器中的硬件及软件模块组合执行完成。软件模块可以位于随机存储器,闪存、只读存储器,可编程只读存储器或者电可擦写可编程存储器、寄存器等本领域成熟的存储介质中。该存储介质位于存储器62,处理器61读取存储器62中的信息,结合其硬件完成上述方法的步骤。为避免重复,这里不再详细描述。In the implementation process, each step of the above-mentioned method can be completed by a hardware integrated logic circuit in the
该程序被处理器执行时能实现图2所示的用户认证方法中的所有实现方式,且能达到相同的技术效果,为避免重复,此处不再赘述。When the program is executed by the processor, all the implementation manners in the user authentication method shown in FIG. 2 can be implemented, and the same technical effect can be achieved. In order to avoid repetition, details are not repeated here.
在本发明的一些实施例中,还提供了一种计算机可读存储介质,其上存储有程序,该程序被处理器执行时实现以下步骤:In some embodiments of the present invention, a computer-readable storage medium is also provided, on which a program is stored, and when the program is executed by a processor, the following steps are implemented:
接收终端发送的认证请求,所述认证请求携带有所述终端的设备因子和私有标识;receiving an authentication request sent by a terminal, where the authentication request carries the device factor and private identifier of the terminal;
查找本地保存所述终端的设备标识和私有标识;Find the device identity and private identity of the terminal locally stored;
根据本地保存的所述终端的设备标识和私有标识,是否与所述终端发送的设备标识和基于所述终端发送的设备因子计算得到的私有标识相匹配,对所述终端进行认证,并获得认证结果;According to whether the locally stored device identifier and private identifier of the terminal match the device identifier sent by the terminal and the private identifier calculated based on the device factor sent by the terminal, the terminal is authenticated, and the authentication is obtained. result;
向所述终端发送所述认证结果。Send the authentication result to the terminal.
该程序被处理器执行时能实现上述应用于服务器侧的方法中的所有实现方式,且能达到相同的技术效果,为避免重复,此处不再赘述。When the program is executed by the processor, it can implement all the implementation manners in the above-mentioned method applied to the server side, and can achieve the same technical effect. To avoid repetition, details are not repeated here.
请参照图7,本发明实施例还提供了一种终端70,包括:Referring to FIG. 7, an embodiment of the present invention further provides a terminal 70, including:
第一收集模块71,用于收集终端自身的设备因子和本地保存的私有标识,其中,所述私有标识是服务器基于所述终端发送的设备因子计算得到并发送给所述终端的;The
第一发送模块72,用于向服务器发送携带有所述终端的设备因子和私有标识的认证请求;a
第一接收模块73,用于接收所述服务器返回的认证结果。The
可选的,所述终端还包括:Optionally, the terminal further includes:
第二收集模块,用于收集终端自身的设备因子;The second collection module is used to collect the device factor of the terminal itself;
第二发送模块,用于向服务器发送携带有所述终端的设备因子的注册请求;a second sending module, configured to send a registration request carrying the device factor of the terminal to the server;
第二接收模块,用于接收所述服务器发送的所述终端的私有标识并保存在终端本地。The second receiving module is configured to receive the private identifier of the terminal sent by the server and store it locally in the terminal.
请参照图8,本发明实施例提供的终端的一种结构示意图,该终端800包括:处理器801、收发机802、存储器803、用户接口804和总线接口。Please refer to FIG. 8 , which is a schematic structural diagram of a terminal provided by an embodiment of the present invention. The terminal 800 includes: a
在本发明实施例中,终端800还包括:存储在存储器上803并可在处理器801上运行的程序。In this embodiment of the present invention, the terminal 800 further includes: a program stored on the
所述处理器801执行所述程序时实现以下步骤:‘When the
收集终端自身的设备因子和本地保存的私有标识,其中,所述私有标识是服务器基于所述终端发送的设备因子计算得到并发送给所述终端的;Collecting the device factor of the terminal itself and the private identifier stored locally, wherein the private identifier is calculated by the server based on the device factor sent by the terminal and sent to the terminal;
向服务器发送携带有所述终端的设备因子和私有标识的认证请求;sending an authentication request carrying the device factor and private identifier of the terminal to the server;
接收所述服务器返回的认证结果。Receive the authentication result returned by the server.
可理解的,本发明实施例中,所述计算机程序被处理器801执行时可实现上述图3所示的方法实施例的各个过程,且能达到相同的技术效果,为避免重复,这里不再赘述。Understandably, in this embodiment of the present invention, when the computer program is executed by the
在图8中,总线架构可以包括任意数量的互联的总线和桥,具体由处理器801代表的一个或多个处理器和存储器803代表的存储器的各种电路链接在一起。总线架构还可以将诸如外围设备、稳压器和功率管理电路等之类的各种其他电路链接在一起,这些都是本领域所公知的,因此,本文不再对其进行进一步描述。总线接口提供接口。收发机802可以是多个元件,即包括发送机和接收机,提供用于在传输介质上与各种其他装置通信的单元。针对不同的用户设备,用户接口804还可以是能够外接内接需要设备的接口,连接的设备包括但不限于小键盘、显示器、扬声器、麦克风、操纵杆等。In FIG. 8, the bus architecture may include any number of interconnected buses and bridges, in particular one or more processors represented by
处理器801负责管理总线架构和通常的处理,存储器803可以存储处理器801在执行操作时所使用的数据。The
在本发明的一些实施例中,还提供了一种计算机可读存储介质,其上存储有程序,该程序被处理器执行时实现以下步骤:In some embodiments of the present invention, a computer-readable storage medium is also provided, on which a program is stored, and when the program is executed by a processor, the following steps are implemented:
收集终端自身的设备因子和本地保存的私有标识,其中,所述私有标识是服务器基于所述终端发送的设备因子计算得到并发送给所述终端的;Collecting the device factor of the terminal itself and the private identifier stored locally, wherein the private identifier is calculated by the server based on the device factor sent by the terminal and sent to the terminal;
向服务器发送携带有所述终端的设备因子和私有标识的认证请求;sending an authentication request carrying the device factor and private identifier of the terminal to the server;
接收所述服务器返回的认证结果。Receive the authentication result returned by the server.
该程序被处理器执行时能实现上述应用于终端的方法中的所有实现方式,且能达到相同的技术效果,为避免重复,此处不再赘述。When the program is executed by the processor, all the implementation manners in the above-mentioned method applied to the terminal can be realized, and the same technical effect can be achieved. In order to avoid repetition, details are not repeated here.
本领域普通技术人员可以意识到,结合本文中所公开的实施例描述的各示例的单元及算法步骤,能够以电子硬件、或者计算机软件和电子硬件的结合来实现。这些功能究竟以硬件还是软件方式来执行,取决于技术方案的特定应用和设计约束条件。专业技术人员可以对每个特定的应用来使用不同方法来实现所描述的功能,但是这种实现不应认为超出本发明的范围。Those of ordinary skill in the art can realize that the units and algorithm steps of each example described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware, or a combination of computer software and electronic hardware. Whether these functions are performed in hardware or software depends on the specific application and design constraints of the technical solution. Skilled artisans may implement the described functionality using different methods for each particular application, but such implementations should not be considered beyond the scope of the present invention.
所属领域的技术人员可以清楚地了解到,为描述的方便和简洁,上述描述的系统、装置和单元的具体工作过程,可以参考前述方法实施例中的对应过程,在此不再赘述。Those skilled in the art can clearly understand that, for the convenience and brevity of description, the specific working process of the above-described systems, devices and units may refer to the corresponding processes in the foregoing method embodiments, which will not be repeated here.
在本申请所提供的实施例中,应该理解到,所揭露的装置和方法,可以通过其它的方式实现。例如,以上所描述的装置实施例仅仅是示意性的,例如,所述单元的划分,仅仅为一种逻辑功能划分,实际实现时可以有另外的划分方式,例如多个单元或组件可以结合或者可以集成到另一个系统,或一些特征可以忽略,或不执行。另一点,所显示或讨论的相互之间的耦合或直接耦合或通信连接可以是通过一些接口,装置或单元的间接耦合或通信连接,可以是电性,机械或其它的形式。In the embodiments provided in this application, it should be understood that the disclosed apparatus and method may be implemented in other manners. For example, the apparatus embodiments described above are only illustrative. For example, the division of the units is only a logical function division. In actual implementation, there may be other division methods. For example, multiple units or components may be combined or Can be integrated into another system, or some features can be ignored, or not implemented. On the other hand, the shown or discussed mutual coupling or direct coupling or communication connection may be through some interfaces, indirect coupling or communication connection of devices or units, and may be in electrical, mechanical or other forms.
所述作为分离部件说明的单元可以是或者也可以不是物理上分开的,作为单元显示的部件可以是或者也可以不是物理单元,即可以位于一个地方,或者也可以分布到多个网络单元上。可以根据实际的需要选择其中的部分或者全部单元来实现本发明实施例方案的目的。The units described as separate components may or may not be physically separated, and components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solutions in the embodiments of the present invention.
另外,在本发明各个实施例中的各功能单元可以集成在一个处理单元中,也可以是各个单元单独物理存在,也可以两个或两个以上单元集成在一个单元中。In addition, each functional unit in each embodiment of the present invention may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit.
所述功能如果以软件功能单元的形式实现并作为独立的产品销售或使用时,可以存储在一个计算机可读取存储介质中。基于这样的理解,本发明的技术方案本质上或者说对现有技术做出贡献的部分或者该技术方案的部分可以以软件产品的形式体现出来,该计算机软件产品存储在一个存储介质中,包括若干指令用以使得一台计算机设备(可以是个人计算机,服务器,或者网络设备等)执行本发明各个实施例所述方法的全部或部分步骤。而前述的存储介质包括:U盘、移动硬盘、只读存储器(ROM,Read-Only Memory)、随机存取存储器(RAM,Random Access Memory)、磁碟或者光盘等各种可以存储程序代码的介质。The functions, if implemented in the form of software functional units and sold or used as independent products, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present invention can be embodied in the form of a software product in essence, or the part that contributes to the prior art or the part of the technical solution. The computer software product is stored in a storage medium, including Several instructions are used to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of the present invention. The aforementioned storage medium includes: U disk, mobile hard disk, Read-Only Memory (ROM, Read-Only Memory), Random Access Memory (RAM, Random Access Memory), magnetic disk or optical disk and other media that can store program codes .
以上所述,仅为本发明的具体实施方式,但本发明的保护范围并不局限于此,任何熟悉本技术领域的技术人员在本发明揭露的技术范围内,可轻易想到各种等效的修改或替换,这些修改或替换都应涵盖在本发明的保护范围之内。因此,本发明的保护范围应以权利要求的保护范围为准。The above are only specific embodiments of the present invention, but the protection scope of the present invention is not limited to this. Any person skilled in the art can easily think of various equivalents within the technical scope disclosed by the present invention. Modifications or substitutions should be included within the protection scope of the present invention. Therefore, the protection scope of the present invention should be subject to the protection scope of the claims.
Claims (13)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011154556.8A CN114501441A (en) | 2020-10-26 | 2020-10-26 | User authentication method and device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011154556.8A CN114501441A (en) | 2020-10-26 | 2020-10-26 | User authentication method and device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN114501441A true CN114501441A (en) | 2022-05-13 |
Family
ID=81470394
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202011154556.8A Pending CN114501441A (en) | 2020-10-26 | 2020-10-26 | User authentication method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114501441A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115859337A (en) * | 2023-02-14 | 2023-03-28 | 杭州大晚成信息科技有限公司 | Kernel-based method, device, server and medium for preventing device cracking |
-
2020
- 2020-10-26 CN CN202011154556.8A patent/CN114501441A/en active Pending
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115859337A (en) * | 2023-02-14 | 2023-03-28 | 杭州大晚成信息科技有限公司 | Kernel-based method, device, server and medium for preventing device cracking |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110555029B (en) | Ticket management method, device and storage medium based on block chain | |
CN110958110B (en) | Block chain private data management method and system based on zero knowledge proof | |
CN111835520B (en) | Method for device authentication, method for service access control, device and storage medium | |
CN110958118B (en) | Certificate authentication management method, device, equipment and computer readable storage medium | |
CN109286932B (en) | Network access authentication method, device and system | |
CN108900484B (en) | Access right information generation method and device | |
US11546173B2 (en) | Methods, application server, IoT device and media for implementing IoT services | |
CN111769939B (en) | Business system access method and device, storage medium and electronic equipment | |
CN101867929A (en) | Authentication method, system, authentication server and terminal device | |
KR20160127167A (en) | Multi-factor certificate authority | |
CN108197913A (en) | Method of payment, system and computer readable storage medium based on block chain | |
CN101527714B (en) | Method, device and system for accreditation | |
CN106302332B (en) | User data access control method, device and system | |
CN107612949B (en) | Wireless intelligent terminal access authentication method and system based on radio frequency fingerprint | |
WO2017076216A1 (en) | Server, mobile terminal, and internet real name authentication system and method | |
WO2019056971A1 (en) | Authentication method and device | |
WO2020025056A1 (en) | Method, device, system, and mobile terminal for security authorization | |
TW202211047A (en) | Data acquisition method, apparatus and device, and medium | |
CN105338000B (en) | A kind of verification method, verification system | |
CN104796255A (en) | A safety certification method, device and system for a client end | |
CN108075895B (en) | Node permission method and system based on block chain | |
CN112950201A (en) | Node management method and related device applied to block chain system | |
CN114697963B (en) | Identity authentication method and device of terminal, computer equipment and storage medium | |
CN116323304B (en) | Identification method for an electric vehicle charging station | |
KR101133167B1 (en) | Method and apparatus for user verifing process with enhanced security |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
WD01 | Invention patent application deemed withdrawn after publication |
Application publication date: 20220513 |
|
WD01 | Invention patent application deemed withdrawn after publication |