CN114501441A - User authentication method and device - Google Patents


Info

Publication number: CN114501441A
Application number: CN202011154556.8A
Authority: CN (China)
Prior art keywords: terminal, private, sent, authentication, equipment
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Other languages: Chinese (zh)
Inventor: 孟祥雨
Current Assignee: Hitachi Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Hitachi Ltd
Application filed by: Hitachi Ltd
Priority date: (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date:
Publication date:

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols; the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L 9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 8/00 Network data management
    • H04W 8/22 Processing or transfer of terminal data, e.g. status or physical capabilities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Power Engineering (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Databases & Information Systems (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention provides a user authentication method and device. The method comprises: receiving an authentication request sent by a terminal, the request carrying a device factor and a private identifier of the terminal; looking up the locally stored device identifier and private identifier of the terminal; authenticating the terminal according to whether the locally stored device identifier and private identifier match the identifiers presented by the terminal, namely the private identifier sent by the terminal and the device identifier calculated from the device factor sent by the terminal, and obtaining an authentication result; and sending the authentication result to the terminal. The invention performs security authentication on an independent hardware device, removes the impact on all devices that would otherwise follow a leak of the operator's key information, and reduces the risk of user identity leakage and of device hardware being cracked or misappropriated.

Description

User authentication method and device

Technical field

The present invention relates to the technical field of network security and authentication, and in particular to a user authentication method and device.

Background

With the rapid development of networks, network security has received increasing attention. For example, a client on a computer device, an access point device (Network Access Server, NAS) and an Authentication, Authorization and Accounting (AAA) server cooperate to enforce admission control on the computer devices joining a network. RADIUS (Remote Authentication Dial In User Service) is a client/server protocol for remote dial-in user authentication whose purpose is to authenticate, authorize and account for (AAA) dial-up users; any computer device running NAS software can act as a RADIUS client.

One current user authentication method works as follows. The RADIUS server stores user names and passwords in clear text in its configuration file or database. When a user wants to use a service, the user logs in to the client of that service; logging in triggers the client to send an access request to the corresponding access point device. On receiving the access request, the access point device sends an authentication request carrying the user identifier and password to the RADIUS server. Using the user identifier carried in the request, the RADIUS server retrieves the corresponding password from its local configuration file or database and compares it with the password carried in the request. If the two passwords match, the RADIUS server sends an authentication-passed notification to the access point device; if they do not match, it sends an authentication-failed notification.

In the above method, the password stored on the RADIUS server is in clear text and is therefore easily exposed. Once the user identifier and password are exposed, anyone can use them to log in to the client from any computer device, leaking the user's information and posing a serious threat to network security. Authentication that relies solely on a user identifier and a password carries a substantial security risk.

In addition, user authentication in some application scenarios has further requirements. For example, cars are currently authenticated and managed with custom car keys. In car-sharing or car-rental scenarios, however, it is usually impossible to assign a specific key to every customer, which restricts customers to picking up and returning cars at specific locations and causes considerable inconvenience.

Summary of the invention

The technical problem to be solved by the embodiments of the present invention is to provide a user authentication method and device that improve the security and convenience of user authentication.

To solve the above technical problem, an embodiment of the present invention provides a user authentication method comprising:

receiving an authentication request sent by a terminal, the authentication request carrying a device factor and a private identifier of the terminal;

looking up the locally stored device identifier and private identifier of the terminal;

authenticating the terminal according to whether the locally stored device identifier and private identifier of the terminal match the private identifier sent by the terminal and the device identifier calculated from the device factor sent by the terminal, and obtaining an authentication result;

sending the authentication result to the terminal.

Optionally, when the locally stored device identifier and private identifier of the terminal match, respectively, the device identifier calculated from the device factor sent by the terminal and the private identifier sent by the terminal, the authentication result is that the terminal passes authentication; otherwise, the authentication result is that the terminal fails authentication.

Optionally, authenticating the terminal according to whether the locally stored device identifier and private identifier of the terminal match the private identifier sent by the terminal and the device identifier calculated from the device factor sent by the terminal comprises:

determining whether the locally stored private identifier is the same as the private identifier sent by the terminal: if not, the authentication result is that the terminal fails authentication; if so, calculating the device identifier of the terminal from the device factor of the terminal;

determining whether the locally stored device identifier is the same as the calculated device identifier of the terminal: if not, the authentication result is that the terminal fails authentication; if so, the authentication result is that the terminal passes authentication.

Optionally, before receiving the device factor and private identifier sent by the terminal, the method further comprises:

receiving a registration request sent by the terminal that carries the device factor of the terminal;

calculating the private identifier and device identifier of the terminal from the device factor sent by the terminal, sending the generated private identifier of the terminal to the terminal, and establishing a correspondence between the user identity of the terminal and the private identifier and device identifier of the terminal, which is stored locally.

Optionally, calculating the private identifier and device identifier of the terminal from the device factor sent by the terminal comprises:

computing the private identifier of the terminal by applying a first cryptographic algorithm to the device factor sent by the terminal and a first preset parameter;

computing the device identifier of the terminal by applying a second cryptographic algorithm to the device factor sent by the terminal and a second preset parameter;

wherein the first cryptographic algorithm differs from the second cryptographic algorithm, and/or the first preset parameter differs from the second preset parameter.

An embodiment of the present invention also provides another user authentication method, applied to a terminal, comprising:

collecting the terminal's own device factor and the locally stored private identifier, where the private identifier was calculated by the server from the device factor sent by the terminal and sent to the terminal;

sending to the server an authentication request carrying the device factor and private identifier of the terminal;

receiving the authentication result returned by the server.

Optionally, before collecting the terminal's own device factor and the locally stored private identifier, the method further comprises:

collecting the terminal's own device factor;

sending to the server a registration request carrying the device factor of the terminal;

receiving the private identifier of the terminal sent by the server and storing it locally on the terminal.

An embodiment of the present invention also provides a server comprising:

a first receiving module, configured to receive an authentication request sent by a terminal, the authentication request carrying the device factor and private identifier of the terminal;

a lookup module, configured to look up the locally stored device identifier and private identifier of the terminal;

an authentication module, configured to authenticate the terminal according to whether the locally stored device identifier and private identifier of the terminal match the private identifier sent by the terminal and the device identifier calculated from the device factor sent by the terminal, and to obtain an authentication result;

a first sending module, configured to send the authentication result to the terminal.

Optionally, the authentication module is further configured to:

determine whether the locally stored private identifier is the same as the private identifier sent by the terminal: if not, the authentication result is that the terminal fails authentication; if so, calculate the device identifier of the terminal from the device factor of the terminal;

determine whether the locally stored device identifier is the same as the calculated device identifier of the terminal: if not, the authentication result is that the terminal fails authentication; if so, the authentication result is that the terminal passes authentication.

Optionally, the server further comprises:

a second receiving module, configured to receive a registration request sent by the terminal that carries the device factor of the terminal;

a registration module, configured to calculate the private identifier and device identifier of the terminal from the device factor sent by the terminal, to send the generated private identifier of the terminal to the terminal, and to establish and store locally the correspondence between the user identity of the terminal and the private identifier and device identifier of the terminal.

Optionally, the registration module is further configured to:

compute the private identifier of the terminal by applying a first cryptographic algorithm to the device factor sent by the terminal and a first preset parameter;

compute the device identifier of the terminal by applying a second cryptographic algorithm to the device factor sent by the terminal and a second preset parameter;

wherein the first cryptographic algorithm differs from the second cryptographic algorithm, and/or the first preset parameter differs from the second preset parameter.

An embodiment of the present invention also provides a terminal comprising:

a first collection module, configured to collect the terminal's own device factor and the locally stored private identifier, where the private identifier was calculated by the server from the device factor sent by the terminal and sent to the terminal;

a first sending module, configured to send to the server an authentication request carrying the device factor and private identifier of the terminal;

a first receiving module, configured to receive the authentication result returned by the server.

Optionally, the terminal further comprises:

a second collection module, configured to collect the terminal's own device factor;

a second sending module, configured to send to the server a registration request carrying the device factor of the terminal;

a second receiving module, configured to receive the private identifier of the terminal sent by the server and store it locally on the terminal.

An embodiment of the present invention also provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the user authentication method described above.

Compared with the prior art, the user authentication method and device provided by the embodiments of the present invention perform independent hardware-device security authentication on the user's terminal. This removes the impact on all devices that would otherwise follow a leak of the operator's key information, and reduces the risk of user identity leakage and of device hardware being cracked or misappropriated. The embodiments use both a device identifier and a private identifier for user authentication. The two are different identifiers obtained by different computations; only the private identifier is carried in the authentication request, while the device identifier is regenerated on demand by the server and then matched, together with the private identifier, against the two identifiers stored on the server. Because the private identifier is generated online and written into the terminal's APP, the security risk arising from leakage of user identity information is mitigated.

Description of drawings

To illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings used in the description of the embodiments are briefly introduced below. The drawings described below are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.

Figure 1 is a schematic diagram of a system to which the user authentication method of an embodiment of the present invention is applied;

Figure 2 is a schematic flowchart of the user authentication method of an embodiment of the present invention;

Figure 3 is another schematic flowchart of the user authentication method of an embodiment of the present invention;

Figure 4 is an example diagram of the user authentication method of an embodiment of the present invention;

Figure 5 is a schematic structural diagram of a server of an embodiment of the present invention;

Figure 6 is another schematic structural diagram of a server of an embodiment of the present invention;

Figure 7 is a schematic structural diagram of a terminal of an embodiment of the present invention;

Figure 8 is another schematic structural diagram of a terminal of an embodiment of the present invention.

Detailed description

To make the technical problems, technical solutions and advantages of the present invention clearer, a detailed description is given below with reference to the accompanying drawings and specific embodiments. In the following description, specific details such as particular configurations and components are provided only to assist a comprehensive understanding of the embodiments of the present invention. It should therefore be clear to those skilled in the art that various changes and modifications can be made to the embodiments described here without departing from the scope and spirit of the invention. Descriptions of well-known functions and constructions are omitted for clarity and conciseness.

It is to be understood that references throughout the specification to "one embodiment" or "an embodiment" mean that a particular feature, structure or characteristic associated with the embodiment is included in at least one embodiment of the present invention. Thus, occurrences of "in one embodiment" or "in an embodiment" in various places throughout this specification do not necessarily refer to the same embodiment. Furthermore, the particular features, structures or characteristics may be combined in any suitable manner in one or more embodiments.

In the various embodiments of the present invention, it should be understood that the numbering of the processes below does not imply an order of execution. The execution order of each process is determined by its function and internal logic and does not limit the implementation of the embodiments in any way.

As described in the background, some prior-art user authentication methods have poor security, and application scenarios such as car rental call for an independent authentication scheme that does not depend on a car key. To solve at least one of these problems, an embodiment of the present invention provides a user authentication method in which the user is authenticated through the user's own terminal, such as a smartphone or tablet (PAD), removing the dependence on a car key and improving the security of user authentication.

Referring to Figure 1, the user authentication method of an embodiment of the present invention can be applied to a system comprising a terminal 101, an application (APP) 111 and a server 121. Here:

The terminal 101 may be any of various mobile devices, such as a smartphone or tablet (PAD). The terminal 101 has:

Device attributes 102. Device attributes are divided into unique attributes and non-unique attributes. A unique attribute is one that can uniquely identify the terminal; it is also called the device factor 103 in this document. A non-unique attribute is one shared by, or identical across, multiple terminals. Specifically, the device factor 103 may include various factors of each terminal, such as the International Mobile Equipment Identity (IMEI), the International Mobile Subscriber Identity (IMSI), the physical (MAC) address, the device serial number and the device installation ID. Non-unique attributes include the device type, model and operating system type.

APP 111 is an application installed on the terminal 101, for example a car-rental application. The APP 111 contains the following functions:

1) Attribute collection 112, which collects the device attributes of the terminal, namely the device factor (unique attributes) and optionally the non-unique attributes.

2) Message generation and interaction 113, which processes the device attributes, organizes them into messages, and handles the sending and receiving of messages between the APP and the server 121.

3) Private identifier storage 114, which stores the identifier associated with the APP so as to prevent APP forgery. Specifically, in the embodiment of the present invention it stores the private identifier generated by the server from the terminal's device factor and other information.

The server 121 contains the following functions:

Identifier generation 122, which generates the device identifier and private identifier from the terminal's device factor.

Message generation and interaction 123, which handles message exchange between the terminal's APP and the server.

Attribute reception 124, which receives the device attributes, including the device factor, sent by the terminal.

Identifier authentication 125, which authenticates the device identifier and private identifier of the terminal.

Identifier binding and storage 126, which binds the terminal's device identifier and private identifier to the user identity information of the terminal and stores them. The user identity information may be personal information such as a name or user ID.

External information acquisition 127, which can obtain from an external source the user identity information of the terminal to be bound.

请参照图2,本发明实施例提供的用户认证方法,在应用于服务器侧时,包括:Referring to FIG. 2 , the user authentication method provided by the embodiment of the present invention, when applied to the server side, includes:

步骤21,接收终端发送的认证请求,所述认证请求携带有所述终端的设备因子和私有标识。Step 21: Receive an authentication request sent by the terminal, where the authentication request carries the device factor and private identifier of the terminal.

这里,本发明实施例可以在终端登录APP后,发起终端的用户认证过程,即要求终端发送认证请求,并携带终端的设备因子和私有标识。在用户认证通过后,终端才可以使用该APP的功能;而在认证失败时,将拒绝用户操作。当然,也可以在使用某些预定义的功能时,发起终端的用户认证过程,并在认证通过后,才允许终端使用该功能,而在认证失败时,将拒绝终端使用该功能。Here, in this embodiment of the present invention, after the terminal logs into the APP, a user authentication process of the terminal may be initiated, that is, the terminal is required to send an authentication request and carry the device factor and private identifier of the terminal. The terminal can use the functions of the APP only after the user's authentication is passed; when the authentication fails, the user's operation will be rejected. Of course, it is also possible to initiate a user authentication process of the terminal when using some predefined functions, and allow the terminal to use the function after the authentication is passed, and reject the terminal to use the function when the authentication fails.

具体的,所述设备因子是能够唯一标识所述终端的设备属性,包括但不限于终端的IMEI、IMSI、MAC地址、设备序列号以及设备安装ID等中的一个或多个。可选的,所述认证请求还可以携带所述终端的非唯一的设备属性,如设备的类型、型号、操作系统类型等属性。所述私有标识是服务器预先基于终端的设备因子计算得到并发送给终端保存的标识。可以通过终端的私有标识存储114功能,将服务器发送的私有标识保存在终端本地。Specifically, the device factor is a device attribute that can uniquely identify the terminal, including but not limited to one or more of the terminal's IMEI, IMSI, MAC address, device serial number, and device installation ID. Optionally, the authentication request may also carry non-unique device attributes of the terminal, such as attributes such as the type, model, and operating system type of the device. The private identifier is an identifier pre-calculated by the server based on the device factor of the terminal and sent to the terminal for storage. The private identifier sent by the server can be stored locally in the terminal through the private identifier storage 114 function of the terminal.

步骤22,查找本地保存所述终端的设备标识和私有标识。Step 22: Search for the device identifier and private identifier of the terminal that are locally stored.

这里,服务器在接收到终端发送的认证请求后,查找本地保存的所述终端的设备标识和私有标识。具体的,服务器可以预先建立各个终端的用户身份(如用户ID、姓名等)与上述标识(包括设备标识和私有标识)之间的绑定关系。通常,终端发送的消息(如认证请求、注册消息等)中都会携带终端的用户身份信息,如姓名或用户ID等。这样,在接收到上述认证请求后,服务器可以根据发送认证请求的终端的用户身份,在服务器本地查找与该用户身份绑定的设备标识和私有标识。Here, after receiving the authentication request sent by the terminal, the server searches for the device identifier and private identifier of the terminal stored locally. Specifically, the server may pre-establish a binding relationship between user identities (eg, user ID, name, etc.) of each terminal and the above-mentioned identifiers (including device identifiers and private identifiers). Usually, messages sent by a terminal (such as an authentication request, a registration message, etc.) carry user identity information of the terminal, such as a name or a user ID. In this way, after receiving the above authentication request, the server can locally search the server for the device identifier and private identifier bound to the user identity according to the user identity of the terminal sending the authentication request.

Step 23: Authenticate the terminal according to whether the locally stored device identifier and private identifier of the terminal match the device identifier sent by the terminal and the private identifier computed from the device factor sent by the terminal, and obtain an authentication result.

Here, if the locally stored device identifier and private identifier of the terminal respectively match the device identifier sent by the terminal and the private identifier computed from the device factor sent by the terminal, an authentication result indicating that the terminal passed authentication is obtained; otherwise, an authentication result indicating that the terminal failed authentication is obtained.

To simplify the matching, the server may first determine whether the locally stored private identifier is identical to the private identifier sent by the terminal: if they differ, an authentication result of failure is obtained; if they are identical, the server then computes the terminal's device identifier from the terminal's device factor. Next, the server determines whether the locally stored device identifier is identical to the computed device identifier of the terminal: if they differ, an authentication result of failure is obtained; if they are identical, an authentication result of success is obtained.

Step 24: Send the authentication result to the terminal.

Here, the server sends the terminal an authentication result indicating authentication failure or success. After receiving this result, the APP on the terminal may, on failure, refuse to let the user use the APP or a specific function of the APP; on success, it may allow the user to use the APP or the specific function.

Through the above steps, the embodiment of the present invention can implement independent security authentication of hardware devices based on the user's terminal, can eliminate the impact on all devices once the operator's key information has leaked, and can also reduce the risk of user identity leakage and of device hardware being cracked or stolen. The embodiment uses both the device identifier and the private identifier for user authentication; these are different identifiers obtained by different computations, and only the private identifier is carried in the authentication request, while the device identifier has to be generated by the server on the fly and then matched against the two identifiers stored locally on the server. Because the private identifier is generated online and written into the terminal's APP, the security risk brought by leakage of user identity information can be prevented.

Before step 21 above, the server may also, during the registration of the terminal, bind the terminal's user identity with the terminal's private identifier and device identifier.

Specifically, the server may receive a registration request sent by the terminal that carries the terminal's device factor. Then, from the device factor sent by the terminal, it computes the terminal's private identifier and device identifier, sends the generated private identifier to the terminal, establishes the correspondence between the terminal's user identity and the terminal's private identifier and device identifier, and stores that correspondence locally.

Since there are many kinds of device factors, in order to ensure that the server obtains the device factors used for computing the device identifier or private identifier, to reduce unnecessary device factors sent by the terminal, and to improve transmission efficiency, the embodiment of the present invention may use a predefined device factor list to instruct the terminal to collect and send the device factors in that list. Specifically, during terminal registration, after receiving a registration request from the terminal that carries no device factor, the server may send the predefined device factor list to the terminal; the list indicates the device factors the terminal needs to collect and upload. The terminal collects the relevant device factors according to the list and resends a registration request carrying them. After receiving the registration request carrying the relevant device factors, the server can compute the terminal's private identifier and device identifier from the device factors sent, send the generated private identifier to the terminal, establish the correspondence between the terminal's user identity and its private identifier and device identifier, and store it locally. Similarly, in step 21 above, when sending the authentication request the terminal may collect the relevant device factors according to the list and then send an authentication request carrying the terminal's device factors and private identifier. Table 1 gives an example of a device factor list.

Figure BDA0002742266310000101

Table 1

In the embodiment of the present invention, during terminal authentication or during terminal registration, the server needs to compute the terminal's private identifier and device identifier from the device factor sent by the terminal. Specifically, a first encryption algorithm may be applied to the device factor sent by the terminal and a first preset parameter to obtain the terminal's private identifier, and a second encryption algorithm may be applied to the device factor sent by the terminal and a second preset parameter to obtain the terminal's device identifier. Here, to ensure that the device identifier differs from the private identifier, the first encryption algorithm usually differs from the second encryption algorithm, and/or the first preset parameter usually differs from the second preset parameter. For example, the first encryption algorithm may use a different algorithm or different calculation steps than the second to encrypt the device factor and the related preset parameter. The specific encryption algorithm may be a hash algorithm or the like. The first and second preset parameters may be information bits defined by the server itself.
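As an added illustration (not code from the patent or from Hitachi), the following Python sketch implements the server side described in steps 22 to 24, the registration binding established before step 21, and the two-algorithm derivation just described. It assumes HMAC-SHA256 and HMAC-SHA512 as the first and second encryption algorithms, constructed placeholder byte strings as the first and second preset parameters, and a constructed four-entry device factor list standing in for Table 1 (which the page does not reproduce); the names AuthServer, private_identifier and device_identifier are hypothetical.

```python
import hashlib
import hmac
import json

# Constructed device factor list standing in for the patent's Table 1; the
# factor names are assumptions, not the patent's list.
DEVICE_FACTOR_LIST = ["IMEI", "MAC", "Network_address", "Device_ID"]

# The patent's "first preset parameter" and "second preset parameter": server-side
# secrets that never leave the server. Constructed placeholder values.
FIRST_PRESET_PARAMETER = b"placeholder-first-preset-parameter"
SECOND_PRESET_PARAMETER = b"placeholder-second-preset-parameter"


def canonical_factors(factors: dict) -> bytes:
    """Serialise the factors in list order so that registration and every later
    authentication hash exactly the same bytes for the same device."""
    return json.dumps([[name, str(factors[name])] for name in DEVICE_FACTOR_LIST]).encode()


def private_identifier(factors: dict) -> str:
    """First algorithm + first parameter (HMAC-SHA256 here, an assumption)."""
    return hmac.new(FIRST_PRESET_PARAMETER, canonical_factors(factors), hashlib.sha256).hexdigest()


def device_identifier(factors: dict) -> str:
    """Second algorithm + second parameter (HMAC-SHA512 here, an assumption)."""
    return hmac.new(SECOND_PRESET_PARAMETER, canonical_factors(factors), hashlib.sha512).hexdigest()


def missing_factors(factors: dict) -> list:
    return [name for name in DEVICE_FACTOR_LIST if name not in factors]


class AuthServer:
    """Server side: registration binds user -> (device id, private id);
    authentication applies the two-stage match of step 23."""

    def __init__(self):
        self.bindings = {}  # user_id -> (device_id, private_id), server-side only

    def register(self, user_id: str, factors: dict) -> dict:
        if missing_factors(factors):
            # Registration request without (all) factors: reply with the list the
            # terminal has to collect and resend.
            return {"status": "need_factors", "factor_list": DEVICE_FACTOR_LIST}
        private_id = private_identifier(factors)
        self.bindings[user_id] = (device_identifier(factors), private_id)
        # Only the private identifier is handed to the terminal; the device
        # identifier stays on the server and is recomputed at each authentication.
        return {"status": "ok", "private_id": private_id}

    def authenticate(self, user_id: str, factors: dict, presented_private_id: str) -> str:
        binding = self.bindings.get(user_id)
        if binding is None:
            return "fail"
        stored_device_id, stored_private_id = binding
        # Stage 1: cheap check, stored private id against the one the terminal sent.
        if not hmac.compare_digest(stored_private_id.encode(), presented_private_id.encode()):
            return "fail"
        # Stage 2: recompute the device id from the factors sent now and compare
        # with the stored one. A private id copied to another device fails here.
        if missing_factors(factors):
            return "fail"
        if not hmac.compare_digest(stored_device_id.encode(), device_identifier(factors).encode()):
            return "fail"
        return "pass"


def demo() -> dict:
    """Constructed walk-through: register one terminal, then three authentication attempts."""
    server = AuthServer()
    phone = {"IMEI": "000000000000000", "MAC": "00:11:22:33:44:55",
             "Network_address": "192.0.2.10", "Device_ID": "constructed-id-1"}
    other = dict(phone, IMEI="000000000000001", Device_ID="constructed-id-2")
    first = server.register("alice", {})  # no factors yet -> server answers with the list
    pid = server.register("alice", phone)["private_id"]
    return {
        "first_reply": first["status"],
        "genuine": server.authenticate("alice", phone, pid),
        "copied_private_id": server.authenticate("alice", other, pid),
        "wrong_private_id": server.authenticate("alice", phone, "0" * len(pid)),
        "ids_differ": pid != server.bindings["alice"][0],
    }
```

The point to take from the two-stage check is that the private identifier alone never authenticates: a copy of it presented together with a different terminal's factors fails at stage 2, because the server recomputes the device identifier from the factors rather than trusting a client-supplied value, and because both preset parameters stay on the server, a leaked identifier cannot be regenerated for another device.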

The user authentication method of the embodiment has been described above from the server side. It is further described below from the terminal side.

Referring to FIG. 3, the user authentication method provided by the embodiment of the present invention, when applied on the terminal side, includes:

Step 31: Collect the terminal's own device factor and the locally stored private identifier, where the private identifier was computed by the server from the device factor sent by the terminal and sent to the terminal.

Here, the terminal may collect the relevant device factors according to a previously obtained device factor list, and collect the locally stored private identifier of the terminal. The private identifier stored locally on the terminal was computed in advance by the server from the device factor sent by the terminal and sent to the terminal, for example during the terminal registration process.

Step 32: Send the server an authentication request carrying the terminal's device factor and private identifier.

Here, the terminal sends an authentication request carrying the collected device factor and private identifier of the terminal. The server performs user authentication according to the received device factor and private identifier; for the specific authentication procedure, refer to the description of the corresponding server-side steps above, which is not repeated here.

Step 33: Receive the authentication result returned by the server.

Here, the terminal receives the authentication result sent by the server indicating whether authentication passed. Step 31 above may be executed after the user logs in to a specific APP, or when the user uses a specific function of a specific APP. After step 33, if authentication failed, the user may be refused use of the APP or of a specific function of the APP; if authentication passed, the user may be allowed to use the APP or the specific function.

Before step 31 above, the terminal may obtain the private identifier through a registration process. Specifically, the terminal may initiate registration and collect its own device factor. It then sends the server a registration request carrying the terminal's device factor, and then receives the terminal's private identifier sent by the server and stores it locally. During registration, the terminal may collect the relevant device factors according to the device factor list sent by the server and carry them in the registration request to the server. The server computes the terminal's private identifier and device identifier from the device factor sent, sends the generated private identifier to the terminal, establishes the correspondence between the terminal's user identity and its private identifier and device identifier, and stores it locally on the server. The terminal receives and stores the private identifier sent by the server; specifically, it may be received and stored by the specific APP, for example written into the APP's internal storage.

FIG. 4 gives an example interaction flow of the authentication process between the server and the terminal; specifically:

In step 401, the user starts an operation, which may specifically be launching a mobile APP on the terminal or starting a specific function of the mobile APP.

In steps 402 to 403, the mobile APP collects the terminal's device factor and private identifier and sends them to the server.

In step 404, the server looks up the device identifier and private identifier bound to the terminal and matches the latter against the private identifier sent by the terminal.

In step 405, if the two private identifiers match, proceed to step 407; otherwise, proceed to step 406.

In step 406, an authentication result of user authentication failure is obtained, then proceed to step 409.

In steps 407 to 408, the server computes the device identifier from the device factor sent by the terminal, matches the computed device identifier against the device identifier sent by the terminal, obtains the authentication result (pass or fail) according to whether the match succeeds, and then proceeds to step 409.

In step 409, the server returns the authentication result to the mobile APP on the terminal.

In step 410, when the authentication result indicates success the mobile APP on the terminal proceeds to step 411, otherwise to step 412.

In step 411, the mobile APP executes the user's current operation.

In step 412, the mobile APP rejects the user's current operation.

In addition, in the embodiment of the present invention, multiple weight sets may be obtained, each containing a weight for every device factor in the device factor list; these weight sets may be provided independently by several experts. Then, according to a preset algorithm for determining index weights, the multiple weight sets are combined into one final weight set. Then, from the device factors and the final weight set, the private identifier / device identifier is computed using the first / second encryption algorithm. A specific example of computing the private identifier / device identifier is given below; note that this is only one calculation method the present invention may adopt and is not intended to limit the present invention.

First, set the device factor set U = {u1, u2, u3, …, un}, and assume there are K experts, each independently giving a weight for every device factor, {ai1, ai2, ai3, …, ain} (i = 1, 2, 3, …, k). For each expert, the set is as follows:

Figure BDA0002742266310000121

Find the largest weight value Mj and the smallest weight value mj (j = 1, 2, 3, …, n) in each set. Set a positive integer P as the interval division and use the formula

Figure BDA0002742266310000131

to divide the weight values from smallest to largest into P interval groups. The weight value Xi corresponding to each set is thus obtained; set the frequency value Ni and at the same time compute

Figure BDA0002742266310000132

Based on the above results, the average weight

Figure BDA0002742266310000133

j = (1, 2, 3, …, n) is obtained. Finally, the weight set A = {a1, a2, a3, …, an} is obtained.

Suppose the device factor set is U = {Imei, Mac, Network_address, Device_ID}. Suppose two experts give the weight sets {0.5, 0.1, 0.2, 0.2} and {0.4, 0.2, 0.3, 0.1}, and set P = 2 as the interval division. After calculation, the weight of each factor is obtained as shown in Table 2:

| Device factor | Weight |
|---|---|
| IMEI | 0.325 |
| MAC address (MAC) | 0.3 |
| Network address (Network_address) | 0.2 |
| Device ID (Device_ID) | 0.175 |

Table 2

Further, in light of the actual situation, the factor weights may be multiplied by a scale coefficient according to the actual proportions of different devices, giving the factor weights of each kind for different devices, as shown in Table 3:

| Device factor | Weight | Device 1 (75%) | Device 2 (25%) |
|---|---|---|---|
| Imei | 0.325 | 0.24375 | 0.08125 |
| Mac | 0.3 | 0.225 | 0.075 |
| Network_address | 0.2 | 0.15 | 0.05 |
| Device_ID | 0.175 | 0.13125 | 0.04375 |

Table 3

Take the device factor set u = {100, 200, 150, 300} as an example, and assume two experts give the weight sets A1 = {0.5, 0.1, 0.2, 0.2} and A2 = {0.4, 0.2, 0.3, 0.1}. After calculation the corresponding set U = {90, 60, 75, 120} is obtained:

Here the maximum of A1 is 0.5 and the minimum is 0.1, corresponding to the largest weight value Mj and the smallest weight value mj (j = 1, 2, 3, …, n) of each set. Setting p = 2 and using the formula

Figure BDA0002742266310000141

the X1 corresponding to A1 is {0.125, 0.075, 0.15, 0.15}, and correspondingly the X2 corresponding to A2 is {0.2, 0.1, 0.15, 0.05}.

The corresponding W1 is {0.25, 0.75, 0.75, 0.75}, and the corresponding W2 is {0.5, 0.5, 0.5, 0.5};

Finally, according to the averaging coefficient

Figure BDA0002742266310000142

j = (1, 2, 3, …, n),

we obtain a1 = 21/160, a2 = 17/160, a3 = 3/16, a4 = 22/160.

The corresponding hardware information string is: d.2+15.4+1c.2+29.4.

Concatenated, this becomes: d.215.41c.229.4.

The corresponding ciphertext after encryption, expressed as a 32-character uppercase MD5 digest, is 40935C33AB5A7E4948D27F1795958465. This ciphertext may be used as the device identifier. In addition, some preset string or preset ASCII characters may be appended to this ciphertext to obtain a new ciphertext, which is used as the private identifier.
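The weight-combination formulas survive on the page only as figure placeholders, so the following Python block is an added reconstruction (not the patent's own code) that reproduces the numbers of the worked example with u = {100, 200, 150, 300}, A1 and A2, and of the general description before it: the W values are the share of each expert's weights that fall into the same of the P equal intervals between that expert's minimum and maximum, X_ij = a_ij * W_ij, and the final a_j = sum over experts of X_ij * W_ij. These three rules are assumptions inferred from the example's values; the hexadecimal string, its concatenation and the uppercase MD5 digest follow the page's description. Exact fractions are used so the results can be compared with the page's 21/160, 17/160, 3/16 and 22/160 rather than with rounded floats.

```python
from fractions import Fraction
import hashlib


def interval_frequencies(weights, P):
    """For one expert's weight vector, split [m, M] into P equal intervals and
    return, per weight, the share of this expert's weights that fall into the
    same interval (the W values of the worked example). Reconstructed rule."""
    n = len(weights)
    m, M = min(weights), max(weights)
    width = (M - m) / P
    groups = []
    for w in weights:
        idx = int((w - m) / width) if width else 0
        groups.append(min(idx, P - 1))  # the maximum itself falls into the last interval
    return [Fraction(groups.count(g), n) for g in groups]


def combine_weights(expert_sets, P):
    """Merge K independent expert weight sets into the final set A.
    X_ij = a_ij * W_ij and a_j = sum_i X_ij * W_ij reproduce the page's numbers;
    both rules are reconstructed assumptions."""
    n = len(expert_sets[0])
    Ws = [interval_frequencies(A, P) for A in expert_sets]
    Xs = [[a * w for a, w in zip(A, W)] for A, W in zip(expert_sets, Ws)]
    final = [sum(X[j] * W[j] for X, W in zip(Xs, Ws)) for j in range(n)]
    return Ws, Xs, final


def hex_fixed(value, max_digits=8):
    """Hexadecimal notation with fractional digits: 13.125 -> 'd.2', 21.25 -> '15.4'."""
    value = Fraction(value)
    whole = int(value)
    frac = value - whole
    digits = ""
    while frac and len(digits) < max_digits:
        frac *= 16
        d = int(frac)
        digits += format(d, "x")
        frac -= d
    return format(whole, "x") + ("." + digits if digits else "")


def hardware_string(factor_values, final_weights):
    """Each factor value scaled by its final weight, written in hex, joined by '+'."""
    return "+".join(hex_fixed(u * a) for u, a in zip(factor_values, final_weights))


def device_identifier_md5(hw_string):
    """Drop the '+' separators and take the 32-character uppercase MD5 digest."""
    return hashlib.md5(hw_string.replace("+", "").encode()).hexdigest().upper()


def worked_example():
    """The page's example: two experts, P = 2, u = {100, 200, 150, 300}."""
    A1 = [Fraction(x) for x in ("0.5", "0.1", "0.2", "0.2")]
    A2 = [Fraction(x) for x in ("0.4", "0.2", "0.3", "0.1")]
    u = [100, 200, 150, 300]
    Ws, Xs, final = combine_weights([A1, A2], P=2)
    hw = hardware_string(u, final)
    return {"W": Ws, "X": Xs, "A": final, "hw": hw, "md5": device_identifier_md5(hw)}
```

Running worked_example() yields W1 = {1/4, 3/4, 3/4, 3/4}, W2 = {1/2, 1/2, 1/2, 1/2}, X1 = {1/8, 3/40, 3/20, 3/20}, the final weights 21/160, 17/160, 3/16 and 22/160, and the string d.2+15.4+1c.2+29.4, all as on the page; the digest it returns can be compared with the value the page states. Note that the hardware string is a deterministic function of device attributes alone, so an identifier derived from it is only as confidential as the server-side preset parameter appended before hashing, as described for the private identifier above.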

Based on the above user authentication method, an embodiment of the present invention further provides an apparatus implementing the method.

Referring to FIG. 5, a server 50 provided by an embodiment of the present invention includes:

a first receiving module 51, configured to receive an authentication request sent by a terminal, the authentication request carrying the terminal's device factor and private identifier;

a lookup module 52, configured to look up the locally stored device identifier and private identifier of the terminal;

an authentication module 53, configured to authenticate the terminal according to whether the locally stored device identifier and private identifier of the terminal match the device identifier sent by the terminal and the private identifier computed from the device factor sent by the terminal, and to obtain an authentication result;

a first sending module 54, configured to send the authentication result to the terminal.

Through the above modules, the server of the embodiment of the present invention can implement independent security authentication of hardware devices, eliminate the impact on all devices once the operator's key information has leaked, and also reduce the risk of user identity leakage and of device hardware being cracked or stolen.

Optionally, when the locally stored device identifier and private identifier of the terminal respectively match the device identifier sent by the terminal and the private identifier computed from the device factor sent by the terminal, an authentication result that the terminal passed authentication is obtained; otherwise, an authentication result that the terminal failed authentication is obtained.

Optionally, the authentication module is further configured to:

determine whether the locally stored private identifier is identical to the private identifier sent by the terminal: if not, obtain an authentication result of failure; if so, compute the terminal's device identifier from the terminal's device factor;

determine whether the locally stored device identifier is identical to the computed device identifier of the terminal: if not, obtain an authentication result of failure; if so, obtain an authentication result of success.

Optionally, the server further includes:

a second receiving module, configured to receive a registration request sent by the terminal that carries the terminal's device factor;

a registration module, configured to compute the terminal's private identifier and device identifier from the device factor sent by the terminal, send the generated private identifier to the terminal, establish the correspondence between the terminal's user identity and its private identifier and device identifier, and store it locally.

Optionally, the registration module is further configured to:

apply a first encryption algorithm to the device factor sent by the terminal and a first preset parameter to obtain the terminal's private identifier;

apply a second encryption algorithm to the device factor sent by the terminal and a second preset parameter to obtain the terminal's device identifier;

where the first encryption algorithm differs from the second encryption algorithm, and/or the first preset parameter differs from the second preset parameter.

As shown in FIG. 6, an embodiment of the present invention further provides a server 60 of another structure. The server 60 specifically includes a processor 61, a memory 62, a bus system 63, a receiver 64 and a transmitter 65. The processor 61, memory 62, receiver 64 and transmitter 65 are connected through the bus system 63; the memory 62 stores instructions, and the processor 61 executes the instructions stored in the memory 62 to control the receiver 64 to receive signals and the transmitter 65 to send signals;

where the processor 61 is configured to read the program in the memory and perform the following process:

receiving an authentication request sent by a terminal, the authentication request carrying the terminal's device factor and private identifier;

looking up the locally stored device identifier and private identifier of the terminal;

authenticating the terminal according to whether the locally stored device identifier and private identifier of the terminal match the device identifier sent by the terminal and the private identifier computed from the device factor sent by the terminal, and obtaining an authentication result;

sending the authentication result to the terminal.

It should be understood that in the embodiment of the present invention the processor 61 may be a central processing unit (CPU), or another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, and so on. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor.

The memory 62 may include read-only memory and random access memory, and provides instructions and data to the processor 61. Part of the memory 62 may also include non-volatile random access memory. For example, the memory 62 may also store device type information.

Besides the data bus, the bus system 63 may also include a power bus, a control bus, a status signal bus and the like. For clarity, however, the various buses are all labelled as bus system 63 in the figure.

During implementation, each step of the above method may be completed by integrated logic circuits of hardware in the processor 61 or by instructions in the form of software. The steps of the method disclosed in conjunction with the embodiments of the present invention may be directly embodied as being executed by a hardware processor, or executed by a combination of hardware and software modules in the processor. The software modules may reside in a storage medium mature in the art, such as random access memory, flash memory, read-only memory, programmable read-only memory or electrically erasable programmable memory, or registers. The storage medium is located in the memory 62; the processor 61 reads the information in the memory 62 and completes the steps of the above method in combination with its hardware. To avoid repetition, no detailed description is given here.

When the program is executed by the processor, all implementations of the user authentication method shown in FIG. 2 can be realised with the same technical effect; to avoid repetition, they are not repeated here.

In some embodiments of the present invention, a computer-readable storage medium is further provided, on which a program is stored; when the program is executed by a processor, the following steps are implemented:

receiving an authentication request sent by a terminal, the authentication request carrying the terminal's device factor and private identifier;

looking up the locally stored device identifier and private identifier of the terminal;

authenticating the terminal according to whether the locally stored device identifier and private identifier of the terminal match the device identifier sent by the terminal and the private identifier computed from the device factor sent by the terminal, and obtaining an authentication result;

sending the authentication result to the terminal.

When the program is executed by the processor, all implementations of the above server-side method can be realised with the same technical effect; to avoid repetition, they are not repeated here.

Referring to FIG. 7, an embodiment of the present invention further provides a terminal 70, including:

a first collection module 71, configured to collect the terminal's own device factor and the locally stored private identifier, where the private identifier was computed by the server from the device factor sent by the terminal and sent to the terminal;

a first sending module 72, configured to send the server an authentication request carrying the terminal's device factor and private identifier;

a first receiving module 73, configured to receive the authentication result returned by the server.

Optionally, the terminal further includes:

a second collection module, configured to collect the terminal's own device factor;

a second sending module, configured to send the server a registration request carrying the terminal's device factor;

a second receiving module, configured to receive the terminal's private identifier sent by the server and store it locally on the terminal.

Referring to FIG. 8, which is a schematic structural diagram of a terminal provided by an embodiment of the present invention, the terminal 800 includes: a processor 801, a transceiver 802, a memory 803, a user interface 804 and a bus interface.

In this embodiment of the present invention, the terminal 800 further includes a program stored in the memory 803 and executable on the processor 801.

When the processor 801 executes the program, the following steps are implemented:

collecting the device factor of the terminal itself and the locally stored private identifier, wherein the private identifier is calculated by the server based on the device factor sent by the terminal and sent to the terminal;

sending an authentication request carrying the device factor and the private identifier of the terminal to the server;

receiving the authentication result returned by the server.

It can be understood that, in this embodiment of the present invention, when the computer program is executed by the processor 801, each process of the method embodiment shown in FIG. 3 can be implemented and the same technical effect achieved; to avoid repetition, details are not repeated here.

In FIG. 8, the bus architecture may include any number of interconnected buses and bridges, linking together various circuits including one or more processors represented by the processor 801 and the memory represented by the memory 803. The bus architecture may also link together various other circuits, such as peripherals, voltage regulators and power management circuits, which are well known in the art and therefore are not described further herein. The bus interface provides an interface. The transceiver 802 may be a plurality of elements, i.e. including a transmitter and a receiver, providing a unit for communicating with various other apparatuses over a transmission medium. For different user equipment, the user interface 804 may also be an interface capable of connecting, externally or internally, the required devices, the connected devices including but not limited to a keypad, a display, a speaker, a microphone, a joystick and the like.

The processor 801 is responsible for managing the bus architecture and general processing, and the memory 803 may store data used by the processor 801 when performing operations.

In some embodiments of the present invention, a computer-readable storage medium is also provided, on which a program is stored; when the program is executed by a processor, the following steps are implemented:

collecting the device factor of the terminal itself and the locally stored private identifier, wherein the private identifier is calculated by the server based on the device factor sent by the terminal and sent to the terminal;

sending an authentication request carrying the device factor and the private identifier of the terminal to the server;

receiving the authentication result returned by the server.

When the program is executed by the processor, it can implement all the implementation manners of the above method applied to the terminal and achieve the same technical effect; to avoid repetition, details are not repeated here.

Those of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware, or in a combination of computer software and electronic hardware. Whether these functions are performed in hardware or software depends on the specific application and design constraints of the technical solution. Skilled persons may implement the described functionality using different methods for each particular application, but such implementations should not be considered to exceed the scope of the present invention.

Those skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the systems, apparatuses and units described above may refer to the corresponding processes in the foregoing method embodiments, and are not repeated here.

In the embodiments provided in this application, it should be understood that the disclosed apparatus and method may be implemented in other manners. For example, the apparatus embodiments described above are only illustrative; the division of the units is only a division by logical function, and in actual implementation there may be other ways of division, for example multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, apparatuses or units, and may be electrical, mechanical or in other forms.

The units described as separate components may or may not be physically separate, and components displayed as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solutions of the embodiments of the present invention.

In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit.

If the functions are implemented in the form of software functional units and sold or used as independent products, they may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to execute all or part of the steps of the methods described in the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium that can store program code.

The above are only specific embodiments of the present invention, but the protection scope of the present invention is not limited thereto. Any person skilled in the art can readily conceive of various equivalent modifications or substitutions within the technical scope disclosed by the present invention, and these modifications or substitutions shall all be covered by the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (13)

1. A user authentication method is applied to a server, and is characterized by comprising the following steps:
receiving an authentication request sent by a terminal, wherein the authentication request carries a device factor and a private identification of the terminal;
searching for a device identifier and a private identifier of the terminal which are locally stored;
according to whether the locally stored equipment identifier and the private identifier of the terminal are matched with the equipment identifier sent by the terminal and the private identifier obtained by calculating based on the equipment factor sent by the terminal, authenticating the terminal and obtaining an authentication result;
and sending the authentication result to the terminal.
2. The method of claim 1, wherein when the locally stored device identifier and private identifier of the terminal respectively match the device identifier sent by the terminal and the private identifier calculated based on the device factor sent by the terminal, an authentication result that the terminal passes authentication is obtained; otherwise, an authentication result that the terminal fails authentication is obtained.
3. The method of claim 1, wherein the authenticating the terminal according to whether the device identifier and the private identifier of the terminal stored locally match with the device identifier sent by the terminal and the private identifier calculated based on the device factor sent by the terminal comprises:
judging whether the locally stored private identifier is the same as the private identifier sent by the terminal: if not, obtaining an authentication result that the terminal fails authentication; if so, calculating the device identifier of the terminal from the device factor of the terminal;
judging whether the locally stored device identifier is the same as the calculated device identifier of the terminal: if not, obtaining an authentication result that the terminal fails authentication; if so, obtaining an authentication result that the terminal passes authentication.
4. A method according to any of claims 1 to 3, wherein prior to receiving the device factor and the private identity sent by the terminal, the method further comprises:
receiving a registration request which is sent by the terminal and carries the equipment factor of the terminal;
and calculating to obtain the private identification and the equipment identification of the terminal according to the equipment factor sent by the terminal, sending the generated private identification of the terminal to the terminal, establishing a corresponding relation between the user identity of the terminal and the private identification and the equipment identification of the terminal, and storing the corresponding relation locally.
5. The method as claimed in claim 4, wherein said calculating the private identity and the device identity of the terminal according to the device factor sent by the terminal comprises:
calculating the equipment factor and a first preset parameter sent by the terminal by using a first encryption algorithm to obtain a private identifier of the terminal;
calculating the equipment factor and a second preset parameter sent by the terminal by using a second encryption algorithm to obtain an equipment identifier of the terminal;
wherein the first encryption algorithm is different from the second encryption algorithm, and/or the first preset parameter is different from the second preset parameter.
6. A user authentication method is applied to a terminal, and is characterized by comprising the following steps:
collecting the device factors of the terminal and a private identification stored locally, wherein the private identification is obtained by a server based on the device factors sent by the terminal and is sent to the terminal;
sending an authentication request carrying the equipment factor and the private identification of the terminal to a server;
and receiving an authentication result returned by the server.
7. The method of claim 6, wherein prior to collecting the terminal's own device factor and the locally stored private identity, the method further comprises:
collecting the self equipment factors of the terminal;
sending a registration request carrying the equipment factor of the terminal to a server;
and receiving the private identification of the terminal sent by the server and storing the private identification in the local terminal.
8. A server, comprising:
the first receiving module is used for receiving an authentication request sent by a terminal, wherein the authentication request carries an equipment factor and a private identity of the terminal;
the searching module is used for searching the equipment identifier and the private identifier of the terminal stored locally;
the authentication module is used for authenticating the terminal according to whether the locally stored equipment identifier and the private identifier of the terminal are matched with the equipment identifier sent by the terminal and the private identifier obtained by calculation based on the equipment factor sent by the terminal, and obtaining an authentication result;
and the first sending module is used for sending the authentication result to the terminal.
9. The server of claim 8, wherein the authentication module is further to:
judging whether the locally stored private identifier is the same as the private identifier sent by the terminal: if not, obtaining an authentication result that the terminal fails authentication; if so, calculating the device identifier of the terminal from the device factor of the terminal;
judging whether the locally stored device identifier is the same as the calculated device identifier of the terminal: if not, obtaining an authentication result that the terminal fails authentication; if so, obtaining an authentication result that the terminal passes authentication.
10. The server according to any one of claims 8 to 9, further comprising:
a second receiving module, configured to receive a registration request that is sent by the terminal and carries the device factor of the terminal;
and the registration module is used for calculating to obtain the private identification and the equipment identification of the terminal according to the equipment factor sent by the terminal, sending the generated private identification of the terminal to the terminal, establishing the corresponding relationship between the user identity of the terminal and the private identification and the equipment identification of the terminal, and storing the corresponding relationship locally.
11. The server of claim 10, wherein the registration module is further to:
calculating the equipment factor and a first preset parameter sent by the terminal by using a first encryption algorithm to obtain a private identifier of the terminal;
calculating the equipment factor and a second preset parameter sent by the terminal by using a second encryption algorithm to obtain an equipment identifier of the terminal;
wherein the first encryption algorithm is different from the second encryption algorithm, and/or the first preset parameter is different from the second preset parameter.
12. A terminal, comprising:
the first collection module is used for collecting the device factors of the terminal and the private identification stored locally, wherein the private identification is obtained by the server through calculation based on the device factors sent by the terminal and is sent to the terminal;
the first sending module is used for sending an authentication request carrying the equipment factor and the private identity of the terminal to a server;
and the first receiving module is used for receiving the authentication result returned by the server.
13. The terminal of claim 12, further comprising:
the second collection module is used for collecting the self equipment factors of the terminal;
the second sending module is used for sending a registration request carrying the equipment factor of the terminal to a server;
and the second receiving module is used for receiving the private identity of the terminal sent by the server and storing the private identity in the local terminal.
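The registration and two-step authentication flow of claims 1 to 7 and the terminal/server modules above, as an added worked example that is not part of the patent. The patent does not name the "first/second encryption algorithm" or the "preset parameters"; this example assumes HMAC-SHA256 keyed with two distinct server-side secrets, assumes the server looks records up by the user identity of claim 4, and uses a constructed device factor.

```python
import hmac
import hashlib

# Assumed stand-ins for the patent's "first preset parameter" and "second preset
# parameter": two distinct server-side secrets (constructed example values).
FIRST_PRESET_PARAM = b"server-secret-for-private-id-EXAMPLE"
SECOND_PRESET_PARAM = b"server-secret-for-device-id-EXAMPLE"


def first_algorithm(device_factor: bytes, param: bytes) -> str:
    """Claim 5: private identifier = f1(device factor, first preset parameter). Assumed HMAC-SHA256."""
    return hmac.new(param, b"private-id|" + device_factor, hashlib.sha256).hexdigest()


def second_algorithm(device_factor: bytes, param: bytes) -> str:
    """Claim 5: device identifier = f2(device factor, second preset parameter). Assumed HMAC-SHA256."""
    return hmac.new(param, b"device-id|" + device_factor, hashlib.sha256).hexdigest()


class Server:
    """Keeps the user identity -> (private id, device id) correspondence of claim 4."""

    def __init__(self):
        self.records = {}  # user_id -> {"private_id": ..., "device_id": ...}

    def register(self, user_id: str, device_factor: bytes) -> str:
        private_id = first_algorithm(device_factor, FIRST_PRESET_PARAM)
        device_id = second_algorithm(device_factor, SECOND_PRESET_PARAM)
        self.records[user_id] = {"private_id": private_id, "device_id": device_id}
        return private_id  # only the private id is returned to the terminal

    def authenticate(self, user_id: str, device_factor: bytes, private_id: str) -> bool:
        record = self.records.get(user_id)  # lookup key assumed to be the user identity
        if record is None:
            return False
        # Claim 3, step 1: stored private id vs. the one sent (constant-time compare).
        if not hmac.compare_digest(record["private_id"], private_id):
            return False
        # Claim 3, step 2: recompute the device id from the sent device factor
        # and compare it with the stored device id.
        computed_device_id = second_algorithm(device_factor, SECOND_PRESET_PARAM)
        return hmac.compare_digest(record["device_id"], computed_device_id)


class Terminal:
    """Collects its own device factor and the locally stored private id (claims 6 and 7)."""

    def __init__(self, user_id: str, device_factor: bytes):
        self.user_id = user_id
        self.device_factor = device_factor
        self.private_id = None  # filled in by registration

    def register_with(self, server: Server) -> None:
        self.private_id = server.register(self.user_id, self.device_factor)

    def authenticate_with(self, server: Server) -> bool:
        return server.authenticate(self.user_id, self.device_factor, self.private_id)


def run_scenarios() -> dict:
    """Constructed walkthrough: genuine terminal, wrong private id, changed device factor."""
    server = Server()
    factor = b"imei:000000000000000|model:EXAMPLE"  # constructed device factor
    terminal = Terminal("alice", factor)
    terminal.register_with(server)
    genuine = terminal.authenticate_with(server)
    # Knowing the device factor alone is not enough: step 1 rejects a wrong private id.
    wrong_private = server.authenticate("alice", factor, "0" * 64)
    # A valid private id presented with another device's factor is rejected at step 2.
    other_factor = server.authenticate("alice", b"imei:111111111111111|model:OTHER", terminal.private_id)
    return {"genuine": genuine, "wrong_private_id": wrong_private, "changed_device_factor": other_factor}
```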
CN202011154556.8A 2020-10-26 2020-10-26 User authentication method and device Pending CN114501441A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011154556.8A CN114501441A (en) 2020-10-26 2020-10-26 User authentication method and device

Publications (1)

Publication Number Publication Date
CN114501441A true CN114501441A (en) 2022-05-13

Family

ID=81470394

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115859337A (en) * 2023-02-14 2023-03-28 杭州大晚成信息科技有限公司 Kernel-based method, device, server and medium for preventing device cracking
Legal Events

Date Code Title Description
PB01 Publication
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20220513