CN115086090A - Network login authentication method and device based on UKey - Google Patents


Info

Publication number
CN115086090A
Authority
CN
China
Prior art keywords
ukey
signature
server
certificate
random number
Prior art date
Legal status
Pending
Application number
CN202211010417.7A
Other languages
Chinese (zh)
Inventor
史磊磊
刘晓辉
王忠新
宋江涛
任高锋
Current Assignee
Beijing Shengbang Saiyun Technology Co ltd
Webray Tech Beijing Co ltd
Original Assignee
Beijing Shengbang Saiyun Technology Co ltd
Webray Tech Beijing Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Abstract

The invention provides a network login authentication method and device based on UKey, in the technical field of computer security. The method comprises the following steps: verifying the PIN (personal identification number) code that the user enters for the UKey, acquiring the UKey certificate of the UKey after the verification passes, and sending the UKey certificate to a server to request a signature random number; receiving the signature random number sent by the server; signing the signature random number with the UKey private key to obtain signature information; and sending an authentication request containing the signature information to the server so that the server verifies the signature, and logging in to the server after the server passes the signature verification and returns an authentication success message. Compared with the traditional UKey authentication mode through middleware, the method requires the user to enter the PIN code for verification, the UKey certificate can only be obtained after that verification passes, and the subsequent authentication is carried out with the UKey certificate, so that even if the user's UKey is lost, whoever acquires it cannot impersonate the legitimate user without knowing the PIN code of the UKey, and the security of login authentication is improved.

Description

Network login authentication method and device based on UKey
Technical Field
The invention relates to the technical field of computer security, in particular to a network login authentication method and device based on UKey.
Background
As information systems occupy an ever more important position in enterprises, ensuring the security of information becomes ever more important. Some enterprises have therefore built a CA (certificate authority) system that issues digital certificates to enterprise personnel in order to secure access to the information system. A typical way of using digital-certificate-based identity authentication is that a user who holds a UKey issued by the CA installs the UKey driver on the client computer, after which the user can use the UKey to log in securely to the information system from that client.
The UKey is a small storage device that connects directly to a computer over USB, has a password verification function, is reliable and fast, is a very powerful supplement to the existing network security system, and is a network security product certified by China's information security evaluation and certification center. Based on trusted computing and smart card technology, UKey network access combines ease of use and portability with the highest level of security; the UKey is a USB device integrating a smart card and a card reader, supports hot plugging, and is small, light and portable.
The common UKey authentication mode performs bidirectional authentication through middleware. That mode takes the UKey as the only condition for login: as long as the UKey is inserted into a client computer, authentication succeeds and the corresponding network system can be logged in to. If the UKey is lost, another person can pretend to be the legitimate user and log in to the system, so the security of this mode is poor.
Disclosure of Invention
The invention provides a network login authentication method and device based on UKey, which are used for solving the problem of poor security of a UKey login network mode in the prior art.
In a first aspect, the present invention provides a network login authentication method based on a UKey, which is used for a client, and includes:
verifying a PIN (personal identification number) code corresponding to a UKey input by a user, and acquiring a UKey certificate of the UKey after the verification is passed, wherein the UKey and the UKey certificate are in one-to-one correspondence;
sending the UKey certificate to a server to request a signature random number;
receiving the signature random number sent by the server;
signing the random number by using a UKey private key to obtain signature information;
and sending the authentication request containing the signature information to the server so that the server checks the signature of the signature information, and logging in the server after the server passes the signature check and returns an authentication success message.
According to the network login authentication method based on UKey provided by the invention, the PIN code corresponding to UKey input by a user is verified, and the UKey certificate of the UKey is acquired after verification is passed, the method comprises the following steps:
verifying the PIN code through a preset browser plug-in;
and after the verification is passed, the browser plug-in acquires a UKey certificate from the UKey.
According to the network login authentication method based on UKey provided by the invention, the signature random number is signed by adopting a UKey private key to obtain signature information, and the method comprises the following steps:
and signing the signature random number by adopting a UKey private key and an encryption algorithm preset in the browser plug-in to obtain signature information.
According to the network login authentication method based on UKey provided by the invention, the browser plug-in comprises: IE browser plug-ins and non-IE browser plug-ins.
In a second aspect, the present invention provides a network login authentication method based on a UKey, which is used for a server side, and the method includes:
receiving a UKey certificate sent by a client, and verifying the UKey certificate;
after the UKey certificate passes verification, generating a signature random number, and returning the signature random number to the client;
receiving an authentication request comprising signature information sent by the client, wherein the signature information is obtained by the client signing the signature random number with the UKey private key;
and verifying the signature information by adopting the signature random number and a preset UKey public key corresponding to the UKey private key, and sending an authentication success message to the client after the signature is successfully verified.
According to the network login authentication method based on UKey provided by the invention, the verification of the UKey certificate comprises the following steps:
and querying a database, and if the UKey certificate is queried in the database, the verification is passed.
In a third aspect, the present invention provides a network login authentication apparatus based on a UKey, which is used for a client, and includes:
the PIN code verification module is used for verifying a PIN code which is input by a user and corresponds to a UKey, and obtaining a UKey certificate of the UKey after the verification is passed, wherein the UKey corresponds to the UKey certificate one by one;
the UKey certificate sending module is used for sending the UKey certificate to a server to request for signing random numbers;
the signature random number receiving module is used for receiving the signature random number sent by the server;
the signature module is used for signing the signature random number with a UKey private key so as to obtain signature information;
and the authentication request sending module is used for sending the authentication request containing the signature information to the server so as to enable the server to check the signature of the signature information, and log in the server after the server passes the signature check and returns an authentication success message.
In a fourth aspect, the present invention provides a network login authentication apparatus based on a UKey, which is used for a server side, and includes:
the UKey certificate verification module is used for receiving a UKey certificate sent by a client and verifying the UKey certificate;
the signature random number generation module is used for generating a signature random number after the UKey certificate passes verification and returning the signature random number to the client;
the authentication request receiving module is used for receiving an authentication request comprising signature information sent by a client, wherein the signature information is obtained by the client signing the signature random number with a UKey private key;
and the signature verification module is used for verifying the signature of the signature information by adopting the signature random number and a preset UKey public key corresponding to the UKey private key, and sending an authentication success message to the client after the signature is successfully verified.
In a fifth aspect, the present invention further provides an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor implements the method for authenticating a network login based on a UKey applied to a client or the method for authenticating a network login based on a UKey applied to a server when executing the program.
In a sixth aspect, the present invention also provides a non-transitory computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, implements the UKey-based network login authentication method applied to a client as described in any of the above, or implements the UKey-based network login authentication method applied to a server as described in any of the above.
The invention provides a network login authentication method and device based on UKey, which are used for verifying a PIN (personal identification number) code corresponding to UKey input by a user, acquiring a UKey certificate of UKey after verification is passed, sending the UKey certificate to a server to request for signing a random number, receiving the signed random number sent by the server, signing the signed random number by adopting a UKey private key to obtain signature information, sending an authentication request containing the signature information to the server so that the server checks the signature information, and logging in the server after the server passes the signature verification and returns an authentication success message. Compared with the traditional UKey authentication mode through middleware, the UKey certificate can be acquired only after the verification is passed by inputting a PIN code by a user for verification, and the subsequent authentication is realized through the UKey certificate, so that even if the UKey of the user is lost, the acquirer cannot impersonate the identity of a legal user because the acquirer does not know the PIN code of the hardware, and the safety of login authentication is improved.
Drawings
In order to more clearly illustrate the present invention or the technical solutions in the prior art, the drawings used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
FIG. 1 is a schematic flow chart of a network login authentication method based on UKey according to the present invention;
FIG. 2 is a second schematic flowchart of the network login authentication method based on UKey according to the present invention;
FIG. 3 is one of the schematic structural diagrams of the network login authentication device based on the UKey provided by the present invention;
FIG. 4 is a second schematic structural diagram of the network login authentication apparatus based on the UKey provided by the present invention;
FIG. 5 is a schematic structural diagram of an electronic device provided by the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is obvious that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The UKey is used as key storage. Its hardware structure means that a user can only access the data through the manufacturer's programming interface, which ensures that the digital certificate stored in the UKey cannot be copied, and each UKey is protected by a Personal Identification Number (PIN), so the UKey hardware and the PIN together form the two factors of identity authentication with the UKey. If the user's UKey is lost, whoever acquires it cannot impersonate the legitimate user because the acquirer does not know the PIN code of the hardware; if the user's PIN code is revealed, the user's identity still cannot be impersonated as long as the UKey hardware is kept safe.
Based on the above principle, as shown in fig. 1, the network login authentication method based on the UKey of the first embodiment of the present invention is applied to the client, and the method includes:
and step S110, verifying the PIN code corresponding to the UKey input by the user, and acquiring a UKey certificate of the UKey after the verification is passed, wherein the UKey and the UKey certificate are in one-to-one correspondence. The UKey credential may be information uniquely identifying the UKey, for example: the user mailbox can be used as a UKey certificate, and the purpose of verifying the PIN code is to verify whether the user has the right to use the current UKey or not so as to ensure the safety of the UKey.
Step S120, the UKey certificate is sent to a server to request to sign a random number.
Step S130, receiving the signed random number sent by the server.
And step S140, signing the random number by using a UKey private key to obtain signature information.
And step S150, sending the authentication request containing the signature information to the server so that the server checks the signature of the signature information, and logging in the server after the signature of the server passes the check and the authentication success message is returned.
Compared with the traditional UKey authentication mode through middleware, the network login authentication method based on the UKey of the embodiment needs the user to input the PIN code for verification, the UKey certificate can be obtained after the verification is passed, and the subsequent authentication is realized through the UKey certificate, so that even if the UKey of the user is lost, an acquirer cannot masquerade as the identity of a legal user because the acquirer does not know the PIN code of the hardware, and the security of login authentication is improved. Moreover, the signature random number is signed and verified, so that the safety is further guaranteed, meanwhile, the signature random number also guarantees the timeliness of signature information and the signature information is not intercepted and utilized.
In this embodiment, step S110 includes:
The PIN code is verified through a preset browser plug-in, which provides a PIN code verification interface so that the correctness of the entered PIN code can be verified. Specifically, the browser plug-in obtains the PIN from the UKey through an interface provided by the service management system in the server, compares the PIN entered by the user with the PIN obtained from the UKey, and if the two are consistent, the verification passes.
And after the verification is passed, the browser plug-in acquires a UKey certificate from the UKey.
In this embodiment, step S140 includes:
and signing the signature random number by adopting a UKey private key and an encryption algorithm preset in the browser plug-in to obtain signature information. Specifically, the UKey provides a UKey private key and a standard PKCS 11 interface, the PKCS 11 interface is used for expansion development, an encryption algorithm is realized in a browser plug-in, and the UKey private key is acquired through the PKCS 11 interface. Wherein, the encryption algorithm may be SHA1_ RSA algorithm, etc. The SHA1_ RSA Algorithm is divided into two parts, SHA1 (Secure Hash Algorithm 1) signs a signature random number, and after signing, RSA (an asymmetric encryption Algorithm) is used for encryption, so that the signature information is encrypted signature information.
The browser plug-in includes: the service management system in the server identifies the characteristics of the browser which currently opens the login page through the built-in JS script (for example, the JS script identifies the version number, the kernel code and the like of the browser), and can automatically distinguish the IE browser from the non-IE browser according to the characteristics, so that the current browser respectively calls the corresponding plug-in interfaces, and the communication between different browsers and corresponding plug-ins is realized.
Optionally, before step S110, the method further includes:
and receiving and displaying a login selection interface pushed by the server. Specifically, when the user opens the website of the server at the client, the client may display a login selection interface pushed by the server.
And receiving the login mode selected by the user, generating a corresponding login mode instruction, uploading the login mode instruction to the server, and requesting the server to push a corresponding login interface according to the login mode instruction. The login method comprises the following steps: account password login or UKey login. Specifically, after the login selection interface of the login server is opened, the user clicks the corresponding login selection mode button on the login selection interface to generate a corresponding login mode instruction, that is, selects the corresponding login mode.
And displaying a login interface which is pushed by the server after receiving the login mode instruction and corresponds to the login mode instruction.
Specifically, if the generated UKey login mode instruction is a UKey login mode instruction, a UKey login interface pushed by the server is displayed. Then, steps S110 to S150 are executed. And if the generated account password mode instruction is an account password mode instruction, displaying an account password login interface pushed by the server. And then logging in according to an account password mode, namely, a user inputs an account and a password in an account password logging interface, and the server side can log in after verification.
Compared with a UKey login mode, the mode of selecting the account password for login is low in safety and can crack the account and the password, but the UKey does not need to be inserted, so that login is more convenient and faster, and the safety of the UKey login mode is higher. The user can select a login mode according to different scenes, for example: in an enterprise internal network, a convenient and quick account password login mode can be selected, and in other external networks, a UKey login mode can be selected to ensure the login safety.
Of course, in any login mode, the server configures the related information in advance, and the server configures the account and the password of the user so as to facilitate verification during login of the account password and also to provide the UKey certificate, the UKey public key and other related information.
As shown in fig. 2, the network login authentication method based on UKey provided by the second embodiment of the present invention is applied to a server, and the method includes:
Step S210, receiving a UKey certificate sent by a client, and verifying the UKey certificate, wherein the UKey certificate is obtained after the client enters the correct PIN code. It should be noted that the server side is preconfigured with the information related to the user's UKey, including the UKey certificate and the UKey public key.
Step S220, generating a signature random number after the UKey certificate passes verification, and returning the signature random number to the client.
Step S230, receiving an authentication request including signature information sent by the client, where the signature information is obtained by the client signing the signature random number with the UKey private key.
Step S240, verifying the signature information with the signature random number and a preset UKey public key corresponding to the UKey private key, sending an authentication success message to the client after the signature is successfully verified, and letting the client log in to the server after it receives the authentication success message. Specifically, the server side is preset with the decryption algorithm corresponding to the encryption algorithm in the browser plug-in, for example the counterpart of the SHA1_RSA algorithm described above, and verifies the signature information with that decryption algorithm.
Compared with the traditional UKey authentication mode through middleware, the network login authentication method based on the UKey of this embodiment requires the user to enter the PIN code for verification, the UKey certificate can only be obtained after the verification passes, and the subsequent authentication is carried out with the UKey certificate, so that even if the user's UKey is lost, whoever acquires it cannot masquerade as the legitimate user without knowing the PIN code of the hardware, and the security of login authentication is improved. Moreover, the signature random number is signed and verified, which further guarantees security; at the same time the signature random number guarantees the timeliness of the signature information, so that intercepted signature information cannot be reused.
In step S210, verifying the UKey certificate includes: querying a database, and if the UKey certificate is found in the database, the verification passes. When a new user is added, the user's UKey certificate, for example the user's mailbox address, is configured in the database of the service management system of the server, and whether the UKey certificate is legitimate is verified by checking whether the database contains the received UKey certificate.
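The exchange described in steps S110 to S150 (client) and S210 to S240 (server), together with the SHA1_RSA signing of step S140 and the database lookup of step S210, written out as an added Go example; it is not code from the patent or from the applicants' products. It assumes the UKey certificate is a string such as the user's mailbox address, that the signature is SHA1 with RSA PKCS#1 v1.5, and that a 32-byte random number and in-memory maps stand in for the server's database and session state; all type and function names are this example's own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/subtle"
	"errors"
)

var (
	ErrWrongPIN           = errors.New("PIN verification failed")
	ErrUnknownCertificate = errors.New("UKey certificate not found in database")
	ErrNoChallenge        = errors.New("no outstanding signature random number")
	ErrBadSignature       = errors.New("signature verification failed")
)

// UKey models the token: PIN check and private-key operation stay inside it.
type UKey struct {
	pin  []byte
	Cert string // the "UKey certificate", e.g. the user's mailbox address
	priv *rsa.PrivateKey
}

// NewUKey personalises a token with a fresh RSA key pair (constructed sample;
// a real UKey is provisioned by the CA and its private key never leaves it).
func NewUKey(cert, pin string) (*UKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &UKey{pin: []byte(pin), Cert: cert, priv: priv}, nil
}

// PublicKey is what the server stores next to the certificate at enrolment.
func (u *UKey) PublicKey() *rsa.PublicKey { return &u.priv.PublicKey }
// VerifyPIN is step S110; the comparison is constant-time.
func (u *UKey) VerifyPIN(pin string) bool {
	return subtle.ConstantTimeCompare(u.pin, []byte(pin)) == 1
}
// Sign is step S140: SHA1 over the signature random number, then the RSA
// private-key operation (PKCS#1 v1.5), i.e. the SHA1_RSA of the description.
func (u *UKey) Sign(nonce []byte) ([]byte, error) {
	digest := sha1.Sum(nonce)
	return rsa.SignPKCS1v15(rand.Reader, u.priv, crypto.SHA1, digest[:])
}

// Server holds the certificate -> public key table pre-configured at enrolment
// (the database of step S210) and the signature random numbers it has issued.
type Server struct {
	keys    map[string]*rsa.PublicKey
	pending map[string][]byte // one outstanding random number per certificate
}

func NewServer() *Server {
	return &Server{keys: map[string]*rsa.PublicKey{}, pending: map[string][]byte{}}
}
func (s *Server) RegisterUKey(cert string, pub *rsa.PublicKey) { s.keys[cert] = pub }

// RequestChallenge is steps S210/S220: look the certificate up, then issue a
// fresh 32-byte signature random number and remember it for this certificate.
func (s *Server) RequestChallenge(cert string) ([]byte, error) {
	if _, ok := s.keys[cert]; !ok {
		return nil, ErrUnknownCertificate
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[cert] = nonce
	return nonce, nil
}

// Authenticate is steps S230/S240. The random number is consumed on first use,
// success or not, so a captured signature cannot be replayed later.
func (s *Server) Authenticate(cert string, sig []byte) error {
	nonce, ok := s.pending[cert]
	if !ok {
		return ErrNoChallenge
	}
	delete(s.pending, cert)
	digest := sha1.Sum(nonce)
	if rsa.VerifyPKCS1v15(s.keys[cert], crypto.SHA1, digest[:], sig) != nil {
		return ErrBadSignature
	}
	return nil
}

// Login drives the client side, steps S110 to S150, against a server.
func Login(u *UKey, pin string, s *Server) error {
	if !u.VerifyPIN(pin) {
		return ErrWrongPIN
	}
	nonce, err := s.RequestChallenge(u.Cert)
	if err != nil {
		return err
	}
	sig, err := u.Sign(nonce)
	if err != nil {
		return err
	}
	return s.Authenticate(u.Cert, sig)
}
```

Each issued random number is accepted once only; a deployment would additionally bound its lifetime and bind it to the client session, which this example leaves out.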
Optionally, before step S210, the method further includes:
Pushing a login selection interface to the client for display, wherein the login selection interface comprises login mode selection buttons for account password login and UKey login, so that the client receives the login mode selected by the user and generates a login mode instruction. Specifically, after the website of the server is opened at the client, the server pushes the login selection interface to the client for display, and the user selects a login mode on that interface.
Receiving the login mode instruction generated after the user's selection.
Pushing the login interface corresponding to the login mode instruction to the client for display. Specifically, if a UKey login mode instruction is received, the UKey login interface is pushed to the client for display, and steps S210 to S240 are then executed to verify the user's login. If the received instruction is an account password login mode instruction, the account password login interface is pushed to the client for display, and verification is then carried out on the account and password entered by the user and uploaded by the client.
The network login authentication device based on the UKey provided by the invention is described below, and the network login authentication device based on the UKey described below and the network login authentication method based on the UKey described above can be referred to correspondingly.
As shown in fig. 3, the network login authentication apparatus based on the UKey according to the third embodiment of the present invention is used for a client, and the apparatus includes:
a PIN code verification module 310, configured to verify a PIN code corresponding to a UKey input by a user, and obtain a UKey certificate of the UKey after the verification is passed, where the UKey corresponds to the UKey certificate one to one;
a UKey credential sending module 320, configured to send the UKey credential to a server to request to sign a random number;
a signed random number receiving module 330, configured to receive the signed random number sent by the server;
a signature module 340, configured to sign the signature random number with the private key of the UKey to obtain signature information;
an authentication request sending module 350, configured to send an authentication request including the signature information to the server, so that the server checks the signature of the signature information, and logs in the server after the server passes the signature check and returns an authentication success message.
Compared with the traditional UKey authentication mode through middleware, the network login authentication device based on the UKey of this embodiment requires the user to enter a PIN code for verification, acquires the UKey certificate only after the verification passes, and carries out the subsequent authentication with the UKey certificate, so that even if the user's UKey is lost, whoever acquires it cannot masquerade as the legitimate user without knowing the PIN code of the hardware, and the security of login authentication is improved. Moreover, the signature random number is signed and verified, which further guarantees security; at the same time the signature random number guarantees the timeliness of the signature information, so that intercepted signature information cannot be reused.
Optionally, the PIN code verification module 310 is specifically configured to verify the PIN code through a preset browser plug-in; and after the verification is passed, the browser plug-in acquires a UKey certificate from the UKey.
Optionally, the signature module 340 is specifically configured to sign the signature random number with a UKey private key and an encryption algorithm preset in the browser plug-in, so as to obtain signature information.
Optionally, the network login authentication apparatus based on the UKey according to the third embodiment of the present invention further includes:
and the login selection interface display module is used for receiving and displaying the login selection interface pushed by the server. Specifically, when the user opens the website of the server at the client, the client may display a login selection interface pushed by the server.
And the login mode selection module is used for receiving the login mode selected by the user, generating a corresponding login mode instruction, uploading the login mode instruction to the server, and requesting the server to push a corresponding login interface according to the login mode instruction. The login method comprises the following steps: account password login or UKey login. Specifically, after the login selection interface of the login server is opened, the user clicks a corresponding login mode selection button on the login interface to generate a corresponding login mode instruction, that is, selects a corresponding login mode.
And the login interface display module is used for displaying a login interface which is pushed by the server after receiving the login mode instruction and corresponds to the login mode instruction.
Specifically, if the generated UKey login mode instruction is a UKey login mode instruction, a UKey login interface pushed by the server is displayed. And if the generated account password mode instruction is the account password mode instruction, displaying an account password login interface pushed by the server.
As shown in fig. 4, a network login authentication apparatus based on a UKey according to a fourth embodiment of the present invention is used on a server side, and the apparatus includes:
the UKey certificate verification module 410 is configured to receive a UKey certificate sent by a client, and verify the UKey certificate, where the UKey certificate is obtained by the client after inputting a correct PIN code.
A signature random number generation module 420, configured to generate a signature random number after the UKey certificate passes verification, and return the signature random number to the client.
An authentication request receiving module 430, configured to receive an authentication request that is sent by the client and includes signature information, where the signature information is obtained by the client signing the signature random number with the UKey private key.
And the signature verification module 440 is configured to verify the signature of the signature information by using the signature random number and a preset UKey public key corresponding to the UKey private key, and send an authentication success message to the client after the signature is successfully verified.
Compared with the traditional UKey authentication mode through middleware, the UKey-based network login authentication device of this embodiment requires the user to enter a PIN code for verification; the UKey certificate can be obtained only after the verification passes, and subsequent authentication is carried out through the UKey certificate. Therefore, even if a user's UKey is lost, whoever obtains it cannot impersonate the legitimate user, because that person does not know the PIN code of the hardware, and the security of login authentication is improved. Moreover, the signature random number is signed and the signature is verified, which further guarantees security; at the same time, the signature random number guarantees the timeliness of the signature information, so that intercepted signature information cannot be reused.
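The client-side flow of the third embodiment and the server-side flow of the fourth embodiment, as an added example that is not part of the patent: a PIN-gated token, a certificate lookup standing in for the database query, a single-use signature random number with an expiry, and signature verification with the public key registered for that certificate. Ed25519 stands in for the UKey's preset signature algorithm, and the PIN, certificate identifier and TTL values are constructed samples.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

type UKey struct {
	pin, cert string // cert is the certificate identifier, one per UKey
	priv      ed25519.PrivateKey // never leaves the token
}

// Unlock verifies the PIN; on success it returns the certificate and a signer, otherwise neither.
func (k *UKey) Unlock(pin string) (string, func([]byte) []byte, error) {
	if pin != k.pin {
		return "", nil, errors.New("wrong PIN")
	}
	return k.cert, func(nonce []byte) []byte { return ed25519.Sign(k.priv, nonce) }, nil
}

type challenge struct{ cert string; expires time.Time }
// Server holds the registered certificates (the patent's database) and pending challenges.
type Server struct {
	registry   map[string]ed25519.PublicKey // UKey certificate -> preset public key
	challenges map[string]challenge          // nonce bytes -> issued, unconsumed challenge
	ttl        time.Duration
}

// IssueChallenge looks the certificate up and, if registered, returns a fresh signature random number.
func (s *Server) IssueChallenge(cert string) ([]byte, error) {
	if _, ok := s.registry[cert]; !ok {
		return nil, errors.New("unknown UKey certificate")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[string(nonce)] = challenge{cert, time.Now().Add(s.ttl)}
	return nonce, nil
}

// Authenticate verifies the signature with the public key registered for the certificate. The
// nonce is consumed before any check, so a captured signature cannot be replayed or used late.
func (s *Server) Authenticate(nonce, sig []byte) error {
	c, ok := s.challenges[string(nonce)]
	delete(s.challenges, string(nonce))
	if !ok || time.Now().After(c.expires) {
		return errors.New("signature random number unknown, already used or expired")
	}
	if !ed25519.Verify(s.registry[c.cert], nonce, sig) {
		return errors.New("signature verification failed")
	}
	return nil
}

// Enroll generates a key pair inside a new UKey and registers its public key with a server.
func Enroll(pin, cert string, ttl time.Duration) (*UKey, *Server, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	srv := &Server{map[string]ed25519.PublicKey{cert: pub}, map[string]challenge{}, ttl}
	return &UKey{pin: pin, cert: cert, priv: priv}, srv, nil
}

func main() {
	key, srv, _ := Enroll("123456", "cert-0001", time.Minute) // constructed sample values
	cert, sign, _ := key.Unlock("123456")
	nonce, _ := srv.IssueChallenge(cert)
	fmt.Println("login:", srv.Authenticate(nonce, sign(nonce)))  // <nil>
	fmt.Println("replay:", srv.Authenticate(nonce, sign(nonce))) // rejected: nonce consumed
}
```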
Optionally, the UKey certificate verification module 410 is specifically configured to query a database; if the UKey certificate is found in the database, the verification passes.
Optionally, the network login authentication apparatus based on the UKey according to the fourth embodiment of the present invention further includes:
A login selection interface pushing module, configured to push a login selection interface to the client for display, the login selection interface including login mode selection buttons for account password login and UKey login, so that the client receives the login mode selected by the user and generates a login mode instruction. Specifically, after the website of the server is opened at the client, the server pushes the login selection interface to the client for display, and the user selects a login mode on it.
A login mode instruction receiving module, configured to receive the login mode instruction generated after the user makes a selection.
A login interface pushing module, configured to push the login interface corresponding to the login mode instruction to the client for display.
Specifically, if a UKey login mode instruction is received, a UKey login interface is pushed to the client for display; if an account password login mode instruction is received, an account password login interface is pushed to the client for display.
Fig. 5 illustrates the physical structure of an electronic device, which, as shown in fig. 5, may include: a processor 510, a communications interface 520, a memory 530 and a communication bus 540, wherein the processor 510, the communications interface 520 and the memory 530 communicate with each other via the communication bus 540. The processor 510 may invoke logic instructions in the memory 530 to perform the above-described UKey-based network login authentication method applied to a client, the method comprising:
verifying a PIN code corresponding to a UKey input by a user, and acquiring a UKey certificate of the UKey after the verification is passed, wherein the UKey and the UKey certificate are in one-to-one correspondence.
Sending the UKey certificate to the server to request a signature random number.
Receiving the signature random number sent by the server.
Signing the signature random number with the UKey private key to obtain signature information.
And sending the authentication request containing the signature information to the server so that the server checks the signature of the signature information, and logging in the server after the server passes the signature check and returns an authentication success message.
Alternatively, the processor 510 performs the UKey-based network login authentication method applied to the server side, the method comprising:
and receiving a UKey certificate sent by a client, and verifying the UKey certificate.
And after the UKey certificate passes verification, generating a signature random number, and returning the signature random number to the client.
And receiving an authentication request which is sent by the client and comprises signature information, wherein the signature information is obtained by the client signing the signature random number by adopting a UKey private key.
And verifying the signature information by adopting the signature random number and a preset UKey public key corresponding to the UKey private key, and sending an authentication success message to the client after the signature is successfully verified.
Furthermore, the logic instructions in the memory 530 may be implemented in the form of software functional units and stored in a computer-readable storage medium when sold or used as an independent product. On this understanding, the technical solution of the present invention may be embodied as a software product stored in a storage medium, which includes instructions for causing a computer device (which may be a personal computer, a server or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, and other media capable of storing program code.
In yet another aspect, the present invention also provides a non-transitory computer-readable storage medium, on which a computer program is stored, the computer program, when being executed by a processor, implementing the UKey-based network login authentication method applied to a client, provided by the above methods, the method including:
verifying a PIN code corresponding to a UKey input by a user, and acquiring a UKey certificate of the UKey after the verification is passed, wherein the UKey and the UKey certificate are in one-to-one correspondence.
Sending the UKey certificate to the server to request a signature random number.
Receiving the signature random number sent by the server.
Signing the signature random number with the UKey private key to obtain signature information.
And sending the authentication request containing the signature information to the server so that the server checks the signature of the signature information, and logging in the server after the server passes the signature check and returns an authentication success message.
Alternatively, the computer program implements the UKey-based network login authentication method applied to the server side, the method comprising:
and receiving a UKey certificate sent by a client, and verifying the UKey certificate.
And after the UKey certificate passes verification, generating a signature random number, and returning the signature random number to the client.
Receiving an authentication request that is sent by the client and includes signature information, wherein the signature information is obtained by the client signing the signature random number with the UKey private key.
And verifying the signature information by adopting the signature random number and a preset UKey public key corresponding to the UKey private key, and sending an authentication success message to the client after the signature is successfully verified.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment may be implemented by software plus a necessary general hardware platform, and may also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. A network login authentication method based on UKey is characterized in that the method is used for a client and comprises the following steps:
verifying a PIN (personal identification number) code corresponding to a UKey input by a user, and acquiring a UKey certificate of the UKey after the verification is passed, wherein the UKey and the UKey certificate are in one-to-one correspondence;
sending the UKey certificate to a server to request a signature random number;
receiving the signature random number sent by the server;
signing the signature random number by using a UKey private key to obtain signature information;
and sending the authentication request containing the signature information to the server so that the server checks the signature of the signature information, and logging in the server after the server passes the signature check and returns an authentication success message.
2. The UKey-based network login authentication method of claim 1, wherein verifying the PIN code corresponding to the UKey input by the user, and obtaining the UKey certificate of the UKey after the verification is passed comprises:
verifying the PIN code through a preset browser plug-in;
and after the verification is passed, the browser plug-in acquires a UKey certificate from the UKey.
3. The UKey-based network login authentication method of claim 2, wherein signing the signature random number with a UKey private key to obtain signature information comprises:
signing the signature random number by adopting the UKey private key and an encryption algorithm preset in the browser plug-in to obtain the signature information.
4. The UKey-based network login authentication method according to claim 2 or 3, wherein the browser plug-in comprises: IE browser plug-ins and non-IE browser plug-ins.
5. A network login authentication method based on UKey is characterized in that the method is used for a server side and comprises the following steps:
receiving a UKey certificate sent by a client, and verifying the UKey certificate;
after the UKey certificate passes verification, generating a signature random number, and returning the signature random number to the client;
receiving an authentication request which is sent by a client and comprises signature information, wherein the signature information is obtained by the client signing the signature random number by adopting a UKey private key;
and verifying the signature information by adopting the signature random number and a preset UKey public key corresponding to the UKey private key, and sending an authentication success message to the client after the signature is successfully verified.
6. The UKey-based network login authentication method of claim 5, wherein verifying the UKey certificate comprises:
and querying a database, and if the UKey certificate is queried in the database, the verification is passed.
7. A network login authentication device based on UKey is characterized in that the device is used for a client and comprises:
the PIN code verification module is used for verifying a PIN code which is input by a user and corresponds to the UKey, and obtaining a UKey certificate of the UKey after the verification is passed, wherein the UKey and the UKey certificate correspond to each other one by one;
the UKey certificate sending module is used for sending the UKey certificate to a server to request a signature random number;
the signature random number receiving module is used for receiving the signature random number sent by the server;
the signature module is used for signing the signature random number by adopting a UKey private key so as to obtain signature information;
and the authentication request sending module is used for sending the authentication request containing the signature information to the server so as to enable the server to check the signature of the signature information, and log in the server after the server passes the signature check and returns an authentication success message.
8. A network login authentication device based on UKey is characterized in that the device is used for a server side and comprises:
the UKey certificate verification module is used for receiving a UKey certificate sent by a client and verifying the UKey certificate;
the signature random number generation module is used for generating a signature random number after the UKey certificate passes verification and returning the signature random number to the client;
the authentication request receiving module is used for receiving an authentication request which is sent by a client and comprises signature information, wherein the signature information is obtained by the client signing the signature random number by adopting a UKey private key;
and the signature verification module is used for verifying the signature information by adopting the signature random number and a preset UKey public key corresponding to the UKey private key, and sending an authentication success message to the client after the signature verification is successful.
9. An electronic device comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processor implements the UKey-based network login authentication method of any one of claims 1 to 4, or implements the UKey-based network login authentication method of any one of claims 5 to 6 when executing the program.
10. A non-transitory computer readable storage medium having stored thereon a computer program, wherein the computer program when executed by a processor implements the UKey-based network login authentication method of any one of claims 1 to 4, or implements the UKey-based network login authentication method of any one of claims 5 to 6.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211010417.7A CN115086090A (en) 2022-08-23 2022-08-23 Network login authentication method and device based on UKey

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211010417.7A CN115086090A (en) 2022-08-23 2022-08-23 Network login authentication method and device based on UKey

Publications (1)

Publication Number Publication Date
CN115086090A true CN115086090A (en) 2022-09-20

Family

ID=83245226

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211010417.7A Pending CN115086090A (en) 2022-08-23 2022-08-23 Network login authentication method and device based on UKey

Country Status (1)

Country Link
CN (1) CN115086090A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116611098A (en) * 2023-07-19 2023-08-18 北京电科智芯科技有限公司 File encryption mobile storage method and system, storage medium and electronic equipment

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101938473A (en) * 2010-08-24 2011-01-05 北京易恒信认证科技有限公司 Single-point login system and single-point login method
US20140380310A1 (en) * 2013-06-25 2014-12-25 International Business Machines Corporation Sharing usb key by multiple virtual machines located at different hosts
CN104378206A (en) * 2014-10-20 2015-02-25 中国科学院信息工程研究所 Virtualization desktop safety certification method and system based on USB-Key
CN107094081A (en) * 2017-06-28 2017-08-25 济南浪潮高新科技投资发展有限公司 The solution that a kind of use UsbKey for supporting many browsers is digitally signed
CN107241345A (en) * 2017-06-30 2017-10-10 西安电子科技大学 Cloud computing resources management method based on UKey
CN108259440A (en) * 2016-12-29 2018-07-06 航天信息股份有限公司 USBKey authentications based on cloud computing are in the method and system of B/S framework applications
CN109728909A (en) * 2019-03-21 2019-05-07 郑建建 Identity identifying method and system based on USBKey

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116611098A (en) * 2023-07-19 2023-08-18 北京电科智芯科技有限公司 File encryption mobile storage method and system, storage medium and electronic equipment
CN116611098B (en) * 2023-07-19 2023-10-27 北京电科智芯科技有限公司 File encryption mobile storage method and system, storage medium and electronic equipment

Similar Documents

Publication Publication Date Title
KR102493744B1 (en) Security Verification Method Based on Biometric Characteristics, Client Terminal, and Server
US9369460B2 (en) Authentication manager
US20170244676A1 (en) Method and system for authentication
KR100548638B1 (en) Creating and authenticating one time password using smartcard and the smartcard therefor
US9767262B1 (en) Managing security credentials
CN110266642A (en) Identity identifying method and server, electronic equipment
US20150244695A1 (en) Network authentication method for secure user identity verification
US20200196143A1 (en) Public key-based service authentication method and system
CN104426659A (en) Dynamic password generating method, authentication method, authentication system and corresponding equipment
US20230412399A1 (en) Database Multi-Authentication Method and System, Terminal, and Storage Medium
CN111327629B (en) Identity verification method, client and server
US11444936B2 (en) Managing security credentials
CN105162775A (en) Logging method and device of virtual machine
CN112615834B (en) Security authentication method and system
CN112000951A (en) Access method, device, system, electronic equipment and storage medium
CN103684797A (en) Subscriber and subscriber terminal equipment correlation authentication method and system
CN111901304B (en) Registration method and device of mobile security equipment, storage medium and electronic device
CN105162774A (en) Virtual machine login method and device used for terminal
CN113641973A (en) Identity authentication method, system and medium
CN115086090A (en) Network login authentication method and device based on UKey
CN103684796A (en) SMI (subscriber identity module) card and personal identity authentication method
CN109145543B (en) Identity authentication method
KR102016976B1 (en) Unified login method and system based on single sign on service
CN115941217B (en) Method for secure communication and related products
CN111740938B (en) Information processing method and device, client and server

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20220920