CN115834245A - Security authentication method, system, equipment and storage medium - Google Patents

Security authentication method, system, equipment and storage medium

Info

Publication number
CN115834245A
Authority
CN
China
Prior art keywords
client
authentication
intermediate authentication
server
terminal
Legal status
Pending
Application number
CN202310013585.XA
Other languages
Chinese (zh)
Inventor
赵元凯
Current Assignee
Aspire Technologies Shenzhen Ltd
Original Assignee
Aspire Technologies Shenzhen Ltd

Abstract

The invention provides a security authentication method, system, device and storage medium, applied to a security authentication system that comprises an intermediate authentication end, a server end, an application end and N clients. The security authentication method comprises the following steps: the intermediate authentication end receives a login event for data transmission between a client and the application end; the intermediate authentication end sends the identity information of the client to the server end; the intermediate authentication end receives the verification result produced by the server end when it verifies the identity information; and the intermediate authentication end determines, based on the received verification result, whether to allow the application end to transmit data to the client. The security authentication method improves the security of data transmission and the portability of security authentication.

Description

Security authentication method, system, device and storage medium
Technical Field
The present invention relates to the field of identity security authentication, and in particular, to a security authentication method, system, device, and storage medium.
Background
With the growth of PC and mobile terminal service applications, enterprises and organizations have gradually built up many service application systems, and users access these systems from PC terminals or wireless terminals over internal networks or mobile networks to carry out service operations. In the process they face security problems such as identity authentication, secure transmission and non-repudiation, so there is an urgent need to integrate these independently operated and separately managed information systems into a unified authentication platform that implements unified joint authentication of traditional and wireless services. The current conventional implementations of such a unified authentication platform have the drawbacks of being inconvenient to carry, not usable by multiple people, prone to leaking biometric information, and susceptible to tampering with application authentication.
Disclosure of Invention
The main purpose of the present invention is to provide a security authentication method, system, device and storage medium that address the technical problems of existing security authentication systems: they are inconvenient to carry, cannot be used by multiple people, leak biometric information easily, and allow application authentication to be tampered with.
To achieve the above object, the present invention provides a security authentication method applied to a security authentication system that includes an intermediate authentication end, a server end, an application end and N clients, where each client is in communication connection with the intermediate authentication end, the intermediate authentication end is in communication connection with the server end and with the application end, and N is a positive integer greater than 1;
the security authentication method comprises the following steps:
the intermediate authentication end receives a login event for data transmission between a client and the application end;
the intermediate authentication end sends the identity information of the client to the server end;
the intermediate authentication end receives the verification result produced by the server end when it verifies the identity information;
and the intermediate authentication end determines, based on the received verification result, whether to allow the application end to transmit data to the client.
Optionally, before the intermediate authentication end sends the identity information of the client to the server end, the method further includes:
the intermediate authentication end sends a first authentication request to a biometric library, where the first authentication request contains the biometric information of the client;
the biometric library performs verification based on the biometric information in the first authentication request and returns a feature verification result to the intermediate authentication end, where the feature verification result includes an authorized result;
the intermediate authentication end allows data transmission with the client based on the received authorized result.
Optionally, the feature verification result further includes an unauthorized result, and before the intermediate authentication end allows data transmission with the client based on the received authorized result, the method further includes:
the intermediate authentication end returns an authority registration request to the client based on the unauthorized result;
the client creates authority information based on the authority registration request and sends it to the intermediate authentication end, where the authority information includes the identity information and the biometric information;
the intermediate authentication end sends the authority information to the server end;
the server end audits the authority information that the intermediate authentication end received from the client;
if the audit passes, the intermediate authentication end binds the client according to the identity information created by the client so as to allow data transmission with the client, and transmits the biometric information created by the client to the biometric library.
Optionally, the step in which the intermediate authentication end receives the verification result of the server end's verification of the identity information specifically includes:
the server end receives a second authentication request sent by the intermediate authentication end, where the second authentication request contains the identity information of the client;
the server end verifies the identity information in the second authentication request against a preset user list;
if the user list contains the identity information, the server end determines that the second authentication request is successfully verified and sends a verification success result together with the digital certificate corresponding to the identity information to the intermediate authentication end;
if the user list does not contain the identity information, the server end determines that verification of the second authentication request has failed and sends a verification failure result to the intermediate authentication end.
Optionally, the step in which the intermediate authentication end determines, based on the received verification result, whether to allow the application end to transmit data to the client specifically includes:
based on the verification success result, the intermediate authentication end generates response data corresponding to the login event according to the digital certificate and returns the response data to the client;
the client identifies the response data, generates an encrypted request corresponding to the response data based on a preset digest algorithm, and sends the encrypted request to the application end;
the application end forwards the encrypted request to the intermediate authentication end for verification;
and if the verification passes, the application end transmits data to the client.
Optionally, the method further includes:
the identity information and biometric information corresponding to the client are encrypted with a preset private key and transmitted to the intermediate authentication end;
and the intermediate authentication end decrypts the identity information and biometric information corresponding to the client.
Optionally, after the intermediate authentication end determines, based on the received verification result, whether to allow the application end to transmit data to the client, the method further includes:
the intermediate authentication end acquires the activity level of each client;
when the activity level of a client is lower than a preset threshold, the intermediate authentication end releases its binding with that client.
In addition, to achieve the above object, the present invention further provides a security authentication system that includes an intermediate authentication end, a server end, an application end and N clients, where each client is in communication connection with the intermediate authentication end, the intermediate authentication end is in communication connection with the server end and with the application end, and N is a positive integer greater than 1;
the intermediate authentication end comprises a receiving module, a sending module, a verification module and a transmission module;
the receiving module is used by the intermediate authentication end to receive a login event for data transmission between a client and the application end;
the sending module is used by the intermediate authentication end to send the identity information of the client to the server end;
the verification module is used by the intermediate authentication end to receive the verification result of the server end's verification of the identity information;
the transmission module is configured to let the intermediate authentication end determine, based on the received verification result, whether to allow the application end to transmit data to the client.
In addition, in order to achieve the above object, the present invention further provides a computer device, which includes a memory and a processor, wherein the memory stores a computer program, and the processor implements the steps of the security authentication method as described above when executing the computer program.
Further, to achieve the above object, the present invention also provides a computer readable storage medium having stored thereon a data processing program which, when executed by a processor, implements the steps of the security authentication method as described above.
Compared with the prior art, the embodiments of the application have the following main beneficial effects.
The invention provides a security authentication method, system, device and storage medium, applied to a security authentication system that comprises an intermediate authentication end, a server end, an application end and N clients, where each client is in communication connection with the intermediate authentication end, the intermediate authentication end is in communication connection with the server end and with the application end, and N is a positive integer greater than 1. The security authentication method comprises the following steps: the intermediate authentication end receives a login event for data transmission between a client and the application end; the intermediate authentication end sends the identity information of the client to the server end; the intermediate authentication end receives the verification result produced by the server end when it verifies the identity information; and the intermediate authentication end determines, based on the received verification result, whether to allow the application end to transmit data to the client. During security authentication processing, the intermediate authentication end carries out the authentication interaction and the certificate download interaction for a login event initiated by the client, which improves the security of data transmission and the portability of security authentication.
Drawings
To illustrate the solution of the present application more clearly, the drawings used in the description of its embodiments are briefly described below. The drawings described below illustrate only some embodiments of the present application; a person skilled in the art may obtain other drawings from them without inventive effort.
FIG. 1 is an exemplary system architecture diagram in which the present application may be applied;
FIG. 2 is a flow diagram of one embodiment of a security authentication method according to the present application;
FIG. 3 is a block diagram of one embodiment of a security authentication system according to the present application;
FIG. 4 is a block diagram of one embodiment of an intermediate authentication module according to the present application;
FIG. 5 is a schematic block diagram of one embodiment of a computer device according to the present application.
Detailed Description
The method for determining a data format provided by the embodiment of the present invention is applied to a data processing system, and unless otherwise defined, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs; the terminology used in the description of the application herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application; the terms "including" and "having," and any variations thereof, in the description and claims of this application and the description of the above figures are intended to cover non-exclusive inclusions. The terms "first," "second," and the like in the description and claims of this application or in the above-described drawings are used for distinguishing between different objects and not for describing a particular order.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the application. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. It is explicitly and implicitly understood by one skilled in the art that the embodiments described herein can be combined with other embodiments.
In order to make the technical solutions better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings.
As shown in fig. 1, the system architecture 100 may include terminal devices 101, 102, 103, a network 104, and a server 105. The network 104 serves as a medium for providing communication links between the terminal devices 101, 102, 103 and the server 105. Network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, to name a few.
The user may use the terminal devices 101, 102, 103 to interact with the server 105 via the network 104 to receive or send messages or the like. The terminal devices 101, 102, 103 may have various communication client applications installed thereon, such as a web browser application, a shopping application, a search application, an instant messaging tool, a mailbox client, social online platform software, and the like.
The terminal devices 101, 102, 103 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smart phones, tablet computers, e-book readers, MP3 players (Moving Picture Experts Group Audio Layer III), MP4 players (Moving Picture Experts Group Audio Layer IV), laptop computers, desktop computers, and the like.
The server 105 may be a server providing various services, such as a background server providing support for pages displayed on the terminal devices 101, 102, 103.
It should be noted that the security authentication method provided in the embodiments of the present application is generally executed by a server or terminal device, and accordingly the security authentication system is generally disposed in the server or terminal device.
It should be understood that the number of terminal devices, networks, and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
With continued reference to fig. 2, a flow diagram of one embodiment of a security authentication method according to the present application is shown. The embodiment of the application can acquire and process the related data based on artificial intelligence technology. The security authentication method provided by this embodiment is applied to a security authentication system that includes an intermediate authentication end, a server end, an application end and N clients, where N is a positive integer greater than 1. Each client corresponds to a user participating in application access at the application end, a user being someone who has been granted usage rights and has passed security authentication; each client is in communication connection with the intermediate authentication end, the intermediate authentication end is in communication connection with the server end, and the intermediate authentication end is in communication connection with the application end.
The client may be understood as a terminal used by a user participating in application access of an application terminal, and the client may be an application client or a terminal page loaded on a mobile device or a non-mobile device.
The server end may be a digital certificate authority (CA).
The intermediate authentication end may be a secure key container, an identity verification centre or a security framework, and may be used to provide services such as key security management, identity recognition, data encryption and signature verification; it may also provide services to applications such as security, data, transaction support, load balancing and large distributed system management.
The application terminal may refer to any service application system.
The security authentication method comprises the following steps:
S210, the intermediate authentication end receives a login event for data transmission between the client and the application end;
The intermediate authentication end detects a login event for data transmission between the client and the application end. The login event is initiated by a user through the client in order to access a service application system and perform service operations, and the application end transmits data according to the user's actual operations. Note that the intermediate authentication end sits between the client and the application end: a login event initiated by the user through the client is first received by the intermediate authentication end, which allows the application end to transmit data only after verification.
S220, the intermediate authentication end sends the identity information of the client to the server end;
In this embodiment, the intermediate authentication end sends the identity information corresponding to the client to the server end based on the login event. The security authentication system further includes a biometric library, which stores the biometric information of the users at the clients. The biometric information may be obtained by any biometric acquisition device installed on the client that collects the user's biometric characteristics in real time; the acquisition device may be a camera or a microphone, and the biometric information may be facial feature information or voice feature information.
In detail, in another embodiment, before the intermediate authentication end sends the identity information of the client to the server end, the client acquires the authority information of the user, which includes biometric information and identity information, and transmits it to the intermediate authentication end for authority verification. The intermediate authentication end extracts the biometric information, generates a first authentication request and sends it to the biometric library; the biometric library performs feature verification on the received biometric information, checking whether it exists in the library, and produces a feature verification result that is either an authorized result or an unauthorized result. An authorized result means that the biometric information sent by the intermediate authentication end exists in the biometric library; an unauthorized result means that it does not.
The method further includes a user registration step. The intermediate authentication end returns an authority registration request to the client in response to an unauthorized result, instructing the user to register; the user re-enters identity information and biometric information through the client, which transmits them to the intermediate authentication end; the intermediate authentication end transmits the identity information to the server end as a digital certificate application request, and once the request is approved the server end returns a digital certificate to the intermediate authentication end. The intermediate authentication end transmits the biometric information to the biometric library for storage, binds the digital certificate to the identity information to complete the user registration, and finally returns the received digital certificate to the client for storage. The digital certificate is stored in a TF card or mobile storage device of the client and serves as the unique access identifier of the mobile or non-mobile client.
In another optional embodiment, the terminal device on which the client runs carries a public/private key pair generation instruction set recorded by the manufacturer; the device's built-in chip generates a specific public/private key pair according to that instruction set, and the biometric information and identity information are encrypted with this key pair and transmitted to the intermediate authentication end. The private key is not derivable. The intermediate authentication end stores the acquired digital certificate temporarily in the TF card or mobile storage device; if the TF card or mobile storage device loses power and is disconnected, the digital certificate disappears and must be applied for again.
Through this registration step the client can be used by multiple people: the user's biometric information and identity information collected by the client are registered with the intermediate authentication end, and the biometric information stored in the biometric library is used to compare the users of the client, so that multiple people can access the application end.
In another embodiment, the user registration step may instead be triggered by a user registration request event that the client sends directly to the intermediate authentication end; the intermediate authentication end then performs user binding registration according to the steps above and, after registration succeeds, sends the registered user's biometric information to the biometric library for storage. It should be understood that the biometric information collected in this step is used to determine the user identity of the client.
S230: the intermediate authentication end receives the verification result of the server end's verification of the identity information:
Specifically, in this embodiment, the intermediate authentication end encrypts the identity information that has passed feature verification to generate a second authentication request and sends it to the server end. Note that in this embodiment the server end may be a CA platform, the authority responsible for issuing and managing digital certificates. As a trusted third party in the network, the CA platform can verify the identity information of the device that initiates a digital certificate application, manage and update digital certificates, maintain a certificate revocation list, and so on. The digital certificate in this embodiment is an electronic certificate issued by a certificate authority (CA) that identifies the certificate holder (for example, a client device) and provides a way to verify the identity of a communication peer.
The server end decrypts the second authentication request to obtain the identity information corresponding to the client, identifies the user from it, and queries whether that identity information exists in a preset user list. If it does, the server end determines that the second authentication request is successfully verified and sends a verification success result together with the digital certificate corresponding to the identity information to the intermediate authentication end; otherwise it sends a verification failure result to the intermediate authentication end.
S240: the intermediate authentication end determines, based on the received verification result, whether to allow the application end to transmit data to the client:
In this embodiment, based on the verification success result, the intermediate authentication end generates response data corresponding to the login event according to the digital certificate and returns the response data to the client. The client loads the received digital certificate into its storage device, which may be a TF card, a mobile storage device or the like; before doing so, the client uses the chip of the device it runs on to decrypt with the generated private key and obtain the digital certificate.
Further, once the client holds the digital certificate, the intermediate authentication end establishes a bidirectional SSL connection with the client using the digital certificate; SSL in this embodiment refers to the Secure Sockets Layer protocol. SSL provides integrity through mutual authentication and digital signatures, and confidentiality through encryption, so that secure communication between the client and the intermediate authentication end is achieved.
Further, the client identifies the response data, generates an encrypted request corresponding to the response data based on a preset digest algorithm, and sends the encrypted request to the application end.
In this embodiment, once the client has passed through the established bidirectional SSL channel, it is allowed to access the application list of the application end and sends an access instruction according to the user's actual access needs. The application end forwards the access instruction to the intermediate authentication end, which verifies that the client's digital certificate is legitimate, generates a corresponding ticket and random number, and returns them to the client. The client computes an MD5 value over the returned ticket and random number plus a time salt using the preset digest algorithm, re-encrypts the call instruction with that MD5 value to obtain an encrypted instruction, and transmits the encrypted instruction to the application end.
Further, the application end forwards the encrypted request to the intermediate authentication end for verification, and if the verification passes, the application end transmits data to the client.
In this step, to prevent the request command from being tampered with, the client generates the MD5 value from the response data and uses it to encrypt the parameters of the request command, and the intermediate authentication end verifies the parameters of the encrypted request forwarded by the application end. The intermediate authentication end's verification criterion is determined from the response data it transmitted over the SSL secure channel, so when the verification passes it can be concluded that the data has not been tampered with, which further ensures the security of data transmission.
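The ticket, random number and time-salt exchange of S240, as an added example that is not code from the patent: the digest algorithm is parameterised (MD5 as on the page, SHA-256 substitutable), while the freshness window, single-use tickets, the certificate fingerprint and the HMAC that binds the instruction to the digest are assumptions, since the page does not specify how the instruction is "re-encrypted" with the digest value.

```python
import hashlib
import hmac
import secrets
import time

# Constructed model of the S240 exchange; not code from the patent.
# Parties: client, application end (forwarder only), intermediate authentication end.
DIGEST_ALGORITHM = "md5"   # the page's "preset digest algorithm"; "sha256" also works
MAX_SKEW_SECONDS = 30      # assumed freshness window for the time salt


def derive_digest(ticket, random_number, time_salt, algorithm=DIGEST_ALGORITHM):
    """Digest over ticket + random number + time salt (what the page calls the MD5 value)."""
    h = hashlib.new(algorithm)
    h.update(f"{ticket}|{random_number}|{time_salt}".encode())
    return h.hexdigest()


def bind_instruction(digest, instruction):
    """Assumption: the page says the instruction is 're-encrypted using the MD5 value';
    here that value keys an HMAC over the instruction so any change is detectable."""
    return hmac.new(digest.encode(), instruction.encode(), "sha256").hexdigest()


class IntermediateAuthEnd:
    def __init__(self, trusted_fingerprints):
        self.trusted = set(trusted_fingerprints)   # client certificates already verified
        self.issued = {}                           # ticket -> (random number, fingerprint)

    def issue(self, cert_fingerprint):
        """Check the client certificate is legitimate, then issue ticket + random number."""
        if cert_fingerprint not in self.trusted:
            return None
        ticket, random_number = secrets.token_hex(8), secrets.token_hex(16)
        self.issued[ticket] = (random_number, cert_fingerprint)
        return ticket, random_number

    def verify(self, request, now=None):
        """Parameter verification of the request the application end forwarded."""
        now = time.time() if now is None else now
        entry = self.issued.get(request["ticket"])
        if entry is None:                                       # unknown or already used
            return False
        if abs(now - request["time_salt"]) > MAX_SKEW_SECONDS:  # stale time salt
            return False
        random_number, _ = entry
        expected = bind_instruction(
            derive_digest(request["ticket"], random_number, request["time_salt"]),
            request["instruction"])
        ok = hmac.compare_digest(expected, request["tag"])
        if ok:
            del self.issued[request["ticket"]]   # assumption: tickets are single use
        return ok


def client_build_request(ticket, random_number, instruction, time_salt):
    """Client side: compute the digest and bind the access instruction to it."""
    digest = derive_digest(ticket, random_number, time_salt)
    return {"ticket": ticket, "time_salt": time_salt,
            "instruction": instruction, "tag": bind_instruction(digest, instruction)}


def application_forward(auth_end, request, now):
    """Application end: forward to the intermediate end; transmit data only if it verifies."""
    return auth_end.verify(request, now)


def run(tamper=False, stale=False, replay=False):
    """Constructed run: honest request, tampered instruction, stale salt or replayed request."""
    auth = IntermediateAuthEnd({"sha256:constructed-client-cert"})
    ticket, random_number = auth.issue("sha256:constructed-client-cert")
    now = 1_700_000_000
    request = client_build_request(ticket, random_number, "GET /orders", now)
    if tamper:
        request["instruction"] = "GET /orders?all=1"   # altered after the tag was computed
    if stale:
        now += 3600
    first = application_forward(auth, request, now)
    if replay:
        return first, application_forward(auth, request, now)
    return first
```

A modified instruction, a time salt outside the window, and a second presentation of the same ticket are all rejected by the intermediate end, which is the tamper check the paragraph above describes.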
In another feasible embodiment, once the client has established a communication connection with the intermediate authentication end, the client sends a public key to the intermediate authentication end and, at the same time, encrypts the identity information and biometric information corresponding to the client with a preset private key and transmits them to the intermediate authentication end; the intermediate authentication end decrypts them with the public key to obtain the client's identity information and biometric information. The public key is the non-secret half of a key pair used together with the private key; it is typically used to encrypt a session key, verify a digital signature, or encrypt data that can be decrypted with the corresponding private key. The public key and private key are a key pair obtained through an algorithm: the one published externally is called the public key, and the one kept private is called the private key. The client stores the private key corresponding to the public key, and it may also deliver the public key to the intermediate authentication end in other ways, which are not limited here.
In another possible embodiment, after the step of determining, by the intermediate authentication peer, whether to allow the application peer to perform data transmission on the client based on the received verification result, the method further includes:
the intermediate authentication end acquires the activity of each client; and when the activity of a client is lower than a preset threshold, the intermediate authentication end unbinds that client.
In this embodiment, the intermediate authentication end may obtain the activity corresponding to each user in real time or at regular intervals in order to determine the target user; it should be understood that users correspond to clients one to one. The activity level is related to at least one of: the time of the client's most recent connection to the biometric library, the active period of the client's connection to the biometric library, and the client's total connection time to the biometric library.
Further, this embodiment also sets a preset threshold, determines each user whose activity is lower than the preset threshold as a target user, and deletes the biometric information corresponding to the target user in order to optimize the biometric library.
The specific rule comprises the interval since the last connection was used, the connection active period and the total connection use time; for an inactive user who sends a data operation request again, the intermediate authentication end re-establishes registration authentication.
Compared with the prior art, the embodiment of the application has the following main beneficial effects.
The invention provides a security authentication method, a system, equipment and a storage medium, which are applied to a security authentication system, wherein the security authentication system comprises an intermediate authentication end, a server end, an application end and N client ends, the client ends are in communication connection with the intermediate authentication end, the intermediate authentication end is in communication connection with the server end, the intermediate authentication end is in communication connection with the application end, and N is a positive integer greater than 1; the security authentication method comprises the following steps: the intermediate authentication end receives a login event for data transmission between the client and the application end; the intermediate authentication end sends the identity information of the client to the server; the intermediate authentication end receives a verification result of the server end for verifying the identity information; and the intermediate authentication end determines whether to allow the application end to transmit data to the client based on the received verification result. During the security authentication processing, the intermediate authentication end performs the authentication interaction and the certificate downloading interaction for a login event initiated by the client, so that the security of data transmission and the portability of security authentication are improved.
With further reference to fig. 3, as an implementation of the method shown in fig. 2, the present application provides an embodiment of a security authentication system 300, which corresponds to the embodiment of the method shown in fig. 2, and which is particularly applicable to various electronic devices.
The security authentication system 300 provided by the embodiment of the present invention includes N clients 301 (N being a positive integer greater than 1), an intermediate authentication end 302, a server 303 and an application end 304. One client corresponds to one user participating in application access to the application end, where a user is someone who has been granted a usage right and who passes security authentication; the client is in communication connection with the intermediate authentication end, the intermediate authentication end is in communication connection with the server, and the intermediate authentication end is in communication connection with the application end.
Referring to fig. 4, the intermediate authentication end 302 includes a receiving module 3021, a sending module 3022, a verifying module 3023, and a transmitting module 3024;
the receiving module 3021 is configured to receive a login event of data transmission between the client and the application;
specifically, the receiving module detects a login event for data transmission between the client and the application end, wherein the login event is initiated by a user from the client in order to access a service application system for service operation, and the application end performs data transmission according to the user's actual operation; it should be noted that the intermediate authentication end is disposed between the user end and the application end, so the login event initiated by the user from the client is first received by the intermediate authentication end, which allows the application end to perform data transmission only after verification.
The sending module 3022 is configured to send the identity information of the client to the server;
in this embodiment, the sending module sends the identity information corresponding to the client to the server based on the login event. The security authentication system further includes a biometric library; it should be noted that the biometric library is used to store the biometric information of the user at the client. The biometric information may be obtained by loading a biometric acquisition device on the client to collect the user's biometric characteristics in real time; the acquisition device may be any one of a camera and a microphone, and the biometric information may include any one of face feature information and voice feature information.
In detail, in another embodiment, before the intermediate authentication end sends the identity information of the client to the server, the client acquires the authority information of the user, wherein the authority information includes biometric information and identity information, and the client transmits the authority information of the user to the intermediate authentication end for authority verification. The intermediate authentication end extracts the biometric information to generate a first authentication request and sends it to the biometric library; the biometric library performs feature verification based on the received biometric information, i.e. it verifies whether the biometric information exists in the library, and obtains a feature verification result. The feature verification result is either an authorized result or an unauthorized result: an authorized result means that the biometric information sent by the intermediate authentication end exists in the biometric library, and an unauthorized result means that it does not.
The sending module further comprises a registration subunit, the registration subunit is used for registering the user, the intermediate authentication end returns an authority registration request to the client according to an unauthorized result to indicate the user to perform authority registration, the user re-inputs the identity information and the biological characteristic information through the client and transmits the identity information and the biological characteristic information to the intermediate authentication end, the intermediate authentication end transmits the identity information to the server to perform a digital certificate application request, and the server returns the digital certificate to the intermediate authentication end after the digital certificate application request is approved. The intermediate authentication end transmits the biological characteristic information to a biological characteristic library for storage, binds the digital certificate and the identity information to complete user registration application, and finally returns the received digital certificate to the client for storage, wherein the digital certificate is stored in a TF card or mobile storage equipment of the client to serve as a unique access identifier of the mobile client or the non-mobile client.
In another embodiment, the registration subunit may further initiate a user registration request event, the intermediate authentication terminal performs user binding registration according to the above steps, and after the user registration is successful, the intermediate authentication terminal sends the biometric information corresponding to the user after the registration is successful to the biometric database for storage. It should be understood that the collection of the biometric information in this step is used to determine the user identity of the client.
The verification module 3023 is configured to receive a verification result obtained by verifying the identity information by the server;
specifically, in this embodiment, the verification module encrypts the identity information that passed feature verification to generate a second authentication request, and sends the second authentication request to the server. It should be noted that, in this embodiment, the server may refer to a CA platform, i.e. an authority responsible for issuing and managing digital certificates. The CA platform, as a trusted third party in the network, can verify the identity information of the device initiating a digital certificate application, manage and update digital certificates, maintain a digital certificate revocation list, and so on. The digital certificate in this embodiment is an electronic certificate issued by a certificate authority (CA) that identifies the certificate holder (e.g., a client device) and provides a way to verify the identity of a communication peer.
The server decrypts the second authentication request to obtain the identity information corresponding to the client, identifies the user from that identity information, and queries whether the identity information exists in a preset user list. If it exists, the server determines that the second authentication request is successfully verified and sends a verification success result together with the digital certificate corresponding to the identity information to the intermediate authentication end; otherwise, the server sends a verification failure result to the intermediate authentication end.
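The two-stage decision made by the intermediate authentication end in the passages above (feature verification at the biometric library, then identity verification at the server end, with the registration path for an unauthorized result) is shown below as an added example written for this page; it is not code from the patent or its applicant. The biometric library, the CA server, the certificate strings and the face template are all constructed stand-ins: the library keeps only a SHA-256 fingerprint of each enrolled template rather than the raw template, a choice made here for the example, and the CA "certificate" is a placeholder string rather than an X.509 certificate.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// FeatureResult is the biometric library's verdict on a submitted feature template.
type FeatureResult int

const (
	Unauthorized FeatureResult = iota // template not enrolled: the user must register
	Authorized                        // template enrolled: continue to identity verification
)

// BiometricLibrary stores a SHA-256 fingerprint per enrolled template (constructed
// for this example), so a copy of the store does not yield raw biometric data.
type BiometricLibrary struct{ enrolled map[string]bool }

func NewBiometricLibrary() *BiometricLibrary {
	return &BiometricLibrary{enrolled: map[string]bool{}}
}

func fingerprint(template []byte) string {
	sum := sha256.Sum256(template)
	return hex.EncodeToString(sum[:])
}

// Store saves a template after a successful registration.
func (b *BiometricLibrary) Store(template []byte) { b.enrolled[fingerprint(template)] = true }

// Verify answers the first authentication request: is this template enrolled?
func (b *BiometricLibrary) Verify(template []byte) FeatureResult {
	if b.enrolled[fingerprint(template)] {
		return Authorized
	}
	return Unauthorized
}

// CAServer stands in for the server end: a preset user list of identities and the
// digital certificate issued to each (placeholder strings, not real certificates).
type CAServer struct{ userList map[string]string }

func NewCAServer() *CAServer { return &CAServer{userList: map[string]string{}} }

// VerifyIdentity answers the second authentication request.
func (c *CAServer) VerifyIdentity(identity string) (cert string, ok bool) {
	cert, ok = c.userList[identity]
	return cert, ok
}

// ApproveCertificate models the certificate application made during registration.
func (c *CAServer) ApproveCertificate(identity string) string {
	cert := "CERT-PLACEHOLDER-FOR-" + identity
	c.userList[identity] = cert
	return cert
}

// Decision is what the intermediate authentication end returns for a login event.
type Decision struct {
	Allowed          bool   // the application end may transmit data to this client
	NeedRegistration bool   // biometric feature unknown: return a registration request
	Certificate      string // certificate handed back to the client on success
	Reason           string
}

// Intermediate is the intermediate authentication end; it binds identity to certificate.
type Intermediate struct {
	lib      *BiometricLibrary
	ca       *CAServer
	bindings map[string]string // identity -> certificate
}

func NewIntermediate(lib *BiometricLibrary, ca *CAServer) *Intermediate {
	return &Intermediate{lib: lib, ca: ca, bindings: map[string]string{}}
}

// Authenticate runs feature verification first and identity verification second;
// a failure at either stage never reaches the application end.
func (m *Intermediate) Authenticate(identity string, template []byte) Decision {
	if m.lib.Verify(template) == Unauthorized {
		return Decision{NeedRegistration: true, Reason: "biometric feature not enrolled"}
	}
	cert, ok := m.ca.VerifyIdentity(identity)
	if !ok {
		return Decision{Reason: "identity not in user list"}
	}
	return Decision{Allowed: true, Certificate: cert, Reason: "verified"}
}

// Register handles authority registration: certificate application at the server
// end, template storage in the library, and the identity/certificate binding.
func (m *Intermediate) Register(identity string, template []byte) string {
	cert := m.ca.ApproveCertificate(identity)
	m.lib.Store(template)
	m.bindings[identity] = cert
	return cert
}

func main() {
	m := NewIntermediate(NewBiometricLibrary(), NewCAServer())
	face := []byte("constructed-face-template-alice") // stands in for a real feature vector
	fmt.Printf("%+v\n", m.Authenticate("alice", face)) // registration request
	m.Register("alice", face)
	fmt.Printf("%+v\n", m.Authenticate("alice", face)) // allowed, certificate returned
	fmt.Printf("%+v\n", m.Authenticate("bob", face))   // identity not in user list
}
```

The order of the two checks matters for what the server end learns: an identity is only forwarded to the CA after the biometric library has confirmed the feature, so a login attempt with an unknown feature produces a registration request and no certificate lookup.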
The transmitting module 3024 is configured to determine whether to allow the application to perform data transmission on the client based on the received verification result:
in this embodiment, the transmission module generates the response data corresponding to the login event from the digital certificate, based on the verification success result, and returns the response data to the client. The client loads the received digital certificate into its storage device, which may be a TF card, a mobile storage device, or the like; before loading, the client uses the device chip it carries to decrypt with the generated private key and so obtain the digital certificate.
Further, once the client holds the digital certificate, the intermediate authentication end establishes a bidirectional SSL connection with the client using the digital certificate. It should be noted that SSL in this embodiment may refer to the Secure Sockets Layer protocol. SSL provides integrity through mutual authentication and digital signatures, and privacy through encryption, so that secure communication between the client and the intermediate authentication end is achieved.
Further, the client identifies response data, generates an encryption request corresponding to the response data based on a preset abstract algorithm, and sends the encryption request to the application terminal;
in this embodiment, once the client communicates over the established bidirectional SSL connection channel, it is allowed to access the application list of the application end and sends an access instruction according to the actual access requirement of the user at the client. The application end forwards the access instruction to the intermediate authentication end; the intermediate authentication end verifies that the client's digital certificate is legal, generates a corresponding ticket and random number, and returns them to the client. The client computes an MD5 value over the returned ticket, the random number and a time salt using the preset digest algorithm, re-encrypts the call instruction with this MD5 value to obtain an encryption instruction, and transmits the encryption instruction to the application end.
Further, the application end forwards the encryption request to the intermediate authentication end for verification; and if the verification passes, the application end transmits data to the client.
In this step, to prevent the request command from being tampered with, the client generates the corresponding MD5 value from the response data and uses it to encrypt the parameters of the request command; the intermediate authentication end then performs parameter verification on the encryption request forwarded by the application end. The verification criterion of the intermediate authentication end is derived from the response data it delivered online through the SSL secure channel, so once verification passes it can be determined that no data tampering has occurred, further ensuring the security of data transmission.
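The ticket, random number and time-salt digest described above, and its verification by the intermediate authentication end against its own copy of the issued values, is worked through below as an added example written for this page (not code from the patent or its applicant). It follows the page literally in using MD5 as the preset digest algorithm; the "encryption instruction" is modelled as the command together with its digest, which is the part the intermediate end checks. The ticket store, the time-to-live, the single-use rule and the injectable clock are assumptions made for the example, as are the sample commands.

```go
package main

import (
	"crypto/hmac"
	"crypto/md5"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Ticket is issued by the intermediate authentication end after the client's
// certificate is found legal; the end keeps its own copy to check later requests.
type Ticket struct {
	ID       string
	Nonce    string // the random number returned together with the ticket
	IssuedAt int64  // unix seconds; serves as the time salt
	used     bool
}

// Issuer is the intermediate authentication end's ticket store (assumed structure).
type Issuer struct {
	tickets map[string]*Ticket
	ttl     time.Duration
	now     func() time.Time // injectable clock so expiry can be tested deterministically
}

func NewIssuer(ttl time.Duration, now func() time.Time) *Issuer {
	return &Issuer{tickets: map[string]*Ticket{}, ttl: ttl, now: now}
}

func randomHex(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG must not silently produce predictable tickets
	}
	return hex.EncodeToString(b)
}

// Issue creates a fresh ticket and random number for a client whose certificate passed.
func (s *Issuer) Issue() Ticket {
	t := &Ticket{ID: randomHex(16), Nonce: randomHex(16), IssuedAt: s.now().Unix()}
	s.tickets[t.ID] = t
	return *t
}

// Digest is the page's preset digest algorithm taken literally: MD5 over the
// ticket, the random number, the time salt and the command being protected.
func Digest(ticketID, nonce string, salt int64, command string) string {
	h := md5.New()
	fmt.Fprintf(h, "%s|%s|%d|%s", ticketID, nonce, salt, command)
	return hex.EncodeToString(h.Sum(nil))
}

// EncryptedRequest models the client's encryption instruction: the command plus
// the digest that lets the intermediate end detect alteration in transit.
type EncryptedRequest struct {
	TicketID string
	Command  string
	Digest   string
}

// BuildRequest is the client side; it holds the ticket received over the SSL channel.
func BuildRequest(t Ticket, command string) EncryptedRequest {
	return EncryptedRequest{TicketID: t.ID, Command: command, Digest: Digest(t.ID, t.Nonce, t.IssuedAt, command)}
}

// Verify is the intermediate end's parameter verification of a request forwarded
// by the application end. Reference values come from the stored ticket, never
// from the request, and the comparison is constant-time.
func (s *Issuer) Verify(req EncryptedRequest) error {
	t, ok := s.tickets[req.TicketID]
	if !ok {
		return errors.New("unknown ticket")
	}
	if t.used {
		return errors.New("ticket already used")
	}
	if s.now().Unix()-t.IssuedAt > int64(s.ttl.Seconds()) {
		return errors.New("ticket expired")
	}
	want := Digest(t.ID, t.Nonce, t.IssuedAt, req.Command)
	if !hmac.Equal([]byte(want), []byte(req.Digest)) {
		return errors.New("digest mismatch: request parameters were altered")
	}
	t.used = true // single use: the next request needs a fresh ticket
	return nil
}

func main() {
	issuer := NewIssuer(5*time.Minute, time.Now)
	ticket := issuer.Issue()
	altered := BuildRequest(ticket, "GET /orders?id=42")
	altered.Command = "GET /orders?id=43" // changed after the digest was computed
	fmt.Println("altered:", issuer.Verify(altered))
	fmt.Println("intact:", issuer.Verify(BuildRequest(ticket, "GET /orders?id=42")))
}
```

Because the ticket and random number are known only to the client and the intermediate end (they travelled over the SSL channel), the digest behaves as a keyed tag rather than a plain checksum, and that secrecy is what stops a third party from recomputing it; MD5 itself is no longer collision resistant, so a practitioner implementing this scheme today would choose an HMAC over SHA-256 for the same construction.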
In another possible embodiment, the intermediate authentication end further includes a security management subunit:
the security management subunit receives a public key sent by the client once the client has established a communication connection with the intermediate authentication end; at the same time, the identity information, biometric information and identity information corresponding to the client are encrypted with a preset private key and transmitted to the intermediate authentication end, and the intermediate authentication end decrypts with the public key to obtain the identity information, biometric information and identity information corresponding to the client. The public key is the non-secret half of a key pair used together with the private key; it is typically used to encrypt a session key, verify a digital signature, or encrypt data that can be decrypted with the corresponding private key. The public key and the private key are a key pair produced by an algorithm: the half that is published to the outside is called the public key, and the half that is not disclosed is called the private key. The client stores the private key corresponding to the public key; the client may also deliver the public key to the intermediate authentication end in other manners, which is not limited herein.
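The private-key/public-key exchange described in this embodiment (and in the corresponding method embodiment earlier on the page) is shown below as an added example written for this page, not code from the patent or its applicant. "Encrypting with the private key and decrypting with the public key" is, in present-day terms, a digital signature over the payload, which is what the example implements with Ed25519: it proves that the payload came from the holder of the bound private key and was not modified, while confidentiality of the payload still rests on the SSL channel the page establishes. The client and intermediate types, the JSON payload layout and the sample identity and template are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// AuthorityInfo is the payload the client submits: its identity information and
// biometric feature information (a constructed sample stands in for a template).
type AuthorityInfo struct {
	Identity  string `json:"identity"`
	Biometric []byte `json:"biometric"`
}

// SignedEnvelope carries the payload together with the client's signature over it.
type SignedEnvelope struct {
	Payload   []byte
	Signature []byte
}

// Client holds the private key; only the public half ever leaves the device.
type Client struct {
	priv ed25519.PrivateKey
}

func NewClient() (*Client, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Client{priv: priv}, nil
}

// PublicKey is what the client sends to the intermediate end when it connects.
func (c *Client) PublicKey() ed25519.PublicKey {
	return c.priv.Public().(ed25519.PublicKey)
}

// Seal signs the serialized payload: the page's "encrypt with the private key" step.
func (c *Client) Seal(info AuthorityInfo) (SignedEnvelope, error) {
	payload, err := json.Marshal(info)
	if err != nil {
		return SignedEnvelope{}, err
	}
	return SignedEnvelope{Payload: payload, Signature: ed25519.Sign(c.priv, payload)}, nil
}

// Intermediate keeps the public key bound to each client at connection time.
type Intermediate struct {
	keys map[string]ed25519.PublicKey
}

func NewIntermediate() *Intermediate { return &Intermediate{keys: map[string]ed25519.PublicKey{}} }

// Bind records the public key a client presented when the connection was set up.
func (m *Intermediate) Bind(clientID string, pub ed25519.PublicKey) { m.keys[clientID] = pub }

// Open is the page's "decrypt with the public key" step: verify the signature with
// the key bound to that client, then parse the payload. An unbound client, a payload
// modified in transit, or a signature made with a different key is rejected.
func (m *Intermediate) Open(clientID string, env SignedEnvelope) (AuthorityInfo, error) {
	pub, ok := m.keys[clientID]
	if !ok {
		return AuthorityInfo{}, errors.New("no public key bound for client")
	}
	if !ed25519.Verify(pub, env.Payload, env.Signature) {
		return AuthorityInfo{}, errors.New("signature verification failed")
	}
	var info AuthorityInfo
	if err := json.Unmarshal(env.Payload, &info); err != nil {
		return AuthorityInfo{}, err
	}
	return info, nil
}

func main() {
	client, err := NewClient()
	if err != nil {
		panic(err)
	}
	m := NewIntermediate()
	m.Bind("client-1", client.PublicKey())
	env, _ := client.Seal(AuthorityInfo{Identity: "alice", Biometric: []byte("constructed-template")})
	info, err := m.Open("client-1", env)
	fmt.Println("verified identity:", info.Identity, err)
	env.Payload[0] ^= 1 // flip one bit as if altered in transit
	_, err = m.Open("client-1", env)
	fmt.Println("altered payload:", err)
}
```

The binding step is the part that deserves attention in deployment: a public key accepted from an unauthenticated first connection proves only that later messages come from the same sender, so the page's biometric and identity checks, not the key alone, are what tie that sender to a registered user.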
In another possible embodiment, the intermediate authentication end further includes an activity management subunit:
the activity management subunit acquires the activity of each client; and when the activity of a client is lower than a preset threshold, the intermediate authentication end unbinds that client.
In this embodiment, the intermediate authentication end may obtain the activity corresponding to each user in real time or at regular intervals in order to determine the target user; it should be understood that users correspond to clients one to one. The activity level is related to at least one of: the time of the client's most recent connection to the biometric library, the active period of the client's connection to the biometric library, and the client's total connection time to the biometric library.
Further, this embodiment also sets a preset threshold, determines each user whose activity is lower than the preset threshold as a target user, and deletes the biometric information corresponding to the target user in order to optimize the biometric library.
The specific rule comprises the interval since the last connection was used, the connection active period and the total connection use time; for an inactive user who sends a data operation request again, the intermediate authentication end re-establishes registration authentication.
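The activity-based unbinding rule in this embodiment (and in the matching method embodiment earlier on the page) is worked through below as an added example written for this page; it is not code from the patent or its applicant. The page fixes the three factors (time since last connection, active period of the connection, total connection time) and the threshold comparison; the way the factors are combined into one score, the clamping constants, the registry structure and the sample activity records are assumptions made for the example.

```go
package main

import (
	"fmt"
	"time"
)

// ClientActivity is the activity record the intermediate authentication end keeps
// per client (equivalently per user: the page maps them one to one).
type ClientActivity struct {
	ClientID     string
	LastConnect  time.Time     // most recent connection to the biometric library
	ActivePeriod time.Duration // active period of that most recent connection
	TotalConnect time.Duration // total connection time over the client's lifetime
}

// ActivityScore folds the three factors into one number in [0, 3]. The weighting
// (30 idle days, 8 active hours and 100 total hours each saturating at 1) is an
// assumption made for this example; the page fixes only which factors count.
func ActivityScore(a ClientActivity, now time.Time) float64 {
	recency := 1 - now.Sub(a.LastConnect).Hours()/(30*24)
	if recency < 0 {
		recency = 0
	}
	active := a.ActivePeriod.Hours() / 8
	if active > 1 {
		active = 1
	}
	total := a.TotalConnect.Hours() / 100
	if total > 1 {
		total = 1
	}
	return recency + active + total
}

// Registry is the binding state held by the intermediate authentication end.
type Registry struct {
	bound      map[string]bool
	biometrics map[string][]byte // template per client; removed when unbound
}

func NewRegistry() *Registry {
	return &Registry{bound: map[string]bool{}, biometrics: map[string][]byte{}}
}

// Bind records a registered client and the biometric information stored for it.
func (r *Registry) Bind(clientID string, template []byte) {
	r.bound[clientID] = true
	r.biometrics[clientID] = template
}

// HasBiometric reports whether biometric information is still held for a client.
func (r *Registry) HasBiometric(clientID string) bool { _, ok := r.biometrics[clientID]; return ok }

// Sweep is the periodic check: every bound client whose score is below the
// threshold is unbound and its biometric information deleted. Returns the IDs unbound.
func (r *Registry) Sweep(records []ClientActivity, now time.Time, threshold float64) []string {
	var unbound []string
	for _, a := range records {
		if !r.bound[a.ClientID] || ActivityScore(a, now) >= threshold {
			continue
		}
		delete(r.bound, a.ClientID)
		delete(r.biometrics, a.ClientID)
		unbound = append(unbound, a.ClientID)
	}
	return unbound
}

// HandleRequest is the path taken when a client sends a data operation request:
// a bound client proceeds; an unbound (inactive) client must register again.
func (r *Registry) HandleRequest(clientID string) string {
	if r.bound[clientID] {
		return "proceed"
	}
	return "re-register"
}

func main() {
	now := time.Now()
	r := NewRegistry()
	r.Bind("alice", []byte("constructed-template-a"))
	r.Bind("bob", []byte("constructed-template-b"))
	records := []ClientActivity{ // constructed sample activity
		{"alice", now.Add(-24 * time.Hour), 2 * time.Hour, 50 * time.Hour},
		{"bob", now.Add(-90 * 24 * time.Hour), 30 * time.Minute, 10 * time.Hour},
	}
	fmt.Println("unbound:", r.Sweep(records, now, 0.5))
	fmt.Println("alice:", r.HandleRequest("alice"), " bob:", r.HandleRequest("bob"))
}
```

Deleting the stored biometric information at unbinding time, rather than merely flagging the client, is what limits the data held for dormant users; a later request from such a client goes through registration again, which re-collects the feature under the page's normal enrollment path.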
In order to solve the technical problem, an embodiment of the present application further provides a computer device. Referring to fig. 5, fig. 5 is a block diagram of a basic structure of a computer device according to the present embodiment.
The computer device 5 comprises a memory 51, a processor 52 and a network interface 53, which are communicatively connected to each other via a system bus. It is noted that only a computer device 5 having components 51-53 is shown, but it is understood that not all of the shown components are required to be implemented, and that more or fewer components may be implemented instead. As will be understood by those skilled in the art, the computer device is a device capable of automatically performing numerical calculation and/or information processing according to preset or stored instructions, and its hardware includes, but is not limited to, a microprocessor, an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA), a Digital Signal Processor (DSP), an embedded device, and the like.
The computer device can be a desktop computer, a notebook, a palm computer, a cloud server and other computing devices. The computer equipment can carry out man-machine interaction with a user through a keyboard, a mouse, a remote controller, a touch panel or voice control equipment and the like.
The memory 51 includes at least one type of readable storage medium, including flash memory, hard disks, multimedia cards, card-type memory (e.g., SD or DX memory), Random Access Memory (RAM), Static Random Access Memory (SRAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), Programmable Read Only Memory (PROM), magnetic memory, magnetic disks, optical disks, etc. In some embodiments, the memory 51 may be an internal storage unit of the computer device 5, such as a hard disk or a memory of the computer device 5. In other embodiments, the memory 51 may also be an external storage device of the computer device 5, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card, a Flash Card, and the like, provided on the computer device 5. Of course, the memory 51 may also comprise both an internal storage unit of the computer device 5 and an external storage device thereof. In this embodiment, the memory 51 is generally used for storing an operating system installed in the computer device 5 and various types of application software, such as the program code of the X method. Further, the memory 51 may also be used to temporarily store various types of data that have been output or are to be output.
The processor 52 may be a Central Processing Unit (CPU), controller, microcontroller, microprocessor, or other data Processing chip in some embodiments. The processor 52 is typically used to control the overall operation of the computer device 5. In this embodiment, the processor 52 is configured to execute the program code stored in the memory 51 or process data, for example, execute the program code of the X method.
The network interface 53 may comprise a wireless network interface or a wired network interface, and the network interface 53 is generally used for establishing communication connections between the computer device 5 and other electronic devices.
The present application further provides another embodiment, which is to provide a computer-readable storage medium storing the security authentication method program, which is executable by at least one processor to cause the at least one processor to perform the steps of the security authentication method as described above.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus the necessary general-purpose hardware platform, and certainly can also be implemented by hardware, but in many cases the former is the better embodiment. Based on such understanding, the technical solutions of the present application may be embodied in the form of a software product, which is stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (such as a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present application.
The application is operational with numerous general purpose or special purpose computing system environments or configurations. For example: personal computers, server computers, hand-held or portable devices, tablet-type devices, multiprocessor systems, microprocessor-based systems, set top boxes, programmable consumer electronics, network PCs, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, and the like. The application may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The application may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
It is to be understood that the above-described embodiments merely illustrate some embodiments of the invention and are not restrictive, and that the appended drawings illustrate preferred embodiments of the invention and do not limit its scope. This application is capable of embodiments in many different forms and is provided for the purpose of enabling a thorough understanding of the disclosure of the application. Although the present application has been described in detail with reference to the foregoing embodiments, it will be apparent to one skilled in the art that the present application may be practiced with modifications to, or equivalents of, some of the features described in the foregoing embodiments. All equivalent structures made by using the contents of the specification and the drawings of the present application, whether applied directly or indirectly to other related technical fields, are within the protection scope of the present application.

Claims (10)

1. A safety certification method is characterized in that the method is applied to a safety certification system, the safety certification system comprises an intermediate certification end, a server end, an application end and N clients, the clients are in communication connection with the intermediate certification end, the intermediate certification end is in communication connection with the server end, the intermediate certification end is in communication connection with the application end, and N is a positive integer greater than 1;
the method comprises the following steps:
the intermediate authentication end receives a login event for data transmission between the client and the application end;
the intermediate authentication end sends the identity information of the client to the server;
the intermediate authentication end receives a verification result of the server end for verifying the identity information;
and the intermediate authentication terminal determines whether to allow the application terminal to transmit data to the client terminal based on the received verification result.
2. A security authentication method as claimed in claim 1, wherein said security authentication system further comprises a biometric library, and before said intermediate authenticator sends the identity information of said client to said server, said method further comprises:
the intermediate authentication terminal sends a first authentication request to the biological feature library, wherein the first authentication request comprises biological feature information of the client;
the biological characteristic library verifies based on the biological characteristic information in the first authentication request, and returns a characteristic verification result to the intermediate authentication end, wherein the characteristic verification result comprises an authorized result;
the intermediate authentication end allows data transmission with the client based on the received authorization result.
3. A security authentication method as claimed in claim 2, wherein said feature verification result further comprises an unauthorized result, and before said intermediate authentication end allows data transmission with said client based on said authorized result received, said method further comprises:
the intermediate authentication end returns an authority registration request to the client based on the unauthorized result;
the client creates authority information based on the authority registration request and sends the authority information to the intermediate authentication terminal, wherein the authority information comprises the identity information and the biological characteristic information;
the intermediate authentication terminal sends the authority information to the server terminal;
the server side verifies the authority information sent by the client side and received by the intermediate authentication side;
under the condition that the verification is passed, the intermediate authentication terminal binds the client according to the identity information created by the client to allow data transmission with the client; and transmitting the biological characteristic information created by the client to the biological characteristic library.
4. The security authentication method according to claim 1, wherein the receiving, by the intermediate authentication end, the verification result of the authentication performed on the identity information by the server end specifically includes:
the server receives a second authentication request sent by the intermediate authentication terminal, wherein the second authentication request comprises the identity information of the client;
the server verifies the identity information in the second authentication request based on a preset user list;
under the condition that the user list comprises the identity information, the server side determines that the second authentication request is successfully verified, and sends a successful verification result and a digital certificate corresponding to the identity information to the intermediate authentication side;
and under the condition that the user list does not comprise the identity information, the server side determines that the second authentication request fails to be verified, and sends a verification failure result to the intermediate authentication side.
5. The security authentication method according to claim 1, wherein the intermediate authentication end determines whether to allow the application end to perform data transmission on the client based on the received verification result, and the method specifically includes:
based on the verification success result, the intermediate authentication terminal generates response data corresponding to the login event according to the determined digital certificate, and returns the response data to the client;
the client identifies the response data, generates an encryption request corresponding to the response data based on a preset abstract algorithm and sends the encryption request to the application terminal;
the application terminal forwards the encryption request to the intermediate authentication terminal for verification;
and under the condition that the verification is passed, the application terminal transmits data to the client terminal.
6. A security authentication method as claimed in claim 3, the method further comprising:
the identity information and the biological characteristic information corresponding to the client are encrypted and transmitted to the intermediate authentication end by utilizing a preset private key;
and the intermediate authentication terminal decrypts the identity information and the biological characteristic information corresponding to the client.
7. The secure authentication method of claim 1, wherein after the intermediate authentication end determines whether to allow the application end to perform data transmission on the client based on the received verification result, the method further comprises:
the intermediate authentication end acquires the activity of each client;
and when the activity of the client is lower than a preset threshold, the intermediate authentication end is unbound with the client.
8. A safety certification system is characterized by comprising an intermediate certification end, a server end, an application end and N clients, wherein the clients are in communication connection with the intermediate certification end, the intermediate certification end is in communication connection with the server end, the intermediate certification end is in communication connection with the application end, and N is a positive integer greater than 1;
the intermediate authentication terminal comprises a receiving module, a sending module, a verification module and a transmission module;
The receiving module is used for the intermediate authentication end to receive a login event for data transmission between the client and the application end;
the sending module is used for sending the identity information of the client to the server by the intermediate authentication terminal;
the verification module is used for the middle authentication end to receive a verification result of the server end for verifying the identity information;
the transmission module is configured to determine, by the intermediate authentication end, whether to allow the application end to perform data transmission on the client based on the received verification result.
9. An electronic device is characterized by comprising a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with each other through the communication bus;
a memory for storing a computer program;
a processor for implementing the security authentication method of any one of claims 1 to 7 when executing a program stored on a memory.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the secure authentication method according to any one of claims 1 to 7.
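The claims above describe the intermediate authentication end as a broker: it receives a client's login event, forwards the client's identity information to the server end, receives the verdict, gates application-to-client data transmission on that verdict (claims 1 and 8), and later unbinds clients whose activity drops below a threshold (claim 7). The following Python sketch is an added illustration of that flow and is not code from the patent or its applicant. The class and method names, the `server_verify` callback standing in for the server end, the constant-time token check it performs, the per-window activity counter and the sample client registry are all assumptions made for this example.

```python
"""Added example: an intermediate authentication end mediating between N clients,
one server end (verification) and one application end (data transmission).
All names, the verification callback and the sample data are assumptions for
this illustration, not the patent's own design."""
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed stand-in for the server end's credential store (assumption).
SERVER_REGISTRY: Dict[str, str] = {"client-A": "tok-A", "client-B": "tok-B"}


def server_verify(client_id: str, identity_info: dict) -> bool:
    """Server end: verify the forwarded identity information.

    Uses a constant-time comparison so a wrong token cannot be distinguished
    from a right one by timing. Unknown clients are rejected outright.
    """
    expected = SERVER_REGISTRY.get(client_id)
    if expected is None:
        return False
    return hmac.compare_digest(expected, identity_info.get("token", ""))


@dataclass
class ClientState:
    bound: bool = False   # True only after the server end verified the client
    activity: int = 0     # data-transmission events in the current window


class IntermediateAuthenticator:
    """Intermediate authentication end (hypothetical name)."""

    def __init__(self, verify: Callable[[str, dict], bool], activity_threshold: int):
        self._verify = verify                    # channel to the server end
        self._activity_threshold = activity_threshold
        self._clients: Dict[str, ClientState] = {}

    def on_login_event(self, client_id: str, identity_info: dict) -> bool:
        """Claims 1/8: receive login event, send identity to the server end,
        receive its verdict, and bind the client only on success."""
        verified = self._verify(client_id, identity_info)
        state = self._clients.setdefault(client_id, ClientState())
        state.bound = verified
        if not verified:
            state.activity = 0                   # a failed login earns no activity
        return verified

    def allow_transmission(self, client_id: str) -> bool:
        """Transmission module: the application end may send data to this client
        only while the client is bound. Each allowed transfer counts as activity."""
        state = self._clients.get(client_id)
        if state is None or not state.bound:
            return False
        state.activity += 1
        return True

    def prune_inactive(self) -> List[str]:
        """Claim 7: acquire each client's activity, unbind those below the
        threshold, and reset all counters for the next activity window."""
        unbound: List[str] = []
        for client_id, state in self._clients.items():
            if state.bound and state.activity < self._activity_threshold:
                state.bound = False
                unbound.append(client_id)
            state.activity = 0
        return sorted(unbound)

    def is_bound(self, client_id: str) -> bool:
        state = self._clients.get(client_id)
        return state is not None and state.bound


def run_demo() -> List[str]:
    """Walk one login/transfer/prune cycle and return the clients unbound by it."""
    auth = IntermediateAuthenticator(server_verify, activity_threshold=2)
    auth.on_login_event("client-A", {"token": "tok-A"})    # verified, bound
    auth.on_login_event("client-B", {"token": "wrong"})    # rejected, not bound
    auth.allow_transmission("client-A")                     # one transfer: activity 1
    auth.allow_transmission("client-B")                     # refused: not bound
    return auth.prune_inactive()                            # client-A below threshold


if __name__ == "__main__":
    print("unbound after one window:", run_demo())
```

The broker never inspects the credential itself; it only relays identity information and acts on the server end's verdict, which is what keeps the client-facing component portable across applications as the abstract claims. The activity window is reset on every prune so that a burst of past activity does not keep an idle client bound indefinitely.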
CN202310013585.XA 2023-01-05 2023-01-05 Security authentication method, system, equipment and storage medium Pending CN115834245A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310013585.XA CN115834245A (en) 2023-01-05 2023-01-05 Security authentication method, system, equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310013585.XA CN115834245A (en) 2023-01-05 2023-01-05 Security authentication method, system, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN115834245A true CN115834245A (en) 2023-03-21

Family

ID=85520188

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310013585.XA Pending CN115834245A (en) 2023-01-05 2023-01-05 Security authentication method, system, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN115834245A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102970299A (en) * 2012-11-27 2013-03-13 西安电子科技大学 File safe protection system and method thereof
US20170310660A1 (en) * 2016-04-25 2017-10-26 Unisys Corporation Single sign on system for secure networks
CN108881290A (en) * 2018-07-17 2018-11-23 深圳前海微众银行股份有限公司 Digital certificate application method, system and storage medium based on block chain
CN108965250A (en) * 2018-06-06 2018-12-07 阿里巴巴集团控股有限公司 A kind of digital certificate installation method and system
CN113672897A (en) * 2021-07-22 2021-11-19 北京奇艺世纪科技有限公司 Data communication method, device, electronic equipment and storage medium
CN114679293A (en) * 2021-06-15 2022-06-28 腾讯云计算(北京)有限责任公司 Access control method, device and storage medium based on zero trust security

Similar Documents

Publication Publication Date Title
CN110417750B (en) Block chain technology-based file reading and storing method, terminal device and storage medium
CN111080295B (en) Electronic contract processing method and device based on blockchain
CN105608577B (en) Method for realizing non-repudiation, payment management server and user terminal thereof
WO2017197974A1 (en) Biometric characteristic-based security authentication method, device and electronic equipment
CN101527633B (en) Method for intelligent key devices to obtain digital certificates
CN111064757B (en) Application access method and device, electronic equipment and storage medium
US20130254535A1 (en) Embedded extrinsic source for digital certificate validation
KR102248237B1 (en) Decentralized identifiers system using browser-based security personal identification number authentication and method thereof
CN109691057A (en) Sensitive content is convertibly fetched via private contents distribution network
JP2018504789A (en) Payment authentication system, method and apparatus
CN110826043A (en) Digital identity application system and method, identity authentication system and method
CN109660534B (en) Multi-merchant-based security authentication method and device, electronic equipment and storage medium
CN110601858B (en) Certificate management method and device
CN109995699B (en) Multimedia equipment management system
US20210241270A1 (en) System and method of blockchain transaction verification
JP7223067B2 (en) Methods, apparatus, electronics, computer readable storage media and computer programs for processing user requests
CN109194651A (en) A kind of identity identifying method, device, equipment and storage medium
CN114760071B (en) Zero-knowledge proof based cross-domain digital certificate management method, system and medium
CN109587100A (en) A kind of cloud computing platform user authentication process method and system
CN115001841A (en) Identity authentication method, identity authentication device and storage medium
CN116226289A (en) Electronic certificate management method, device, equipment and storage medium based on blockchain
CN113434882A (en) Communication protection method and device of application program, computer equipment and storage medium
CN113869901B (en) Key generation method, key generation device, computer-readable storage medium and computer equipment
CN115482132A (en) Data processing method and device for electronic contract based on block chain and server
CN111178896B (en) Bus taking payment method, device and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20230321