CN116015812A - Server fingerprint authentication method, device and storage medium - Google Patents


Info

Publication number: CN116015812A
Authority: CN (China)
Prior art keywords: fingerprint, server, client, unencrypted, encrypted
Legal status: Pending
Application number: CN202211626383.4A
Other languages: Chinese (zh)
Inventor: 黄建
Current Assignee: Maipu Communication Technology Co Ltd
Original Assignee: Maipu Communication Technology Co Ltd
Application filed by Maipu Communication Technology Co Ltd; priority to CN202211626383.4A

Abstract

The application provides a server fingerprint authentication method, device and storage medium, wherein the method comprises the following steps: the client receives the encrypted fingerprint and the unencrypted fingerprint sent by the server, the encrypted fingerprint being obtained by the server encrypting its unencrypted fingerprint with the public key of the client; the client decrypts the encrypted fingerprint with its private key; and if the decryption succeeds, the client obtains the authenticated fingerprint of the server from the unencrypted fingerprint and the actual decrypted fingerprint. The method can directly realize automatic authentication of the server fingerprint through the public key stored on the server and the private key of the client, on the basis of the existing public key authentication process; it avoids the manual authentication step for the user and offers higher usability on the premise of ensuring security.

Description

Server fingerprint authentication method, device and storage medium
Technical Field
The present invention relates to the field of remote access technology for data communication, and in particular, to a server fingerprint authentication method, device and storage medium.
Background
SSH (Secure Shell) is a network security protocol that implements services such as secure access and file transfer through encryption and authentication mechanisms. In the current SSH interaction scenario, when an SSH client logs in to an SSH server, the SSH server sends its own server fingerprint to the SSH client during SSH message interaction, and the SSH client compares the fingerprint information sent by the SSH server with the server fingerprint information it has stored, to confirm whether the server is the target server the SSH client intends to access.
Currently, when the client does not store fingerprint information of the server, for example, when the SSH client accesses the SSH server for the first time, a user is required to manually confirm whether the fingerprint information sent by the server is the fingerprint information of the target SSH server itself, so as to confirm whether the SSH server accessed by the SSH client is the target SSH server.
However, the manual confirmation of fingerprint information by a user has a problem of poor security and usability.
Disclosure of Invention
The present application aims to provide a server fingerprint authentication method, device and storage medium for solving the problem of poor security and usability of manually confirming fingerprint information in the prior art.
In order to achieve the above purpose, the technical scheme adopted in the application is as follows:
in a first aspect, the present application provides a server fingerprint authentication method, applied to a client, the method including:
receiving an encrypted fingerprint and an unencrypted fingerprint sent by a server, wherein the encrypted fingerprint is obtained by encrypting the unencrypted fingerprint by the server based on a public key of the client;
decrypting the encrypted fingerprint according to the private key of the client;
and if the decryption is successful, obtaining the authenticated fingerprint of the server according to the unencrypted fingerprint and the decrypted actual decrypted fingerprint.
Optionally, the obtaining the authenticated fingerprint of the server according to the unencrypted fingerprint and the decrypted actual decrypted fingerprint includes:
comparing the unencrypted fingerprint with the actual decrypted fingerprint;
and if the unencrypted fingerprint is the same as the actual decrypted fingerprint, taking the unencrypted fingerprint as the authenticated fingerprint of the server.
Optionally, after said comparing the unencrypted fingerprint with the actual decrypted fingerprint, further comprising:
and if the unencrypted fingerprint is different from the actual decrypted fingerprint, sending first authentication failure information to the server, wherein the first authentication failure information is used for indicating that the unencrypted fingerprint was not successfully authenticated and that the reason for the authentication failure is an inconsistent fingerprint comparison.
Optionally, after decrypting the encrypted fingerprint according to the private key of the client, the method further includes:
and if the decryption fails, sending second authentication failure information to the server, wherein the second authentication failure information is used for indicating that the unencrypted fingerprint is not authenticated successfully and the reason that the unencrypted fingerprint is not authenticated successfully is decryption failure.
Optionally, the receiving the encrypted fingerprint and the unencrypted fingerprint sent by the server includes:
sending a first access request to the server;
and receiving the encrypted fingerprint and the unencrypted fingerprint sent by the server in response to the first access request.
In a second aspect, the present application provides a server fingerprint authentication method, applied to a server, where the method includes:
encrypting the unencrypted fingerprints of the server according to the public key of the client to obtain encrypted fingerprints of the server;
and sending the encrypted fingerprint and the unencrypted fingerprint to the client so that the client determines the authenticated fingerprint of the server based on the encrypted fingerprint and the unencrypted fingerprint.
Optionally, the sending the encrypted fingerprint and the unencrypted fingerprint to the client includes:
and when a first access request sent by the client is received, responding to the first access request, and sending the encrypted fingerprint and the unencrypted fingerprint to the client.
Optionally, the method further comprises:
receiving first authentication failure information sent by the client, wherein the first authentication failure information is used for indicating that the unencrypted fingerprint was not successfully authenticated and that the reason for the authentication failure is an inconsistent fingerprint comparison;
and according to the first authentication failure information, the encrypted fingerprint and the unencrypted fingerprint are sent to the client again.
In a third aspect, the present application provides an electronic device, including: a processor, a storage medium and a bus, the storage medium storing machine-readable instructions executable by the processor, the processor and the storage medium communicating over the bus when the electronic device is running, the processor executing the machine-readable instructions to perform the steps of the server fingerprint authentication method according to the first aspect or the second aspect.
In a fourth aspect, the present application provides a computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of the server fingerprint authentication method according to the first aspect or the second aspect described above.
The beneficial effects of this application are: the client receives the encrypted fingerprint and the unencrypted fingerprint sent by the server, the encrypted fingerprint being obtained by the server encrypting its unencrypted fingerprint with the public key of the client; the client decrypts the encrypted fingerprint with its private key; and if the decryption succeeds, the client obtains the authenticated fingerprint of the server from the unencrypted fingerprint and the actual decrypted fingerprint. The method can directly realize automatic authentication of the server fingerprint through the public key stored on the server and the private key of the client, on the basis of the existing public key authentication process; it avoids the manual authentication step for the user and offers higher usability on the premise of ensuring security.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments will be briefly described below, it being understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered limiting the scope, and that other related drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 shows a schematic diagram of an SSH interaction scenario provided in an embodiment of the present application;
Fig. 2 shows a flowchart of a server fingerprint authentication method applied to a client according to an embodiment of the present application;
Fig. 3 shows a flowchart for determining the authenticated fingerprint provided by an embodiment of the present application;
Fig. 4 shows a flowchart for receiving an unencrypted fingerprint and an encrypted fingerprint provided by an embodiment of the present application;
Fig. 5 shows a flowchart of yet another server fingerprint authentication method applied to a client according to an embodiment of the present application;
Fig. 6 shows a flowchart of a server fingerprint authentication method applied to a server according to an embodiment of the present application;
Fig. 7 shows a flowchart of receiving first authentication failure information according to an embodiment of the present application;
Fig. 8 shows a flowchart of a server fingerprint authentication method according to an embodiment of the present application;
Fig. 9 shows a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present application more clear, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it should be understood that the accompanying drawings in the present application are only for the purpose of illustration and description, and are not intended to limit the protection scope of the present application. In addition, it should be understood that the schematic drawings are not drawn to scale. A flowchart, as used in this application, illustrates operations implemented according to some embodiments of the present application. It should be understood that the operations of the flow diagrams may be implemented out of order and that steps without logical context may be performed in reverse order or concurrently. Moreover, one or more other operations may be added to the flow diagrams and one or more operations may be removed from the flow diagrams as directed by those skilled in the art.
In addition, the described embodiments are only some, but not all, of the embodiments of the present application. The components of the embodiments of the present application, which are generally described and illustrated in the figures herein, may be arranged and designed in a wide variety of different configurations. Thus, the following detailed description of the embodiments of the present application, as provided in the accompanying drawings, is not intended to limit the scope of the application, as claimed, but is merely representative of selected embodiments of the application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present application without making any inventive effort, are intended to be within the scope of the present application.
It should be noted that the term "comprising" will be used in the embodiments of the present application to indicate the presence of the features stated hereinafter, but not to exclude the addition of other features.
In the SSH interaction scenario, as shown in fig. 1, the SSH interaction scenario generally includes an SSH client and an SSH server, where the SSH server sends its own fingerprint (which may uniquely identify the SSH server) to the SSH client in the message interaction process, and the SSH client compares the fingerprint information sent by the SSH server with the server fingerprint information already stored by the SSH client, to confirm whether the server is a target server to be accessed by itself.
When the client does not store the fingerprint information of the server, for example, when the SSH client accesses the SSH server for the first time, the user needs to manually confirm whether the fingerprint information sent by the server is the fingerprint information of the target SSH server itself, so as to confirm whether the SSH server accessed by the SSH client is the target SSH server, and if so, establish a secure connection with the target server.
However, there are cases where the user confirms the fingerprint information manually, and thus the security is poor, and there is also a problem that the usability is poor by manually checking the server fingerprint.
Therefore, how to implement automatic SSH server fingerprint authentication becomes a problem to be solved.
Based on the above problems, the present application proposes a method for server fingerprint authentication, which may be applied to a client, and an exemplary client may be an SSH client shown in fig. 1, and the method for server fingerprint authentication of the present application will be described with reference to fig. 2, where the method includes:
s201: and receiving the encrypted fingerprint and the unencrypted fingerprint sent by the server, wherein the encrypted fingerprint is obtained by encrypting the unencrypted fingerprint by the server based on the public key of the client.
Alternatively, the client may generate a public-private key pair, where the public-private key pair includes a public key and a private key, and the information encrypted by the public key can be decrypted only by the private key corresponding to the public key.
It should be noted that, after the client generates the public-private key pair, the public key and the identity information of the client may first be stored on the server. For example, the client may package the public key and its identity information into a message and send the message to the server, or the user may copy the public key and the identity information of the client to the server by a secure means.
Alternatively, the unencrypted fingerprint may be a unique identification of the server, and illustratively, a hash of the public key of the server may be used as the unencrypted fingerprint of the server, or a hash value of the device identification of the server may be used as the unencrypted fingerprint of the server. The encrypted fingerprint may be obtained by the server encrypting the unencrypted fingerprint of the server based on the public key of the client.
As a possible implementation manner, the client may first send a security verification request to the server, after receiving the security verification request, the server may search the directory storing the public key for the client according to the identity information of the client in the security verification request, encrypt the unencrypted fingerprint of the server according to the public key, obtain an encrypted fingerprint, and send both the unencrypted fingerprint and the encrypted fingerprint to the client.
As another possible implementation manner, the server may also actively initiate fingerprint authentication to the client, encrypt the unencrypted fingerprint of the server according to the public key of the client, obtain an encrypted fingerprint, and send the encrypted fingerprint and the unencrypted fingerprint to the client corresponding to the public key.
S202: and decrypting the encrypted fingerprint according to the private key of the client.
Optionally, after receiving the unencrypted fingerprint and the encrypted fingerprint sent by the server, the client may decrypt the encrypted fingerprint according to a private key that interacts with the server.
It is worth noting that the public and private keys belonging to one public-private key pair have the following properties: data encrypted with the public key can be decrypted only with the corresponding private key, and data encrypted with the private key can be decrypted only with the corresponding public key. Therefore, as long as the public key and the private key belong to the same public-private key pair, the client can use its private key to decrypt the encrypted fingerprint that was encrypted with the public key.
S203: and if the decryption is successful, obtaining the authenticated fingerprint of the server according to the unencrypted fingerprint and the decrypted actual decrypted fingerprint.
Optionally, if the private key used by the client for decryption and the public key used by the server for encryption correspond, i.e. belong to the same public-private key pair, the client can successfully decrypt the encrypted fingerprint. Otherwise, if the decryption fails, this indicates that the private key of the client does not correspond to the public key used to encrypt the encrypted fingerprint.
Optionally, the client decrypts the encrypted fingerprint according to the private key, and then obtains the actual decrypted fingerprint. For example, assuming that the unencrypted fingerprint is fingerprint 1 and the encrypted fingerprint is fingerprint 2, after receiving fingerprint 1 and fingerprint 2, the client may decrypt fingerprint 2 with the private key to obtain fingerprint 3, where fingerprint 3 is the actual decrypted fingerprint.
When the actual decrypted fingerprint and the unencrypted fingerprint are the same, the server fingerprint can be considered correct, and the authenticated fingerprint of the server may be the unencrypted fingerprint. If they are not identical, the fingerprint of the server may have been modified, or the client may be authenticating the wrong server (e.g., the client originally wants to authenticate the fingerprint of server A but receives the fingerprint of server B), and the authentication may be regarded as failed.
In the embodiment of the application, the client receives the encrypted fingerprint and the unencrypted fingerprint sent by the server, decrypts the encrypted fingerprint with its private key to obtain the actual decrypted fingerprint, and obtains the authenticated fingerprint of the server from the actual decrypted fingerprint and the unencrypted fingerprint. The method can directly realize automatic authentication of the server fingerprint through the public key stored on the server and the private key of the client, on the basis of the existing public key authentication process; it avoids the manual authentication step for the user and offers higher usability on the premise of ensuring security.
Next, the steps of obtaining the authenticated fingerprint of the server from the unencrypted fingerprint and the actual decrypted fingerprint will be described with reference to fig. 3, and as shown in fig. 3, the step S203 includes:
s301: the unencrypted fingerprint is compared to the actual decrypted fingerprint.
Alternatively, the client may compare the unencrypted fingerprint with the actual decrypted fingerprint. For example, the hash value of the unencrypted fingerprint may be compared with the hash value of the actually decrypted fingerprint, bit by bit, for example, by a software process on the client.
S302: if the unencrypted fingerprint is the same as the actual decrypted fingerprint, the unencrypted fingerprint is used as the authenticated fingerprint of the server.
Alternatively, if the unencrypted fingerprint is the same as the actual decrypted fingerprint. For example, assuming that the hash values of the unencrypted fingerprint and the actual decrypted fingerprint are the same after the front-to-back comparison, each bit of the hash value is determined to be the same, the unencrypted fingerprint and the actual decrypted fingerprint may be considered the same.
It should be noted that, when the unencrypted fingerprint is the same as the actually decrypted fingerprint, it may be stated that the fingerprint of the server is not tampered in the transmission process, and then the unencrypted fingerprint may be used as the authenticated fingerprint of the server and stored.
As another possible implementation manner, after comparing the unencrypted fingerprint with the actual decrypted fingerprint, the method further includes:
if the unencrypted fingerprint is different from the actual decrypted fingerprint, first authentication failure information is sent to the server, wherein the first authentication failure information is used for indicating that the unencrypted fingerprint is not authenticated successfully and the reasons of the authentication failure are inconsistent in fingerprint comparison.
It should be noted that, after the server encrypts the fingerprint to obtain the encrypted fingerprint, the situation that the unencrypted fingerprint is tampered may occur, and at this time, the unencrypted fingerprint received by the client is actually a modified fingerprint, and after the client performs the comparison, the situation that the comparison result is that the unencrypted fingerprint is different from the actual decrypted fingerprint may occur.
For example, assuming that hash values of an unencrypted fingerprint and an actually decrypted fingerprint are compared bit by bit, and a comparison result is finally determined to be different, it is explained that the fingerprint sent to the client by the server is modified, and at this time, the client may send first authentication failure information to the server.
Alternatively, the first authentication failure information may indicate to the server that the unencrypted fingerprint was not successfully authenticated on the client, and that the reason for the failure is that the unencrypted fingerprint and the actual decrypted fingerprint are not identical.
In the step S202, after decrypting the encrypted fingerprint according to the private key of the client, the method further includes, in addition to the case of successful decryption:
if decryption fails, second authentication failure information is sent to the server, wherein the second authentication failure information is used for indicating that the unencrypted fingerprint is not authenticated successfully and the reason that the unencrypted fingerprint is not authenticated successfully is decryption failure.
Alternatively, when the client fails to decrypt the encrypted fingerprint, it is indicated that the fingerprint sent by the server to the client may be modified, or that the client authenticates a fingerprint other than the target server, at which time the client may send second authentication failure information to the server.
Optionally, the second authentication failure information may indicate to the server that the unencrypted fingerprint was not successfully authenticated on the client, and that the reason for the failure of the authentication is a decryption failure.
Next, a case where the client authenticates a fingerprint that is not the target server's is illustrated. For example, assume that the client sends a security verification request to server A (which may be regarded as the target server), but then receives an encrypted fingerprint and an unencrypted fingerprint sent by server B. When the client fails to decrypt the encrypted fingerprint with the private key it uses for communication with server A, this indicates that the public key used to encrypt the encrypted fingerprint does not correspond to the client's private key, and the client can conclude that the encrypted fingerprint is not the fingerprint of server A.
Next, the step S201 is described, and as shown in fig. 4, the step of receiving the encrypted fingerprint and the unencrypted fingerprint sent by the server includes:
s401: and sending a first access request to the server.
Alternatively, the client may send a first access request (i.e., the security authentication request described above) to the server to begin security authentication with the server.
It is noted that the first access request may be a request message sent to the SSH server when the SSH client first accesses the server in the SSH public key authentication process shown in fig. 1.
S402: the receiving server responds to the encrypted fingerprint and the unencrypted fingerprint sent by the first access request.
Optionally, after receiving the first access request sent by the client, the server may send the encrypted fingerprint and the unencrypted fingerprint to the client, where the client may receive the encrypted fingerprint and the unencrypted fingerprint, and perform the steps S202 to S203 to complete the fingerprint authentication process of the server.
As another possible implementation manner, the server may also actively perform security authentication, that is, the server determines a client that needs to perform active authentication from the public key directory, encrypts an unencrypted fingerprint of the server based on the public key of the client, and sends the unencrypted fingerprint and the encrypted fingerprint to the client for authentication.
Next, a further explanation of the server fingerprint authentication method of the client will be described with reference to fig. 5.
As shown in fig. 5, after receiving the encrypted fingerprint and the unencrypted fingerprint sent by the server, the client may decrypt the encrypted fingerprint with its private key, and if the decryption fails, send the second authentication failure information to the server. If the decryption succeeds, the unencrypted fingerprint and the actual decrypted fingerprint are then compared. If the unencrypted fingerprint is the same as the actual decrypted fingerprint, the unencrypted fingerprint can be used as the authenticated fingerprint of the server; if the unencrypted fingerprint and the actual decrypted fingerprint differ, the client may send the first authentication failure information to the server.
It should be noted that, after the client sends the first authentication failure information or the second authentication failure information to the server, the client may resend the access request to the target server and receive the unencrypted fingerprint and the encrypted fingerprint sent by the target server again, so as to re-authenticate the fingerprint of the server.
The method on the client side is described above, and the fingerprint authentication method on the server side of the present application is described next, and the server may be, for example, an SSH server in fig. 1, as shown in fig. 6, and the method includes:
s601: and encrypting the unencrypted fingerprints of the server according to the public key of the client to obtain the encrypted fingerprints of the server.
Alternatively, after the client generates the public-private key pair, the server may obtain the public key of the client. The server may receive a message containing the public key sent by the client to obtain the client public key, or may copy the client public key file to the server by the user, for example.
The server may determine the public key of the client from the first access request after receiving the first access request of the client. For example, the server may parse the first access request, determine the device identification of the client, and search the public key of the client in the directory storing the public key according to the device identification of the client.
Alternatively, the unencrypted fingerprint of the server may be the unique identification of the server.
Optionally, after determining the public key of the client, the server may encrypt the unencrypted fingerprint according to the public key to obtain an encrypted fingerprint.
As a possible implementation manner, the server may first send the unencrypted fingerprint to the client, and after the server encrypts the unencrypted fingerprint to obtain an encrypted fingerprint, send the encrypted fingerprint to the client.
As another possible implementation manner, the server may also encapsulate the unencrypted fingerprint and the encrypted fingerprint into one authentication message, and send the authentication message to the client.
S602: the encrypted fingerprint and the unencrypted fingerprint are sent to the client such that the client determines an authenticated fingerprint for the server based on the encrypted fingerprint and the unencrypted fingerprint.
Optionally, after the server sends the encrypted fingerprint and the unencrypted fingerprint to the client, the client may perform the steps S201-S203 described above to determine the authenticated fingerprint of the server.
In the embodiment of the application, the server encrypts the unencrypted fingerprint based on the public key to obtain the encrypted fingerprint, and sends the encrypted fingerprint and the unencrypted fingerprint to the client for authentication, so that the automatic authentication of the server fingerprint can be directly realized through the public key on the server and the private key of the client on the basis of the existing public key authentication process, the manual authentication process of a user is avoided, and the client has higher usability on the premise of ensuring the security.
The following is a description of the encrypted fingerprint and the unencrypted fingerprint sent to the client in the step S602, which includes:
and when the first access request sent by the client is received, sending the encrypted fingerprint and the unencrypted fingerprint to the client in response to the first access request.
Alternatively, the first access request may include the device identification of the client or the public key of the client.
As a possible implementation manner, a directory of public keys may be pre-stored in the server, where the directory may include the public keys and device identifiers corresponding to the public keys, and after the server receives the first access request, the server may parse to obtain the device identifier of the client, search the public key of the client in the directory storing the public keys according to the device identifier, encrypt the unencrypted fingerprint according to the public key, obtain an encrypted fingerprint, and send the unencrypted fingerprint and the encrypted fingerprint to the client.
As another possible implementation manner, when the first access request includes the public key of the client, the server may compare the public key parsed from the first access request with the public keys in the stored public key directory, determine the matching public key and the client corresponding to it, encrypt the unencrypted fingerprint according to that public key to obtain an encrypted fingerprint, and send the unencrypted fingerprint and the encrypted fingerprint to the client.
Next, the server-side step that follows the client sending the first authentication failure information to the server in fig. 5 is described. As shown in fig. 7, the method of the present application further includes:
S701: receiving first authentication failure information sent by the client, wherein the first authentication failure information is used for indicating that the unencrypted fingerprint is not authenticated successfully and that the reason for the authentication failure is an inconsistent fingerprint comparison.
Optionally, when the client compares the unencrypted fingerprint with the actual decrypted fingerprint and determines that they are inconsistent, the client may send the first authentication failure information to the server, and the server determines from the first authentication failure information that the unencrypted fingerprint was not authenticated successfully and that the reason for the failure is an inconsistent fingerprint comparison.
S702: and re-sending the encrypted fingerprint and the unencrypted fingerprint to the client according to the first authentication failure information.
It is noted that the first authentication failure information may indicate that the fingerprint sent by the server to the client may be modified, and thus after receiving the first authentication failure information of the client, the server may send the encrypted fingerprint and the unencrypted fingerprint to the client again.
Optionally, the first authentication failure information may include a device identifier of the client, and after receiving the first authentication failure information, the server may determine the client according to the device identifier, and resend the encrypted fingerprint and the unencrypted fingerprint to the client.
It should be noted that the second authentication failure information may indicate that the client fails to decrypt the encrypted fingerprint, and this indicates that the server is not the target server of the client, so after the server receives the second authentication failure information, the encrypted fingerprint and the unencrypted fingerprint may not be sent to the client again.
Next, a server fingerprint authentication method according to the present application will be further described with reference to fig. 8.
As shown in fig. 8, after the client sends the first access request to the server, the server may encrypt the unencrypted fingerprint based on the public key of the client in response to the first access request, obtain an encrypted fingerprint, and send the unencrypted fingerprint and the encrypted fingerprint to the client.
Referring to fig. 8, after receiving the unencrypted fingerprint and the encrypted fingerprint, the client may decrypt the encrypted fingerprint according to the private key, and if decryption is successful, the client may obtain an actual decrypted fingerprint; if the decryption fails, the client sends second authentication failure information to the server.
With continued reference to fig. 8, after the decryption is successful, the client may compare the actual decrypted fingerprint with the unencrypted fingerprint. If the actual decrypted fingerprint is consistent with the unencrypted fingerprint, indicating that the authentication is passed, the client may use the unencrypted fingerprint as the authenticated fingerprint of the server; if they are inconsistent, the client may send first authentication failure information to the server, so that the server sends the encrypted fingerprint and the unencrypted fingerprint to the client again.
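The exchange of fig. 8, written out as an added example; this is not code from the patent or from the applicant, and it fills in details the page leaves open: RSA-OAEP as the public-key scheme, SHA-256 of the host key as the fingerprint, a pre-stored directory keyed by device identifier as in the first implementation manner above, and constructed sample values for the host key and the device identifiers. The type `Outcome` and the function names are assumptions; the page only speaks of "first" and "second" authentication failure information.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Outcome is what the client reports back to the server. The names are
// assumptions; the page only speaks of first/second authentication failure information.
type Outcome int

const (
	Authenticated Outcome = iota // decrypted copy matched the unencrypted copy
	FirstFailure                 // decrypted fine but copies differ: server resends (S702)
	SecondFailure                // decryption failed: not the client's target, no resend
)

// fingerprintMessage is what S602 sends: the plain fingerprint and the same
// bytes encrypted under the client's public key.
type fingerprintMessage struct {
	Unencrypted []byte
	Encrypted   []byte
}

// serverSend answers a first access request: look the client's public key up in
// the pre-stored directory by device identifier, encrypt the fingerprint with it
// (RSA-OAEP is an assumption) and return both copies.
func serverSend(dir map[string]*rsa.PublicKey, deviceID string, fp []byte) (fingerprintMessage, error) {
	pub, ok := dir[deviceID]
	if !ok {
		return fingerprintMessage{}, fmt.Errorf("no public key on file for %q", deviceID)
	}
	enc, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fp, nil)
	if err != nil {
		return fingerprintMessage{}, err
	}
	return fingerprintMessage{Unencrypted: fp, Encrypted: enc}, nil
}

// clientVerify is S201-S203: decrypt with the private key, compare with the
// unencrypted copy, and return the authenticated fingerprint or a failure class.
func clientVerify(priv *rsa.PrivateKey, msg fingerprintMessage) ([]byte, Outcome) {
	dec, err := rsa.DecryptOAEP(sha256.New(), nil, priv, msg.Encrypted, nil)
	if err != nil { // OAEP rejects ciphertext made for another key or altered in transit
		return nil, SecondFailure
	}
	if !bytes.Equal(dec, msg.Unencrypted) {
		return nil, FirstFailure
	}
	return msg.Unencrypted, Authenticated
}

// serverShouldResend is S701/S702: only the first failure class earns a fresh copy.
func serverShouldResend(o Outcome) bool { return o == FirstFailure }

func mustKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// runScenarios walks the three paths of fig. 8 and returns the outcome the
// client reports in each. Host key and device identifiers are constructed values.
func runScenarios() [3]Outcome {
	clientKey, otherKey := mustKey(), mustKey()
	dir := map[string]*rsa.PublicKey{"client-A": &clientKey.PublicKey, "client-B": &otherKey.PublicKey}
	sum := sha256.Sum256([]byte("constructed sample host key")) // fingerprint = SHA-256 (assumption)
	fp := sum[:]
	var out [3]Outcome
	// 1. Correct key, untouched message: the client accepts the fingerprint.
	msg, err := serverSend(dir, "client-A", fp)
	if err != nil {
		panic(err)
	}
	_, out[0] = clientVerify(clientKey, msg)
	// 2. Unencrypted copy altered on the wire: decryption works, comparison fails.
	tampered := msg
	tampered.Unencrypted = append([]byte{}, fp...)
	tampered.Unencrypted[0] ^= 0xff
	_, out[1] = clientVerify(clientKey, tampered)
	// 3. Server encrypted for another client: this private key cannot decrypt.
	wrong, _ := serverSend(dir, "client-B", fp)
	_, out[2] = clientVerify(clientKey, wrong)
	return out
}

func main() {
	for i, o := range runScenarios() {
		fmt.Printf("scenario %d: outcome=%d resend=%v\n", i+1, o, serverShouldResend(o))
	}
}
```

One design point the page's two failure classes depend on: the "decryption fails" branch (second authentication failure information) only exists if the public-key scheme rejects ciphertext that was not produced for this key. RSA-OAEP does, which is why scenario 3 is reported as a decryption failure rather than as a fingerprint mismatch; unpadded RSA would instead decrypt a foreign ciphertext to arbitrary bytes and collapse the two cases into the first failure class, causing the server to resend to a client that is not its own.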
Based on the same inventive concept, the embodiment of the present application further provides a server fingerprint authentication device corresponding to the server fingerprint authentication method, and since the principle of solving the problem by the device in the embodiment of the present application is similar to that of the server fingerprint authentication method in the embodiment of the present application, the implementation of the device may refer to the implementation of the method, and the repetition is omitted.
The embodiment of the application provides a server fingerprint authentication device applied to a client, which comprises: the device comprises a receiving module, a decryption module and a determining module, wherein:
the receiving module is used for: receiving encrypted fingerprints and unencrypted fingerprints sent by a server, wherein the encrypted fingerprints are obtained by encrypting the unencrypted fingerprints of the server by the server based on a public key of a client;
the decryption module is used for: decrypting the encrypted fingerprint according to the private key of the client;
the determining module is used for: and if the decryption is successful, obtaining the authenticated fingerprint of the server according to the unencrypted fingerprint and the decrypted actual decrypted fingerprint.
Optionally, the determining module is further configured to: comparing the unencrypted fingerprint with the actual decrypted fingerprint;
if the unencrypted fingerprint is the same as the actual decrypted fingerprint, the unencrypted fingerprint is used as the authenticated fingerprint of the server.
Optionally, the determining module is further configured to: if the unencrypted fingerprint is different from the actual decrypted fingerprint, first authentication failure information is sent to the server, wherein the first authentication failure information is used for indicating that the unencrypted fingerprint is not authenticated successfully and the reasons of the authentication failure are inconsistent in fingerprint comparison.
Optionally, the server fingerprint authentication device of the client may further comprise a notification module, configured to: if decryption fails, second authentication failure information is sent to the server, wherein the second authentication failure information is used for indicating that the unencrypted fingerprint is not authenticated successfully and the reason that the unencrypted fingerprint is not authenticated successfully is decryption failure.
Optionally, the receiving module is further configured to: send a first access request to the server;
and receive the encrypted fingerprint and the unencrypted fingerprint sent by the server in response to the first access request.
In another aspect, the present application further provides a server fingerprint authentication device applied to a server, where the device includes: encryption module and send module, wherein:
the encryption module is used for: encrypting the unencrypted fingerprint of the server according to the public key of the client to obtain an encrypted fingerprint of the server;
the sending module is used for: the encrypted fingerprint and the unencrypted fingerprint are sent to the client such that the client determines an authenticated fingerprint for the server based on the encrypted fingerprint and the unencrypted fingerprint.
Optionally, the sending module is further configured to: when a first access request sent by the client is received, respond to the first access request by sending the encrypted fingerprint and the unencrypted fingerprint to the client.
Optionally, the sending module is further configured to: receive first authentication failure information sent by the client, wherein the first authentication failure information is used for indicating that the unencrypted fingerprint is not authenticated successfully and that the reason for the authentication failure is an inconsistent fingerprint comparison;
and re-send the encrypted fingerprint and the unencrypted fingerprint to the client according to the first authentication failure information.
In the embodiment of the application, the client receives the encrypted fingerprint and the unencrypted fingerprint sent by the server, decrypts the encrypted fingerprint with its private key to obtain an actual decrypted fingerprint, and obtains the authenticated fingerprint of the server according to the actual decrypted fingerprint and the unencrypted fingerprint. The method can directly realize the automatic authentication of the server fingerprint through the public key on the server and the private key of the client based on the existing public key authentication process, avoids the manual authentication process of the user, and has higher usability on the premise of ensuring the safety.
The embodiment of the application further provides an electronic device, which may be the foregoing client or the foregoing server, as shown in fig. 9, which is a schematic structural diagram of the electronic device provided in the embodiment of the application, including: processor 901, memory 902, and a bus. The memory 902 stores machine-readable instructions executable by the processor 901, and when the computer device is running, the processor 901 communicates with the memory 902 via a bus, and when the machine-readable instructions are executed by the processor 901, the processing of the server-side or client-side server fingerprint authentication method described above is performed.
The embodiment of the application also provides a computer readable storage medium, and a computer program is stored on the computer readable storage medium, and the computer program is executed by a processor to execute the steps of the server fingerprint authentication method on the server side or the client side.
It will be clearly understood by those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described system and apparatus may refer to corresponding procedures in the method embodiments, which are not described in detail in this application. In the several embodiments provided in this application, it should be understood that the disclosed systems, devices, and methods may be implemented in other manners. The above-described apparatus embodiments are merely illustrative, and the division of the modules is merely a logical function division, and there may be additional divisions when actually implemented, and for example, multiple modules or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be through some communication interface, indirect coupling or communication connection of devices or modules, electrical, mechanical, or other form.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention may be embodied essentially, or in the part contributing to the prior art, or in part, in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or other various media capable of storing program code.
The foregoing is merely a specific embodiment of the present application, but the protection scope of the present application is not limited thereto, and any person skilled in the art can easily think about changes or substitutions within the technical scope of the present application, and the changes or substitutions are covered in the protection scope of the present application.

Claims (10)

1. A server fingerprint authentication method, applied to a client, the method comprising:
receiving an encrypted fingerprint and an unencrypted fingerprint sent by a server, wherein the encrypted fingerprint is obtained by encrypting the unencrypted fingerprint by the server based on a public key of the client;
decrypting the encrypted fingerprint according to the private key of the client;
and if the decryption is successful, obtaining the authenticated fingerprint of the server according to the unencrypted fingerprint and the decrypted actual decrypted fingerprint.
2. The method according to claim 1, wherein the obtaining the authenticated fingerprint of the server from the unencrypted fingerprint and the decrypted actual decrypted fingerprint comprises:
comparing the unencrypted fingerprint with the actual decrypted fingerprint;
and if the unencrypted fingerprint is the same as the actual decrypted fingerprint, taking the unencrypted fingerprint as the authenticated fingerprint of the server.
3. The method of claim 2, further comprising, after said comparing said unencrypted fingerprint to said actual decrypted fingerprint:
and if the unencrypted fingerprint is different from the actual decrypted fingerprint, sending first authentication failure information to the server, wherein the first authentication failure information is used for indicating that the unencrypted fingerprint is not authenticated successfully and that the reason for the authentication failure is an inconsistent fingerprint comparison.
4. The method of claim 1, further comprising, after decrypting the encrypted fingerprint according to the client's private key:
and if the decryption fails, sending second authentication failure information to the server, wherein the second authentication failure information is used for indicating that the unencrypted fingerprint is not authenticated successfully and the reason that the unencrypted fingerprint is not authenticated successfully is decryption failure.
5. The method of claim 1, wherein the receiving the encrypted fingerprint and the unencrypted fingerprint transmitted by the server comprises:
sending a first access request to the server;
and receiving the encrypted fingerprint and the unencrypted fingerprint sent by the server in response to the first access request.
6. A server fingerprint authentication method, applied to a server, the method comprising:
encrypting the unencrypted fingerprints of the server according to the public key of the client to obtain encrypted fingerprints of the server;
and sending the encrypted fingerprint and the unencrypted fingerprint to the client so that the client determines the authenticated fingerprint of the server based on the encrypted fingerprint and the unencrypted fingerprint.
7. The method of claim 6, wherein the sending the encrypted fingerprint and the unencrypted fingerprint to the client comprises:
and when a first access request sent by the client is received, responding to the first access request, and sending the encrypted fingerprint and the unencrypted fingerprint to the client.
8. The method of claim 6, wherein the method further comprises:
receiving first authentication failure information sent by the client, wherein the first authentication failure information is used for indicating that the unencrypted fingerprint is not authenticated successfully and that the reason for the authentication failure is an inconsistent fingerprint comparison;
and according to the first authentication failure information, the encrypted fingerprint and the unencrypted fingerprint are sent to the client again.
9. An electronic device, comprising: a processor, a storage medium and a bus, the storage medium storing program instructions executable by the processor, the processor and the storage medium communicating over the bus when the electronic device is running, the processor executing the program instructions to perform the steps of the server fingerprint authentication method according to any one of claims 1 to 5 or claims 6 to 8.
10. A computer readable storage medium, characterized in that the computer readable storage medium has stored thereon a computer program which, when executed by a processor, performs the steps of the server fingerprint authentication method according to any one of claims 1 to 5 or claims 6 to 8.
CN202211626383.4A 2022-12-16 2022-12-16 Server fingerprint authentication method, device and storage medium Pending CN116015812A (en)
Publication Number Publication Date
CN116015812A true CN116015812A (en) 2023-04-25
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination