CN116112233A - Identity authentication method, device, equipment and storage medium - Google Patents


Info

Publication number
CN116112233A
Authority
CN
China
Prior art keywords
name information
user
user name
secret key
seed
Legal status
Pending
Application number
CN202310009148.0A
Other languages
Chinese (zh)
Inventor
张宗骏
Current Assignee
Beijing Huayao Technology Co ltd
Original Assignee
Beijing Huayao Technology Co ltd
Application filed by Beijing Huayao Technology Co ltd
Priority to CN202310009148.0A
Publication of CN116112233A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords

Abstract

The embodiment of the application provides an identity authentication method, an identity authentication device, identity authentication equipment and a storage medium. The method is applied to the first gateway device and comprises the following steps: responding to a login request of a user side, and acquiring login information sent by the user side, wherein the login information comprises user name information and a first dynamic password; inquiring a seed secret key corresponding to the user side in a first database corresponding to the first gateway equipment based on the user name information; if the seed secret key is not queried, a query request is sent to at least one second gateway device so as to acquire the seed secret key from any one of the at least one second gateway device; and calculating to obtain a second dynamic password based on a preset algorithm and the seed secret key so as to authenticate the first dynamic password based on the second dynamic password and output an authentication result. The embodiment of the application can realize the sharing of the seed secret key among different security proxy devices so as to carry out identity authentication on the user terminal.

Description

Identity authentication method, device, equipment and storage medium
Technical Field
The embodiment of the application relates to the technical field of internet, in particular to an identity authentication method, an identity authentication device, identity authentication equipment and a storage medium.
Background
With the development of computer and internet technologies, security proxy devices are widely used in enterprises, and enterprise users access internal business systems through the security proxy devices to realize safe and reliable remote office. The security proxy device can be used only by authenticating a user, and various authentication modes are used for logging in the security proxy device by the user, so that the security is enhanced, and most enterprise users use a two-factor authentication mode, namely a mode of jointly authenticating a static password and a one-time password (One Time Password, abbreviated as OTP).
In some scenarios, each enterprise may have security proxy devices deployed in multiple domains, and enterprise users may access security proxy devices in any domain, requiring separate registration when users access different security proxy devices. At present, configuration synchronization among different security agent devices can be realized through a dual-computer hot standby method, and the need of independent registration when a user accesses different security agent devices is avoided.
However, the configuration of the dual hot standby method is complex, only configuration synchronization between two security proxy devices can be realized, and the configuration of the two security proxy devices is completely the same, so that the personalized requirements of enterprises cannot be realized.
Disclosure of Invention
The embodiment of the application provides an identity authentication method, an identity authentication device, identity authentication equipment and a storage medium, which are used for sharing seed keys among different security proxy equipment so as to authenticate the identity of a user terminal.
In a first aspect, an embodiment of the present application provides an identity authentication method, which is applied to a first gateway device, and includes:
responding to a login request of a user side, acquiring login information sent by the user side, wherein the login information comprises user name information and a first dynamic password, and the first dynamic password is calculated by the user side based on a preset algorithm and a seed key corresponding to the user name information;
inquiring a seed secret key corresponding to the user side in a first database corresponding to the first gateway equipment based on the user name information;
if the seed secret key is not queried, sending a query request to at least one second gateway device so as to acquire the seed secret key from any one of the at least one second gateway device;
and calculating to obtain a second dynamic password based on the preset algorithm and the seed secret key so as to authenticate the first dynamic password based on the second dynamic password and output an authentication result.
Preferably, the method further comprises: if the seed secret key corresponding to the user terminal is queried in a first database corresponding to the first gateway equipment based on the user name information, a third dynamic password is obtained through calculation based on the preset algorithm and the seed secret key, so that the first dynamic password is authenticated based on the third dynamic password, and an authentication result is output.
Preferably, the login information further includes an equipment identification code corresponding to the user side and a static password corresponding to the user name information;
before the seed secret key corresponding to the user terminal is queried in the first database corresponding to the first gateway equipment based on the user name information, the method further comprises the following steps:
judging whether the user name information is matched with the equipment identification code or not;
if the user name information is matched with the equipment identification code, judging whether the static password is valid or not;
and if the static password is valid, inquiring a seed secret key corresponding to the user terminal in a first database corresponding to the first gateway equipment based on the user name information.
Preferably, the method further comprises: responding to a registration request of a user side, and acquiring the user name information sent by the user side and a device identification code corresponding to the user side;
generating the seed secret key corresponding to the user name information based on a preset rule;
storing the user name information, the seed secret key and the corresponding relation between the user name information and the equipment identification code in the first database so as to inquire the seed secret key corresponding to the user side in the first database.
Preferably, after generating the seed key corresponding to the user name information based on a preset rule, the method further includes:
and transmitting the user name information, the device identification code and the seed secret key to the at least one second gateway device, so that the at least one second gateway device stores the user name information, the seed secret key and the corresponding relation between the user name information and the device identification code in its corresponding second database.
Preferably, before the user name information sent by the user side and the device identification code corresponding to the user side are obtained in response to a registration request of the user side, the method further includes:
responding to an access request of a user terminal, and sending an identity verification page to the user terminal, wherein the identity verification page comprises a first input control corresponding to user name information and a second input control corresponding to password information;
acquiring the user name information and the password information sent by the user terminal based on the first input control and the second input control;
judging whether the user name information and the password information are matched;
and if the user name information is matched with the password information, sending a registration page to the user side so that the user side can generate the registration request based on the registration page.
In a second aspect, an embodiment of the present application provides an identity authentication device, which is applied to a first gateway device, including:
the response module is used for responding to a login request of a user side, acquiring login information sent by the user side, wherein the login information comprises user name information and a first dynamic password, and the first dynamic password is obtained by calculation of the user side based on a preset algorithm and a seed secret key corresponding to the user name information;
the query module is used for querying a seed secret key corresponding to the user side in a first database corresponding to the first gateway equipment based on the user name information;
a sending module, configured to send a query request to at least one second gateway device if the seed key is not queried, so as to obtain the seed key from any one of the at least one second gateway device;
and the authentication module is used for calculating a second dynamic password based on the preset algorithm and the seed secret key so as to authenticate the first dynamic password based on the second dynamic password and output an authentication result.
In a third aspect, an embodiment of the present application provides an identity authentication method, which is applied to a second gateway device, including:
responding to a query request sent by first gateway equipment, and acquiring user name information corresponding to a user terminal;
inquiring a seed secret key corresponding to the user side in a second database corresponding to the second gateway equipment based on the user name information;
if the seed secret key corresponding to the user terminal is queried, the seed secret key is sent to the first gateway equipment, so that the first gateway equipment authenticates the user terminal based on the seed secret key.
In a fourth aspect, an embodiment of the present application provides an identity authentication device, which is applied to a second gateway device, including:
the response module is used for responding to the query request sent by the first gateway equipment and acquiring user name information corresponding to the user side;
the query module is used for querying a seed secret key corresponding to the user side in a second database corresponding to the second gateway equipment based on the user name information;
and the sending module is used for sending the seed secret key to the first gateway equipment if the seed secret key corresponding to the user terminal is queried, so that the first gateway equipment authenticates the user terminal based on the seed secret key.
In a fifth aspect, in an embodiment of the present application, there is provided an electronic device, including: a memory, a processor; wherein the memory has executable code stored thereon which, when executed by the processor, causes the processor to perform the authentication method according to the first or third aspect.
In a sixth aspect, embodiments of the present application provide a non-transitory machine-readable storage medium having executable code stored thereon, which when executed by a processor of an electronic device, causes the processor to perform the identity authentication method according to the first or third aspect.
The embodiment of the application provides an identity authentication method, based on which seed secret keys among different security proxy devices can be shared so as to realize identity authentication of a user. In the actual use process, the first gateway device can respond to the login request of the user terminal to acquire the user name information and the first dynamic password sent by the user terminal, and then can query the seed secret key corresponding to the user terminal in the first database according to the user name information. Under the condition that the seed secret key is not queried, the first gateway device can send a query request to the second gateway device, so that the second gateway device can send the seed secret key to the first gateway device after querying the seed secret key corresponding to the user terminal. Finally, the first gateway device may calculate a second dynamic password based on the seed key and authenticate the first dynamic password based on the second dynamic password.
In the scheme provided by the embodiment of the application, when the user terminal logs in the first gateway device, if the first gateway device does not inquire the seed secret key corresponding to the user terminal when authenticating the identity of the user terminal, an inquiry request can be sent to the second gateway device, so that the seed secret key corresponding to the user terminal is obtained through the second gateway device, and further authentication of the user terminal is achieved. The sharing of seed secret keys among a plurality of gateway devices can be realized without complex configuration work on the gateway devices; meanwhile, different gateway devices do not need to be configured identically, and personalized requirements of different enterprise users can be met.
These and other aspects of the present application will be more readily apparent from the following description of the embodiments.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, a brief description will be given below of the drawings that are needed in the embodiments or the prior art descriptions, and it is obvious that the drawings in the following description are some embodiments of the present application, and that other drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a network topology diagram of a security proxy device according to an embodiment of the present application.
Fig. 2 is a flowchart of an identity authentication method provided in an embodiment of the present application.
Fig. 3 is a flowchart of an identity authentication method according to an embodiment of the present application.
Fig. 4 is a flowchart of an identity registration method provided in an embodiment of the present application.
Fig. 5 is a flowchart of an identity registration method provided in an embodiment of the present application.
Fig. 6 is a flowchart of an identity authentication method according to an embodiment of the present application.
Fig. 7 is a schematic structural diagram of an identity authentication device according to an embodiment of the present application.
Fig. 8 is a schematic structural diagram of another identity authentication device according to an embodiment of the present application.
Fig. 9 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Fig. 10 is a schematic structural diagram of another electronic device according to an embodiment of the present application.
Detailed Description
In order to enable those skilled in the art to better understand the present application, the following description will make clear and complete descriptions of the technical solutions in the embodiments of the present application with reference to the accompanying drawings in the embodiments of the present application.
In some of the flows described in the specification and claims of this application and in the foregoing figures, a number of operations are included that occur in a particular order, but it should be understood that the operations may be performed in an order other than the one in which they appear, or in parallel; the numbering of operations such as 101, 102, etc. is merely for distinguishing between the various operations and does not by itself represent any order of execution. In addition, the flows may include more or fewer operations, and the operations may be performed sequentially or in parallel. It should be noted that the descriptions "first" and "second" herein are used to distinguish different messages, devices, modules, etc.; they do not represent a sequence, and do not restrict the "first" and the "second" to being of different types.
The SSL VPN device serves as a security proxy device, which serves to protect network resources inside an enterprise, and is typically disposed between an internal local area network and an external wide area network of the enterprise, and may be disposed between a switch and a server. The end user typically needs to use a secure access mode to access the internal service system through a secure proxy device (i.e., SSL VPN device), and the response result of the internal web page is also returned to the end user through the secure proxy device.
As described above, the security proxy device can be used only after authenticating the user, and there are various authentication modes for a user logging in to the security proxy device; to enhance security, most enterprise users adopt a two-factor authentication mode, namely joint authentication by a static password and a one-time password (One Time Password, abbreviated as OTP).
OTP is also called a dynamic password or single-use password. It refers to a password that can be used only once on a computer system or other digital equipment and whose validity period is only one login session or transaction, so that the weaknesses associated with traditional (static) password-based authentication are avoided. OTP authentication techniques involve a client side and a server side: the client side generates the dynamic password and is a hardware device, for example a mobile phone or a token device; the server side manages and checks the dynamic password.
In some scenarios, as shown in FIG. 1, a customer (e.g., an enterprise user) using security proxy devices deploys multiple security proxy devices in different regions, and a business system user may access the security proxy device of any region. Generally, if a business system user has already registered OTP on one security proxy device, then after leaving the current security proxy device and accessing the security proxy device of another region, the user needs to register again. For such an application scenario, configuration synchronization between different security proxy devices can be realized through a dual-machine hot standby method, so that the user does not need to register separately when accessing different security proxy devices; however, this method requires that the different security proxy devices have identical configurations before configuration synchronization can be realized, and it has the problems that the configuration of the security proxy devices is complex, that configuration synchronization can be realized only between two security proxy devices, and that the personalized requirements of enterprises cannot be met.
In order to solve the above technical problems, the core idea of the identity authentication method applied to the first gateway device (i.e. the security proxy device) provided in the embodiments of the present application is: the first gateway device may respond to the login request of the user side, obtain the user name information and the first dynamic password sent by the user side, and then query the first database for the seed key corresponding to the user terminal according to the user name information. In the event that the seed key is not found, the first gateway device may send a query request to the second gateway device, so that the second gateway device may send the seed key to the first gateway device after finding the seed key corresponding to the user terminal. Finally, the first gateway device may calculate a second dynamic password based on the seed key and authenticate the first dynamic password based on the second dynamic password.
Based on the above, the information interaction between different gateway devices may be implemented based on a Representational State Transfer API (RESTful API for short). A RESTful API enables front-end and back-end separation, with development based on the API and data delivered according to a unified interface specification. In the REST architectural style, data and functions are treated as resources and accessed using a uniform resource identifier (Uniform Resource Identifier, URI for short). Operations on resources include obtaining, creating, modifying and deleting, corresponding to the GET, POST, PUT and DELETE methods of the HTTP protocol. In the present application, the POST operation is adopted, and the JSON data format is used, to synchronize information of a user side from one security proxy device to one or more other security proxy devices.
The following description of the embodiments of the present application will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are only some, but not all, of the embodiments of the present application. All other embodiments, which can be made by those skilled in the art based on the embodiments herein without making any inventive effort, are intended to be within the scope of the present application.
Fig. 2 is a flowchart of an identity authentication method according to an embodiment of the present application, where the identity authentication method is applied to a first gateway device. As shown in fig. 2, the method includes S201 to S204.
S201, responding to a login request of a user terminal, acquiring login information sent by the user terminal, wherein the login information comprises user name information and a first dynamic password, and the first dynamic password is calculated by the user terminal from the seed secret key corresponding to the user name information based on a preset algorithm.
S202, inquiring a seed secret key corresponding to the user side in a first database corresponding to the first gateway equipment based on the user name information.
And S203, if the seed key is not queried, sending a query request to at least one second gateway device so as to acquire the seed key from any one of the at least one second gateway device.
S204, calculating to obtain a second dynamic password based on a preset algorithm and the seed secret key so as to authenticate the first dynamic password based on the second dynamic password and output an authentication result.
It should be noted that, in this embodiment, the first gateway device and the second gateway device may be VPN gateway devices, and in practical application, the gateway devices may be SSL VPN devices.
Firstly, responding to a login request of a user side, and acquiring login information sent by the user side. Wherein the login information includes user name information and a first dynamic password.
In this embodiment, the login request may be generated by the user side and sent to the first gateway device. Specifically, the user may access the device home page corresponding to the first gateway device from the user side, so that the first gateway device sends a login page to the user side. The user side may then generate the login request based on the login page.
In practical application, the login page may include input controls for the user to fill in the user name information and the first dynamic password. The user fills the user name information and the first dynamic password into the login page through these input controls, then clicks a submit button in the login page to generate a login request, and the user side sends the login request to the first gateway device.
In this embodiment, the first dynamic password is calculated by the user terminal based on a preset algorithm and a seed key corresponding to the user name information. Specifically, the preset algorithm may be determined based on the value of the user name information and the time, or any other calculation method may be adopted; the seed key may be generated by the first gateway device or the second gateway device, and in practical applications may be generated during the registration phase of the user.
Note that, the corresponding registration method in the present application is described in detail in the following embodiments.
In an alternative embodiment, the login information further includes a device identification code corresponding to the user side and a static password corresponding to the user name information. Correspondingly, the login page sent by the first gateway device to the user side may also include an input control for the user to enter the static password; meanwhile, when the user side sends the login request to the first gateway device, it may also send its own device identification code to the first gateway device.
In this embodiment, before querying the first database corresponding to the first gateway device for the seed key corresponding to the user terminal based on the user name information, the first gateway device may further judge whether the user name information matches the device identification code; if the user name information matches the device identification code, judge whether the static password is valid; and if the static password is valid, query the first database corresponding to the first gateway device for the seed key corresponding to the user side based on the user name information. In practical application, if the user name information and the device identification code do not match, or the static password is invalid, a login failure page is returned to the user side.
Before verifying the first dynamic password, the first gateway device also judges whether the user name information is matched with the device identification code or not, and meanwhile, judges a static password corresponding to the user name information, so that the security of device login can be improved.
After obtaining a login request sent by a user side, a first dynamic password in the login request needs to be authenticated, and therefore, the first gateway device needs to obtain a seed secret key corresponding to the user name information. Firstly, the first gateway device may query a first database corresponding to the first gateway device for a seed key corresponding to the user terminal based on the user name information. In this embodiment, each gateway device corresponds to a database, and the seed key may be stored in the corresponding database.
If the seed key is not queried, a query request is sent to at least one second gateway device so as to acquire the seed key from any one of the at least one second gateway device.
As described above, each gateway device may store the seed key in a respective corresponding database; further, each gateway device may also obtain the seed key sent by any other gateway device.
In practical application, if the first gateway device does not find the seed key corresponding to the user name information in the first database, a RESTful API command may be sent to the second gateway device, so that the second gateway device queries the second database corresponding to the second gateway device for the seed key corresponding to the user name information. If any one of the second gateway devices finds the seed secret key, that second gateway device can send the seed secret key to the first gateway device.
In practical application, if the plurality of second gateway devices do not query the seed key corresponding to the user name information, the first gateway device may send a login failure page to the user terminal, and prompt the user to register.
After the first gateway device obtains the seed secret key sent by the second gateway device, the second dynamic password can be calculated based on the preset algorithm and the seed secret key, so that the first dynamic password is authenticated based on the second dynamic password and an authentication result is output. In practical application, authenticating the first dynamic password based on the second dynamic password means judging whether the first dynamic password is the same as the second dynamic password: if they are the same, the authentication passes; if they are different, the authentication fails.
In an optional embodiment, if the seed key corresponding to the user terminal is queried in the first database corresponding to the first gateway device based on the user name information, a third dynamic password is obtained by calculation based on a preset algorithm and the seed key, so that the first dynamic password is authenticated based on the third dynamic password, and an authentication result is output.
For easy understanding, the identity authentication method according to the embodiment of the present application is described in detail below with reference to fig. 3. As shown in fig. 3, it is assumed that an enterprise is deployed with a first gateway device and a second gateway device, where a user of the enterprise accesses the first gateway device through a user side.
First, the enterprise user may access the device home page of the first gateway device from the user side, and the first gateway device returns a login page to the user side. In this embodiment, the login page includes input controls for the user name information, a static password and a first dynamic password.
The enterprise user can enter the user name information, the static password and the first dynamic password into their respective input controls, so that a login request is generated and the user name information, the static password and the first dynamic password are sent to the first gateway device; the login request also carries the device identification code of the user side.
After the first gateway device obtains the user name information, the static password, the device identification code and the first dynamic password, the first gateway device authenticates the user name information, the static password and the device identification code. Specifically, the user name information, the static password and the equipment identification code are authenticated, namely whether the user name information is matched with the static password and the equipment identification code is judged.
If the user name information matches the static password and the device identification code, the first gateway device queries the seed secret key corresponding to the user name information in the first database corresponding to the first gateway device. If the user name information does not match the static password and the device identification code, the login page is returned.
If the first gateway equipment inquires the seed secret key, the first gateway equipment generates a second dynamic password according to the seed secret key so as to authenticate the first dynamic password through the second dynamic password, and if the authentication is passed, the enterprise user login is successful; if the authentication is not passed, the enterprise user login fails.
If the first gateway device does not inquire the seed secret key, a query request is sent to the second gateway device, and after the second gateway device inquires the seed secret key, the seed secret key is sent to the first gateway device. After the first gateway equipment acquires the seed secret key sent by the second gateway equipment, the first gateway equipment generates a second dynamic password according to the seed secret key so as to authenticate the first dynamic password through the second dynamic password, and if the authentication is passed, the enterprise user login is successful; if the authentication is not passed, the enterprise user login fails. Accordingly, if the second gateway device does not query the seed key, the enterprise user login fails.
Fig. 4 is a flowchart of an identity registration method provided in an embodiment of the present application, where the identity registration method is applied to a first gateway device. As shown in fig. 4, the method includes S401 to S403.
S401, responding to a registration request of a user terminal, and acquiring user name information sent by the user terminal and a device identification code corresponding to the user terminal.
S402, generating a seed secret key corresponding to the user name information based on a preset rule.
S403, storing the user name information, the seed secret key and the corresponding relation between the user name information and the equipment identification code in a first database so as to inquire the seed secret key corresponding to the user side in the first database.
The user needs to register with the first gateway device before logging in to the gateway device. For this purpose, the user may generate a registration request from the user terminal, so as to send the user name information and the device identification code corresponding to the user terminal to the first gateway device. The first gateway device, in response to the registration request of the user side, obtains the user name information sent by the user side and the device identification code corresponding to the user side. In practical application, the user may access the device home page of the first gateway device from the user side to obtain the registration page. The registration page may include an input control for the user name information.
After the first gateway device obtains the registration request, a seed secret key corresponding to the user name information can be generated based on a preset rule, and the device identification code and the user name information are bound. It should be noted that, the preset rule may be set according to actual use requirements, and specific content of the preset rule is not limited herein.
Finally, the first gateway device may store the user name information, the seed secret key, and the correspondence between the user name information and the device identification code in the first database, so as to query the seed secret key corresponding to the user terminal in the first database.
In an optional embodiment, after generating the seed key corresponding to the user name information based on the preset rule, the first gateway device may further send the user name information, the device identification code and the seed key to at least one second gateway device, so that each of the at least one second gateway device stores the user name information, the seed key and the correspondence between the user name information and the device identification code in its own second database. Thus, if the user logs in to a second gateway device, that second gateway device can query the seed key corresponding to the user name information in its own second database.
In an optional embodiment, before responding to the registration request of the user side and acquiring the user name information sent by the user side and the device identification code corresponding to the user side, the first gateway device may also send an identity verification page to the user side in response to an access request of the user side, where the identity verification page includes a first input control corresponding to the user name information and a second input control corresponding to the password information; acquire the user name information and the password information sent by the user side based on the first input control and the second input control; judge whether the user name information and the password information match; and, if the user name information matches the password information, send a registration page to the user side so that the user side generates the registration request based on the registration page.
In this embodiment, the user name information and the static password of the user are authenticated before the user registers, so as to prevent unauthorized users from registering and further improve the security of the gateway device.
For ease of understanding, the identity registration method of the embodiments of the present application is described in detail below with reference to fig. 5. As shown in fig. 5, assume that an enterprise is deployed with a first gateway device and a second gateway device, where an enterprise user registers through the first gateway device.
First, an enterprise user can access a device home page of a first gateway device based on a user terminal, and the first gateway device sends an identity verification page comprising a first input control corresponding to user name information and a second input control corresponding to password information to the user terminal.
The enterprise user may populate the first input control and the second input control with user name information and static password information, respectively, and submit the user name information and static password information to the first gateway device.
The first gateway equipment verifies the user name information and the static password information and judges whether the user name information and the password information are matched; if the user name information is matched with the password information, a registration page is sent to the user terminal; and if the user name information and the password information are not matched, sending an identity verification page to the user terminal.
The enterprise user may fill in the user name information based on the registration page, and generate a registration request in combination with the device identification code of the user side, and then send the registration request to the first gateway device.
The first gateway device generates a seed secret key corresponding to the user name information, and stores the user name information, the seed secret key and the correspondence between the user name information and the device identification code in the first database, so that the seed secret key corresponding to the user side can be queried in the first database. Meanwhile, the first gateway device may further send the user name information, the device identification code and the seed secret key to at least one second gateway device, so that each of the at least one second gateway device stores the user name information, the seed secret key and the correspondence between the user name information and the device identification code in its own second database.
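The registration flow of S401-S403 and fig. 5 (identity verification page, seed key generation, binding to the device identification code, storage in the first database and replication to the second gateway devices), as an added Python example; this is not code from the patent or from the applicant. The description leaves the "preset rule" for generating the seed key open, so a 160-bit random seed from `secrets` is assumed; the databases are stand-in dicts, the static password store uses salted PBKDF2 (an assumption), and the RESTful transport between gateways is replaced by a direct method call. `GatewayDevice`, `register`, `store_binding`, `demo` and all sample accounts and values are constructed.

```python
import hashlib
import hmac
import secrets


def hash_static_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 stands in for however the gateway stores static passwords (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class GatewayDevice:
    """One gateway device with its own database; dicts stand in for the first/second databases."""

    def __init__(self, name: str, peers=None):
        self.name = name
        self.peers = list(peers or [])   # second gateway devices that receive the replicated record
        self.identities = {}             # username -> {"salt", "pw_hash"}: static credentials checked first
        self.accounts = {}               # username -> {"seed", "device_id"}: what S403 stores

    def provision_identity(self, username: str, static_password: str) -> None:
        """Enrol the enterprise account that the identity verification page is checked against."""
        salt = secrets.token_bytes(16)
        self.identities[username] = {"salt": salt, "pw_hash": hash_static_password(static_password, salt)}

    def verify_identity(self, username: str, static_password: str) -> bool:
        """Check behind the identity verification page: only a matching name/password gets the registration page."""
        rec = self.identities.get(username)
        if rec is None:
            return False
        return hmac.compare_digest(rec["pw_hash"], hash_static_password(static_password, rec["salt"]))

    def store_binding(self, username: str, device_id: str, seed: bytes) -> None:
        """S403: store the user name, the seed key and the user name <-> device id correspondence."""
        self.accounts[username] = {"seed": seed, "device_id": device_id}

    def register(self, username: str, static_password: str, device_id: str):
        """S401-S403 plus the optional replication step.
        Returns the seed key, or None when the identity check fails (identity page is re-sent)."""
        if not self.verify_identity(username, static_password):
            return None
        seed = secrets.token_bytes(20)           # assumed "preset rule": 160-bit random seed
        self.store_binding(username, device_id, seed)
        for peer in self.peers:                  # direct call stands in for the RESTful API
            peer.store_binding(username, device_id, seed)
        return seed

    def lookup_seed(self, username: str):
        rec = self.accounts.get(username)
        return None if rec is None else rec["seed"]


def demo() -> dict:
    """Constructed deployment: gw1 registers alice and replicates the record to gw2."""
    gw2 = GatewayDevice("gw2")
    gw1 = GatewayDevice("gw1", peers=[gw2])
    gw1.provision_identity("alice", "alice-static-pw")
    rejected = gw1.register("alice", "wrong-pw", "dev-A1")          # identity page re-sent
    seed = gw1.register("alice", "alice-static-pw", "dev-A1")        # registration page path
    return {
        "rejected": rejected is None,
        "seed_len": 0 if seed is None else len(seed),
        "local": gw1.lookup_seed("alice") == seed,
        "replicated": gw2.lookup_seed("alice") == seed,
        "bound_device": gw2.accounts["alice"]["device_id"],
        "unknown": gw2.lookup_seed("bob") is None,
    }
```

The seed is generated once, on the first gateway device, and copied unchanged to every peer, which is what lets a later login on any gateway find it locally; the identity check is deliberately done before any seed exists, matching the order of fig. 5.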
The embodiment of the application also discloses an identity authentication method applied to the second gateway device, as shown in fig. 6, the method includes S601-S603.
S601, responding to a query request sent by first gateway equipment, and acquiring user name information corresponding to a user side.
S602, inquiring a seed secret key corresponding to the user side in a second database corresponding to the second gateway equipment based on the user name information.
S603, if the seed secret key corresponding to the user terminal is queried, the seed secret key is sent to the first gateway equipment, so that the first gateway equipment authenticates the user terminal based on the seed secret key.
As described in the above embodiments, when the user terminal logs in to the first gateway device and the first gateway device does not find the seed key corresponding to the user terminal in its first database, the first gateway device may send a query request carrying the user name information to the second gateway device.
The second gateway device may query its second database for the seed key corresponding to the user terminal according to the user name information and, if the seed key is found, send it to the first gateway device, so that the first gateway device stores the seed key in its first database and authenticates the user terminal based on the seed key.
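The login flow of fig. 3 on the first gateway device together with the query handling of S601-S603 on the second gateway device, as an added Python example that is not part of the patent or the applicant's product. The "preset algorithm" is not specified in the description, so the HMAC-SHA1 dynamic truncation of RFC 4226 over a 30-second time step (RFC 6238) is assumed; the user side would compute `dynamic_password` with the same seed. Databases are dicts, the RESTful query is a direct method call, and `FirstGateway`, `SecondGateway`, `login`, `demo`, the sample accounts and the timestamp are constructed. The seed used is the RFC 4226 test key, so the codes it yields for counters 0 and 1 (755224 and 287082) are published values.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # assumed time step of the "preset algorithm" (RFC 6238 default)
DIGITS = 6          # assumed length of the dynamic password


def dynamic_password(seed: bytes, counter: int) -> str:
    """HMAC-SHA1 with dynamic truncation (RFC 4226). Assumed stand-in for the
    patent's unspecified 'preset algorithm'; user side and gateway run the same code."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


def hash_static_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 stands in for however the gateway stores static passwords (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SecondGateway:
    """S601-S603: answer a query request from the second database (a dict stands in)."""

    def __init__(self, seeds: dict):
        self.seeds = seeds                      # username -> seed key bytes

    def handle_query(self, username: str):
        return self.seeds.get(username)         # None when this gateway holds no seed


class FirstGateway:
    """Login handling of fig. 3: static checks, seed lookup with fallback, OTP comparison."""

    def __init__(self, directory: dict, seeds: dict, peers: list):
        self.directory = directory   # username -> {"device_id", "salt", "pw_hash"}
        self.seeds = seeds           # first database of seed keys
        self.peers = peers           # second gateway devices reachable by query request

    def _static_check(self, username: str, static_pw: str, device_id: str) -> bool:
        rec = self.directory.get(username)
        if rec is None:
            return False
        pw_ok = hmac.compare_digest(rec["pw_hash"], hash_static_password(static_pw, rec["salt"]))
        return pw_ok and rec["device_id"] == device_id

    def lookup_seed(self, username: str):
        seed = self.seeds.get(username)
        if seed is not None:
            return seed                          # local hit: the "third dynamic password" path
        for peer in self.peers:                  # miss: query request to each second gateway
            seed = peer.handle_query(username)   # direct call stands in for the RESTful API
            if seed is not None:
                self.seeds[username] = seed      # cache in the first database, as in fig. 6
                return seed
        return None

    def login(self, username: str, static_pw: str, device_id: str, first_otp: str, now: int) -> str:
        if not self._static_check(username, static_pw, device_id):
            return "login page"                  # mismatch: return the login page
        seed = self.lookup_seed(username)
        if seed is None:
            return "register"                    # no gateway holds a seed: prompt registration
        second_otp = dynamic_password(seed, now // STEP_SECONDS)
        return "success" if hmac.compare_digest(second_otp, first_otp) else "failure"


def demo() -> dict:
    """Constructed scenario: alice's seed lives only on the second gateway; carol has no seed."""
    salt = b"constructed-salt"
    directory = {
        "alice": {"device_id": "dev-A1", "salt": salt, "pw_hash": hash_static_password("alice-pw", salt)},
        "carol": {"device_id": "dev-C3", "salt": salt, "pw_hash": hash_static_password("carol-pw", salt)},
    }
    alice_seed = b"12345678901234567890"        # RFC 4226 test key, used as a constructed seed
    gw2 = SecondGateway({"alice": alice_seed})
    gw1 = FirstGateway(directory, {}, [gw2])
    now = 59                                    # fixed timestamp -> counter 1, for reproducibility
    good_otp = dynamic_password(alice_seed, now // STEP_SECONDS)   # what alice's user side sends
    return {
        "good_otp": good_otp,
        "ok": gw1.login("alice", "alice-pw", "dev-A1", good_otp, now),
        "bad_otp": gw1.login("alice", "alice-pw", "dev-A1", "755224", now),   # code for counter 0
        "bad_device": gw1.login("alice", "alice-pw", "dev-ZZ", good_otp, now),
        "no_seed": gw1.login("carol", "carol-pw", "dev-C3", "000000", now),
        "cached": "alice" in gw1.seeds,
    }
```

Both dynamic passwords are compared with `hmac.compare_digest` so that the comparison time does not depend on how many leading digits match. A production implementation would additionally refuse a code that has already been accepted within the same time step, as RFC 6238 recommends, since two gateways sharing one seed will otherwise both accept it.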
Fig. 7 is a schematic structural diagram of an identity authentication device according to an embodiment of the present application; as shown in fig. 7, the present embodiment provides an identity authentication apparatus 700 applied to a first gateway device, and specifically, the identity authentication apparatus includes a response module 701, a query module 702, a sending module 703, and an authentication module 704.
The response module 701 is configured to respond to a login request of a user side, obtain login information sent by the user side, where the login information includes user name information and a first dynamic password, and the first dynamic password is obtained by calculating, by the user side, based on a preset algorithm and a seed key corresponding to the user name information;
the query module 702 is configured to query a first database corresponding to the first gateway device for a seed key corresponding to the user terminal based on the user name information;
a sending module 703, configured to send a query request to at least one second gateway device if the seed key is not queried, so as to obtain the seed key from any one of the at least one second gateway device;
and the authentication module 704 is configured to calculate a second dynamic password based on a preset algorithm and the seed key, so as to authenticate the first dynamic password based on the second dynamic password, and output an authentication result.
According to an embodiment of the present application, the query module 702 is further configured to, if a seed key corresponding to the user terminal is queried in a first database corresponding to the first gateway device based on the user name information, calculate, based on a preset algorithm and the seed key, a third dynamic password, so as to authenticate the first dynamic password based on the third dynamic password, and output an authentication result.
According to the embodiment of the application, the login information further comprises a device identification code corresponding to the user side and a static password corresponding to the user name information. Before inquiring the seed secret key corresponding to the user terminal in the first database corresponding to the first gateway device based on the user name information, the authentication module 704 is further configured to determine whether the user name information is matched with the device identification code; if the user name information is matched with the equipment identification code, judging whether the static password is valid or not; if the static password is valid, inquiring a seed secret key corresponding to the user side in a first database corresponding to the first gateway equipment based on the user name information.
According to an embodiment of the present application, the response module 701 is further configured to obtain, in response to a registration request of a user side, user name information sent by the user side and an equipment identifier corresponding to the user side; generating a seed secret key corresponding to the user name information based on a preset rule; storing the user name information, the seed secret key and the corresponding relation between the user name information and the equipment identification code in a first database so as to inquire the seed secret key corresponding to the user side in the first database.
According to an embodiment of the present application, after the seed key corresponding to the user name information is generated based on the preset rule, the sending module 703 is further configured to send the user name information, the device identification code and the seed key to at least one second gateway device, so that each of the at least one second gateway device stores the user name information, the seed key and the correspondence between the user name information and the device identification code in its own second database.
According to an embodiment of the present application, before responding to the registration request of the user terminal and obtaining the user name information sent by the user terminal and the device identification code corresponding to the user terminal, the response module 701 is further configured to send an identity verification page to the user terminal in response to an access request of the user terminal, where the identity verification page includes a first input control corresponding to the user name information and a second input control corresponding to the password information; acquire the user name information and the password information sent by the user terminal based on the first input control and the second input control; judge whether the user name information and the password information match; and, if the user name information matches the password information, send a registration page to the user terminal so that the user terminal generates the registration request based on the registration page.
The identity authentication device shown in fig. 7 may perform the identity authentication method shown in the embodiment shown in fig. 4, and its implementation principle and technical effects are not repeated. The specific manner in which the individual modules perform the operations of the authentication device in the above embodiments has been described in detail in the embodiments related to the method, and will not be described in detail here.
FIG. 8 is a schematic diagram of another identity authentication device according to an embodiment of the present disclosure; as shown in fig. 8, the present embodiment provides an identity authentication apparatus 800 applied to a second gateway device, and specifically, the identity authentication apparatus includes a response module 801, a query module 802, and a sending module 803.
The response module 801 is configured to obtain user name information corresponding to the user side in response to the query request sent by the first gateway device.
The query module 802 is configured to query a second database corresponding to the second gateway device for a seed key corresponding to the user terminal based on the user name information.
The sending module 803 is configured to send the seed key to the first gateway device if the seed key corresponding to the user terminal is queried, so that the first gateway device authenticates the user terminal based on the seed key.
The identity authentication device shown in fig. 8 may perform the identity authentication method shown in the embodiment shown in fig. 6, and its implementation principle and technical effects are not repeated. The specific manner in which the individual modules perform the operations of the authentication device in the above embodiments has been described in detail in the embodiments related to the method, and will not be described in detail here.
In one possible design, the configuration of the identity authentication device shown in fig. 7 or fig. 8 may be implemented as an electronic device. As shown in fig. 9, the electronic device 900 may include: processor 901, memory 902. Wherein the memory 902 has stored thereon executable code which, when executed by the processor 901, at least causes the processor 901 to implement the identity authentication method as provided in the embodiments shown in fig. 2 or fig. 4 described above.
The electronic device 900 may further include a communication interface 903 for communicating with other devices.
Fig. 10 is a schematic structural diagram of another electronic device according to an embodiment of the present application, as shown in fig. 10, where the electronic device 1000 may include one or more of the following components: a processing component 1002, a memory 1004, a power component 1006, a multimedia component 1008, an audio component 1010, an input/output (I/O) interface 1012, a sensor component 1014, and a communications component 1016.
The processing component 1002 generally controls overall operation of the electronic device 1000, such as operations associated with display, telephone calls, data communications, camera operations, and recording operations. The processing component 1002 can include one or more processors 620 to execute instructions to perform all or part of the steps of the methods S101-S105 described above. Further, the processing component 1002 can include one or more modules that facilitate interaction between the processing component 1002 and other components. For example, the processing component 1002 can include a multimedia module to facilitate interaction between the multimedia component 1008 and the processing component 1002.
The memory 1004 is configured to store various types of data to support operations at the electronic device 1000. Examples of such data include instructions for any application or method operating on the electronic device 1000, contact data, phonebook data, messages, pictures, videos, and so forth. The memory 1004 may be implemented by any type or combination of volatile or nonvolatile memory devices such as Static Random Access Memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic or optical disk.
The power supply component 1006 provides power to the various components of the electronic device 1000. The power components 1006 may include a power management system, one or more power supplies, and other components associated with generating, managing, and distributing power for the electronic device 1000.
The multimedia component 1008 includes a screen between the electronic device 1000 and the user that provides an output interface. In some embodiments, the screen may include a Liquid Crystal Display (LCD) and a Touch Panel (TP).
If the screen comprises a touch panel, the screen may be implemented as a touch screen to receive an input signal from a user. The touch panel includes one or more touch sensors to sense touches, swipes and gestures on the touch panel. The touch sensor may sense not only the boundary of a touch or slide action, but also the duration and pressure associated with the touch or slide operation. In some embodiments, the multimedia component 1008 includes a front-facing camera and/or a rear-facing camera. When the electronic device 1000 is in an operational mode, such as a photographing mode or a video mode, the front camera and/or the rear camera may receive external multimedia data. Each front camera and rear camera may be a fixed optical lens system or have focal length and optical zoom capabilities.
The audio component 1010 is configured to output and/or input audio signals. For example, the audio component 1010 includes a microphone (MIC); when the electronic device 1000 is in an operational mode, such as a call mode, a recording mode or a speech recognition mode, the microphone is configured to receive an external audio signal. The received audio signal may be further stored in the memory 1004 or transmitted via the communication component 1016. In some embodiments, the audio component 1010 further comprises a speaker for outputting audio signals.
The input/output interface 1012 provides an interface between the processing component 1002 and peripheral interface modules, which may be a keyboard, click wheel, buttons, and the like. These buttons may include, but are not limited to: a home button, a volume button, a start button and a lock button.
The sensor assembly 1014 includes one or more sensors for providing status assessments of various aspects of the electronic device 1000. For example, the sensor assembly 1014 may detect an on/off state of the electronic device 1000 and the relative positioning of components, such as the display and keypad of the electronic device 1000; the sensor assembly 1014 may also detect a change in position of the electronic device 1000 or of one of its components, the presence or absence of user contact with the electronic device 1000, the orientation or acceleration/deceleration of the electronic device 1000, and a temperature change of the electronic device 1000. The sensor assembly 1014 can include a proximity sensor configured to detect the presence of a nearby object without any physical contact. The sensor assembly 1014 may also include a light sensor, such as a CMOS or CCD image sensor, for use in imaging applications. In some embodiments, the sensor assembly 1014 can also include an acceleration sensor, a gyroscopic sensor, a magnetic sensor, a pressure sensor, or a temperature sensor.
The communication component 1016 is configured to facilitate wired or wireless communication between the electronic device 1000 and other devices. The electronic device 1000 may access a wireless network based on a communication standard, such as WiFi, 2G, 3G or 4G, or a combination thereof. In one exemplary embodiment, the communication component 1016 receives broadcast signals or broadcast-related information from an external broadcast management system via a broadcast channel. In an exemplary embodiment, the communication component 1016 further includes a Near Field Communication (NFC) module to facilitate short-range communications. For example, the NFC module may be implemented based on Radio Frequency Identification (RFID) technology, Infrared Data Association (IrDA) technology, Ultra Wideband (UWB) technology, Bluetooth (BT) technology, and other technologies.
In an exemplary embodiment, the electronic device 1000 may be implemented by one or more Application Specific Integrated Circuits (ASICs), digital Signal Processors (DSPs), digital Signal Processing Devices (DSPDs), programmable Logic Devices (PLDs), field Programmable Gate Arrays (FPGAs), controllers, microcontrollers, microprocessors, or other electronic elements for executing the methods described above.
In an exemplary embodiment, a non-transitory computer readable storage medium is also provided, such as memory 1004, including instructions executable by processor 620 of electronic device 1000 to perform the above-described method. For example, the non-transitory computer readable storage medium may be implemented by any type of volatile or non-volatile memory device or combination thereof, such as Static Random Access Memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic disk, or optical disk.
In addition, the embodiments of the present application provide a non-transitory machine-readable storage medium having executable code stored thereon, which when executed by a processor of an electronic device, causes the processor to perform the method provided in the foregoing embodiment of fig. 1.
The apparatus embodiments described above are merely illustrative, wherein the various modules illustrated as separate components may or may not be physically separate. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
From the above description of embodiments, those skilled in the art will readily understand that the various embodiments may be implemented by adding the necessary general hardware platform, or of course by a combination of hardware and software. Based on such understanding, the above technical solution, in essence or in the portions that contribute to the prior art, may be embodied in the form of a computer program product, which may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
Finally, it should be noted that the above examples are only for illustrating the technical solution of the present application and do not limit it; although the present application has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments can be modified, or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the corresponding technical solutions.

Claims (10)

1. An identity authentication method, applied to a first gateway device, comprising:
responding to a login request of a user side, acquiring login information sent by the user side, wherein the login information comprises user name information and a first dynamic password, and the first dynamic password is obtained by calculating by the user side based on a preset algorithm and a seed key corresponding to the user name information;
inquiring a seed secret key corresponding to the user side in a first database corresponding to the first gateway equipment based on the user name information;
if the seed secret key is not queried, sending a query request to at least one second gateway device so as to acquire the seed secret key from any one of the at least one second gateway device;
and calculating to obtain a second dynamic password based on the preset algorithm and the seed secret key so as to authenticate the first dynamic password based on the second dynamic password and output an authentication result.
2. The method according to claim 1, wherein the method further comprises:
if the seed secret key corresponding to the user terminal is queried in a first database corresponding to the first gateway equipment based on the user name information, a third dynamic password is obtained through calculation based on the preset algorithm and the seed secret key, so that the first dynamic password is authenticated based on the third dynamic password, and an authentication result is output.
3. The method of claim 1, wherein the login information further includes a device identifier corresponding to the user side and a static password corresponding to the user name information;
before the seed secret key corresponding to the user terminal is queried in the first database corresponding to the first gateway equipment based on the user name information, the method further comprises the following steps:
judging whether the user name information is matched with the equipment identification code or not;
if the user name information is matched with the equipment identification code, judging whether the static password is valid or not;
and if the static password is valid, inquiring a seed secret key corresponding to the user terminal in a first database corresponding to the first gateway equipment based on the user name information.
4. The method according to claim 1, wherein the method further comprises:
responding to a registration request of a user side, and acquiring the user name information sent by the user side and a device identification code corresponding to the user side;
generating the seed secret key corresponding to the user name information based on a preset rule;
storing the user name information, the seed secret key and the corresponding relation between the user name information and the equipment identification code in the first database so as to inquire the seed secret key corresponding to the user side in the first database.
5. The method of claim 4, wherein after generating the seed key corresponding to the user name information based on a preset rule, the method further comprises:
and transmitting the user name information, the device identification code and the seed secret key to the at least one second gateway device, so that the at least one second gateway device stores the user name information, the seed secret key and the corresponding relation between the user name information and the device identification code in their respective second databases.
6. The method of claim 5, wherein before acquiring, in response to the registration request of the user terminal, the user name information and the device identification code corresponding to the user terminal sent by the user terminal, the method further comprises:
in response to an access request of the user terminal, sending an identity verification page to the user terminal, wherein the identity verification page comprises a first input control corresponding to user name information and a second input control corresponding to password information;
acquiring the user name information and the password information sent by the user terminal through the first input control and the second input control;
judging whether the user name information and the password information match; and
if the user name information matches the password information, sending a registration page to the user terminal so that the user terminal can generate the registration request based on the registration page.
7. An identity authentication method, applied to a second gateway device, comprising:
in response to a query request sent by a first gateway device, acquiring user name information corresponding to a user terminal;
querying a seed key corresponding to the user terminal in a second database corresponding to the second gateway device based on the user name information; and
if the seed key corresponding to the user terminal is found, sending the seed key to the first gateway device, so that the first gateway device authenticates the user terminal based on the seed key.
8. An identity authentication device, applied to a first gateway device, comprising:
a response module, configured to acquire, in response to a login request of a user terminal, login information sent by the user terminal, wherein the login information comprises user name information and a first dynamic password, and the first dynamic password is calculated by the user terminal based on a preset algorithm and a seed key corresponding to the user name information;
a query module, configured to query a seed key corresponding to the user terminal in a first database corresponding to the first gateway device based on the user name information;
a sending module, configured to send a query request to at least one second gateway device if the seed key is not found, so as to obtain the seed key from any one of the at least one second gateway device; and
an authentication module, configured to calculate a second dynamic password based on the preset algorithm and the seed key, authenticate the first dynamic password against the second dynamic password, and output an authentication result.
9. An electronic device, comprising: a memory, a processor; wherein the memory has stored thereon executable code which, when executed by the processor, causes the processor to perform the identity authentication method of any one of claims 1 to 6.
10. A non-transitory machine-readable storage medium having stored thereon executable code which, when executed by a processor of an electronic device, causes the processor to perform the identity authentication method of any of claims 1 to 6.
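As an added illustration that is not code from the patent or its applicant, the following Python model sketches the flow of claims 1, 3, 4, 5 and 7: registration generates a seed key and replicates it to the second gateway devices; login at the first gateway checks the device binding and static password, looks the seed up locally, falls back to querying a peer gateway when the seed is missing, and compares a locally computed second dynamic password against the one the user terminal sent. It assumes the "preset algorithm" is RFC 6238 TOTP (HMAC-SHA1, six digits, 30-second step), that the "preset rule" for seed generation is a random 160-bit seed, and that the static password is stored as a salted PBKDF2 hash; the gateway names gw-A and gw-B, the user alice and the device code DEV-001 are constructed sample values.

```python
import hashlib
import hmac
import secrets
import struct
import time

STEP_SECONDS = 30   # assumed TOTP time step of the "preset algorithm"
DIGITS = 6          # assumed dynamic-password length


def dynamic_password(seed: bytes, now: float) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, then dynamic truncation."""
    counter = int(now) // STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def hash_static_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 for the static password (assumed storage format)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Gateway:
    """One gateway device; `peers` are the second gateway devices it can query."""

    def __init__(self, name: str):
        self.name = name
        self.users = {}   # username -> {"device_id", "salt", "pw_hash"}
        self.seeds = {}   # username -> seed key (the gateway's database)
        self.peers = []
        self.last_seed_source = None   # which gateway supplied the seed

    def register(self, username: str, device_id: str, static_password: str) -> bytes:
        """Claims 4 and 5: create the seed key, store it, push it to peers."""
        salt = secrets.token_bytes(16)
        seed = secrets.token_bytes(20)   # assumed preset rule: random 160-bit seed
        record = {"device_id": device_id, "salt": salt,
                  "pw_hash": hash_static_password(static_password, salt)}
        self.users[username] = record
        self.seeds[username] = seed
        for peer in self.peers:
            peer.replicate(username, record, seed)
        return seed

    def replicate(self, username: str, record: dict, seed: bytes) -> None:
        self.users[username] = dict(record)
        self.seeds[username] = seed

    def lookup_seed(self, username: str):
        """Claim 7: answer a query request from another gateway."""
        return self.seeds.get(username)

    def authenticate(self, username: str, device_id: str, static_password: str,
                     first_dynamic_password: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        record = self.users.get(username)
        if record is None:
            return False
        # Claim 3: the user name must match the bound device, and the static
        # password must be valid, before any seed lookup takes place.
        if not hmac.compare_digest(record["device_id"].encode(), device_id.encode()):
            return False
        presented = hash_static_password(static_password, record["salt"])
        if not hmac.compare_digest(record["pw_hash"], presented):
            return False
        # Claim 1: local database first, then the second gateway devices.
        seed = self.lookup_seed(username)
        self.last_seed_source = self.name if seed is not None else None
        if seed is None:
            for peer in self.peers:
                seed = peer.lookup_seed(username)
                if seed is not None:
                    self.last_seed_source = peer.name
                    break
        if seed is None:
            return False
        second_dynamic_password = dynamic_password(seed, now)
        return hmac.compare_digest(second_dynamic_password, first_dynamic_password)


def demo(now: float = 1_700_000_000) -> dict:
    """Constructed scenario: two gateways, one user, then a lost seed on gw-A."""
    gw_a, gw_b = Gateway("gw-A"), Gateway("gw-B")
    gw_a.peers.append(gw_b)
    gw_b.peers.append(gw_a)
    seed = gw_a.register("alice", "DEV-001", "correct horse")
    otp = dynamic_password(seed, now)   # what the user terminal computes
    local_ok = gw_a.authenticate("alice", "DEV-001", "correct horse", otp, now)
    gw_a.seeds.pop("alice")             # constructed fault: gw-A lost its seed record
    remote_ok = gw_a.authenticate("alice", "DEV-001", "correct horse", otp, now)
    wrong_device = gw_a.authenticate("alice", "DEV-999", "correct horse", otp, now)
    stale = str((int(otp) + 1) % 10 ** DIGITS).zfill(DIGITS)
    wrong_otp = gw_a.authenticate("alice", "DEV-001", "correct horse", stale, now)
    return {"local": local_ok, "remote": remote_ok, "source": gw_a.last_seed_source,
            "wrong_device": wrong_device, "wrong_otp": wrong_otp}


if __name__ == "__main__":
    print(demo())
```

The order of checks matters for the claimed design: the peer query is only issued after the device binding and static password have been verified, so an unauthenticated request cannot cause the first gateway to fan out seed-key queries to every second gateway. All comparisons use `hmac.compare_digest`, and a production verifier would additionally accept a small window of adjacent time steps and record each accepted code so it cannot be replayed within its step.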
CN202310009148.0A 2023-01-04 2023-01-04 Identity authentication method, device, equipment and storage medium Pending CN116112233A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310009148.0A CN116112233A (en) 2023-01-04 2023-01-04 Identity authentication method, device, equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310009148.0A CN116112233A (en) 2023-01-04 2023-01-04 Identity authentication method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN116112233A true CN116112233A (en) 2023-05-12

Family

ID=86264998

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310009148.0A Pending CN116112233A (en) 2023-01-04 2023-01-04 Identity authentication method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN116112233A (en)

Similar Documents

Publication Publication Date Title
US11297051B2 (en) Authenticated session management across multiple electronic devices using a virtual session manager
US11218460B2 (en) Secure authentication for accessing remote resources
CN111639319B (en) User resource authorization method, device and computer readable storage medium
US11196739B2 (en) Authorization activation
EP2887615A1 (en) Cloud-based scalable authentication for electronic devices
US9338156B2 (en) System and method for integrating two-factor authentication in a device
US8606234B2 (en) Methods and apparatus for provisioning devices with secrets
US8826398B2 (en) Password changing
US11843593B2 (en) Application integration using multiple user identities
CN115021991A (en) Single sign-on for unmanaged mobile devices
US11489831B2 (en) Communication system and computer readable storage medium
US11075895B2 (en) Cloud operation interface sharing method, related device, and system
US11627129B2 (en) Method and system for contextual access control
CN113347242B (en) Cross-device resource access method and device, storage medium and electronic device
US11812263B2 (en) Methods and apparatus for securely storing, using and/or updating credentials using a network device at a customer premises
JP2018517367A (en) Service provider certificate management
CN112840339A (en) Progressive access to data and device functionality
RU2649323C1 (en) Method and device for managing equipment
CN116112233A (en) Identity authentication method, device, equipment and storage medium
Yeh et al. A robust NFC-based personalized IPTV service system
CN113328971A (en) Access resource authentication method and device and electronic equipment
US11856037B2 (en) Multi-factor authentication for audio meeting participants
Yeh et al. A NFC-Based Authentication Scheme for Personalized IPTV Services
CN116800477A (en) Certificate registration and login authentication method of application program and electronic equipment
CN117882348A (en) Application program interface API calling method and device and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination