CN116193429B - Authentication method, authentication device and storage medium - Google Patents


Info

Publication number
CN116193429B
Authority
CN
China
Prior art keywords
terminal
authentication
ciphertext
network access
verification
Legal status
Active
Application number
CN202310144760.9A
Other languages
Chinese (zh)
Other versions
CN116193429A (en)
Inventor
冯毅
蔡超
刘思聪
Current Assignee
China United Network Communications Group Co Ltd
Original Assignee
China United Network Communications Group Co Ltd
Application filed by China United Network Communications Group Co Ltd; priority claimed to CN202310144760.9A; published as CN116193429A; application granted and published as CN116193429B; legal status: Active.

Classifications

    • H Electricity / H04 Electric communication technique / H04W Wireless communication networks / H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04W 12/03 Protecting confidentiality, e.g. by encryption
    • H04W 12/08 Access security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The application provides an authentication method, an authentication device and a storage medium in the field of communications technology that can improve the security of network access authentication. The method comprises: receiving an authentication request from a terminal, the request carrying the terminal identifier of the terminal; generating n groups of verification information according to the terminal identifier, where n is a positive integer, each group consists of a first ciphertext and a verification identifier in one-to-one correspondence, the first ciphertext is produced by the network access device encrypting a target field with an encryption algorithm, and the target field is either the authentication password of the terminal or a field randomly generated by the network access device; sending the n groups of verification information to the terminal; receiving feedback information from the terminal; and determining from the feedback information whether the terminal passes authentication. The application is used in the terminal network access authentication process.

Description

Authentication method, authentication device and storage medium
Technical Field
The present application relates to the field of communications technologies, and in particular, to an authentication method, an authentication device, and a storage medium.
Background
Currently, network access devices and terminals default to the Password Authentication Protocol (PAP) during the authentication phase of the Link Control Protocol (LCP). Under PAP, however, the terminal must send its authentication request, which contains the terminal identifier and the authentication password, to the network access device in plaintext. Because the request travels in plaintext, the terminal identifier and authentication password it carries are easily stolen by an attacker through session hijacking, packet sniffing and similar means. How to improve the security of the terminal network access authentication process is therefore a technical problem to be solved.
Disclosure of Invention
The application provides an authentication method, an authentication device and a storage medium, which can improve the security of a network access authentication process.
In order to achieve the above purpose, the application adopts the following technical scheme:
In a first aspect, the present application provides an authentication method applied to a network access device that is configured to authenticate a terminal requesting access. The method includes: receiving an authentication request from the terminal, the authentication request carrying the terminal identifier of the terminal; generating n groups of verification information according to the terminal identifier, where n is a positive integer, each group consists of a first ciphertext and a verification identifier, the first ciphertext is generated by the network access device encrypting a target field with an encryption algorithm, the first ciphertexts correspond one-to-one with the verification identifiers, and the target field is either the authentication password of the terminal or a field randomly generated by the network access device; sending the n groups of verification information to the terminal; receiving feedback information from the terminal, the feedback information carrying a target identifier that the terminal determined from the result of matching a second ciphertext against the first ciphertexts, the second ciphertext being generated by encrypting the terminal's authentication password with the same encryption algorithm; and determining from the feedback information whether the terminal passes authentication.
With reference to the first aspect, in one possible implementation manner, generating the n groups of verification information according to the terminal identifier includes: determining n target fields, which are either n fields randomly generated by the network access device, or n-1 randomly generated fields together with the authentication password; encrypting the n target fields with the encryption algorithm to obtain n first ciphertexts; assigning a verification identifier to each of the n first ciphertexts; and forming the n groups of verification information from the n first ciphertexts and their corresponding verification identifiers.
With reference to the first aspect, in one possible implementation manner, when the n target fields consist of n-1 fields randomly generated by the network access device and the authentication password, determining from the feedback information whether the terminal passes authentication includes: determining whether the feedback information contains the verification identifier corresponding to the first ciphertext generated from the authentication password; if so, determining that the terminal passes; if not, determining that the terminal fails.
With reference to the first aspect, in one possible implementation manner, when all n target fields are randomly generated by the network access device, determining from the feedback information whether the terminal passes authentication includes: determining whether the feedback information contains the verification identifier of any of the n first ciphertexts; if not, determining that the terminal passes; if so, determining that the terminal fails. In such a round no first ciphertext can match the second ciphertext of a terminal holding the correct password, so a correct terminal reports the preset empty identifier rather than any verification identifier.
With reference to the first aspect, in a possible implementation manner, after determining that the terminal passes, the method further includes: determining whether the number of authentication rounds the terminal has completed exceeds a preset value; if so, determining that authentication has succeeded, admitting the terminal to the network access device and ending the authentication process; if not, regenerating n groups of verification information according to the terminal identifier and sending them to the terminal for a further round.
In a second aspect, the present application provides an authentication method applied to a terminal that requests access to a network access device. The method includes: sending an authentication request to the network access device, the authentication request carrying the terminal identifier of the terminal; receiving n groups of verification information from the network access device, where n is a positive integer, each group consists of a first ciphertext and a verification identifier, the first ciphertext is generated by the network access device encrypting a target field with an encryption algorithm, the first ciphertexts correspond one-to-one with the verification identifiers, and the target field is either the authentication password of the terminal or a field randomly generated by the network access device; encrypting the authentication password of the terminal with the encryption algorithm to generate a second ciphertext; determining a target identifier from the result of matching the second ciphertext against the first ciphertexts in the n groups of verification information; generating feedback information from the target identifier; and sending the feedback information to the network access device.
With reference to the second aspect, in one possible implementation manner, determining the target identifier from the matching result includes: comparing the second ciphertext with the first ciphertext of each of the n groups of verification information to determine whether a first ciphertext identical to the second ciphertext exists; if one exists, taking the verification identifier of the group to which that first ciphertext belongs as the target identifier; if none exists, taking a preset empty identifier as the target identifier.
In a third aspect, the present application provides an authentication apparatus applied to a network access device that is configured to authenticate a terminal requesting access. The apparatus includes a processing unit and a communication unit. The communication unit is configured to receive an authentication request from the terminal, the request carrying the terminal identifier of the terminal. The processing unit is configured to generate n groups of verification information according to the terminal identifier, where n is a positive integer, each group consists of a first ciphertext and a verification identifier, the first ciphertext is generated by the network access device encrypting a target field with an encryption algorithm, the first ciphertexts correspond one-to-one with the verification identifiers, and the target field is either the authentication password of the terminal or a field randomly generated by the network access device. The communication unit is further configured to send the n groups of verification information to the terminal and to receive feedback information from the terminal, the feedback information carrying a target identifier determined from the result of matching a second ciphertext against the first ciphertexts, the second ciphertext being generated by encrypting the terminal's authentication password with the encryption algorithm. The processing unit is further configured to determine from the feedback information whether the terminal passes authentication.
With reference to the third aspect, in one possible implementation manner, the processing unit is specifically configured to: determine n target fields, which are either n fields randomly generated by the network access device, or n-1 randomly generated fields together with the authentication password; encrypt the n target fields with the encryption algorithm to obtain n first ciphertexts; assign a verification identifier to each of the n first ciphertexts; and form the n groups of verification information from the n first ciphertexts and their corresponding verification identifiers.
With reference to the third aspect, in one possible implementation manner, the processing unit is further configured to: determine whether the feedback information contains the verification identifier corresponding to the first ciphertext generated from the authentication password; if so, determine that the terminal passes; if not, determine that the terminal fails.
With reference to the third aspect, in one possible implementation manner, the processing unit is further configured to: determine whether the feedback information contains the verification identifier of any of the n first ciphertexts; if not, determine that the terminal passes; if so, determine that the terminal fails.
With reference to the third aspect, in one possible implementation manner, the processing unit is further configured to: determine whether the number of authentication rounds the terminal has completed exceeds a preset value; if so, determine that authentication has succeeded, admit the terminal to the network access device and end the authentication process; if not, regenerate n groups of verification information and instruct the communication unit to send them to the terminal.
In a fourth aspect, the present application provides an authentication apparatus applied to a terminal that requests access to a network access device. The apparatus includes a processing unit and a communication unit. The communication unit is configured to send an authentication request to the network access device, the request carrying the terminal identifier of the terminal, and to receive n groups of verification information from the network access device, where n is a positive integer, each group consists of a first ciphertext and a verification identifier, the first ciphertext is generated by the network access device encrypting a target field with an encryption algorithm, the first ciphertexts correspond one-to-one with the verification identifiers, and the target field is either the authentication password of the terminal or a field randomly generated by the network access device. The processing unit is configured to encrypt the authentication password of the terminal with the encryption algorithm to generate a second ciphertext, to determine a target identifier from the result of matching the second ciphertext against the first ciphertexts in the n groups of verification information, and to generate feedback information from the target identifier. The communication unit is further configured to send the feedback information to the network access device.
With reference to the fourth aspect, in one possible implementation manner, the processing unit is specifically configured to: compare the second ciphertext with the first ciphertext of each of the n groups of verification information to determine whether a first ciphertext identical to the second ciphertext exists; if one exists, take the verification identifier of the group to which that first ciphertext belongs as the target identifier; if none exists, take a preset empty identifier as the target identifier.
In a fifth aspect, the present application provides an authentication apparatus comprising a processor, a memory and a communication interface, the memory being configured to store computer-executable instructions which, when executed by the authentication apparatus, cause it to perform the authentication method of the first aspect or any of its possible implementations.
In a sixth aspect, the present application provides an authentication apparatus comprising a processor, a memory and a communication interface, the memory being configured to store computer-executable instructions which, when executed by the authentication apparatus, cause it to perform the authentication method of the second aspect or any of its possible implementations.
In a seventh aspect, the present application provides a computer-readable storage medium storing instructions which, when executed by a processor of an authentication apparatus, enable the authentication apparatus to perform the authentication method of the first aspect or any of its possible implementations.
In an eighth aspect, the present application provides a computer-readable storage medium storing instructions which, when executed by a processor of an authentication apparatus, enable the authentication apparatus to perform the authentication method of the second aspect or any of its possible implementations.
In a ninth aspect, the application provides a computer program product comprising instructions which, when run on an authentication device, cause the authentication device to perform the authentication method of the first aspect or any of its possible implementations.
In a tenth aspect, the application provides a computer program product comprising instructions which, when run on an authentication device, cause the authentication device to perform the authentication method of the second aspect or any of its possible implementations.
In an eleventh aspect, the present application provides a chip comprising a processor and a communication interface coupled to the processor, the processor being configured to run a computer program or instructions to implement the authentication method of the first aspect or any of its possible implementations.
In a twelfth aspect, the application provides a chip comprising a processor and a communication interface coupled to the processor, the processor being configured to run a computer program or instructions to implement the authentication method of the second aspect or any of its possible implementations.
Specifically, the chip provided in the embodiments of the application further includes a memory for storing the computer program or instructions.
In the present application, the names of the above-described authentication apparatuses do not constitute a limitation on the devices or function modules themselves, and in actual implementation, these devices or function modules may appear under other names. Insofar as the function of each device or function module is similar to that of the present application, it falls within the scope of the claims of the present application and the equivalents thereof.
These and other aspects of the application will be more readily apparent from the following description.
The technical scheme provided by the application has at least the following beneficial effects:
The terminal sends an authentication request carrying its terminal identifier to the network access device. On receiving it, the network access device generates, according to the terminal identifier, either n random target fields or n-1 random target fields plus the terminal's authentication password, encrypts them with the encryption algorithm to obtain n first ciphertexts, pairs each first ciphertext one-to-one with a verification identifier, and sends the resulting n groups of verification information to the terminal for identity verification. The terminal encrypts its authentication password with the same encryption algorithm to obtain a second ciphertext, compares it with the first ciphertext of each group in turn, determines the target identifier from the matching result, builds feedback information from the target identifier and returns it to the network access device, which decides from the feedback information whether the terminal passes authentication.
In this way the terminal's authentication request carries only the terminal identifier, and its feedback information is derived from the n groups of verification information supplied by the network access device. The authentication password itself is never transmitted during access authentication between the terminal and the network access device, which reduces the risk of the password being stolen and improves the security of terminal network access authentication.
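The exchange summarised above, as an added example that is not code from the patent or its assignee. It models both sides of the first and second aspects: the network access device generating n groups of (first ciphertext, verification identifier), the terminal computing its second ciphertext and answering with the matching identifier or the preset empty identifier, the pass/fail decision for a password round and for an all-random round, and the round-count check before the terminal is admitted. The patent does not fix the encryption algorithm, the empty identifier, the random field length or the preset value; the example assumes HMAC-SHA256 under a key both sides hold, the empty string, 16 random bytes and 3 rounds. One caveat the patent leaves to the implementer: the matching rule only works if the algorithm is deterministic, and with a deterministic algorithm the password's ciphertext is the same in every session, so an eavesdropper who sees one password round learns which ciphertext the terminal echoed and can answer later rounds without knowing the password; `password_ciphertext_from_transcript` and the captured-ciphertext terminal make that visible. All names, keys and passwords below are constructed for the example.

```python
# Added example (not the patent's code): model of the n-group verification exchange.
# Assumptions not stated by the patent: HMAC-SHA256 under a shared key as the
# "encryption algorithm", "" as the preset empty identifier, 16-byte random
# fields, and a preset value of 3 authentication rounds.
import hashlib
import hmac
import random
import secrets

SHARED_KEY = b"assumed-shared-algorithm-key"   # assumption
EMPTY_ID = ""                                  # preset empty identifier
N_GROUPS = 4                                   # n
PRESET_ROUNDS = 3                              # preset value


def encrypt(field: bytes) -> str:
    """The shared deterministic 'encryption algorithm' applied to a target field."""
    return hmac.new(SHARED_KEY, field, hashlib.sha256).hexdigest()


class NetworkAccessDevice:
    def __init__(self, passwords, n=N_GROUPS, preset=PRESET_ROUNDS,
                 p_password_round=0.5, rng=None):
        self.passwords = passwords             # terminal_id -> password bytes
        self.n, self.preset = n, preset
        self.p_password_round = p_password_round  # share of rounds that include the password
        self.rng = rng or random.SystemRandom()
        self.sessions = {}                     # terminal_id -> {"rounds", "expected"}

    def handle_request(self, request):
        """The request carries only the terminal identifier, never the password."""
        tid = request["terminal_id"]
        if tid not in self.passwords:
            return None
        self.sessions[tid] = {"rounds": 0, "expected": EMPTY_ID}
        return self.generate_verification(tid)

    def generate_verification(self, tid):
        """n target fields: either n random fields, or n-1 random fields plus the password."""
        fields = [secrets.token_bytes(16) for _ in range(self.n)]
        pw_index = None
        if self.rng.random() < self.p_password_round:
            pw_index = self.rng.randrange(self.n)
            fields[pw_index] = self.passwords[tid]
        sess = self.sessions[tid]
        sess["expected"] = EMPTY_ID            # all-random round: correct answer is the empty id
        groups = []
        for i, field in enumerate(fields):
            vid = secrets.token_hex(4)
            if i == pw_index:
                sess["expected"] = vid         # password round: correct answer is this id
            groups.append({"ciphertext": encrypt(field), "verification_id": vid})
        return groups

    def handle_feedback(self, feedback):
        """Returns (status, next groups); status is 'fail', 'continue' or 'success'."""
        tid = feedback["terminal_id"]
        sess = self.sessions.get(tid)
        if sess is None or not hmac.compare_digest(feedback["target_id"], sess["expected"]):
            self.sessions.pop(tid, None)
            return "fail", None
        sess["rounds"] += 1
        if sess["rounds"] > self.preset:       # "authentication times larger than the preset value"
            self.sessions.pop(tid)
            return "success", None
        return "continue", self.generate_verification(tid)


class Terminal:
    def __init__(self, terminal_id, password=None, captured_ciphertext=None):
        self.terminal_id = terminal_id
        # A real terminal derives the second ciphertext from its password; an
        # eavesdropper who captured that ciphertext can simply reuse it.
        self.second = encrypt(password) if password is not None else captured_ciphertext

    def request(self):
        return {"terminal_id": self.terminal_id}

    def respond(self, groups):
        target = EMPTY_ID
        for g in groups:
            if hmac.compare_digest(g["ciphertext"], self.second):
                target = g["verification_id"]
        return {"terminal_id": self.terminal_id, "target_id": target}


def run_authentication(nad, terminal):
    """Drives a full exchange; returns (status, transcript of (groups, feedback) pairs)."""
    transcript = []
    groups = nad.handle_request(terminal.request())
    if groups is None:
        return "fail", transcript
    while True:
        feedback = terminal.respond(groups)
        transcript.append((groups, feedback))
        status, groups = nad.handle_feedback(feedback)
        if status != "continue":
            return status, transcript


def password_ciphertext_from_transcript(transcript):
    """What a passive sniffer learns: the ciphertext whose identifier the terminal echoed."""
    for groups, feedback in transcript:
        for g in groups:
            if g["verification_id"] == feedback["target_id"]:
                return g["ciphertext"]
    return None
```

`p_password_round` controls how often the network access device includes the password among the n target fields (the patent says only that it may do either); setting it to 1.0 makes every round a password round, which is the setting under which a wrong password is guaranteed to fail on the first round. The patent also does not say how the two sides agree on the encryption algorithm; a plain hash and a keyed function both satisfy its matching rule, and the replay caveat in the lead-in applies to either.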
Drawings
Fig. 1 is a schematic hardware structure of an authentication device according to an embodiment of the present application;
Fig. 2 is a schematic flow chart of an authentication method according to an embodiment of the present application;
Fig. 3 is a flowchart of another authentication method according to an embodiment of the present application;
Fig. 4 is a flowchart of another authentication method according to an embodiment of the present application;
Fig. 5 is a flowchart of another authentication method according to an embodiment of the present application;
Fig. 6 is a schematic structural diagram of an authentication device applied to a network access device according to an embodiment of the present application;
Fig. 7 is a schematic structural diagram of an authentication device applied to a terminal according to an embodiment of the present application.
Detailed Description
The authentication method, the authentication device and the storage medium provided by the embodiment of the application are described in detail below with reference to the accompanying drawings.
The term "and/or" herein merely describes an association between objects and covers three relationships; for example, "A and/or B" may mean that A exists alone, that A and B exist together, or that B exists alone.
The terms "first" and "second" and the like in the description and in the drawings are used for distinguishing between different objects or between different processes of the same object and not for describing a particular order of objects.
Furthermore, references to the terms "comprising" and "having" and any variations thereof in the description of the present application are intended to cover a non-exclusive inclusion. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those listed but may optionally include other steps or elements not listed or inherent to such process, method, article, or apparatus.
It should be noted that, in the embodiments of the present application, words such as "exemplary" or "such as" are used to mean serving as an example, instance, or illustration. Any embodiment or design described herein as "exemplary" or "e.g." in an embodiment should not be taken as preferred or advantageous over other embodiments or designs. Rather, the use of words such as "exemplary" or "such as" is intended to present related concepts in a concrete fashion.
Fig. 1 is a schematic structural diagram of an authentication device according to an embodiment of the present application. As shown in Fig. 1, the authentication device 100 includes at least one processor 101, a communication line 102 and at least one communication interface 104, and may also include a memory 103. The processor 101, the memory 103 and the communication interface 104 may be connected through the communication line 102.
The processor 101 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the present application, such as one or more digital signal processors (DSPs) or one or more field-programmable gate arrays (FPGAs).
The communication line 102 may include a pathway for carrying information between the aforementioned components.
The communication interface 104 is used for communicating with other devices or communication networks and may be any transceiver-like device, such as an Ethernet, radio access network (RAN) or wireless local area network (WLAN) interface.
The memory 103 may be, but is not limited to, a read-only memory (ROM) or other static storage device that can store static information and instructions, a random access memory (RAM) or other dynamic storage device that can store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs and the like), a magnetic disk storage medium or other magnetic storage device, or any other medium that can be used to carry or store the desired program code in the form of instructions or data structures and that can be accessed by a computer.
In one possible design, the memory 103 may exist separately from the processor 101, that is, the memory 103 may be external to the processor 101 and connected to it through the communication line 102, storing execution instructions or application program code whose execution is controlled by the processor 101 to implement the authentication method according to an embodiment of the present application. In another possible design, the memory 103 may be integrated with the processor 101, that is, it may be an internal memory of the processor 101, for example a cache, used to temporarily store data and instruction information.
As one implementation, the processor 101 may include one or more CPUs, such as CPU0 and CPU1 in Fig. 1. As another implementation, the authentication device 100 may include multiple processors, such as the processor 101 and the processor 107 in Fig. 1. In a further implementation, the authentication device 100 may also include an output device 105 and an input device 106.
From the foregoing description of the embodiments it will be apparent to those skilled in the art that, for convenience and brevity, only the above division of functional modules is illustrated; in practice the functions may be allocated to different functional modules as needed, that is, the internal structure of the authentication device may be divided into different functional modules to implement all or part of the functions described above. For the specific working processes of the system, modules and device described above, reference may be made to the corresponding processes in the method embodiments, which are not repeated here.
Currently, multiple hosts on a shared ethernet may perform multiple PPP sessions with a Broadband Remote access server BRAS (Broadband Remote ACCESS SERVER, BRAS) or other network access devices through one or more simple bridge access devices according to a point-to-point protocol on ethernet (PPP over Ethernet, PPPoE), i.e., a point-to-point protocol carried by ethernet (Point to Point Protocol, PPP). Wherein the BRAS is an access device in a certain area, which is responsible for accessing terminal devices and authenticating the terminals. Each host may use its own PPP protocol stack in the PPP session mode and provide a familiar user interface to the user.
For example, when the terminal accesses the internet through the home broadband, the terminal first transmits authentication information including a terminal identification and an authentication password to the network access device BRAS. And the network access device BRAS completes the authentication request for the terminal to access the network according to the PPPoE protocol and the authentication information.
The authentication process of the PPPoE protocol comprises two stages, discovery and session. In the discovery stage, the terminal discovers one or more network access devices, selects one of them, and sends its Media Access Control (MAC) address to it. After receiving the MAC address of the terminal, the network access device sends a MAC address back to the terminal. By exchanging MAC addresses, the terminal and the network access device exchange the information needed to generate a PPPoE session_ID. It should be noted that the terminal and the network access device remain stateless until the session is established. Once the session stage is established, the terminal and the network access device allocate resources for the PPP virtual interface in the session stage.
Further, the session stage comprises the Link Control Protocol (LCP) and the Network Control Protocol (NCP). LCP is used for negotiation and authentication of the underlying link between the terminal and the network access device. Specifically, a Radius server assists the terminal and the network access device in authentication through the Password Authentication Protocol (PAP) and the Challenge Handshake Authentication Protocol (CHAP).
The specific implementation process of the negotiation part and the authentication part in the LCP stage is as follows:
In the negotiation part, the terminal and the network access device exchange the parameters of the devices at the two ends, such as the MTU value and link type, through LCP config_Req, LCP config_Rej, LCP config_Nak and LCP config_Ack messages. LCP config_Req is used for link negotiation requests. Specifically, when the receiving end does not support a configuration parameter type in the sending end's LCP config_Req message, the receiving end replies with the unsupported configuration parameter type in an LCP config_Rej message. When the receiving end supports the configuration parameter types in the sending end's LCP config_Req message but does not support the configuration parameter values, the receiving end replies with the unsupported configuration parameter values in an LCP config_Nak message. When the negotiation succeeds, the receiving end answers the sending end with an LCP config_Ack message.
The authentication modes of the terminal and the network access device comprise two types, namely PAP and CHAP respectively. Wherein PAP is a two-way handshake protocol. Specifically, the terminal sends an authentication request containing a terminal identifier and an authentication password to the network access equipment, and the network access equipment performs comparison verification on the received content. If the verification is successful, the network access equipment returns an authentication passing response message to the terminal. If the verification fails, the network access equipment returns a response message that the authentication fails to pass to the terminal.
CHAP is a three-way handshake protocol. Specifically, the terminal sends an authentication request containing a random message and a terminal identifier to the network access device. After receiving the authentication request, the network access device generates a response with the Message Digest 5 (MD5) algorithm from the key corresponding to the terminal, the message ID and the challenge field. The network access device then returns feedback information containing the response and the terminal identifier to the terminal. The terminal extracts the terminal identifier from the feedback information returned by the network access device, and generates a result with the MD5 algorithm from the key corresponding to the terminal identifier, the message ID and the random message. The terminal compares the generated result with the feedback information. If the two are the same, the terminal returns a Success message to the network access device; if they differ, the terminal returns a Failure message to the network access device.
Further, after the terminal completes negotiation and authentication with the network access device, the terminal obtains an IP address through the Network Control Protocol (NCP); for IP networks, the NCP is the Internet Protocol Control Protocol (IPCP).
In the related art, the existing network access device and the terminal authenticate by default in the PAP mode during the LCP authentication stage. However, according to the PAP authentication protocol, the terminal must transmit the authentication request, which includes the terminal identifier and the authentication password, to the network access device in plain text. Because the authentication request is transmitted in plaintext, the terminal identifier and the authentication password contained in the terminal authentication information are easily stolen by a hacker through session hijacking, packet sniffing and other means. Therefore, how to improve the security of the authentication process when a terminal accesses the network is a technical problem to be solved.
In order to solve the technical problem, an embodiment of the present application provides an authentication method, where a terminal sends an authentication request to a network access device, where the authentication request includes a terminal identifier of the terminal. After receiving the authentication request from the terminal, the network access device generates n groups or n-1 groups of target fields according to the terminal identification. And the network access equipment encrypts n groups of target fields or n-1 groups of target fields and the terminal authentication password by adopting an encryption algorithm to generate n groups of first ciphertexts. The network access device performs one-to-one correspondence on the n groups of first ciphertext and the n verification identifications to generate n groups of verification information. And the network access equipment sends the n groups of verification information to the terminal to perform terminal identity verification. After receiving n groups of verification information sent by the network access equipment, the terminal encrypts the terminal authentication password according to the encryption algorithm to generate a second ciphertext. The terminal matches the generated second ciphertext with the first ciphertext in the n groups of verification information one by one, and determines the target identification according to the matching result of the second ciphertext and the first ciphertext. And the terminal generates feedback information according to the target identifier and sends the feedback information to the network access equipment. And the network access equipment determines whether the terminal passes authentication according to the received feedback information from the terminal. 
In this way, when the terminal makes a network access authentication request, the terminal only needs to send an authentication request that contains the terminal identification information to the network access device, and the feedback information is determined according to the n groups of verification information sent by the network access device. During access authentication between the terminal and the network access device, the authentication password of the terminal does not need to be transmitted, the risk of the terminal's authentication password being stolen is reduced, and the security of the terminal's network access authentication is improved.
The authentication method provided by the embodiment of the application can be applied to the authentication device shown in fig. 1, and as shown in fig. 2, the authentication method provided by the embodiment of the application can be realized through the following steps 201 to 208.
Step 201, the terminal sends an authentication request to the network access device. Accordingly, the network access device receives an authentication request from the terminal.
Wherein the authentication request includes a terminal identification of the terminal.
The terminal sends an authentication request containing only the terminal identification to the network access device. Accordingly, the network access device receives an authentication request from the terminal.
In a possible implementation manner, the terminal sends an authentication request to the network access device, such as a BRAS, where the authentication request only includes the terminal identifier and does not include the password of the terminal. After receiving the authentication request from the terminal, the network access device determines the terminal applying for access authentication through the terminal identification.
Step 202, the network access device generates n groups of verification information according to the terminal identification.
Wherein n is a positive integer, each group of verification information in the n groups of verification information comprises a first ciphertext and a verification identifier, the first ciphertext is generated by encrypting a target field by the network access equipment by adopting an encryption algorithm, and the first ciphertext corresponds to the verification identifier one by one; the target field is an authentication password of the terminal or a field randomly generated by the network access device.
In one possible implementation manner, the network access device looks up the authentication password of the terminal in its records according to the terminal identifier in the authentication request. The network access device then generates n groups of verification information according to the terminal password.
In one example, a network access device randomly determines whether to generate n sets of authentication information containing a terminal authentication password.
If the network access device determines to generate n groups of verification information containing the terminal authentication password, the network access device randomly generates n-1 groups of random fields according to the terminal authentication password (at this time, the n-1 groups of random fields and the terminal authentication password are the target fields in the embodiment of the application). The network access device encrypts the terminal authentication password and the n-1 groups of random fields with the MD5 encryption algorithm to obtain n first ciphertexts. The network access device assigns a corresponding verification identifier to each of the n first ciphertexts, and takes each first ciphertext together with its corresponding verification identifier as one group of verification information, obtaining n groups of verification information.
If the network access device determines to generate n groups of verification information which does not contain the terminal authentication password, the network access device generates n groups of random fields according to the terminal authentication password in a random generation mode (at this time, the n groups of random fields are target fields in the embodiment of the application). The network access device performs encryption operation on n groups of random fields through an MD5 encryption algorithm to obtain n first ciphertexts. The network access equipment distributes corresponding verification identifiers for the n first ciphertexts respectively, and takes each first ciphertext and the corresponding verification identifier thereof as one group of verification information to obtain n groups of verification information.
It should be noted that the MD5 encryption algorithm is a hash (HASH) algorithm, which converts input data of arbitrary length into output data of fixed length; for example, the HASH256 algorithm converts input data of arbitrary length into 256-bit output data. Further, the original input data cannot be derived in reverse from the result of the hash operation. The algorithm is a compression mapping that compresses a message of arbitrary length into a message digest of fixed length.
Specifically, table 1 shows the n groups of verification information generated by the network access device.
Table 1 n groups of verification information generated by the network access device
Sequence number | Original password | Encrypted ciphertext | Corresponding identifier | Verification information
1               | N1                | K1                   | T1                       | K1+T1
2               | N2                | K2                   | T2                       | K2+T2
...             | ...               | ...                  | ...                      | ...
n               | Nn                | Kn                   | Tn                       | Kn+Tn
The ciphertexts K1 to Kn are all of the same length; T1 to Tn are the identifiers corresponding to K1 to Kn, and the content of each identifier is different.
Step 203, the network access device sends n groups of verification information to the terminal. Correspondingly, the terminal receives n groups of verification information sent by the network access equipment.
In a possible implementation manner, the network access device sends the n sets of authentication information generated in step 202 to the terminal applying for the authentication request. Correspondingly, the terminal receives n groups of verification information sent by the network access equipment.
In one example, a terminal sends a terminal identification to a network access device, and the network access device completes a first handshake authentication after receiving the terminal identification. After receiving the terminal identification, the network access device generates n groups of verification information according to the terminal identification, and sends the n groups of verification information to the terminal, and the corresponding terminal receives the n groups of verification information sent by the network access device and performs second handshake authentication.
Step 204, the terminal encrypts its authentication password according to an encryption algorithm to generate a second ciphertext.
In one possible implementation manner, after receiving n groups of authentication information sent by the network access device, the terminal encrypts a terminal authentication password of the terminal through an MD5 encryption algorithm to generate a second ciphertext.
In one example, the terminal authentication password of the terminal is H, and the second ciphertext generated by encrypting it with the MD5 encryption algorithm is M.
Step 205, the terminal determines the target identifier according to the matching result of the second ciphertext and the first ciphertext in the n groups of verification information.
In one possible implementation manner, the terminal compares the generated second ciphertext with the first ciphertext in each of the n groups of verification information one by one, and determines whether a first ciphertext identical to the second ciphertext exists. If so, the terminal determines the verification identifier corresponding to that first ciphertext as the target identifier. If not, the terminal determines the preset null identifier as the target identifier.
In one example, the terminal compares the generated second ciphertext M with the n verification ciphertexts K1 to Kn one by one to determine whether a first ciphertext identical to the terminal's second ciphertext M exists. If so, the terminal determines the verification identifier corresponding to that first ciphertext, e.g. T3, as the target identifier. If not, the terminal determines the preset null identifier as the target identifier. The preset null identifier may be set to NULL.
Step 206, the terminal generates feedback information according to the target identifier.
In a possible implementation manner, the terminal generates corresponding feedback information according to the identifier in the target verification information determined in step 205.
In one example, the terminal compares the second ciphertext with the first ciphertext in the n sets of authentication information one-to-one. And generating feedback information according to the corresponding identification in the target verification information under the condition that the target verification information exists in the n groups of verification information. In the case where the target authentication information does not exist in the n sets of authentication information, the null flag indicating that the target authentication information does not exist in the n sets of authentication information is used to generate feedback information.
Step 207, the terminal sends feedback information to the network access device. Correspondingly, the network access device receives feedback information from the terminal.
The feedback information comprises a target identifier; the target mark is a mark determined according to a matching result of the second ciphertext and the first ciphertext; the second ciphertext is generated after the authentication password of the terminal is encrypted according to the encryption algorithm.
In one example, the terminal generates feedback information from a result of the validation of the target verification information and sends the feedback information to the network access device, and the corresponding network access device receives the feedback information from the terminal and performs third handshake authentication.
Step 208, the network access device determines whether the terminal passes authentication according to the feedback information.
In a possible implementation manner, if the n target fields generated by the network access device in step 202 comprise n-1 fields randomly generated by the network access device and the terminal authentication password, the network access device determines whether the feedback information includes the verification identifier corresponding to the first ciphertext generated from the terminal authentication password. If so, the network access device determines that the terminal authentication passes; if not, the network access device determines that the terminal authentication does not pass.
If the n target fields generated in step 202 are n fields randomly generated by the network access device, the network access device determines whether the feedback information includes the identifier corresponding to any one of the n first ciphertexts. If not, the network access device determines that the terminal authentication passes; if so, the network access device determines that the terminal authentication does not pass.
The above-described solution brings at least the following advantageous effects. The terminal sends an authentication request to the network access device, wherein the authentication request comprises a terminal identifier of the terminal. After receiving the authentication request from the terminal, the network access device generates n groups or n-1 groups of target fields according to the terminal identification. And the network access equipment encrypts n groups of target fields or n-1 groups of target fields and the terminal authentication password by adopting an encryption algorithm to generate n groups of first ciphertexts. The network access device performs one-to-one correspondence on the n groups of first ciphertext and the n verification identifications to generate n groups of verification information. And the network access equipment sends the n groups of verification information to the terminal to perform terminal identity verification. After receiving n groups of verification information sent by the network access equipment, the terminal encrypts the terminal authentication password according to the encryption algorithm to generate a second ciphertext. The terminal matches the generated second ciphertext with the first ciphertext in the n groups of verification information one by one, and determines the target identification according to the matching result of the second ciphertext and the first ciphertext. And the terminal generates feedback information according to the target identifier and sends the feedback information to the network access equipment. And the network access equipment determines whether the terminal passes authentication according to the received feedback information from the terminal. 
In this way, when the terminal makes a network access authentication request, the terminal only needs to send an authentication request that contains the terminal identification information to the network access device, and the feedback information is determined according to the n groups of verification information sent by the network access device. During access authentication between the terminal and the network access device, the authentication password of the terminal does not need to be transmitted, the risk of the terminal's authentication password being stolen is reduced, and the security of the terminal's network access authentication is improved.
In connection with fig. 2, as shown in fig. 3, the above-mentioned step 202 may be implemented by the following steps 301 to 304.
Step 301, the network access device determines n target fields.
The n target fields comprise n fields randomly generated by the network access device, or the n target fields comprise n-1 fields randomly generated by the network access device and an authentication password.
In one possible implementation, the network access device randomly determines whether a terminal authentication password is included in the n sets of authentication information. If the terminal authentication password is included, the network access equipment randomly generates n fields. If the terminal authentication password is not included, the network access equipment randomly generates n-1 fields.
An example is shown in table 2, the field generation table of the network access device.
Table 2 Network access device field generation table
Sequence number | Contains authentication password? | Generated result
1               | Yes                               | N1, N2 ... Nn-1, H
2               | No                                | N1, N2 ... Nn-1, Nn
Where N1, N2 ... Nn-1, Nn are the initial fields generated by the network access device, and H is the terminal authentication password.
Step 302, the network access device encrypts n target fields according to an encryption algorithm to determine n first ciphertexts.
In one example, the network access device encrypts n fields by an MD5 encryption algorithm to generate n first ciphertexts.
Table 3 shows the n first ciphertexts generated by the network access device.
Table 3 First ciphertext table
Sequence number | Original field | MD5 encrypted ciphertext (32 hexadecimal characters)
1               | 12458639       | a1b0f84ec5266918364f3585cd440f58
2               | 145Asjkjie     | a5d5afc2497c4a4c74009e35bc94010e
...             | ...            | ...
n               | Kdji45745      | 455facdbc776ec5ed056c0e83d2bfc7b
Step 303, the network access device matches a corresponding verification identifier to each of the n first ciphertexts.
In one possible implementation, the network access device generates n verification identifiers and assigns them to the n first ciphertexts respectively, so that each of the n first ciphertexts corresponds to a unique verification identifier.
As an example, the verification identifiers may be the n numbers 1 to n.
In one possible implementation, the network access device matches a corresponding identifier for each of the n first ciphertexts. As shown in table 1 above, each identifier corresponds to a different content, and each identifier is also used to characterize the number of each first ciphertext.
Step 304, the network access device generates n groups of verification information according to the n first ciphertexts and the verification identifier corresponding to each first ciphertext in the n first ciphertexts.
In a possible implementation manner, the network access device generates n groups of verification information by using n first ciphertexts and an identifier corresponding to each first ciphertext in the n first ciphertexts.
Optionally, the network access device stores the n groups of verification information and does not send them to any other device, so that other devices are prevented from authenticating the terminal according to the n groups of verification information.
The technical scheme brings at least the following beneficial effects. The network access device determines n target fields according to the terminal identification. The n target fields comprise n randomly generated fields, or n-1 randomly generated fields and the terminal authentication password. The network access device encrypts the n target fields according to an encryption algorithm to generate n first ciphertexts. The network access device matches each of the n first ciphertexts with a corresponding verification identifier, and the verification identifier is used for verifying the authentication identity of the terminal. The network access device generates n groups of verification information according to the n first ciphertexts and the verification identifier corresponding to each of them. Thus, the network access device confirms the authentication identity of the terminal by constructing n groups or n-1 groups of false verification information, and the accuracy of terminal identity authentication is improved.
Referring to fig. 2, as shown in fig. 4, step 205 may be implemented by the following steps 401 to 403.
Step 401, the terminal matches the second ciphertext against the first ciphertext in each of the n groups of verification information, and determines whether a first ciphertext identical to the second ciphertext exists.
If so, the terminal performs the following step 402; if not, the terminal performs the following step 403.
Step 402, if yes, the terminal determines that the verification identifier in the verification information to which the first ciphertext identical to the second ciphertext belongs is the target identifier.
In a possible implementation manner, if the first ciphertext identical to the second ciphertext exists in the n groups of verification information, the terminal determines that the verification information to which the first ciphertext belongs is target verification information, and generates a corresponding identifier in the target verification information as feedback information.
Step 403, if not, the terminal determines that the preset empty identifier is the target identifier.
In a possible implementation manner, if the first ciphertext identical to the second ciphertext does not exist in the n groups of verification information, the terminal determines that the target verification information does not exist in the n groups of verification information, and the terminal uses a preset null identifier as a target identifier to generate feedback information.
The technical scheme at least brings the following beneficial effects. And the terminal respectively matches the second ciphertext with the first ciphertexts in the n groups of verification information one by one, and determines whether the first ciphertexts which are the same as the second ciphertexts exist. If the first ciphertext identical to the second ciphertext exists, the terminal determines that the verification identifier in the verification information to which the first ciphertext identical to the second ciphertext belongs is the target identifier. If the first ciphertext which is the same as the second ciphertext does not exist, the terminal determines that the preset empty identifier is the target identifier. In this way, the terminal encrypts the terminal authentication password by using the same encryption algorithm as the network access device to generate the second ciphertext. And the terminal generates feedback information by comparing whether the second ciphertext is the same as the first ciphertext. The feedback information is used as the basis of terminal identity authentication, and the authentication request of the network access equipment is fed back. The accuracy of the network access equipment to the terminal identity verification is improved.
With reference to fig. 2, after the above step 208, the following steps 501-503 are further included, as shown in fig. 5.
Step 501, the network access device determines whether the current authentication number of the terminal is greater than a preset value.
In one possible implementation manner, the network access device sets the verification preset threshold value to W times, and after confirming that the terminal passes the authentication according to the feedback information of the terminal, the network access device confirms whether the current authentication times of the terminal are greater than the preset threshold value W.
As an example, the value of W may be set to 3.
As an example, the network access device sets the number of terminal authentications to N. Wherein, the initial value of N is 0. And adding 1 to the N value by the network access equipment every time the terminal passes authentication. The network access device determines whether the terminal reaches the authentication times of passing authentication by comparing the N value with a preset value W.
Step 502, if yes, the network access device determines that the terminal authentication is successful, indicates the terminal to access the network access device, and ends the authentication process.
In one possible implementation manner, if the network access device determines that the current authentication number of the terminal is greater than the preset value W, the network access device determines that the terminal authentication is successful, the terminal accesses the network access device, and the authentication process is ended.
Step 503, if not, the network access device regenerates n groups of verification information according to the terminal identifier, and sends the n groups of verification information to the terminal.
In one possible implementation manner, if the network access device determines that the current authentication number of the terminal is smaller than the preset value W, the network access device regenerates n groups of verification information and sends them to the terminal.
The process of regenerating n sets of authentication information by the network access device according to the terminal identifier may refer to step 202 above. It will be appreciated that the n sets of authentication information regenerated by the network access device are typically different authentication information than the n sets of authentication information generated by the network access device in step 202.
If the authentication of the terminal does not pass, the network access device does not process authentication requests initiated by the terminal within a preset time P. The preset time P may be, but is not limited to, set manually according to the actual authentication conditions.
The technical scheme at least brings the following beneficial effects. The network access equipment sets the preset authentication times of terminal identity authentication. After the terminal passes the identity authentication of the network access equipment once, the network access equipment determines whether the current authentication times of the terminal are larger than a preset value. If the current authentication times are greater than the preset value, the network access equipment determines that the terminal authentication is successful, indicates the terminal to access the network access equipment, and ends the authentication process. If the current authentication times are smaller than or equal to the preset value, the network access equipment regenerates n groups of verification information according to the terminal identification, and sends the n groups of verification information to the terminal. And continuing to carry out identity authentication on the terminal. Thus, the network access equipment reduces errors in the terminal identity authentication process and improves the accuracy of the terminal identity authentication by carrying out multiple times of identity authentication on the terminal.
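The exchange of steps 201 to 208, with the generation of steps 301 to 304, the matching of steps 401 to 403 and the repeated rounds of steps 501 to 503, as an added Python example that is not part of the patent or of any product: a BRAS side, a terminal side and a driver that runs the rounds. The terminal identifier, password, n=5, W=3 and P=60 seconds are constructed sample values, and the 1..n identifiers and the NULL identifier follow the page's own choices.

```python
import hashlib
import itertools
import secrets
from dataclasses import dataclass, field

NULL_ID = "NULL"  # preset null identifier returned when no first ciphertext matches (step 403)


def md5_hex(data: str) -> str:
    """MD5 is used because the page specifies it for both first and second ciphertexts."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


@dataclass
class VerificationGroup:
    """One group of verification information: a first ciphertext and its identifier."""
    ciphertext: str
    identifier: int


@dataclass
class NetworkAccessDevice:
    """BRAS side. `records` maps terminal identifier -> authentication password (constructed)."""
    records: dict
    n: int = 5    # groups of verification information per round
    w: int = 3    # preset value W: the pass counter must exceed it (step 501)
    p: int = 60   # preset time P (seconds) during which a failed terminal is not processed
    # Per-terminal state kept locally and never sent to other devices (step 304).
    _expected: dict = field(default_factory=dict)
    _pass_count: dict = field(default_factory=dict)
    _blocked_until: dict = field(default_factory=dict)

    def generate_verification_info(self, terminal_id, include_password=None):
        """Steps 202 and 301-304: build n groups, with or without the real password."""
        password = self.records[terminal_id]
        if include_password is None:                        # step 301: chosen at random
            include_password = secrets.randbelow(2) == 1
        count = self.n - 1 if include_password else self.n
        fields = [secrets.token_hex(8) for _ in range(count)]  # N1..Nn-1 or N1..Nn
        if include_password:
            fields.append(password)                         # H joins the target fields
            secrets.SystemRandom().shuffle(fields)          # so its position is not fixed
        ciphertexts = [md5_hex(f) for f in fields]          # step 302: first ciphertexts
        identifiers = list(range(1, self.n + 1))            # step 303: T1..Tn are 1..n
        groups = [VerificationGroup(c, i) for c, i in zip(ciphertexts, identifiers)]
        password_id = identifiers[fields.index(password)] if include_password else None
        self._expected[terminal_id] = (include_password, password_id, identifiers)
        return groups

    def verify(self, terminal_id, target_id):
        """Step 208: judge the target identifier carried in the feedback information."""
        include_password, password_id, identifiers = self._expected.pop(terminal_id)
        if include_password:
            return target_id == password_id     # must name exactly the password's group
        return target_id not in identifiers     # must name none of the n decoy groups

    def accepts_request(self, terminal_id, now):
        """Step 201 gate: requests arriving inside the block window P are ignored."""
        return now >= self._blocked_until.get(terminal_id, 0)


def terminal_respond(password, groups):
    """Steps 204-206 and 401-403: hash the password, look for a matching group."""
    second_ciphertext = md5_hex(password)
    for group in groups:
        if group.ciphertext == second_ciphertext:
            return group.identifier             # step 402: target identifier
    return NULL_ID                              # step 403: preset null identifier


def run_authentication(bras, terminal_id, password, now=0, schedule=None):
    """Steps 201-208 repeated as in steps 501-503. Returns (success, rounds_passed).

    `schedule` optionally fixes the include-password choice per round so that a run
    is reproducible; once it is exhausted the BRAS chooses at random as in step 301."""
    if not bras.accepts_request(terminal_id, now):
        return False, 0
    bras._pass_count[terminal_id] = 0                        # N starts at 0
    rounds = iter(schedule) if schedule is not None else itertools.repeat(None)
    while True:
        groups = bras.generate_verification_info(terminal_id, next(rounds, None))
        target = terminal_respond(password, groups)          # steps 204-207
        if not bras.verify(terminal_id, target):             # step 208
            bras._blocked_until[terminal_id] = now + bras.p  # ignore requests for P seconds
            return False, bras._pass_count[terminal_id]
        bras._pass_count[terminal_id] += 1                   # N = N + 1 on each pass
        if bras._pass_count[terminal_id] > bras.w:           # steps 501-502
            return True, bras._pass_count[terminal_id]
        # step 503: loop and regenerate a fresh set of n groups
```

With W=3 the driver needs four passed rounds, and a round whose set omits the password is passed by any terminal that answers NULL, which is why the repeated rounds matter.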
The authentication apparatus according to the embodiment of the present application, and the functions of the respective devices of the authentication apparatus, and interactions between the devices are described in detail above.
It can be seen that the technical solution provided by the embodiment of the present application is mainly described from the method perspective. To achieve the above functions, it includes corresponding hardware structures and/or software modules that perform the respective functions. Those of skill in the art will readily appreciate that the various illustrative modules and algorithm steps described in connection with the embodiments disclosed herein may be implemented as hardware or combinations of hardware and computer software. Whether a function is implemented as hardware or computer software driven hardware depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The embodiment of the application can divide the functional modules of the authentication device according to the method example, for example, each functional module can be divided corresponding to each function, or two or more functions can be integrated in one processing module. The integrated modules may be implemented in hardware or in software functional modules. Optionally, the division of the modules in the embodiment of the present application is schematic, which is merely a logic function division, and other division manners may be implemented in practice.
The embodiment of the application provides an authentication device which is used for executing a method required to be executed by any device in an authentication system. The authentication device may be an authentication device according to the present application, or a module in an authentication device; or the chip in the authentication device, or other devices for performing the spatial measurement determination method, which is not limited in the present application.
Fig. 6 is a schematic structural diagram of an authentication device according to an embodiment of the present application. The authentication device is applied to network access equipment, the network access equipment is used for authenticating a terminal requesting access, and the device comprises: a processing unit 601 and a communication unit 602.
A communication unit 602, configured to receive an authentication request from a terminal, where the authentication request includes a terminal identifier of the terminal; a processing unit 601, configured to generate n groups of verification information according to the terminal identifier, where n is a positive integer, each group of verification information in the n groups comprises a first ciphertext and a verification identifier, the first ciphertext is generated by the network access device encrypting a target field with an encryption algorithm, and the first ciphertexts correspond one-to-one to the verification identifiers; the target field is the authentication password of the terminal or a field randomly generated by the network access device; the communication unit 602 is further configured to send the n groups of verification information to the terminal and to receive feedback information from the terminal, where the feedback information comprises a target identifier, the target identifier is an identifier determined according to the matching result of a second ciphertext against the first ciphertexts, and the second ciphertext is generated by encrypting the authentication password of the terminal with the encryption algorithm; the processing unit 601 is further configured to determine, according to the feedback information, whether the terminal passes authentication.
Optionally, the processing unit 601 is specifically configured to: determine n target fields, where the n target fields comprise n fields randomly generated by the network access device, or the n target fields comprise n-1 fields randomly generated by the network access device and the authentication password; encrypt the n target fields according to the encryption algorithm to determine n first ciphertexts; match a corresponding verification identifier to each first ciphertext in the n first ciphertexts; and generate the n groups of verification information according to the n first ciphertexts and the verification identifier corresponding to each of the n first ciphertexts.
Optionally, the processing unit 601 is further configured to: determining whether the feedback information comprises a verification identifier corresponding to a first ciphertext generated according to the authentication password; if so, determining that the terminal authentication passes; if not, determining that the terminal authentication is not passed.
Optionally, the processing unit 601 is further configured to: determine whether the feedback information comprises a verification identifier corresponding to any ciphertext of the n first ciphertexts; if not, determine that the terminal authentication passes; if so, determine that the terminal authentication is not passed.
Optionally, the processing unit 601 is further configured to: determine whether the current number of authentications of the terminal is greater than a preset value; if so, determine that the terminal is successfully authenticated, allow the terminal to access the network access device, and end the authentication process; if not, regenerate n groups of verification information according to the terminal identifier and instruct the communication unit 602 to send the regenerated n groups of verification information to the terminal.
Fig. 7 is a schematic structural diagram of an authentication device according to an embodiment of the present application. The authentication device is applied to a terminal, wherein the terminal is used for requesting to access network access equipment, and the device comprises: a processing unit 701 and a communication unit 702.
A communication unit 702, configured to send an authentication request to a network access device, where the authentication request includes a terminal identifier of a terminal; a communication unit 702, configured to receive n groups of authentication information from a network access device; wherein n is a positive integer, each group of verification information in the n groups of verification information comprises a first ciphertext and a verification identifier, the first ciphertext is generated by encrypting a target field by the network access equipment by adopting an encryption algorithm, and the first ciphertext corresponds to the verification identifier one by one; the target field is an authentication password of the terminal or a field randomly generated by network access equipment; a processing unit 701, configured to encrypt an authentication password of the terminal according to an encryption algorithm, and generate a second ciphertext; the processing unit 701 is further configured to determine a target identifier according to a matching result of the second ciphertext and the first ciphertext in the n sets of verification information; the processing unit 701 is further configured to generate feedback information according to the target identifier; the communication unit 702 is further configured to send feedback information to the network access device.
Optionally, the processing unit 701 is specifically configured to: match the second ciphertext against the first ciphertext in each of the n groups of verification information and determine whether a first ciphertext identical to the second ciphertext exists; if so, determine the verification identifier in the group of verification information to which that first ciphertext belongs as the target identifier; if not, determine a preset empty identifier as the target identifier.
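A runnable model of the exchange described for the two apparatuses above, together with the multi-round flow of the method description (added example, not the patent's code or the applicant's implementation). The "encryption algorithm" is modelled as HMAC-SHA256 under a key both sides share, and the identifier format, n, the preset value and the sample password are all assumptions.

```python
import hashlib
import hmac
import secrets

EMPTY_ID = ""  # the "preset empty identifier" returned when nothing matches (assumed encoding)


def encrypt(key: bytes, field: bytes) -> bytes:
    """The shared 'encryption algorithm' of the description, modelled (assumption)
    as HMAC-SHA256 under a key both sides hold. It must be deterministic: the
    terminal can only match its second ciphertext against the first ciphertexts
    if equal inputs always give equal outputs."""
    return hmac.new(key, field, hashlib.sha256).digest()


class NetworkAccessDevice:
    """Network access device side: builds the n groups and judges the feedback."""

    def __init__(self, key: bytes, passwords: dict, n: int = 4, preset_value: int = 2):
        self.key = key
        self.passwords = passwords      # terminal identifier -> authentication password
        self.n = n
        self.preset_value = preset_value
        self.rounds = {}                # terminal identifier -> rounds passed so far
        self.pending = {}               # terminal identifier -> (expected id or None, issued ids)

    def generate_verification_info(self, terminal_id: str, include_password: bool):
        """n target fields -> n first ciphertexts, each paired with a fresh
        verification identifier. Either all n fields are random, or n-1 are
        random and one is the terminal's authentication password."""
        password = self.passwords[terminal_id].encode()
        fields = [(secrets.token_bytes(16), False)
                  for _ in range(self.n - (1 if include_password else 0))]
        if include_password:
            fields.append((password, True))
        secrets.SystemRandom().shuffle(fields)   # position must not reveal the password group
        groups, expected, issued = [], None, set()
        for field, is_password in fields:
            verification_id = secrets.token_hex(4)
            groups.append((encrypt(self.key, field), verification_id))
            issued.add(verification_id)
            if is_password:
                expected = verification_id
        self.pending[terminal_id] = (expected, issued)
        return groups

    def check_feedback(self, terminal_id: str, target_id: str) -> str:
        """Returns 'fail', 'continue' (this round passed, more rounds needed) or
        'success' (passed more than preset_value rounds)."""
        state = self.pending.pop(terminal_id, None)   # one judgement per challenge
        if state is None:
            return "fail"
        expected, issued = state
        if expected is not None:
            # Password ciphertext was issued: its identifier must come back.
            passed = hmac.compare_digest(target_id.encode(), expected.encode())
        else:
            # Only random fields were issued: any issued identifier is a false claim.
            passed = target_id not in issued
        if not passed:
            self.rounds[terminal_id] = 0
            return "fail"              # description: ignore this terminal for preset time P
        self.rounds[terminal_id] = self.rounds.get(terminal_id, 0) + 1
        if self.rounds[terminal_id] > self.preset_value:
            self.rounds[terminal_id] = 0
            return "success"
        return "continue"


class Terminal:
    """Terminal side: encrypts its own password and looks for an equal first ciphertext."""

    def __init__(self, terminal_id: str, password: str, key: bytes):
        self.terminal_id = terminal_id
        self.password = password
        self.key = key

    def respond(self, groups) -> str:
        second_ciphertext = encrypt(self.key, self.password.encode())
        for first_ciphertext, verification_id in groups:
            if hmac.compare_digest(first_ciphertext, second_ciphertext):
                return verification_id
        return EMPTY_ID


def run_authentication(device, terminal, include_password_per_round) -> str:
    """Drives the multi-round flow; the constructed schedule says, per round,
    whether the device embeds the password ciphertext among the n groups."""
    outcome = "continue"
    for include_password in include_password_per_round:
        groups = device.generate_verification_info(terminal.terminal_id, include_password)
        outcome = device.check_feedback(terminal.terminal_id, terminal.respond(groups))
        if outcome != "continue":
            break
    return outcome


if __name__ == "__main__":
    KEY = b"constructed-shared-key"   # constructed sample data
    nad = NetworkAccessDevice(KEY, {"term-01": "correct horse"}, n=4, preset_value=2)
    print(run_authentication(nad, Terminal("term-01", "correct horse", KEY), [True, False, True]))
    print(run_authentication(nad, Terminal("term-01", "wrong guess", KEY), [True]))
```

Note that a round whose n fields are all random cannot tell a terminal that knows the password from one that does not; only rounds that embed the password ciphertext carry the proof of knowledge, so a schedule that mixes both kinds is what makes the multi-round check meaningful.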
The embodiment of the application provides an authentication device which is used for executing a method required to be executed by any device in the data integrity determination system. The authentication device may be an authentication device according to the present application, or a module in an authentication device; or the chip in the authentication device, or other devices for performing the spatial measurement determination method, which is not limited in the present application.
The embodiment of the application also provides a computer readable storage medium, wherein the computer readable storage medium stores instructions, when the computer executes the instructions, the computer executes each step in the method flow shown in the method embodiment.
Embodiments of the present application provide a computer program product comprising instructions which, when run on a computer, cause the computer to perform the authentication method of the method embodiments described above.
Embodiments of the present application provide a chip comprising a processor and a communication interface coupled to the processor for running a computer program or instructions to implement an authentication method as in the method embodiments described above.
The computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the computer-readable storage medium include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, random access memory (Random Access Memory, RAM), read-only memory (ROM), erasable programmable read-only memory (Erasable Programmable Read Only Memory, EPROM), registers, an optical fiber, portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any other form of computer-readable storage medium known to a person of skill in the art. An exemplary storage medium is coupled to the processor such that the processor can read information from, and write information to, the storage medium. In the alternative, the storage medium may be integral to the processor. The processor and the storage medium may reside in an application specific integrated circuit (ASIC). In embodiments of the present application, a computer readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device.
Since the apparatus, device, computer readable storage medium, and computer program product in the embodiments of the present application can be applied to the above-mentioned method, the technical effects that can be obtained by the apparatus, device, computer readable storage medium, and computer program product can also refer to the above-mentioned method embodiments, and the embodiments of the present application are not described herein again.
The foregoing is merely illustrative of specific embodiments of the present application, and the scope of the present application is not limited thereto, but any changes or substitutions within the technical scope of the present application should be covered by the scope of the present application. Therefore, the protection scope of the present application should be subject to the protection scope of the claims.

Claims (14)

1. An authentication method applied to a network access device, the network access device being configured to authenticate a terminal requesting access, the method comprising:
receiving an authentication request from a terminal, wherein the authentication request comprises a terminal identifier of the terminal;
generating n groups of verification information according to the terminal identifier; wherein n is a positive integer, each group of verification information in the n groups of verification information comprises a first ciphertext and a verification identifier, the first ciphertext is generated after the network access device encrypts a target field by adopting an encryption algorithm, and the first ciphertexts correspond one-to-one to the verification identifiers; the n target fields comprise n fields randomly generated by the network access device, or the n target fields comprise n-1 fields randomly generated by the network access device and an authentication password;
sending the n groups of verification information to the terminal, so that the terminal matches a second ciphertext with the first ciphertext in each of the n groups of verification information respectively and determines whether a first ciphertext identical to the second ciphertext exists; if so, determining the verification identifier in the verification information to which the first ciphertext identical to the second ciphertext belongs as a target identifier; if not, determining a preset empty identifier as the target identifier;
receiving feedback information from the terminal; the feedback information comprises the target identifier; the target identifier is an identifier determined according to a matching result of the second ciphertext and the first ciphertext; the second ciphertext is generated after the authentication password of the terminal is encrypted according to the encryption algorithm;
and determining whether the terminal passes authentication according to the feedback information.
2. The method of claim 1, wherein generating n sets of authentication information based on the terminal identification comprises:
determining the n target fields;
encrypting the n target fields according to the encryption algorithm to determine n first ciphertexts;
matching a corresponding verification identifier to each first ciphertext in the n first ciphertexts;
generating the n groups of verification information according to the n first ciphertexts and the verification identifier corresponding to each first ciphertext in the n first ciphertexts.
3. The method according to claim 2, wherein in case the n target fields include n-1 target fields randomly generated by the network access device and the authentication password, the determining whether the terminal is authenticated according to the feedback information comprises:
determining whether the feedback information comprises a verification identifier corresponding to the first ciphertext generated according to the authentication password;
if so, determining that the terminal authentication passes;
and if not, determining that the terminal authentication is not passed.
4. The method according to claim 2, wherein, in the case that the n target fields include n target fields randomly generated by the network access device, the determining whether the terminal is authenticated according to the feedback information includes:
determining whether the feedback information comprises a verification identifier corresponding to any ciphertext of the n first ciphertexts;
if not, determining that the terminal authentication passes;
and if so, determining that the terminal authentication is not passed.
5. The method according to claim 3 or 4, characterized in that after said determining that the terminal authentication is passed, the method further comprises:
determining whether the current authentication times of the terminal are larger than a preset value;
if yes, determining that the terminal authentication is successful, indicating the terminal to be accessed to the network access equipment, and ending the authentication process;
if not, regenerating n groups of verification information according to the terminal identification, and sending the n groups of verification information to the terminal.
6. An authentication method applied to a terminal, the terminal being used for requesting access to a network access device, the method comprising:
sending an authentication request to the network access device, wherein the authentication request comprises a terminal identifier of the terminal;
receiving n groups of verification information from the network access device; wherein n is a positive integer, each group of verification information in the n groups of verification information comprises a first ciphertext and a verification identifier, the first ciphertext is generated after the network access device encrypts a target field by adopting an encryption algorithm, and the first ciphertexts correspond one-to-one to the verification identifiers; the n target fields comprise n fields randomly generated by the network access device, or the n target fields comprise n-1 fields randomly generated by the network access device and an authentication password;
encrypting the authentication password of the terminal according to the encryption algorithm to generate a second ciphertext;
matching the second ciphertext with the first ciphertext in each of the n groups of verification information respectively, and determining whether a first ciphertext identical to the second ciphertext exists;
if so, determining the verification identifier in the verification information to which the first ciphertext identical to the second ciphertext belongs as a target identifier;
if not, determining a preset empty identifier as the target identifier;
generating feedback information according to the target identifier;
and sending the feedback information to the network access device.
7. An authentication apparatus applied to a network access device for authenticating a terminal requesting access, the apparatus comprising: a processing unit and a communication unit;
the communication unit is configured to receive an authentication request from a terminal, wherein the authentication request comprises a terminal identifier of the terminal;
the processing unit is configured to generate n groups of verification information according to the terminal identifier; wherein n is a positive integer, each group of verification information in the n groups of verification information comprises a first ciphertext and a verification identifier, the first ciphertext is generated after the network access device encrypts a target field by adopting an encryption algorithm, and the first ciphertexts correspond one-to-one to the verification identifiers; the n target fields comprise n fields randomly generated by the network access device, or the n target fields comprise n-1 fields randomly generated by the network access device and an authentication password;
the communication unit is further configured to send the n groups of verification information to the terminal, so that the terminal matches a second ciphertext with the first ciphertext in each of the n groups of verification information respectively and determines whether a first ciphertext identical to the second ciphertext exists; if so, determining the verification identifier in the verification information to which the first ciphertext identical to the second ciphertext belongs as a target identifier; if not, determining a preset empty identifier as the target identifier;
the communication unit is further configured to receive feedback information from the terminal; the feedback information comprises the target identifier; the target identifier is an identifier determined according to a matching result of the second ciphertext and the first ciphertext;
the second ciphertext is generated after the authentication password of the terminal is encrypted according to the encryption algorithm;
and the processing unit is configured to determine whether the terminal passes authentication according to the feedback information.
8. The apparatus according to claim 7, wherein the processing unit is specifically configured to:
determining the n target fields;
encrypting the n target fields according to the encryption algorithm to determine n first ciphertexts;
matching a corresponding verification identifier to each first ciphertext in the n first ciphertexts;
generating the n groups of verification information according to the n first ciphertexts and the verification identifier corresponding to each first ciphertext in the n first ciphertexts.
9. The apparatus of claim 8, wherein the processing unit is further configured to:
determining whether the feedback information comprises a verification identifier corresponding to the first ciphertext generated according to the authentication password;
if so, determining that the terminal authentication passes;
and if not, determining that the terminal authentication is not passed.
10. The apparatus of claim 9, wherein the processing unit is further configured to:
determining whether the feedback information comprises a verification identifier corresponding to any ciphertext of the n first ciphertexts;
if not, determining that the terminal authentication passes;
and if so, determining that the terminal authentication is not passed.
11. The apparatus according to claim 9 or 10, wherein the processing unit is further configured to:
determining whether the current number of authentications of the terminal is greater than a preset value;
if so, determining that the terminal is successfully authenticated, allowing the terminal to access the network access device, and ending the authentication process;
if not, regenerating n groups of verification information according to the terminal identifier and instructing the communication unit to send the regenerated n groups of verification information to the terminal.
12. An authentication apparatus applied to a terminal for requesting access to a network access device, the apparatus comprising: a processing unit and a communication unit;
the communication unit is configured to send an authentication request to the network access device, wherein the authentication request comprises a terminal identifier of the terminal;
the communication unit is further configured to receive n groups of verification information from the network access device; wherein n is a positive integer, each group of verification information in the n groups of verification information comprises a first ciphertext and a verification identifier, the first ciphertext is generated after the network access device encrypts a target field by adopting an encryption algorithm, and the first ciphertexts correspond one-to-one to the verification identifiers; the n target fields comprise n fields randomly generated by the network access device, or the n target fields comprise n-1 fields randomly generated by the network access device and an authentication password;
the processing unit is configured to encrypt the authentication password of the terminal according to the encryption algorithm to generate a second ciphertext;
the processing unit is further configured to match the second ciphertext with the first ciphertext in each of the n groups of verification information respectively, and to determine whether a first ciphertext identical to the second ciphertext exists;
if so, the processing unit is further configured to determine the verification identifier in the verification information to which the first ciphertext identical to the second ciphertext belongs as a target identifier;
if not, the processing unit is further configured to determine a preset empty identifier as the target identifier;
the processing unit is further configured to generate feedback information according to the target identifier;
and the communication unit is further configured to send the feedback information to the network access device.
13. An authentication apparatus, comprising: a processor and a communication interface; the communication interface is coupled to the processor for running a computer program or instructions to implement the authentication method as claimed in any one of claims 1-6.
14. A computer readable storage medium having instructions stored therein, characterized in that when executed by a computer, the computer performs the authentication method as claimed in any one of the preceding claims 1-6.
CN202310144760.9A 2023-02-06 2023-02-06 Authentication method, authentication device and storage medium Active CN116193429B (en)
Publications (2)

Publication Number Publication Date
CN116193429A CN116193429A (en) 2023-05-30
CN116193429B true CN116193429B (en) 2024-07-26
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant