CN116318747A - Method and device for realizing one-key login service - Google Patents


Info

Publication number
CN116318747A
Authority
CN
China
Prior art keywords
application client
fingerprint information
terminal equipment
operation value
token
Prior art date
Legal status
Pending
Application number
CN202211088930.8A
Other languages
Chinese (zh)
Inventor
张婉桥
黄琳
施尚成
陈薇婷
简云定
刘宇佳
曹鸿健
伏伟
Current Assignee
Alipay Hangzhou Information Technology Co Ltd
Original Assignee
Alipay Hangzhou Information Technology Co Ltd
Priority date
Filing date
Publication date

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H04L 63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L 63/0861 Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • Biomedical Technology (AREA)
  • General Health & Medical Sciences (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The embodiments of this specification provide a method and device for implementing a one-key login service. Before a token is obtained, the application client sends fingerprint information of the terminal device currently running it to the operator server, and the operator server calculates a first operation value from that fingerprint information using a shared symmetric key agreed in advance with the application server. After the token is obtained, the application client sends the first operation value and the fingerprint information of the terminal device currently running it to the application server. The application server calculates a second operation value using the shared symmetric key agreed in advance with the operator server and the fingerprint information it received; if the first and second operation values are the same, the one-key login verification succeeds, otherwise it fails. The embodiments improve the security of the one-key login service and prevent leakage of the user's private data.

Description

Method and device for realizing one-key login service
Technical Field
One or more embodiments of this specification relate to network information technology, and in particular to a method and apparatus for implementing a one-key login service.
Background
With the rapid development of networks, a wide variety of business applications have been built on them. A user can use such an application, for example to watch a movie or buy goods, simply by downloading its application client (APP) to a terminal device and registering and logging in through that client.
To make this easier for users, a new way of logging in to an APP has appeared: one-key login. In the one-key login method, an authentication SDK is embedded in advance in the terminal device (for example a mobile phone) on which the application client is located. When the user requests login, the SDK communicates with the operator server to obtain the user's mobile phone number; after the user consents to the authorization, the application client obtains a token for calling the interface and passes it to the application server, and the application server uses the token to obtain information such as the mobile phone number of the currently authorized user from the operator server, thereby completing login to the APP.
Referring to Fig. 1, in the one-key login service the user only needs to tap the one-key login button and does not need to enter a mobile phone number, user name, password or SMS verification code, so the registration and login process is completed much faster: a process that originally took about 20 seconds is shortened to about 2 seconds, which is a great convenience for the user.
However, the security of current one-key login services is relatively low and easily leads to leakage of the user's private data, so a more secure way of implementing the one-key login service is needed.
Disclosure of Invention
One or more embodiments of this specification describe a method and apparatus for implementing a one-key login service that can improve the security of the one-key login service.
According to a first aspect, a method for implementing a one-key login service is provided, including:
before obtaining a token, sending fingerprint information of the terminal device currently running the application client to an operator server;
obtaining a first operation value sent by the operator server;
after obtaining the token sent by the operator server, sending a one-key login confirmation request to the application server, where the one-key login confirmation request carries the token, the first operation value and the fingerprint information of the terminal device currently running the application client;
if login authorization sent by the application server is received, the one-key login succeeds.
Sending the fingerprint information of the terminal device currently running the application client to the operator server includes: carrying the fingerprint information of the terminal device currently running the application client in a one-key login request or an identity verification request sent to the operator server;
and/or
obtaining the first operation value sent by the operator server includes: receiving an authentication-passing message sent by the operator server that carries the token and the first operation value, and obtaining the first operation value from that message.
The fingerprint information of the terminal device includes at least one of: the intranet IP address of the terminal device, an identifier of the local area network used by the terminal device, and an identification code of the terminal device.
According to a second aspect, a method for implementing a one-key login service is provided, including:
receiving a one-key login confirmation request carrying a token sent by an application client, where the one-key login confirmation request also carries a first operation value and fingerprint information of the terminal device currently running the application client;
calculating a second operation value using a shared symmetric key agreed in advance with the operator server and the fingerprint information of the terminal device currently running the application client obtained from the one-key login confirmation request;
judging whether the first operation value carried in the one-key login confirmation request is the same as the calculated second operation value; if so, the one-key login verification succeeds, otherwise it fails.
The fingerprint information of the terminal device includes at least one of: the intranet IP address of the terminal device, an identifier of the local area network used by the terminal device, and an identification code of the terminal device.
Performing the calculation includes: performing a hash calculation;
and/or
the one-key login confirmation request also carries the IP address of the terminal device currently running the application client and the APP ID of the application client; correspondingly, calculating the second operation value using the shared symmetric key agreed in advance with the operator server and the fingerprint information of the terminal device currently running the application client obtained from the one-key login confirmation request includes:
calculating over the token obtained from the one-key login confirmation request, the fingerprint information of the terminal device currently running the application client, the IP address of the terminal device and the APP ID, using the shared symmetric key agreed in advance with the operator server.
According to a third aspect, a method for implementing a one-key login service is provided, including:
before issuing a token to an application client, obtaining fingerprint information, sent by the application client, of the terminal device currently running the application client;
after generating the token, calculating a first operation value using a shared symmetric key agreed in advance with the application server and the fingerprint information of the terminal device currently running the application client;
sending the generated first operation value to the application client.
Obtaining the fingerprint information, sent by the application client, of the terminal device currently running the application client includes:
receiving a one-key login request sent by the application client and obtaining from it the fingerprint information of the terminal device currently running the application client;
or
receiving an identity verification request by which the application client requests a token, and obtaining from it the fingerprint information of the terminal device currently running the application client.
Performing the calculation includes: performing a hash calculation;
and/or
the method further includes: receiving an identity verification request sent by the application client and obtaining from it the IP address of the terminal device and the APP ID of the application client; correspondingly, calculating the first operation value using the shared symmetric key agreed in advance with the application server, the generated token and the fingerprint information of the terminal device currently running the application client includes:
calculating over the generated token, the fingerprint information of the terminal device currently running the application client, the IP address of the terminal device and the APP ID, using the shared symmetric key agreed in advance with the application server.
According to a fourth aspect, an apparatus for implementing a one-key login service is provided, including:
a first fingerprint information sending module, configured to send fingerprint information of the terminal device currently running the application client to an operator server before a token is obtained;
an operation value obtaining module, configured to obtain a first operation value sent by the operator server;
a second fingerprint information sending module, configured to send a one-key login confirmation request to the application server after the token sent by the operator server is obtained, where the one-key login confirmation request carries the token, the first operation value and the fingerprint information of the terminal device currently running the application client;
and a login execution module, configured to complete the one-key login if login authorization sent by the application server is received.
According to a fifth aspect, an apparatus for implementing a one-key login service is provided, including:
a first operation value obtaining module, configured to receive a one-key login confirmation request carrying a token sent by an application client, where the one-key login confirmation request also carries a first operation value and fingerprint information of the terminal device currently running the application client;
a second operation value obtaining module, configured to calculate a second operation value using a shared symmetric key agreed in advance with the operator server and the fingerprint information of the terminal device currently running the application client obtained from the one-key login confirmation request;
and a verification module, configured to judge whether the first operation value carried in the one-key login confirmation request is the same as the calculated second operation value; if so, the one-key login verification succeeds, otherwise it fails.
According to a sixth aspect, an apparatus for implementing a one-key login service is provided, including:
a first fingerprint information obtaining module, configured to obtain, before a token is sent to the application client, fingerprint information sent by the application client of the terminal device currently running the application client;
a first operation value calculation module, configured to calculate, after the token is generated, a first operation value using a shared symmetric key agreed in advance with the application server and the fingerprint information of the terminal device currently running the application client;
and a first operation value sending module, configured to send the generated first operation value to the application client.
According to a seventh aspect, there is provided a computing device comprising a memory having executable code stored therein and a processor which, when executing the executable code, implements a method as described in any of the embodiments of the present specification.
A combination of one or more embodiments of the present description has at least the following beneficial effects:
1. The application client sends the fingerprint information of its terminal device to the operator server in a first stage (before the operator server issues the token to the application client) and to the application server in a second stage (after the token is issued). Whether the fingerprint information sent in the two stages is the same determines whether the calculated first and second operation values are the same, so comparing the two operation values shows whether a one-key login confirmation request came from an attacker's terminal device X. The application server is thereby prevented from providing the application service corresponding to the application client to terminal device X, which improves security.
2. Signature verification can be performed between the application server and the operator server, further ensuring the legitimacy of both servers and further improving the security of the one-key login service.
3. The application server and the operator server agree on a shared symmetric key. The shared symmetric key used to calculate the operation values is therefore stored on the server side, not in the application client or terminal device, which improves security.
Drawings
In order to more clearly illustrate the embodiments of the present description or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, and it is obvious that the drawings in the following description are some embodiments of the present description, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic diagram of the operation of a one-key login service.
Fig. 2 is a schematic diagram of a system architecture to which an embodiment of this specification applies.
Fig. 3 is a flowchart of a method for implementing a one-key login service in an application client according to one embodiment of this specification.
Fig. 4 is a flowchart of a method for implementing a one-key login service in an application server according to one embodiment of this specification.
Fig. 5 is a flowchart of a method for implementing a one-key login service in an operator server according to one embodiment of this specification.
Fig. 6 is a flowchart of the information exchange among the operator server, the application client and the application server when they cooperate to implement a one-key login service according to one embodiment of this specification.
Fig. 7 is a schematic structural diagram of an apparatus for implementing a one-key login service in one embodiment of this specification.
Fig. 8 is a schematic structural diagram of an apparatus for implementing a one-key login service according to another embodiment of this specification.
Fig. 9 is a schematic structural diagram of an apparatus for implementing a one-key login service according to another embodiment of this specification.
Detailed Description
The following describes the scheme provided in the present specification with reference to the drawings.
For ease of understanding the methods provided in this specification, a description of the system architecture to which this specification relates and applies is first provided. As shown in fig. 2, the system architecture mainly includes three network nodes: application clients, application servers and operator servers.
Wherein the application client is installed and running in a terminal device, which may include, but is not limited to, such as: intelligent mobile terminals, intelligent home devices, network devices, wearable devices, intelligent medical devices, PCs (personal computers), etc. The smart mobile terminal may include, for example, a mobile phone, a tablet computer, a notebook computer, a PDA (personal digital assistant), an internet car, etc. The smart home devices may include smart home devices such as smart televisions, smart air conditioners, smart water heaters, smart refrigerators, smart air cleaners, etc., and may also include smart door locks, smart sockets, smart lights, smart cameras, etc. The network devices may include, for example, switches, wireless APs, servers, etc. Wearable devices may include devices such as smart watches, smart glasses, smart bracelets, virtual reality devices, augmented reality devices, mixed reality devices (i.e., devices that can support virtual reality and augmented reality), and so forth. Smart medical devices may include devices such as smart thermometers, smart blood pressure meters, smart blood glucose meters, and the like.
The application client may be various types of applications including, but not limited to, applications such as payment type applications, multimedia play type applications, map type applications, text editing type applications, financial type applications, browser type applications, instant messaging type applications, and the like.
The operator server is the server-side equipment of a provider of network services; it may be a single server or a group of servers. The operator server provides network services, such as security authentication and one-key login by mobile phone number, to the various applications.
An application server is the server of a specific application and provides the corresponding application service to that application's clients; for example, for the Alipay application client it is the server that provides the Alipay service.
It should be understood that the number of application clients, application servers, operator servers in fig. 2 is merely illustrative. Any number may be selected and deployed as desired for implementation.
Referring to fig. 2, an application client, an application server, and an operator server interact through a network. The network may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.
Because the implementation method of the one-key login service provided in this specification involves the three network nodes shown in Fig. 2, the processing of the operator server, the application client and the application server in the one-key login service is described below in separate embodiments.
First, the processing of the application client in the one-key login service is described.
Fig. 3 is a flowchart of a method for implementing a one-key login service in an application client according to one embodiment of this specification. Referring to Fig. 3, the method includes:
step 301: before the application client acquires the token, the application client sends fingerprint information of terminal equipment currently running the application client to an operator server; wherein the fingerprint information of different terminal devices is different.
Step 303: the application client obtains a first operation value sent by the operator server.
Step 305: after the application client acquires the token sent by the operator server, the application client sends a one-key login confirmation request to the application server, wherein the one-key login confirmation request carries the token, a first operation value and fingerprint information of terminal equipment currently running the application client.
Step 307: and if the application client receives the login authorization sent by the application server, the one-key login is successful.
In existing one-key login services the following situation arises. An attacker often monitors and attacks the link from the operator server to the application client and, using their own terminal device X, steals the token the operator server issued to the application client. The attacker then sends the token to the application server from terminal device X while impersonating the legitimate terminal device Y on which the application client is located. Because the token is valid, the application server obtains from the operator server the mobile phone number belonging to terminal device Y, and so mistakes terminal device X, from which the token was sent, for terminal device Y; that is, it takes the attacker for the legitimate user of the application client and provides the attacker with the corresponding application service, such as playing video the legitimate user is entitled to watch or completing a transfer. This creates security problems for the user and may leak the user's private data.
As the procedure shown in Fig. 3 makes clear, the one-key login flow executed in the application client adds a step in which a value is calculated from the fingerprint information of the terminal device and used for verification. Because different terminal devices have different fingerprint information, when no attacker impersonates the legitimate terminal device Y with a terminal device X, the fingerprint information the application client sends to the operator server in the first stage (before the operator server issues the token) and to the application server in the second stage (after the token is issued) is the same, and therefore the first operation value generated by the operator server and the second operation value generated by the application server are the same. Conversely, when an attacker impersonates terminal device Y with terminal device X, the fingerprint information sent in the two stages differs, and so do the two operation values. The method of this embodiment uses this property to verify whether a one-key login confirmation request came from an attacker's terminal device X, preventing the application server from providing the application service corresponding to the application client to that device and improving security.
The processing procedure of the application client shown in fig. 3 will be described in detail with reference to specific embodiments, the processing of the operator server, and the processing of the application server.
First for step 301: before the application client acquires the token, the application client sends fingerprint information of terminal equipment currently running the application client to an operator server.
In one embodiment of this specification, before the application client obtains the token from the operator server, it sends a one-key login request to the operator server to perform the initialization of one-key login with the operator server. One implementation of step 301 therefore is: the application client carries the fingerprint information of the terminal device currently running it in the one-key login request sent to the operator server, so that the operator server obtains that fingerprint information.
In another embodiment of this specification, before the application client obtains the token from the operator server, it sends an identity verification request to the operator server to request the token. Another implementation of step 301 therefore is: the application client carries the fingerprint information of the terminal device currently running it in the identity verification request sent to the operator server, so that the operator server obtains that fingerprint information.
In yet another embodiment of the present disclosure, a further implementation of step 301 includes: before the token is acquired, the application client sends the fingerprint information of the terminal device currently running the application client to the operator server, carried in other messages, such as a newly defined message.
In the embodiment of the present specification, the fingerprint information of the terminal device may be any information or a combination of several information capable of identifying the terminal device, such as an intranet IP address of the terminal device, an identification of a local area network used by the terminal device, an identification code (such as IMEI, MEID, or UDID) of the terminal device, and so on.
After performing step 301, the operator server obtains the fingerprint information of the terminal device running the application client in the first stage, i.e. before issuing the token to the application client. The operator server performs calculation, such as hash calculation, using the shared symmetric key agreed in advance with the application server and fingerprint information of the terminal device, so as to calculate a first operation value in a first stage.
In one embodiment of the present specification, the verification of the one-key login service may be based on a server-side integrity check: the operator server and the application server each perform an integrity calculation, such as a hash calculation, over the fingerprint information of the terminal device and the key parameters of the current one-key login service, and the two results are then compared. To this end, the operator server further obtains the IP address of the terminal device and the APP ID of the application client from the identity verification request sent by the application client; accordingly, the operator server calculates the first operation value as follows:
The operator server calculates the generated token, fingerprint information of the terminal device currently running the application client, an IP address of the terminal device and an APP ID by using a shared symmetric key agreed with the application server in advance, thereby calculating a first operation value.
And then, the operator server sends the generated first operation value to the application client.
Next, for step 303: the application client obtains a first operation value sent by the operator server.
Here, the operator server may send the generated first operation value together with the token to the application client in an authentication-passed message. In this step 303, the application client therefore receives the authentication-passed message carrying the token and the first operation value from the operator server and obtains the first operation value from that message.
Next for step 305: after the application client acquires the token sent by the operator server, the application client sends a one-key login confirmation request to the application server, wherein the one-key login confirmation request carries the token, a first operation value and fingerprint information of terminal equipment currently running the application client.
It should be noted that, if no attacker has stolen the token with a terminal device X, the terminal device currently running the application client in step 305 is the same terminal device as in step 301, so the fingerprint information sent to the application server in step 305 is the same as the fingerprint information sent to the operator server in step 301. Conversely, if an attacker has stolen the token and uses it from a terminal device X, the terminal device running the application client in step 305 differs from the terminal device that ran it in step 301, so the fingerprint information sent to the application server in step 305 differs from the fingerprint information sent to the operator server in step 301.
After receiving the one-key login confirmation request, the application server acquires the token, the first operation value and the fingerprint information of the terminal equipment of the current running application client in the second stage (namely after the token is issued to the application client). The application server may perform calculation, such as hash calculation, using the shared symmetric key agreed with the operator server in advance and the acquired fingerprint information of the terminal device, so as to calculate the second operation value in the second stage.
In one embodiment of the present specification, as described above, the verification of the one-key login service may be based on a server-side integrity check in which the operator server and the application server each perform an integrity calculation, such as a hash calculation, over the fingerprint information of the terminal device and the key parameters of the current one-key login service, and the two results are compared. Accordingly, the application server calculates the second operation value as follows:
the application server calculates the token acquired from the one-key login confirmation request, fingerprint information of the terminal device currently running the application client, an IP address of the terminal device, and an APP ID by using a shared symmetric key agreed with the operator server in advance, thereby calculating a second operation value.
Then, the application server judges whether the first operation value carried in the one-key login confirmation request is the same as the calculated second operation value:
if the terminal device currently running the application client in step 305 is the same as the one in step 301, the two pieces of fingerprint information are the same and no attacker has stolen the token; the two operation values match, the one-key login verification succeeds, and the application server obtains the mobile phone number of the terminal device from the operator server and then issues login authorization to the application client;
if the terminal device running the application client in step 305 differs from the one in step 301, as when an attacker has stolen the token, the two pieces of fingerprint information differ; the two operation values do not match and the one-key login verification fails.
Next for step 307: and if the application client receives the login authorization sent by the application server, the one-key login is successful.
In the embodiment of the present description, the application server agrees with the operator server to share the symmetric key. It can be seen that the shared symmetric key used to calculate the operand is stored at the server side, not at the application client or terminal device, thus improving security.
The following describes the processing performed by the application server in the one-key login service in the embodiment of the present specification.
Fig. 4 is a flowchart of a method for implementing a one-key login service in an application server according to one embodiment of the present specification. Referring to Fig. 4, the method includes:
step 401: the application server receives a one-key login confirmation request carrying a token sent by an application client; the one-key login confirmation request also carries a first operation value and fingerprint information of the terminal equipment currently running the application client.
For an understanding and explanation of this step 401, reference is made to the explanation of step 305 described above.
The first operation value was calculated by the operator server using the fingerprint information of the terminal device running the application client as obtained in the first stage. In this step 401, the application server obtains the fingerprint information of the terminal device running the application client in the second stage.
Step 403: the application server calculates a second operation value by using the shared symmetric key agreed with the operator server in advance and the fingerprint information of the terminal equipment currently running the application client acquired from the one-key login confirmation request.
Referring to the description of step 305 above, the process of step 403 may include: the application server calculates, for example, hash calculation, the token acquired from the one-key login confirmation request, fingerprint information of the terminal device currently running the application client, an IP address of the terminal device, and an APP ID by using a shared symmetric key agreed with the operator server in advance, thereby calculating a second operation value.
Step 405: the application server judges whether the first operation value carried in the one-key login confirmation request is the same as the calculated second operation value, if so, the one-key login verification is successful, and if not, the one-key login verification is failed.
For an understanding and explanation of this step 405, reference is made to the explanation of step 305 above.
In step 405, if the one-key login verification succeeds, server signature verification may additionally be performed between the application server and the operator server to confirm the legitimacy of each server to the other and further improve the security of the one-key login service. This has two aspects:
In one aspect, the operator server verifies the signature of the application server to confirm the legitimacy of the application server. Specifically: after the one-key login verification succeeds, the application server sends a number acquisition request to the operator server, signed with the shared symmetric key agreed in advance with the operator server (denoted "apphmac"). The operator server verifies the signature against its own stored copy of "apphmac", thereby verifying the legitimacy of the application server, and if the signature verification succeeds, provides the mobile phone number of the terminal device to the application server.
In the other aspect, the application server verifies the signature of the operator server to confirm the legitimacy of the operator server. Specifically: when the operator server provides the mobile phone number of the terminal device to the application server, it signs the provided number with the shared symmetric key "apphmac" agreed in advance with the application server. The application server verifies the signature against its own stored copy of "apphmac", thereby verifying the legitimacy of the operator server, and if the signature verification succeeds, issues login authorization to the application client.
The following describes the processing performed by the operator server in the one-key login service in the embodiment of the present specification.
Fig. 5 is a flowchart of a method for implementing a one-key login service in an operator server according to one embodiment of the present specification. Referring to Fig. 5, the method includes:
step 501: before issuing a token to an application client, an operator server obtains fingerprint information of terminal equipment which is sent by the application client and currently runs the application client.
The relevant description of this step 501 may be found in the relevant description of step 301.
For example, the process of this step 501 includes:
the method comprises the steps that an operator server receives a one-key login request sent by an application client, and fingerprint information of terminal equipment running the application client at present and sent by the application client is obtained from the one-key login request;
or,
the operator server receives an authentication request for requesting a token from an application client, and obtains fingerprint information of terminal equipment currently running the application client from the authentication request.
Step 503: after the token is generated, the operator server calculates a first operation value by using the shared symmetric key agreed with the application server in advance and the fingerprint information of the terminal equipment currently running the application client.
The relevant description of this step 503 can be found in the relevant description of step 301.
For example, the operator server receives an authentication request sent by the application client, and acquires the IP address of the terminal device and the APP ID of the application client from the authentication request; the process of this step 503 includes:
and calculating the generated token, fingerprint information of the terminal equipment currently running the application client, the IP address of the terminal equipment and the APP ID by utilizing the shared symmetric key agreed with the application server in advance.
Step 505: the operator server sends the generated first operation value to the application client.
The relevant description of this step 505 can be found in the relevant description of step 303.
The implementation method of the one-key login service is described below in combination with the cooperation of the application client, the application server and the operator server. Referring to fig. 6, the method includes:
step 601: the application client sends a one-key login request carrying the APP ID to the operator server so as to facilitate the initialization process of one-key login with the operator server.
Step 603: the operator server sends the generated session key to the application client.
Step 605: the application client gets the user authorization, i.e. the user clicks a one-touch login key on the screen.
Step 607: the application client sends an identity verification request to the operator server by using the session key so as to request a token; the authentication request carries APP ID, time stamp, IP address and fingerprint information of terminal equipment of the current running application client.
Here, the IP address carried in the identity verification request is the IP address of the terminal device on which the application client runs; it may include an IPv4 address and an IPv6 address.
Step 609: after receiving the identity verification request, the operator server generates a token and, using the shared symmetric key agreed in advance with the application server, hashes the generated token together with the fingerprint information of the terminal device currently running the application client, the IP address of the terminal device and the APP ID carried in the identity verification request, obtaining the first operation value.
Step 611: and the operator server transmits the token and the first operation value to the application client.
Step 613: the application client sends a one-key login confirmation request to the application server, wherein the request carries a token, an IP address of the terminal equipment, an APP ID, a first operation value and fingerprint information of the terminal equipment currently running the application client.
Step 615: the application server performs hash calculation on the token acquired from the one-key login confirmation request, fingerprint information of the terminal equipment currently running the application client, an IP address of the terminal equipment and an APP ID by using a shared symmetric key agreed with the operator server in advance, so as to obtain a second operation value.
Step 617: the application server judges whether the first operation value in the one-key login confirmation request is the same as the calculated second operation value, if so, step 619 is executed if the one-key login verification is successful, otherwise, the one-key login verification fails, and the current flow is ended.
Step 619: the application server signs the number acquisition request using a shared symmetric key "apphmac" previously agreed with the operator server, and then transmits to the operator server.
Step 621: the operator server verifies whether the signature is correct or not based on the 'apphmac' which is stored by the operator server and is pre-agreed with the application server, namely, the legitimacy of the application server is verified, and if the signature verification is successful, the operator server signs the mobile phone number of the provided terminal device by using the shared symmetric key 'apphmac' which is pre-agreed with the application server and then sends the mobile phone number to the application server.
Step 623: the application server verifies whether the signature is correct or not based on the 'apphmac' which is stored by the application server and is pre-agreed with the operator server, namely, the legitimacy of the operator server is verified, and if the signature verification is successful, login authorization is issued to the application client.
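The three-party exchange of steps 601 to 623, together with the stolen-token case discussed under step 305, as an added worked example; it is not part of this patent or of any Alipay or operator implementation. It is written in Python and assumes HMAC-SHA256 as the keyed "hash calculation" (the specification fixes neither the hash function nor the message encoding), a constructed key "apphmac" held only by the two servers, and constructed fingerprints, IP addresses, APP ID and phone number. The session key of steps 601 and 603 is omitted because it plays no part in the operation values. The legitimate flow ends in login authorization carrying the phone number; replaying the token and first operation value from a terminal X that reports its own fingerprint fails at the comparison of step 617; a number acquisition request not signed with "apphmac" is refused in step 621.

```python
import hashlib
import hmac
import json
import secrets

# Constructed for this example: the shared symmetric key the text calls "apphmac".
# It is held only by the operator server and the application server; the
# application client never sees it.
APPHMAC = b"example-operator-appserver-shared-key"


def keyed_hash(key: bytes, *fields: str) -> str:
    """HMAC-SHA256 over a JSON-encoded list of the fields. This stands in for the
    specification's 'hash calculation using the shared symmetric key'; the hash
    function and the field encoding are assumptions, not fixed by the text."""
    msg = json.dumps(list(fields), separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def canonical(payload: dict) -> str:
    """Deterministic encoding of a signed message so both servers hash the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":"))


class OperatorServer:
    def __init__(self, key: bytes, numbers: dict):
        self.key = key
        self.numbers = numbers  # constructed: device fingerprint -> mobile phone number
        self.issued = {}        # token -> fingerprint presented when the token was issued

    def authenticate(self, app_id: str, ip: str, fingerprint: str):
        """Steps 607 to 611: generate a token and the first operation value over
        the token, fingerprint, IP address and APP ID."""
        token = secrets.token_hex(16)
        self.issued[token] = fingerprint
        first = keyed_hash(self.key, token, fingerprint, ip, app_id)
        return token, first

    def get_number(self, request: dict, signature: str):
        """Step 621: verify the application server's apphmac signature, then return
        the phone number signed with the same key. None means the request is refused."""
        if not hmac.compare_digest(keyed_hash(self.key, canonical(request)), signature):
            return None
        fingerprint = self.issued.get(request["token"])
        if fingerprint is None or fingerprint not in self.numbers:
            return None
        reply = {"token": request["token"], "phone": self.numbers[fingerprint]}
        return reply, keyed_hash(self.key, canonical(reply))


class ApplicationServer:
    def __init__(self, key: bytes, operator: OperatorServer):
        self.key = key
        self.operator = operator

    def confirm_login(self, req: dict) -> dict:
        """Steps 615 to 623 on a one-key login confirmation request."""
        second = keyed_hash(self.key, req["token"], req["fingerprint"], req["ip"], req["app_id"])
        if not hmac.compare_digest(req["first"], second):  # step 617
            return {"authorized": False, "reason": "operation value mismatch"}
        number_req = {"token": req["token"], "app_id": req["app_id"]}  # step 619
        answer = self.operator.get_number(number_req, keyed_hash(self.key, canonical(number_req)))
        if answer is None:
            return {"authorized": False, "reason": "number request refused"}
        reply, sig = answer
        if not hmac.compare_digest(keyed_hash(self.key, canonical(reply)), sig):  # step 623
            return {"authorized": False, "reason": "operator signature invalid"}
        return {"authorized": True, "phone": reply["phone"]}


def build_system():
    operator = OperatorServer(APPHMAC, {"fp-user-device": "13800000000"})  # constructed data
    return operator, ApplicationServer(APPHMAC, operator)

def legitimate_login() -> dict:
    """The same terminal presents its fingerprint in step 607 and in step 613."""
    operator, app = build_system()
    token, first = operator.authenticate("app-123", "203.0.113.10", "fp-user-device")
    return app.confirm_login({"token": token, "first": first, "app_id": "app-123",
                              "ip": "203.0.113.10", "fingerprint": "fp-user-device"})

def stolen_token_login() -> dict:
    """An attacker replays the token and first value from terminal X; X reports its own
    fingerprint and IP address, so the second operation value does not match."""
    operator, app = build_system()
    token, first = operator.authenticate("app-123", "203.0.113.10", "fp-user-device")
    return app.confirm_login({"token": token, "first": first, "app_id": "app-123",
                              "ip": "198.51.100.7", "fingerprint": "fp-terminal-x"})

def unsigned_number_request():
    """A caller without apphmac cannot obtain a number: step 621 refuses the request."""
    operator, _ = build_system()
    token, _ = operator.authenticate("app-123", "203.0.113.10", "fp-user-device")
    req = {"token": token, "app_id": "app-123"}
    return operator.get_number(req, keyed_hash(b"not-apphmac", canonical(req)))
```

The comparison in confirm_login is only as strong as the binding between the fingerprint presented in step 607 and the one presented in step 613: the application server recomputes the value over whatever the confirming device reports, which is why the attacker case in the text is a terminal X that reports a fingerprint different from the one the token was issued against.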
In one embodiment of the present disclosure, a device for implementing a one-touch login service is provided, where the device is disposed in an application client, and referring to fig. 7, the device includes:
a first fingerprint information sending module 701, configured to send the fingerprint information of the terminal device currently running the application client to the operator server before the token is acquired;
an operation value obtaining module 702, configured to obtain the first operation value sent by the operator server;
a second fingerprint information sending module 703, configured to send a one-key login confirmation request to the application server after the token sent by the operator server is acquired, where the one-key login confirmation request carries the token, the first operation value and the fingerprint information of the terminal device currently running the application client;
a login execution module 704, configured to treat the one-key login as successful if login authorization sent by the application server is received.
In one embodiment of the present description apparatus shown in fig. 7, the first fingerprint information transmission module 701 is configured to perform: and carrying the fingerprint information of the terminal equipment currently running the application client in a one-key login request or an identity verification request and sending the fingerprint information to an operator server.
In one embodiment of the apparatus of the present specification shown in Fig. 7, the operation value obtaining module 702 is configured to: receive the authentication-passed message carrying the token and the first operation value sent by the operator server, and obtain the first operation value from that message.
In one embodiment of the apparatus of the present specification shown in fig. 7, the fingerprint information of the terminal device includes at least one of the following: the method comprises the steps of an intranet IP address of the terminal equipment, an identifier of a local area network used by the terminal equipment and an identification code of the terminal equipment.
In an embodiment of the present disclosure, a device for implementing a one-touch login service is provided, where the device is disposed in an application server, and referring to fig. 8, the device includes:
a first operation value acquisition module 801, configured to receive a one-key login confirmation request carrying a token sent by the application client, where the one-key login confirmation request also carries a first operation value and the fingerprint information of the terminal device currently running the application client;
a second operation value acquisition module 802, configured to calculate a second operation value using the shared symmetric key agreed in advance with the operator server and the fingerprint information of the terminal device currently running the application client obtained from the one-key login confirmation request;
the verification module 803 is configured to determine whether the first operation value carried in the one-key login confirmation request is the same as the calculated second operation value, if so, the one-key login verification is successful, otherwise, the one-key login verification fails.
In one embodiment of the apparatus of the present specification shown in fig. 8, the fingerprint information of the terminal device includes at least one of the following: the method comprises the steps of an intranet IP address of the terminal equipment, an identifier of a local area network used by the terminal equipment and an identification code of the terminal equipment.
In one embodiment of the apparatus of the present specification shown in Fig. 8, the second operation value acquisition module 802 performs a hash calculation.
In one embodiment of the apparatus of the present specification shown in Fig. 8, the one-key login confirmation request further carries the IP address of the terminal device currently running the application client and the APP ID of the application client; accordingly, the second operation value acquisition module 802 is configured to perform operations comprising:
and calculating the token acquired from the one-key login confirmation request, fingerprint information of the terminal equipment currently running the application client, the IP address of the terminal equipment and the APP ID by utilizing a shared symmetric key agreed with the operator server in advance.
In an embodiment of the present disclosure, a device for implementing a one-key login service is provided, where the device is disposed in an operator server, and referring to fig. 9, the device includes:
a first fingerprint information obtaining module 901, configured to obtain, before a token is issued to the application client, the fingerprint information of the terminal device currently running the application client as sent by the application client;
a first operation value calculation module 902, configured to calculate, after the token is generated, a first operation value using the shared symmetric key agreed in advance with the application server and the fingerprint information of the terminal device currently running the application client;
a first operation value sending module 903, configured to send the generated first operation value to the application client.
In one embodiment of the present description apparatus shown in fig. 9, the first fingerprint information acquisition module 901 is configured to perform:
and receiving a one-key login request sent by the application client, and acquiring fingerprint information of terminal equipment which is sent by the application client and runs the application client currently from the one-key login request.
In one embodiment of the present description apparatus shown in fig. 9, the first fingerprint information acquisition module 901 is configured to perform: and receiving an authentication request for requesting a token from an application client, and acquiring fingerprint information of terminal equipment currently running the application client from the authentication request.
In one embodiment of the apparatus of the present specification shown in Fig. 9, the first operation value calculation module 902 performs a hash calculation.
In one embodiment of the apparatus of the present specification shown in Fig. 9, the first operation value calculation module 902 is configured to perform operations comprising:
receiving an authentication request sent by an application client, and acquiring an IP address of a terminal device and an APP ID of the application client from the authentication request;
And calculating the generated token, fingerprint information of the terminal equipment currently running the application client, the IP address of the terminal equipment and the APP ID by utilizing the shared symmetric key agreed with the application server in advance.
An embodiment of the present specification provides a computer-readable storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to perform the method of any of the embodiments of the specification. An embodiment of the present specification provides a computing device including a memory having executable code stored therein and a processor that, when executing the executable code, performs a method of any of the embodiments of the present specification.
It should be understood that the structures illustrated in the embodiments of the present specification do not constitute a particular limitation on the apparatus of the embodiments of the present specification. In other embodiments of the specification, the apparatus may include more or less components than illustrated, or certain components may be combined, or certain components may be split, or different arrangements of components. The illustrated components may be implemented in hardware, software, or a combination of software and hardware.
The content of information interaction and execution process between the modules in the device and the system is based on the same concept as the method embodiment of the present specification, and specific content can be referred to the description in the method embodiment of the present specification, which is not repeated herein.
In this specification, each embodiment is described in a progressive manner, and identical and similar parts of each embodiment are all referred to each other, and each embodiment mainly describes differences from other embodiments. In particular, for the device embodiments, since they are substantially similar to the method embodiments, the description is relatively simple, and reference is made to the description of the method embodiments in part.
Those skilled in the art will appreciate that in one or more of the examples described above, the functions described in the present invention may be implemented in hardware, software, firmware, or any combination thereof. When implemented in software, these functions may be stored on or transmitted over a computer-readable medium as one or more instructions or code.
The foregoing embodiments have been provided for the purpose of illustrating the general principles of the present invention in further detail, and are not to be construed as limiting the scope of the invention, but are merely intended to cover any modifications, equivalents, improvements, etc. based on the teachings of the invention.

Claims (13)

1. A method for implementing a one-key login service, performed by an application client, the method comprising:
before acquiring a token, transmitting fingerprint information of terminal equipment currently running the application client to an operator server;
obtaining a first operation value sent by an operator server;
after the token sent by the operator server is obtained, a one-key login confirmation request is sent to the application server, wherein the one-key login confirmation request carries the token, a first operation value and fingerprint information of terminal equipment of the current running application client;
if the login authorization sent by the application server is received, the one-key login is successful.
2. The method of claim 1, wherein the transmitting fingerprint information of the terminal device currently running the application client to the operator server includes: the fingerprint information of the terminal equipment currently running the application client is carried in a one-key login request or an identity verification request and is sent to an operator server;
and/or,
the obtaining the first operation value sent by the operator server includes: and receiving an authentication passing message carrying the token and the first operation value sent by the operator server, and obtaining the first operation value from the authentication passing message.
3. The method of claim 1, wherein,
the fingerprint information of the terminal device includes at least one of: the method comprises the steps of an intranet IP address of the terminal equipment, an identifier of a local area network used by the terminal equipment and an identification code of the terminal equipment.
4. A method for implementing a one-key login service, performed by an application server, the method comprising:
receiving a one-key login confirmation request carrying a token sent by an application client; the one-key login confirmation request also carries a first operation value and fingerprint information of terminal equipment currently running the application client;
acquiring a first operation value from a one-key login confirmation request and fingerprint information of terminal equipment currently running the application client;
calculating by utilizing a shared symmetric key appointed by an operator server in advance and fingerprint information of terminal equipment currently running the application client, and calculating a second operation value;
and judging whether the first operation value is the same as the second operation value, if so, successfully performing one-key login verification, and otherwise, failing one-key login verification.
5. The method of claim 4, wherein,
the fingerprint information of the terminal device includes at least one of: the method comprises the steps of an intranet IP address of the terminal equipment, an identifier of a local area network used by the terminal equipment and an identification code of the terminal equipment.
6. The method of claim 3, wherein,
the performing calculation includes: performing hash calculation;
and/or,
the one-key login confirmation request also carries the IP address of the terminal equipment currently running the application client and the APP ID of the application client; correspondingly, the calculating by utilizing the shared symmetric key pre-agreed with the operator server and the fingerprint information of the terminal equipment currently running the application client comprises the following steps:
acquiring a token, an IP address of terminal equipment and an APP ID of the application client from a one-key login confirmation request;
and calculating over the acquired token, the fingerprint information of the terminal device currently running the application client, the IP address of the terminal device and the APP ID, using the shared symmetric key agreed in advance with the operator server.
7. A method for implementing a one-key login service, performed by an operator server, the method comprising:
before a token is issued to an application client, fingerprint information of terminal equipment which is transmitted by the application client and runs the application client at present is obtained;
after a token is generated, calculating by utilizing a shared symmetric key which is agreed with an application server in advance and fingerprint information of terminal equipment currently running the application client, and calculating a first operation value;
And sending the generated first operation value to the application client.
8. The method of claim 7, wherein the obtaining the fingerprint information of the terminal device currently running the application client from the application client includes:
receiving a one-key login request sent by an application client, and acquiring fingerprint information of terminal equipment which is sent by the application client and runs the application client currently from the one-key login request;
or,
and receiving an authentication request for requesting a token from an application client, and acquiring fingerprint information of terminal equipment currently running the application client from the authentication request.
9. The method of claim 7, wherein the performing the calculation comprises: performing hash calculation;
and/or,
the method further comprises the steps of: receiving an authentication request sent by an application client, and acquiring an IP address of a terminal device and an APP ID of the application client from the authentication request; correspondingly, the calculating by using the shared symmetric key pre-agreed with the application server, the generated token and the fingerprint information of the terminal equipment currently running the application client comprises the following steps:
And calculating the generated token, fingerprint information of the terminal equipment currently running the application client, the IP address of the terminal equipment and the APPID by utilizing the shared symmetric key agreed with the application server in advance.
10. An implementation device of one-key login service, the device comprising:
the first fingerprint information sending module is configured to send fingerprint information of terminal equipment currently running the application client to an operator server before acquiring a token;
the operation value acquisition module is configured to acquire a first operation value sent by the operator server;
the second fingerprint information sending module is used for sending a one-key login confirmation request to the application server after the token sent by the operator server is obtained, wherein the one-key login confirmation request carries the token, a first operation value and fingerprint information of terminal equipment currently running the application client;
and the login execution module is configured to successfully log in by one key if login authorization sent by the application server is received.
11. An implementation device of one-key login service, the device comprising:
the first operation value acquisition module is configured to receive a one-key login confirmation request carrying a token sent by an application client; the one-key login confirmation request also carries a first operation value and fingerprint information of terminal equipment currently running the application client; acquiring a first operation value from a one-key login confirmation request and fingerprint information of terminal equipment currently running the application client;
the second operation value acquisition module is configured to calculate a second operation value by using a shared symmetric key agreed with an operator server in advance and the fingerprint information of the terminal equipment currently running the application client;
and the verification module is configured to judge whether the first operation value is the same as the second operation value, if so, the one-key login verification is successful, and if not, the one-key login verification fails.
12. An implementation device of one-key login service, the device comprising:
the first fingerprint information acquisition module is configured to acquire fingerprint information of terminal equipment which is transmitted by the application client and currently runs the application client before transmitting a token to the application client;
the first operation value calculation module is configured to calculate a first operation value by utilizing a shared symmetric key agreed with an application server in advance and fingerprint information of terminal equipment currently running the application client after the token is generated;
and the first operation value sending module is used for sending the generated first operation value to the application client.
13. A computing device comprising a memory having executable code stored therein and a processor, which when executing the executable code, implements the method of any of claims 1-9.
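Claims 7 to 12 together describe one protocol: the operator server derives a first operation value from a shared symmetric key, the token and the device fingerprint (optionally also the terminal IP address and APPID), the client forwards it with the token in the one-key login confirmation request, and the application server recomputes a second operation value and compares. The following is an added worked example, not code from the patent or from Alipay; the claims only say "hash calculation" with a shared symmetric key, so the concrete construction (HMAC-SHA256 over length-prefixed fields), the function names, the constant-time comparison and all sample values are assumptions of this example. It also shows the security effect the binding is for: a token presented together with a different device fingerprint no longer verifies.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Added example, not the patent's own code. The claims specify a keyed "hash
# calculation" over token + device fingerprint (+ IP and APPID); HMAC-SHA256 over
# length-prefixed fields is this example's assumed instantiation.


def _encode_fields(*fields: str) -> bytes:
    """Canonical, unambiguous field encoding: 4-byte big-endian length prefix
    before each UTF-8 field. Plain concatenation would let ("ab", "c") and
    ("a", "bc") produce the same bytes and therefore the same operation value."""
    out = bytearray()
    for field in fields:
        data = field.encode("utf-8")
        out += len(data).to_bytes(4, "big") + data
    return bytes(out)


def compute_operation_value(shared_key: bytes, token: str, fingerprint: str,
                            ip: Optional[str] = None,
                            appid: Optional[str] = None) -> str:
    """Operator-server side (claims 7 and 9): first operation value over the
    generated token and the device fingerprint; the terminal IP and APPID are
    included when the authentication request carried them."""
    fields = [token, fingerprint]
    if ip is not None and appid is not None:
        fields += [ip, appid]
    return hmac.new(shared_key, _encode_fields(*fields), hashlib.sha256).hexdigest()


def verify_one_key_login(shared_key: bytes, token: str, fingerprint: str,
                         first_value: str, ip: Optional[str] = None,
                         appid: Optional[str] = None) -> bool:
    """Application-server side (claim 11): recompute the second operation value
    from the values carried in the one-key login confirmation request and compare
    it with the first operation value in constant time."""
    second_value = compute_operation_value(shared_key, token, fingerprint, ip, appid)
    return hmac.compare_digest(first_value, second_value)


# Constructed sample data (placeholders, not values from the patent).
SHARED_KEY = b"operator-appserver-shared-key-demo"  # provisioned out of band in practice
TOKEN = "tok_0123456789abcdef"
FINGERPRINT_A = "fp-DEVICE-A"
FINGERPRINT_B = "fp-DEVICE-B"
IP = "203.0.113.10"          # documentation address range
APPID = "demo-app"


def demo() -> Tuple[bool, bool]:
    """Returns (legitimate login verifies, same token replayed from another device verifies)."""
    # Operator server issues token + first operation value to device A.
    first_value = compute_operation_value(SHARED_KEY, TOKEN, FINGERPRINT_A, IP, APPID)
    # Device A sends token, first value and its fingerprint in the confirmation request.
    genuine = verify_one_key_login(SHARED_KEY, TOKEN, FINGERPRINT_A, first_value, IP, APPID)
    # The same token and first value presented with device B's fingerprint fail,
    # which is the point of binding the token to the device fingerprint.
    replayed = verify_one_key_login(SHARED_KEY, TOKEN, FINGERPRINT_B, first_value, IP, APPID)
    return genuine, replayed


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The application server never needs to contact the operator to validate the binding: possession of the same shared symmetric key lets it recompute the value locally, and `hmac.compare_digest` avoids leaking the comparison result through timing.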
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211088930.8A CN116318747A (en) 2022-09-07 2022-09-07 Method and device for realizing one-key login service

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211088930.8A CN116318747A (en) 2022-09-07 2022-09-07 Method and device for realizing one-key login service

Publications (1)

Publication Number Publication Date
CN116318747A true CN116318747A (en) 2023-06-23

Family

ID=86792874

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211088930.8A Pending CN116318747A (en) 2022-09-07 2022-09-07 Method and device for realizing one-key login service

Country Status (1)

Country Link
CN (1) CN116318747A (en)

Similar Documents

Publication Publication Date Title
JP4673364B2 (en) Method for verifying first ID and second ID of entity
US8819253B2 (en) Network message generation for automated authentication
CN102201915B (en) Terminal authentication method and device based on single sign-on
US9787478B2 (en) Service provider certificate management
US9548975B2 (en) Authentication method, authentication system, and service delivery server
CN103685139A (en) Authentication and authorization processing method and device
CN111783068A (en) Device authentication method, system, electronic device and storage medium
CN110247917B (en) Method and apparatus for authenticating identity
CN113922982B (en) Login method, electronic equipment and computer readable storage medium
CN114390524B (en) Method and device for realizing one-key login service
CN111404695A (en) Token request verification method and device
CN113746811A (en) Login method, device, equipment and readable storage medium
CN113993127A (en) Method and device for realizing one-key login service
CN115150072A (en) Cloud network issuing authentication method, equipment, device and storage medium
CN114158046B (en) Method and device for realizing one-key login service
CN117336092A (en) Client login method and device, electronic equipment and storage medium
CN116647345A (en) Method and device for generating permission token, storage medium and computer equipment
CN114679276B (en) Identity authentication method and device of time-based one-time password algorithm
CN115801287A (en) Signature authentication method and device
CN116318747A (en) Method and device for realizing one-key login service
CN114158047B (en) Method and device for realizing one-key login service
CN114764507A (en) Method and device for realizing resource access, electronic equipment and storage medium
CN116318746A (en) Method and device for realizing one-key login service
CN116318755A (en) Method and device for realizing one-key login service
CN114697137B (en) Application program login method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination