CN116318866A - Method and system for authenticating login of trusted user by zero-trust terminal - Google Patents


Info

Publication number
CN116318866A
Authority
CN
China
Legal status
Pending
Application number
CN202310115868.5A
Other languages
Chinese (zh)
Inventor
王盼
刘琼
姜海昆
范宇
Current Assignee
Changyang Technology Beijing Co ltd
Original Assignee
Changyang Technology Beijing Co ltd


Abstract

The invention provides a method for authenticating the login of a trusted user of a zero-trust terminal, comprising the following steps: binding the system end user with an identity authentication card; the server side unifying the system user with the zero-trust authorized user; and further verifying the zero-trust authorized user through the identity authentication card and authorizing application access on the terminal. The technical scheme mainly aims to reduce the workload of creating and managing authorized trusted users of the zero-trust client on the server, to avoid users being unable to log in because they have forgotten complex account names and passwords, and to raise the security level of trusted-user authentication. Because the system user is also the authorized trusted user of the zero-trust client on the terminal, trusted-user verification is further strengthened by the identity authentication card, and application access on the terminal is authorized through the card, which tightens management and control of application access from third-party devices.

Description

Method and system for authenticating login of trusted user by zero-trust terminal
Technical Field
The invention belongs to the technical field of authorization security, and in particular relates to a method and system for authenticating the login of an authorized trusted user of a zero-trust terminal.
Background
Zero trust follows the security principle of 'never trust, always verify' and governs data access and authentication between an access subject and an access object. A trust evaluation engine continuously evaluates trust, decides whether the access control policy needs to change and, if so, promptly notifies the access agent so that protection of the data resource is enforced quickly. Compared with the perimeter security model, a zero-trust network better meets future network security requirements and better protects important data.
There is therefore a need to reduce the workload of creating and managing authorized trusted users of the zero-trust client on the server, to avoid users being unable to log in because they have forgotten complicated account names and passwords, and to raise the security level of trusted-user authentication.
In view of this, a method and system for authenticating the login of a trusted user of a zero-trust terminal is of considerable significance.
Disclosure of Invention
To address the problems of the existing approach, in which the server creates and manages authorized trusted users of the zero-trust client with a large workload and a low security level for trusted-user authentication, the invention provides a method and system for login authentication of an authorized trusted user of a zero-trust terminal.
In a first aspect, the invention provides a method for authenticating the login of a trusted user of a zero-trust terminal, comprising the steps of:
binding the system end user with an identity authentication card;
the server side unifying the system user with the zero-trust authorized user;
further verifying the zero-trust authorized user through the identity authentication card and authorizing application access on the terminal.
Preferably, the binding association between the system end user and the identity authentication card comprises the following steps:
after the zero-trust client is installed, reporting the terminal's unique identifier uuid, its ip and the system user name to the server;
the administrator logs in to the server, authorizes the system user as the zero-trust client login user, generates a random initial password, inserts the identity-authentication USB Key, and binds the terminal's unique identifier, the trusted user and the USB Key's device serial number key sn;
switching to the login administrator sysadmin and authorizing application access on the terminal: the authorization information (Key serial number, terminal unique identifier uuid and authorization identifier auth 1) is written into the Ukey, and the server's total authorization point count is decremented by 1.
Further preferably, the server unifies the system user with the zero-trust authorized user as follows:
using the device serial number key sn as a salt and an md5 digest as the encryption key, encrypting the password with sm4 under that key to produce the encrypted password, and storing the binding information (serial number key sn, terminal uuid, zero-trust user name and encrypted password) in a database;
concatenating the terminal uuid with the server ip, hashing the result with md5 to produce an encryption key, encrypting the authorization information with sm4 under that key to produce the encrypted authorization information authinfo, writing authinfo into the private area of the Ukey, decrementing the server's total authorization point count by 1, and recording the authorized information in the database at the server.
Further preferably, further verification of the zero-trust authorized user through the identity authentication card comprises:
the terminal logs in to the zero-trust client, enters the account name and password, and on clicking login uploads them to the server;
on receiving the zero-trust client's login request, the server checks the uuid, account name and password; if they are correct it further checks whether a bound Key exists, and if a bound USB Key exists it returns a binding identification code and the bound serial number key sn.
Further preferably, the method further comprises:
on receiving the binding identification, the client prompts for the PIN code in a pop-up dialog and at the same time detects whether the Key is inserted; if it is, the PIN code is verified locally;
after the PIN code passes verification, the client uploads the account name, password, terminal uuid and USB Key serial number key sn, and the server further verifies whether the binding information matches.
Further preferably, the method further comprises: once verification is complete, entering the main interface of the zero-trust client; at this point the authorization information in the identity authentication card Ukey is checked, and if the terminal is authorized, access to the application is allowed, otherwise only other operations such as changing the password can be performed; once authorization exists, the user clicks the application in the zero-trust client and a tunnel is established with the gateway to access the application.
In a second aspect, an embodiment of the invention further provides a system for authenticating the login of a trusted user of a zero-trust terminal, the system comprising:
a binding association module for binding the system end user with the identity authentication card;
a unifying module for the server side to unify the system user with the zero-trust authorized user;
a verification module for further verifying the zero-trust authorized user through the identity authentication card;
a communication module for encrypted communication between the terminal client and the server;
and an authorization module for the server to authorize the terminal, for the terminal client to check the authorization information in the Ukey, and for allowing the terminal client to enter a specific application access interface.
Further preferably, the system further comprises:
a processing module for reporting the terminal's unique identifier uuid, its ip and the system user name to the server after the zero-trust client is installed; the administrator logs in to the server, authorizes the system user as the zero-trust client login user, generates a random initial password, inserts the identity-authentication USB Key, binds the trusted user with the USB Key's device serial number key sn, and authorizes the terminal;
an encryption module for using the device serial number key sn as a salt and an md5 digest as the encryption key, encrypting the password with sm4 under that key to produce the encrypted password, and storing the binding information (serial number key sn, terminal uuid, zero-trust user name and encrypted password) in a database; and for concatenating the terminal uuid with the server ip, hashing with md5 to produce an encryption key, encrypting the authorization information with sm4 under that key to produce the encrypted authorization information authinfo, writing it into the private area of the Ukey, decrementing the server's total authorization point count by 1, and recording the authorized information in the database at the server;
the verification module for checking the uuid, account name and password after receiving the zero-trust client's login request, further checking whether a bound Key exists if they are correct, and returning a binding identification code and the bound serial number key sn if a bound USB Key exists;
a detection module for prompting for the PIN code in a pop-up dialog after the client receives the binding identification, detecting at the same time whether the Key is inserted, and verifying the PIN code locally if it is; after the PIN code passes verification, the account name, password, terminal uuid and USB Key serial number key sn are uploaded and the server further verifies whether the binding information matches;
and the authorization module for entering the zero-trust client interface after the client has verified the binding information, checking the authorization information (Key serial number, terminal unique identifier and authorization flag), and detecting whether the terminal is authorized to access the application.
In a third aspect, an embodiment of the present invention provides an electronic device, including: one or more processors; and storage means for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the method as described in any of the implementations of the first aspect.
In a fourth aspect, embodiments of the present invention provide a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements a method as described in any of the implementations of the first aspect.
Compared with the prior art, the invention has the following beneficial effects:
(1) By introducing the identity-authentication USB Key, dual authentication combining USB Key password authentication and trusted-user password authentication is achieved and authentication of the zero-trust client's authorized trusted users is strengthened; at the same time the zero-trust server unifies system users with terminal zero-trust users, so the workload of creating and managing terminal zero-trust users is avoided;
(2) By introducing the identity-authentication USB Key and using it to authorize application access on the terminal device, management and control of application access from third-party terminal devices is strengthened;
(3) The technical scheme mainly aims to reduce the workload of creating and managing authorized trusted users of the zero-trust client on the server, to avoid users being unable to log in because they have forgotten complex account names and passwords, and to raise the security level of trusted-user authentication; binding between the system end user and the identity authentication card is achieved, after which the server unifies the system user with the zero-trust authorized user, i.e. the system user is also the zero-trust client's authorized trusted user on the terminal, and trusted-user verification is further strengthened by the identity authentication card.
Drawings
The accompanying drawings are included to provide a further understanding of the embodiments and are incorporated in and constitute a part of this specification. The drawings illustrate embodiments and together with the description serve to explain the principles of the invention. Many of the intended advantages of other embodiments and embodiments will be readily appreciated as they become better understood by reference to the following detailed description. The elements of the drawings are not necessarily to scale relative to each other. Like reference numerals designate corresponding similar parts.
FIG. 1 is an exemplary device architecture diagram to which an embodiment of the invention may be applied;
FIG. 2 is a flow chart of a method for login verification of an authorized trusted user of a zero-trust terminal according to an embodiment of the invention;
FIG. 3 is a schematic diagram of the architecture of a method for login verification of an authorized trusted user of a zero-trust terminal according to an embodiment of the invention;
FIG. 4 is a schematic diagram of the interface of a method for login verification of an authorized trusted user of a zero-trust terminal in actual use, according to an embodiment of the invention;
FIG. 5 is a schematic diagram of a system for login verification of an authorized trusted user of a zero-trust terminal according to an embodiment of the invention;
FIG. 6 is a schematic structural diagram of a computer device suitable for implementing an embodiment of the invention.
Detailed Description
In the following detailed description, reference is made to the accompanying drawings, which form a part hereof, and in which is shown by way of illustration specific embodiments in which the invention may be practiced. For this, directional terms, such as "top", "bottom", "left", "right", "upper", "lower", and the like, are used with reference to the orientation of the described figures. Because components of embodiments can be positioned in a number of different orientations, the directional terminology is used for purposes of illustration and is in no way limiting. It is to be understood that other embodiments may be utilized or logical changes may be made without departing from the scope of the present invention. The following detailed description is, therefore, not to be taken in a limiting sense, and the scope of the present invention is defined by the appended claims.
It should be understood that the number of terminal devices, networks and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
Fig. 1 illustrates an exemplary system architecture 100 for a method of processing information or an apparatus for processing information to which embodiments of the present invention may be applied.
As shown in fig. 1, a system architecture 100 may include terminal devices 101, 102, 103, a network 104, and a server 105. The network 104 is used as a medium to provide communication links between the terminal devices 101, 102, 103 and the server 105. The network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.
The user may interact with the server 105 via the network 104 using the terminal devices 101, 102, 103 to receive or send messages and the like. Various communication client applications, such as a web browser, a shopping application, a search application, an instant messaging tool, a mail client, social platform software and so on, may be installed on the terminal devices 101, 102, 103.
The terminal devices 101, 102, 103 may be various electronic devices with communication capabilities including, but not limited to, smartphones, tablet computers, laptop and desktop computers, and the like.
The server 105 may be a server that provides various services, such as a background information processing server that processes verification request information transmitted by the terminal devices 101, 102, 103. The background information processing server may analyze the received verification request information and obtain a processing result (for example, verification success information for characterizing that the verification request is a legal request).
It should be noted that, the method for processing information provided by the embodiment of the present invention is generally performed by the server 105, and accordingly, the device for processing information is generally disposed in the server 105. In addition, the method for transmitting information provided by the embodiment of the present invention is generally performed by the terminal devices 101, 102, 103, and accordingly, the means for transmitting information is generally provided in the terminal devices 101, 102, 103.
The server may be hardware or software. When the server is hardware, the server may be implemented as a distributed server cluster formed by a plurality of servers, or may be implemented as a single server. When the server is software, it may be implemented as a plurality of software or software modules (for example, to provide a distributed service), or may be implemented as a single software or a plurality of software modules, which are not specifically limited herein.
In the technical scheme, an identity authentication card is associated with the zero-trust authorized trusted user, which raises the security level of trusted-user authentication; the system user is unified with the zero-trust authorized user, which reduces the server's workload in managing trusted users, and the terminal client does not need to memorize complex trusted-user names and passwords. The technical scheme can be operated and applied on both the client and the server.
In a first aspect, FIG. 2 shows a method for login verification of an authorized trusted user of a zero-trust terminal according to an embodiment of the invention; as shown in FIG. 2, the method comprises the following steps:
S101, binding the system end user with an identity authentication card;
Specifically, the binding association comprises:
S11, after the zero-trust client is installed, reporting the terminal's unique identifier uuid, its ip and the system user name to the server;
S12, the administrator logs in to the server, authorizes the system user as the zero-trust client login user, generates a random initial password, inserts the identity-authentication USB Key, and binds the trusted user with the USB Key's device serial number key sn;
S13, switching to the login administrator sysadmin and authorizing application access on the terminal: the authorization information (Key serial number, terminal unique identifier uuid and authorization identifier auth 1) is written into the Ukey, and the server's total authorization point count is decremented by 1.
S102, the server unifies the system user with the zero-trust authorized user;
Further, this step specifically comprises: using the device serial number key sn as a salt and an md5 digest as the encryption key, encrypting the password with sm4 under that key to produce the encrypted password, and storing the binding information (serial number key sn, terminal uuid, zero-trust user name and encrypted password) in a database;
the switched-to administrator sysadmin logs in to the server and authorizes application access for the registered terminal, which specifically comprises: concatenating the terminal uuid with the server ip, hashing with md5 to produce an encryption key, encrypting the authorization information with sm4 under that key to produce the encrypted authorization information authinfo, writing authinfo into the private area of the Ukey, decrementing the server's total authorization point count by 1, and recording the authorized information in the database at the server;
Specifically, the authorization information takes the form "key:202212296587uuid:e02b2a52f730b254d07f138054fde0bb&auth:1", where key is the device serial number of the identity authentication card, uuid is the unique identifier of the terminal and auth is the authorization flag of the terminal; the private area is a region restricted by the hardware itself, which can only be read after the PIN code has been verified.
S103, further verifying the zero-trust authorized user through the identity authentication card and authorizing application access on the terminal.
Specifically, this comprises the following steps: S13, the terminal logs in to the zero-trust client, enters the account name and password, and on clicking login uploads them to the server;
S14, on receiving the zero-trust client's login request, the server checks the uuid, account name and password; if they are correct it further checks whether a bound Key exists, and if a bound USB Key exists it returns a binding identification code and the bound serial number key sn;
S15, on receiving the binding identification, the client prompts for the PIN code in a pop-up dialog and at the same time detects whether the Key is inserted; if it is, the PIN code is verified locally;
S16, after the PIN code passes verification, the client uploads the account name, password, terminal uuid and USB Key serial number key sn, and the server further verifies whether the binding information matches;
S17, once the binding information is verified, the authorization information of the Key is verified next, to detect whether the terminal device is authorized to access the application;
S18, once verification is complete, the main interface of the zero-trust client is entered; at this point the authorization information in the identity authentication card Ukey is checked, and if the terminal is authorized, access to the application is allowed, otherwise only other operations such as changing the password can be performed; once authorization exists, the user clicks the application in the zero-trust client and a tunnel is established with the gateway to access the application.
As a preferred embodiment, referring to FIG. 3 and FIG. 4, the steps performed on the client and the server in this embodiment are:
1. the zero-trust client is installed and reports the terminal's unique identifier uuid, its ip and the system user name to the server;
2. the server login administrator performs the specific authorization, i.e. decides which system user on which terminal becomes the authorized trusted user (the login user) of the zero-trust client, and generates a random initial password;
3. an administrator account is logged in on the server, the identity-authentication USB Key is inserted and the trusted user is bound to the USB Key's device serial number key sn; the Key serial number key is used as a salt and md5 (key + "cy-tech") as the encryption key, the password is encrypted with sm4 under that key as sm4 (password) to produce the encrypted password, and finally the binding information (Key serial number, terminal uuid, zero-trust user name and password) is stored in the database;
4. the terminal logs in to the zero-trust client, enters the account name and password, clicks login, and uploads the account name, password and terminal uuid to the server;
5. on receiving the client login request the server checks the uuid, account name and password; if they are correct it checks whether a bound Key exists, and if a bound USB Key exists it returns a binding identification code and the bound Key serial number;
6. on receiving the binding identification, the client prompts for the PIN code in a pop-up dialog and at the same time detects whether the Key is inserted; if it is, the PIN code is verified locally;
7. after the PIN code passes verification, the client uploads the account, password, terminal uuid and Ukey serial number, and the server verifies whether the binding information matches;
8. once the binding information is verified, whether the authorization information in the identity authentication card matches the terminal is verified;
9. the user clicks the application in the zero-trust client and, if the terminal is authorized, a tunnel is established with the gateway to access the application.
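The derivations of S102 and of steps 3 to 9 above, as an added Python example (not code from the patent or from Changyang Technology): it implements SM4 from the published standard so it runs offline, then applies the page's md5(key + "cy-tech") password key, the md5(uuid + server ip) authinfo key and the "key:...uuid:...&auth:1" layout, and models the server-side login, binding and terminal authorization checks. Assumptions are labelled in comments: SM4 in ECB mode with PKCS#7 padding, the raw 16-byte md5 digest as the 128-bit SM4 key, and the constructed server ip, user name and password used in the in-memory binding table.

```python
import hashlib
import struct

# SM4 (GB/T 32907-2016) implemented from the standard so the example runs offline;
# the page names SM4 but supplies no cipher code. ECB mode and PKCS#7 padding are assumptions.
SBOX = bytes.fromhex(
    "d690e9fecce13db716b614c228fb2c052b679a762abe04c3aa44132649860699"
    "9c4250f491ef987a33540b43edcfac62e4b31ca9c908e89580df94fa758f3fa6"
    "4707a7fcf37317ba83593c19e6854fa8686b81b27164da8bf8eb0f4b70569d35"
    "1e240e5e6358d1a225227c3b01217887d40046579fd327524c3602e7a0c4c89e"
    "eabf8ad240c738b5a3f7f2cef96115a1e0ae5da49b341a55ad933230f58cb1e3"
    "1df6e22e8266ca60c02923ab0d534e6fd5db3745defd8e2f03ff6a726d6c5b51"
    "8d1baf92bbddbc7f11d95c411f105ad80ac13188a5cd7bbd2d74d012b8e5b4b0"
    "8969974a0c96777e65b9f109c56ec68418f07dec3adc4d2079ee5f3ed7cb3948")
FK = (0xA3B1BAC6, 0x56AA3350, 0x677D9197, 0xB27022DC)
CK = tuple(int.from_bytes(bytes((4 * i + j) * 7 & 0xFF for j in range(4)), "big") for i in range(32))

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def _tau(a):  # byte-wise S-box substitution of one 32-bit word
    return int.from_bytes(bytes(SBOX[b] for b in a.to_bytes(4, "big")), "big")

def _t(a):  # round transform T = L(tau(a))
    b = _tau(a)
    return b ^ _rotl(b, 2) ^ _rotl(b, 10) ^ _rotl(b, 18) ^ _rotl(b, 24)

def _t_key(a):  # key-schedule transform T' = L'(tau(a))
    b = _tau(a)
    return b ^ _rotl(b, 13) ^ _rotl(b, 23)

def _round_keys(key):
    k = [w ^ f for w, f in zip(struct.unpack(">4I", key), FK)]
    for i in range(32):
        k.append(k[i] ^ _t_key(k[i + 1] ^ k[i + 2] ^ k[i + 3] ^ CK[i]))
    return k[4:]

def _crypt_block(block, rks):  # encrypt with rks in order, decrypt with rks reversed
    x = list(struct.unpack(">4I", block))
    for rk in rks:
        x.append(x[-4] ^ _t(x[-3] ^ x[-2] ^ x[-1] ^ rk))
    return struct.pack(">4I", x[35], x[34], x[33], x[32])

def sm4_encrypt(key, data):
    rks, pad = _round_keys(key), 16 - len(data) % 16
    data += bytes([pad]) * pad
    return b"".join(_crypt_block(data[i:i + 16], rks) for i in range(0, len(data), 16))

def sm4_decrypt(key, data):
    if not data or len(data) % 16:
        raise ValueError("ciphertext is not a whole number of SM4 blocks")
    rks = _round_keys(key)[::-1]
    plain = b"".join(_crypt_block(data[i:i + 16], rks) for i in range(0, len(data), 16))
    pad = plain[-1]
    if not 1 <= pad <= 16 or plain[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad padding")
    return plain[:-pad]
# --- the page's own derivations: step 3 password record, S102 Ukey authinfo, S14-S18 checks ---
SALT_SUFFIX = "cy-tech"  # constant from step 3: md5(key + "cy-tech")
def password_key(key_sn):  # raw 16-byte md5 digest as the 128-bit SM4 key (raw vs hex is assumed)
    return hashlib.md5((key_sn + SALT_SUFFIX).encode()).digest()
def authinfo_key(uuid, server_ip):  # S102: md5(uuid || server ip)
    return hashlib.md5((uuid + server_ip).encode()).digest()
def build_authinfo(key_sn, uuid, auth=1):  # plaintext layout quoted on the page
    return f"key:{key_sn}uuid:{uuid}&auth:{auth}"
def parse_authinfo(text):  # inverse of build_authinfo; None if the layout does not match
    if not text.startswith("key:") or "&auth:" not in text:
        return None
    body, auth = text.rsplit("&auth:", 1)
    if "uuid:" not in body or not auth.isdigit():
        return None
    key_sn, uuid = body[4:].split("uuid:", 1)
    return {"key": key_sn, "uuid": uuid, "auth": int(auth)}

class BindingServer:
    """Server-side binding table and the checks of S102, S14 and S16 (constructed, in-memory)."""
    def __init__(self, server_ip):
        self.server_ip, self.rows, self.auth_points = server_ip, {}, 10
    def bind(self, uuid, user, password, key_sn):  # S12/S102: store the SM4-encrypted password
        enc = sm4_encrypt(password_key(key_sn), password.encode())
        self.rows[(uuid, user)] = {"key_sn": key_sn, "enc_pw": enc}
    def authorize_terminal(self, uuid, key_sn):  # S13/S102: blob written to the Ukey private area
        self.auth_points -= 1
        return sm4_encrypt(authinfo_key(uuid, self.server_ip), build_authinfo(key_sn, uuid).encode())
    def login(self, uuid, user, password):  # S14: check uuid/account/password, report the bound Key
        row = self.rows.get((uuid, user))
        if row is None or sm4_decrypt(password_key(row["key_sn"]), row["enc_pw"]) != password.encode():
            return None
        return {"bound": True, "key_sn": row["key_sn"]}
    def verify_binding(self, uuid, user, password, key_sn):  # S16: Key sn uploaded after the local PIN check
        r = self.login(uuid, user, password)
        return r is not None and r["key_sn"] == key_sn

def terminal_authorized(ukey_blob, key_sn, uuid, server_ip):  # S17/S18: client-side check of the Ukey
    try:
        info = parse_authinfo(sm4_decrypt(authinfo_key(uuid, server_ip), ukey_blob).decode())
    except (ValueError, UnicodeDecodeError):
        return False
    return info is not None and info["key"] == key_sn and info["uuid"] == uuid and info["auth"] == 1
```

Because the stored password is reversibly encrypted under a key derived from the stored key sn and a fixed string, anyone holding the database can recover it; where the server only needs to verify the password, a slow one-way password hash is the usual choice.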
In a second aspect, the embodiment of the invention further discloses a system for login verification of an authorized trusted user of a zero-trust terminal; as shown in FIG. 5, the system comprises a binding association module 51, a unifying module 52, a communication module 53, an authorization module 54, a processing module 55, an encryption module 56, a verification module 57, a detection module 58 and an authorization module 59.
In a specific embodiment, the binding association module 51 is configured to bind the system end user with the identity authentication card; the unifying module 52 is configured for the server side to unify the system user with the zero-trust authorized user; the communication module 53 is used for encrypted communication between the terminal client and the server; the authorization module 54 is configured for the server to authorize the terminal and for the terminal client to check the authorization information in the Ukey so that the terminal may enter a specific application access interface; the processing module 55 is configured to report the terminal's unique identifier uuid, its ip and the system user name to the server after the zero-trust client is installed, after which the administrator logs in to the server, authorizes the system user as the zero-trust client login user, generates a random initial password, inserts the identity-authentication USB Key, binds the trusted user with the USB Key's device serial number key sn, and authorizes the terminal; the encryption module 56 is configured to use the device serial number key sn as a salt and an md5 digest as the encryption key, encrypt the password with sm4 under that key to produce the encrypted password, and store the binding information (serial number key sn, terminal uuid, zero-trust user name and encrypted password) in a database, and further to concatenate the terminal uuid with the server ip, hash with md5 to produce an encryption key, encrypt the authorization information with sm4 under that key to produce the encrypted authorization information authinfo, write it into the private area of the Ukey, decrement the server's total authorization point count by 1, and record the authorized information in the database at the server; the verification module 57 is configured to further verify the zero-trust authorized user through the identity authentication card: after receiving the zero-trust client's login request it checks the uuid, account name and password, further checks whether a bound Key exists if they are correct, and returns a binding identification code and the bound serial number key sn if a bound USB Key exists; the detection module 58 is configured to prompt for the PIN code in a pop-up dialog after the client receives the binding identification, detect whether the Key is inserted, and verify the PIN code locally if it is, after which the account name, password, terminal uuid and USB Key serial number key sn are uploaded and the server further verifies whether the binding information matches; and the authorization module 59 enters the zero-trust client interface after the client has verified the binding information, checks the authorization information (Key serial number, terminal unique identifier and authorization flag), and detects whether the terminal is authorized to access the application.
In a specific embodiment, the communication module 53 is configured to perform secure encrypted communication between the client and the server, the two sides authenticating each other by mutual certificate authentication. Specifically, the client and the server establish an encrypted connection once mutual certificate authentication is complete, and the data structure of the messages exchanged between them is as follows:
message header:
| identification characters | communication version | high byte | low byte | device id | message id | segment index | hash type | hash value | timestamp | reserved words |
identification characters: the beginning of the message, the fixed string "smsgb";
communication version: communication version information;
high byte, low byte: the length of the whole message, including the message header and the message body;
device id: the unique identifier of the terminal;
message id: the message command of the request;
segment index: the segment index of the message;
hash type: the hash type of the message body;
hash value: the hash of the message body, used to check the integrity of the message;
timestamp: the current time value, used in subsequent encryption and decryption;
reserved words: currently unused;
message body:
| command value | data length len | data content data (encrypted data) |
message tail:
the specific string "smsge"
Encryption of the data content data in the message body:
1) Concatenate the fixed static password and the timestamp string into the key material string algorithm;
2) Compute the sm3 hash of algorithm to obtain the 32-byte key hmac_key, then compute md5 of hmac_key to obtain the 16-byte encryption key hmac_key16 (the SM4 key length);
3) Encrypt the content of the message body with sm4, using hmac_key16 as the key.
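As an added worked example (not code from the patent or from Changyang Technology), the following Python builds and parses a frame with the header, body and tail fields listed above and carries out steps 1) and 2) of the key derivation with a pure-Python SM3; it stops at the derived 16-byte hmac_key16 and does not implement the SM4 encryption of step 3), so the payload it frames is a constructed stand-in for SM4 output. The field widths, the choice of SM3 as the body hash, the sample static password and the device uuid are assumptions, since the page names the fields but not their sizes, and the example reads the "32-bit" and "16-bit" keys as raw 32-byte and 16-byte digests. The last function makes the practitioner's caveat explicit: because the static password is fixed and the timestamp is sent in the cleartext header, anyone holding the static password recovers hmac_key16 from a captured frame, so confidentiality of the data rests on the certificate-authenticated outer channel rather than on this layer; likewise the header hash is unkeyed, so it detects corruption but not deliberate modification by a party who can rewrite the frame.

```python
import hashlib
import struct
import uuid

MASK32 = 0xFFFFFFFF
MAGIC_HEAD, MAGIC_TAIL = b"smsgb", b"smsge"  # identification characters and message tail
HASH_SM3 = 1                                 # assumed value of the "hash type" field
# Assumed header layout; the page names the fields but not their widths:
# identification characters, communication version, length (high byte, low byte),
# device id, message id, segment index, hash type, hash value, timestamp, reserved word.
HDR_FMT = ">5sBH16sHHB32sI4s"
HDR_LEN = struct.calcsize(HDR_FMT)           # 69 bytes
BODY_HDR_FMT = ">HI"                         # command value, data length len (6 bytes)


def _rotl(x: int, n: int) -> int:
    n %= 32
    return ((x << n) | (x >> (32 - n))) & MASK32


def sm3(data: bytes) -> bytes:
    """SM3 as specified in GB/T 32905-2016, written out so the example runs offline."""
    v = [0x7380166F, 0x4914B2B9, 0x172442D7, 0xDA8A0600,
         0xA96F30BC, 0x163138AA, 0xE38DEE4D, 0xB0FB0E4E]
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack(">Q", len(data) * 8)
    for off in range(0, len(msg), 64):
        w = list(struct.unpack(">16I", msg[off:off + 64]))
        for j in range(16, 68):  # message expansion
            x = w[j - 16] ^ w[j - 9] ^ _rotl(w[j - 3], 15)
            w.append(x ^ _rotl(x, 15) ^ _rotl(x, 23) ^ _rotl(w[j - 13], 7) ^ w[j - 6])
        w1 = [w[j] ^ w[j + 4] for j in range(64)]
        a, b, c, d, e, f, g, h = v
        for j in range(64):  # compression function
            t = 0x79CC4519 if j < 16 else 0x7A879D8A
            ss1 = _rotl((_rotl(a, 12) + e + _rotl(t, j)) & MASK32, 7)
            ss2 = ss1 ^ _rotl(a, 12)
            if j < 16:
                ff, gg = a ^ b ^ c, e ^ f ^ g
            else:
                ff, gg = (a & b) | (a & c) | (b & c), (e & f) | (~e & MASK32 & g)
            tt1 = (ff + d + ss2 + w1[j]) & MASK32
            tt2 = (gg + h + ss1 + w[j]) & MASK32
            d, c, b, a = c, _rotl(b, 9), a, tt1
            h, g, f, e = g, _rotl(f, 19), e, tt2 ^ _rotl(tt2, 9) ^ _rotl(tt2, 17)
        v = [x ^ y for x, y in zip(v, (a, b, c, d, e, f, g, h))]
    return struct.pack(">8I", *v)


def derive_sm4_key(static_password: str, timestamp: int) -> bytes:
    """Steps 1) and 2) from the page: algorithm = static password || timestamp string,
    hmac_key = SM3(algorithm) (32 bytes), hmac_key16 = MD5(hmac_key) (16 bytes, the SM4 key size).
    Feeding MD5 the raw SM3 digest rather than its hex form is an assumption."""
    hmac_key = sm3((static_password + str(timestamp)).encode())
    return hashlib.md5(hmac_key).digest()


def build_frame(device_id: bytes, msg_id: int, command: int, data: bytes,
                timestamp: int, version: int = 1, segment: int = 0) -> bytes:
    """Frame an already SM4-encrypted payload as header + body + tail."""
    body = struct.pack(BODY_HDR_FMT, command, len(data)) + data
    total = HDR_LEN + len(body) + len(MAGIC_TAIL)  # "length of the whole message"
    if total > 0xFFFF:
        raise ValueError("message too long for the two-byte length field")
    header = struct.pack(HDR_FMT, MAGIC_HEAD, version, total, device_id, msg_id,
                         segment, HASH_SM3, sm3(body), timestamp, b"\x00" * 4)
    return header + body + MAGIC_TAIL


def parse_frame(frame: bytes) -> dict:
    """Check framing, length and the body hash before any field is trusted."""
    if len(frame) < HDR_LEN + struct.calcsize(BODY_HDR_FMT) + len(MAGIC_TAIL):
        raise ValueError("frame too short")
    (magic, version, total, device_id, msg_id, segment, hash_type,
     hash_value, timestamp, _reserved) = struct.unpack(HDR_FMT, frame[:HDR_LEN])
    if magic != MAGIC_HEAD or frame[-len(MAGIC_TAIL):] != MAGIC_TAIL:
        raise ValueError("bad identification characters or message tail")
    if total != len(frame):
        raise ValueError("length field does not match the frame")
    body = frame[HDR_LEN:-len(MAGIC_TAIL)]
    if hash_type != HASH_SM3 or sm3(body) != hash_value:
        raise ValueError("message body hash mismatch")
    command, data_len = struct.unpack(BODY_HDR_FMT, body[:6])
    data = body[6:]
    if data_len != len(data):
        raise ValueError("data length field does not match the body")
    return {"version": version, "device_id": device_id, "msg_id": msg_id, "segment": segment,
            "timestamp": timestamp, "command": command, "data": data}


def key_from_captured_frame(static_password: str, frame: bytes) -> bytes:
    """The timestamp travels in the cleartext header, so the static password alone
    reproduces hmac_key16 for any captured frame; the outer channel must carry the secrecy."""
    return derive_sm4_key(static_password, parse_frame(frame)["timestamp"])


# Constructed sample values for a stand-alone run; none of them come from the patent.
STATIC_PASSWORD = "example-static-password"
DEVICE_ID = uuid.UUID("12345678-1234-5678-1234-567812345678").bytes
SAMPLE_TS = 1675814400
SAMPLE_DATA = bytes.fromhex("00112233445566778899aabbccddeeff")  # stands in for SM4 output
```

Usage: `frame = build_frame(DEVICE_ID, 0x0101, 0x0001, SAMPLE_DATA, SAMPLE_TS)` produces a 96-byte frame that `parse_frame(frame)` accepts, while flipping any byte of the body makes it raise on the hash check; `key_from_captured_frame(STATIC_PASSWORD, frame)` returns the same 16 bytes as `derive_sm4_key(STATIC_PASSWORD, SAMPLE_TS)`, which is exactly the point of the caveat.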
The technical scheme of the invention mainly aims to reduce the workload of creating and managing authorized trusted users of the zero-trust client on the server, to avoid users being unable to log in because they have forgotten complex account names and passwords, and to raise the security level of authorized-trusted-user authentication. A binding association between the system end user and the identity authentication card is established; after binding, the server side unifies the system user and the zero-trust authorized user, that is, the system user is also the authorized trusted user of the zero-trust client on the terminal, and the identity authentication card further strengthens the verification of the trusted user.
By introducing the identity-authentication USB Key, double authentication is achieved, namely USB Key PIN verification together with trusted-user password verification, which strengthens the authentication of the authorized trusted user at the zero-trust client; authorizing the terminal with the identity-authentication USB Key strengthens the management and control of application access from third-party devices; and because the zero-trust server unifies the system user and the terminal's zero-trust user, the workload of creating and managing terminal zero-trust users is avoided.
Referring now to fig. 6, there is illustrated a schematic diagram of a computer apparatus 600 suitable for use in an electronic device (e.g., a server or terminal device as illustrated in fig. 1) for implementing an embodiment of the present invention. The electronic device shown in fig. 6 is only an example and should not be construed as limiting the functionality and scope of use of the embodiments of the invention.
As shown in fig. 6, the computer apparatus 600 includes a Central Processing Unit (CPU) 601 and a Graphics Processing Unit (GPU) 602, which can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 603 or a program loaded from the storage section 609 into a Random Access Memory (RAM) 604. The RAM 604 also stores various programs and data required for the operation of the apparatus 600. The CPU 601, GPU 602, ROM 603 and RAM 604 are connected to each other through a bus 605. An input/output (I/O) interface 606 is also connected to the bus 605.
The following components are connected to the I/O interface 606: an input section 607 including a keyboard, a mouse and the like; an output section 608 including a display such as a Liquid Crystal Display (LCD), a speaker and the like; the storage section 609 including a hard disk and the like; and a communication section 610 including a network interface card such as a LAN card, a modem or the like. The communication section 610 performs communication processing via a network such as the Internet. A drive 611 may also be connected to the I/O interface 606 as needed. A removable medium 612 such as a magnetic disk, an optical disk, a magneto-optical disk or a semiconductor memory is mounted on the drive 611 as necessary, so that a computer program read from it can be installed into the storage section 609 as needed.
In particular, according to embodiments of the present disclosure, the processes described above with reference to flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method shown in the flow chart. In such embodiments, the computer program may be downloaded and installed from a network via the communication portion 610, and/or installed from the removable medium 612. The above-described functions defined in the method of the present invention are performed when the computer program is executed by a Central Processing Unit (CPU) 601 and a Graphics Processor (GPU) 602.
It should be noted that the computer readable medium according to the present invention may be a computer readable signal medium or a computer readable storage medium, or any combination of the two. The computer readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a Read Only Memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus or device. In the present invention, a computer readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, with computer readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electromagnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate or transport a program for use by or in connection with an instruction execution system, apparatus or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations of the present invention may be written in any combination of one or more programming languages, including an object-oriented programming language such as Java, Smalltalk or C++ and conventional procedural programming languages such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computer (for example, through the Internet using an Internet service provider).
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based devices which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The modules involved in the embodiments of the present invention may be implemented in software or in hardware. The described modules may also be provided in a processor.
As another aspect, the present invention also provides a computer-readable medium that may be contained in the electronic device described in the above embodiment; or may exist alone without being incorporated into the electronic device. The computer readable medium carries one or more programs which, when executed by the electronic device, cause the electronic device to: in response to binding the system end user with the authentication card; the server side unifies the system user and the zero trust authorized user; and further verifying the zero trust authorized user through the identity authentication card, and performing application access authorization on the terminal.
The above description is only illustrative of the preferred embodiments of the present invention and of the principles of the technology employed. It will be appreciated by persons skilled in the art that the scope of the invention is not limited to the specific combinations of the technical features described above, but also covers other technical solutions formed by any combination of the above technical features or their equivalents without departing from the inventive concept described above, for example technical solutions in which the above features are replaced with technical features having similar functions disclosed in the present invention (but not limited thereto).

Claims (10)

1. A method for authorizing login verification of a trusted user by a zero-trust terminal is characterized by comprising the following steps:
in response to binding the system end user with the authentication card;
the server side unifies the system user and the zero trust authorized user;
and further verifying the zero trust authorized user through the identity authentication card, and performing application access authorization on the terminal.
2. The method for zero-trust terminal authorized trusted user login verification according to claim 1, wherein, in response to binding the system end user with the identity authentication card, the method specifically comprises:
after the zero-trust client is installed, reporting the terminal's unique identifier uuid, its ip and the system user name to the server;
the administrator logs in to the server side, authorizes the user as a zero-trust client login user, generates a random initial password, inserts the identity-authentication USB Key, and binds the terminal unique identifier, the trusted user and the device serial number key sn of the USB Key;
switching to the login administrator sysadmin and performing application access authorization on the terminal: the authorization information, namely the key serial number, the terminal unique identifier uuid and the authorization identifier auth 1, is written into the Ukey, and the server's total number of authorization points is decremented by 1.
3. The method for zero-trust terminal authorized trusted user login verification according to claim 2, wherein the server unifying the system user with the zero-trust authorized user specifically comprises:
taking the device serial number key sn as salt and computing md5 to obtain an encryption key, then sm4-encrypting the password with that key to generate the encrypted password, and finally storing the binding information, namely the serial number key sn, the terminal uuid, the zero-trust user name and the encrypted password, in a database;
concatenating the terminal uuid with the server ip, computing md5 to generate an encryption key, sm4-encrypting the authorization information with that key to generate the encrypted authorization information authinfo, writing authinfo into the private area of the Ukey, decrementing the server's total number of authorization points by 1, and recording the authorized information in the database at the server side.
4. The method for zero-trust terminal authorized trusted user login verification according to claim 3, wherein further verifying the zero-trust authorized user through the identity authentication card comprises:
the terminal logs in to the zero-trust client, enters the account name and the password, and after clicking login the account name and password are uploaded to the server;
after receiving the login request of the zero-trust client, the server verifies the uuid, the account name and the password; if they are correct it further checks whether a bound Key exists, and if a bound USB Key exists it returns a binding identification code and the bound serial number key sn.
5. The method for zero-trust terminal authorized trusted user login verification according to claim 4, further comprising:
after receiving the binding identification, the client prompts for the PIN code in a pop-up dialog and at the same time detects whether the Key is inserted; if the Key is detected, the PIN code is verified locally;
after the PIN code passes verification, uploading the account name, the password, the terminal uuid and the USB Key serial number key sn, and the server further verifies whether they match the binding information.
6. The method for zero-trust terminal authorized trusted user login verification according to claim 5, further comprising:
if the verification succeeds, entering the main interface of the zero-trust client; at this point the authorization information in the identity authentication card Ukey is checked, and if an authorization for this terminal exists, access to the application is allowed, otherwise only other operations such as changing the password can be performed; when the authorization exists, the user clicks the application in the zero-trust client and a tunnel is established with the gateway to access the application.
7. A system for zero-trust terminal authorized trusted user login verification, characterized in that the system comprises:
a binding association module for performing, in response to the user, the binding association between the system end user and the identity authentication card;
a unifying module for the server side to unify the system user and the zero-trust authorized user;
a verification module for further verifying the zero-trust authorized user through the identity authentication card;
a communication module for encrypted communication between the terminal client and the server;
and an authorization module for the server to authorize the terminal, for the terminal client to check the authorization information in the Ukey, and for allowing the terminal client to enter the specific application access interface.
8. The system for zero-trust terminal authorized trusted user login verification according to claim 7, further comprising:
a processing module for reporting the terminal's unique identifier uuid, its ip and the system user name to the server after the zero-trust client is installed; the administrator logs in to the server side, authorizes the user as a zero-trust client login user, generates a random initial password, inserts the identity-authentication USB Key, binds the trusted user with the device serial number key sn of the USB Key, and authorizes the terminal;
an encryption module for taking the device serial number key sn as salt and computing md5 to obtain an encryption key, sm4-encrypting the password with that key to generate the encrypted password, and storing the binding information, namely the serial number key sn, the terminal uuid, the zero-trust user name and the encrypted password, in a database; and for concatenating the terminal uuid with the server ip, computing md5 to generate an encryption key, sm4-encrypting the authorization information with it to generate the encrypted authorization information authinfo, writing authinfo into the private area of the Ukey, decrementing the server's total number of authorization points by 1, and recording the authorized information in the database at the server side;
a verification module for verifying the uuid, the account name and the password after receiving the login request of the zero-trust client, further checking whether a bound Key exists if they are correct, and returning a binding identification code and the bound serial number key sn if a bound USB Key exists;
a detection module for prompting for the PIN code in a pop-up dialog after the client receives the binding identification, detecting at the same time whether the Key is inserted, and verifying the PIN code locally if the Key is detected; and, after the PIN code passes verification, uploading the account name, the password, the terminal uuid and the USB Key serial number key sn so that the server further verifies whether they match the binding information;
and an authorization module for entering the zero-trust client interface after the client has passed the binding verification, checking the authorization information, namely the Key serial number, the terminal unique identifier and the authorization mark, and detecting whether the terminal is authorized to access the application.
9. An electronic device, comprising:
one or more processors;
a storage means for storing one or more programs;
the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method according to any one of claims 1 to 6.
10. A computer readable storage medium on which a computer program is stored, characterized in that the program, when executed by a processor, implements the method according to any one of claims 1 to 6.
CN202310115868.5A 2023-02-08 2023-02-08 Method and system for authenticating login of trusted user by zero-trust terminal Pending CN116318866A (en)

Publications (1)

Publication Number Publication Date
CN116318866A 2023-06-23

Family

ID=86796950


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination