CN116664124A - Online authorization method, device, electronic equipment and storage medium - Google Patents


Info

Publication number
CN116664124A
Authority
CN
China
Prior art keywords
dynamic password
online
password
online transaction
account
Legal status
Pending
Application number
CN202310205026.9A
Other languages
Chinese (zh)
Inventor
林松
张兆吉
Current Assignee
Agricultural Bank of China
Original Assignee
Agricultural Bank of China

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/382 Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3829 Payment protocols; Details thereof insuring higher security of transaction involving key management
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45 Structures or tools for the administration of authentication
    • G06F21/46 Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/40 Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401 Transaction verification
    • G06Q20/4014 Identity check for transactions

Abstract

The embodiment of the application discloses an online authorization method, an online authorization device, electronic equipment and a storage medium. Verifying the online login request of the online transaction client, and determining that the online transaction client is successfully logged in under the condition that the verification is passed; responding to an authorization request sent by an online transaction client, generating a dynamic password, sending the dynamic password to the online transaction client, and generating a combined dynamic password for the account to be verified by the online transaction client according to the static identification of the account to be verified and the dynamic password; receiving the combined dynamic password from the online transaction client and verifying the combined dynamic password; and under the condition that the combined dynamic password passes verification, authorizing the authorization request of the account to be verified. The embodiment of the application improves the security of online authorization.

Description

Online authorization method, device, electronic equipment and storage medium
Technical Field
Embodiments of the present application relate to communications technologies, and in particular, to an online authorization method, an online authorization device, an electronic device, and a storage medium.
Background
With the wide application and rapid spread of electronic information technology, online transactions are increasingly adopted for their speed and convenience; however, the very openness and convenience that the online transaction mode offers to clients also give it systematic security problems.
In the prior art, the security of online transactions is generally ensured by setting a static password or a dynamic password. However, static passwords and dynamic passwords are easily broken, so the authorization of online transactions is not sufficiently secure.
Disclosure of Invention
The application provides an online authorization method, an online authorization device, electronic equipment and a storage medium, so as to improve the security of online authorization.
In a first aspect, an embodiment of the present application provides an online authorization method, where the online authorization method includes:
verifying the online login request of the online transaction client, and determining that the online transaction client is successfully logged in under the condition that the verification is passed;
responding to an authorization request sent by an online transaction client, generating a dynamic password, sending the dynamic password to the online transaction client, and generating a combined dynamic password for the account to be verified by the online transaction client according to the static identification of the account to be verified and the dynamic password;
receiving the combined dynamic password from the online transaction client and verifying the combined dynamic password;
and under the condition that the combined dynamic password passes verification, authorizing the authorization request of the account to be verified.
In a second aspect, an embodiment of the present application further provides an online authorization device, where the online authorization device includes:
The login request verification module is used for verifying the online login request of the online transaction client and determining that the online transaction client is successfully logged in under the condition that the online login request passes the verification;
the authorization request response module is used for responding to the authorization request sent by the online transaction client, generating a dynamic password, sending the dynamic password to the online transaction client, and generating a combined dynamic password for the account to be verified by the online transaction client according to the static identification and the dynamic password of the account to be verified;
the combined dynamic password verification module is used for receiving the combined dynamic password from the online transaction client and verifying the combined dynamic password;
and the authorization request response module is used for authorizing the authorization request of the account to be verified under the condition that the combined dynamic password verification passes.
In a third aspect, an embodiment of the present application further provides an electronic device, including:
one or more processors;
a storage means for storing one or more programs;
when the one or more programs are executed by the one or more processors, the one or more processors are caused to implement any of the online authorization methods provided by the embodiments of the present application.
In a fourth aspect, embodiments of the present application also provide a storage medium comprising computer-executable instructions that, when executed by a computer processor, are configured to perform any of the online authorization methods provided by the embodiments of the present application.
The method and the system verify the online login request of the online transaction client, and determine that the online transaction client is successfully logged in under the condition that the online login request passes the verification; responding to an authorization request sent by an online transaction client, generating a dynamic password, sending the dynamic password to the online transaction client, and generating a combined dynamic password for the account to be verified by the online transaction client according to the static identification of the account to be verified and the dynamic password; receiving the combined dynamic password from the online transaction client and verifying the combined dynamic password; and under the condition that the combined dynamic password passes verification, authorizing the authorization request of the account to be verified. The security of online transaction authorization is improved by verifying the login request and the authorization request, and the online transaction client generates a combined dynamic password for the account to be verified according to the static identification of the account to be verified and the dynamic password by sending the dynamic password to the online transaction client, and the static identification is added in the dynamic password, so that the dynamic password cannot be authorized even if intercepted, and the security of the combined dynamic password is improved. Therefore, by the technical scheme of the application, the problem that the static password or the combined dynamic password is easy to crack, so that the security of the online transaction authorization is low is solved, and the effect of improving the security of the online transaction authorization is achieved.
Drawings
FIG. 1 is a flow chart of an online authorization method according to a first embodiment of the application;
FIG. 2 is a flow chart of an online authorization method according to a second embodiment of the application;
FIG. 3 is a flow chart of an online authorization method according to a third embodiment of the application;
FIG. 4 is a schematic diagram of an online authorization device according to a fourth embodiment of the application;
FIG. 5 is a schematic structural diagram of an electronic device according to a fifth embodiment of the present application.
Detailed Description
In order that those skilled in the art will better understand the present application, a technical solution in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present application without making any inventive effort, shall fall within the scope of the present application.
It should be noted that the terms "first" and "second" and the like in the description and the claims of the present application and the above drawings are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the application described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Example 1
Fig. 1 is a flowchart of an online authorization method according to an embodiment of the present application, where the embodiment is applicable to authorization of operation rights in an online transaction system, and the method may be performed by an online authorization device, which may be implemented by software and/or hardware and specifically configured in an online transaction server.
Referring to fig. 1, the online authorization method specifically includes the following steps:
S110, verifying the online login request of the online transaction client, and determining that the online transaction client is successfully logged in under the condition that the online login request passes the verification.
The online login request may be a login request sent by the online transaction client to the online transaction server in order to log into the online transaction system. In particular, the online login request of the online transaction client may include an account to be verified and a static password. After receiving the online login request, the online transaction server verifies the account to be verified and the static password in the request: if the static password in the request is the same as the static password previously stored on the online transaction server for the account to be verified, the verification is confirmed as passed and the online transaction client is confirmed as successfully logged in; otherwise the verification fails and login failure information is returned to the online transaction client. For example, the number of login failures of the same online transaction client may be limited, for example to 3; once the number of failures exceeds this limit, the online transaction client is no longer allowed to log into the online transaction system addressed by the online login request, which improves the security of the online transaction system.
S120, responding to the authorization request sent by the online transaction client, generating a dynamic password, sending the dynamic password to the online transaction client, and generating a combined dynamic password for the account to be verified by the online transaction client according to the static identification and the dynamic password of the account to be verified.
The authorization request may be a request by the online transaction client for an online transaction operation, applying to operate a transaction service in the online transaction system. Specifically, the online transaction client sends an authorization request to the online transaction server before performing a given business operation, and the online transaction server, after receiving the authorization request, responds to it, specifically by generating a dynamic password according to the authorization request. The dynamic password may be generated by the online transaction server based on a time-synchronized hardware token. Illustratively, the dynamic password may be an 8-bit dynamic number. Specifically, the dynamic password is replaced at regular intervals and is valid for a single use. For example, the hardware token may change the dynamic password every 60 seconds.
With a time-synchronized hardware token, the online transaction server detects the clock offset of the token at each authentication and continuously adjusts its time record for the token accordingly, so that the token and the online transaction server stay synchronized and the token remains usable. However, because password cards are used in differing working environments, uncertain offset or damage to the clock pulses easily occurs under conditions such as magnetic fields, high temperature, high pressure, vibration or immersion, so devices that have lost time synchronization need better protection: a password card that has lost time synchronization can be resynchronized remotely by widening the accepted offset (10 minutes before and after), which ensures the password card can continue to be used. Dynamic passwords avoid some of the disadvantages of traditional static passwords. The most important advantage of dynamic passwords over static passwords is that they are not vulnerable to replay attacks. Specifically, a potential intruder cannot misuse the dynamic password to log into the online transaction server or conduct online transactions, because the dynamic password is no longer valid after use; furthermore, a user who uses the same password for multiple systems does not expose all of those systems if one of the dynamic passwords is obtained by a potential intruder. Dynamic passwords are intended to ensure that a session cannot be intercepted and reused, and that knowledge gained in a previous session cannot be used to simulate the unpredictable data, thereby further reducing the attack surface.
After the online transaction server generates the dynamic password, it sends the dynamic password to the online transaction client. The static identifier may be identification information corresponding to the account to be verified, used for generating the combined dynamic password. By way of example, the static identifier may be a password or image information, etc. The account to be verified may be the account under which the online transaction client is logged in online. After receiving the dynamic password, the online transaction client generates the combined dynamic password for the account to be verified from the static identifier of the account to be verified, the dynamic password and a generation rule of the combined dynamic password. Illustratively, the generation rule may be a rule for combining the static identifier with the dynamic password. The generation rule may also encrypt the static identifier and the dynamic password with a preset function to obtain the combined dynamic password.
Optionally, before the dynamic password is generated in response to the authorization request sent by the online transaction client, a power-on password acquisition request for the hardware password token is sent to the online transaction client, and only after the power-on password passes verification is the dynamic password sent to the account to be verified.
The power-on password of the hardware password card is used to decide whether a dynamic password is generated at all, and the security of the power-on password of the hardware password card must be ensured. The power-on password of the hardware password card may be a password preset in the online transaction system and sent to an online transaction client in the online transaction system.
S130, receiving the combined dynamic password from the online transaction client and verifying the combined dynamic password.
The online transaction client generates the combined dynamic password and sends it to the online transaction server. After receiving the combined dynamic password, the online transaction server verifies it against the dynamic password it sent. For example, the static identifier and the dynamic password contained in the combined dynamic password may be extracted according to the generation rule of the combined dynamic password and verified against the stored dynamic password and the stored static identifier of the account to be verified. Where the preset function was used, verification of the combined dynamic password may be performed by applying the inverse of the preset function to obtain the dynamic password and the static identifier contained in the combined dynamic password, and verifying the obtained static identifier and dynamic password against the stored static identifier and stored dynamic password of the account to be verified, respectively.
And S140, under the condition that the combined dynamic password verification is passed, authorizing the authorization request of the account to be verified.
The combined dynamic password passing verification means the combined dynamic password is correct, and this is used to determine that the authorization request of the account to be verified is authorized. Once the authorization request of the account to be verified has been authorized, the account to be verified holds the operation authority for the authorized service.
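As an added worked example (not code from the patent or the applicant), the four steps S110 to S140 carried through in Python: login with lockout, issuance of a one-time dynamic password, the client's generation rule, and the server's inverse operation and comparison. The account store, the HOTP-style truncation used to model the time-synchronised token, the splicing generation rule and the reading of the "8-bit dynamic number" as 8 decimal digits are assumptions made for this example.

```python
import hashlib
import hmac
import struct
import time

# Constructed sample store (not from the patent): the static password checked
# at login and the static identifier mixed into the combined dynamic password.
ACCOUNTS = {"acct-001": {"static_password": "s3cret-login", "static_id": "7391"}}
TOKEN_SEED = b"constructed-token-seed"  # secret shared with the time-synced token
STEP_SECONDS = 60   # the token changes its value every 60 s (from the text)
DIGITS = 8          # "8-bit dynamic number" read here as 8 decimal digits (assumption)
MAX_LOGIN_FAILURES = 3
SPLICE_AT = 4       # generation rule: splice the static id into the dynamic number


def combine(static_id, dynamic_pw):
    """Client side: generation rule of the combined dynamic password.
    The rule is a constructed example (splicing), not the patent's own."""
    return dynamic_pw[:SPLICE_AT] + static_id + dynamic_pw[SPLICE_AT:]


def split(combined, static_len):
    """Server side: inverse of combine(); needs the stored static id's length."""
    static_id = combined[SPLICE_AT:SPLICE_AT + static_len]
    dynamic_pw = combined[:SPLICE_AT] + combined[SPLICE_AT + static_len:]
    return static_id, dynamic_pw


class OnlineTransactionServer:
    def __init__(self, accounts, seed, now=time.time):
        self.accounts = accounts
        self.seed = seed
        self.now = now            # injectable clock so the flow is testable
        self.logged_in = set()
        self.failures = {}
        self.issued = {}          # account -> (dynamic password, time step)

    def login(self, account, static_password):
        """S110: check the static password; lock the client out after 3 failures."""
        if self.failures.get(account, 0) >= MAX_LOGIN_FAILURES:
            return False
        rec = self.accounts.get(account)
        if rec and hmac.compare_digest(rec["static_password"], static_password):
            self.logged_in.add(account)
            return True
        self.failures[account] = self.failures.get(account, 0) + 1
        return False

    def _token_value(self, step):
        """Time-synchronised token value: HMAC over the 60 s step, truncated to
        DIGITS digits (HOTP-style truncation is a constructed choice)."""
        mac = hmac.new(self.seed, struct.pack(">Q", step), hashlib.sha1).digest()
        offset = mac[-1] & 0x0F
        code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
        return f"{code % 10 ** DIGITS:0{DIGITS}d}"

    def authorize_request(self, account):
        """S120: a logged-in client gets a fresh dynamic password, valid once."""
        if account not in self.logged_in:
            return None
        step = int(self.now()) // STEP_SECONDS
        pw = self._token_value(step)
        self.issued[account] = (pw, step)
        return pw

    def verify_combined(self, account, combined):
        """S130/S140: invert the rule, check both parts, consume the password."""
        issued = self.issued.pop(account, None)  # one-time: gone even on failure
        if issued is None:
            return False
        pw, step = issued
        if int(self.now()) // STEP_SECONDS - step > 1:   # one step of clock tolerance
            return False
        stored_id = self.accounts[account]["static_id"]
        static_id, dynamic_pw = split(combined, len(stored_id))
        ok_static = hmac.compare_digest(static_id, stored_id)
        ok_dynamic = hmac.compare_digest(dynamic_pw, pw)
        return ok_static and ok_dynamic


def run_flow(clock=lambda: 1_700_000_000):
    """End to end: login, request, combine on the client, verify on the server.
    Returns the dynamic password, the combined value, and the two verdicts."""
    server = OnlineTransactionServer(ACCOUNTS, TOKEN_SEED, now=clock)
    assert server.login("acct-001", "s3cret-login")
    dynamic_pw = server.authorize_request("acct-001")
    combined = combine(ACCOUNTS["acct-001"]["static_id"], dynamic_pw)
    first = server.verify_combined("acct-001", combined)
    replay = server.verify_combined("acct-001", combined)   # same value resent
    return dynamic_pw, combined, first, replay
```

Note that an intercepted dynamic password alone fails `verify_combined`, because the server's inverse operation then yields a wrong static identifier, which is the property the description claims for the combined password.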
Informatization has progressed rapidly in recent years, and network construction, software development and software application have advanced with it. Provincial-level centralization of computer applications has been achieved, a great number of new services have been realized, and competitiveness has been strengthened. It should also be appreciated that existing online transaction systems generally emphasize new functional implementations of business applications while placing low requirements on security, so many online transaction systems are hard on the application side (strong applications) and soft on the security side (weak security), with vulnerabilities that may be attacked. This must therefore be watched with high vigilance, raising the security level of the online transaction field as a whole.
For example, the online transaction system may use a dual-server hot backup mode to ensure service security. To protect sensitive equipment in the network, a firewall may be provided in the online transaction system to provide authentication, access control, security auditing and similar functions at the network layer. Intrusion by external viruses is strictly prevented: external software or copied software is uniformly subjected to virus detection on a dedicated machine, it is trialled only after viruses have been removed, and data is backed up before the trial.
Illustratively, the online transaction system checks each transmitted message to determine its integrity, checks whether the channel device that initiated the transaction is registered and whether the transaction identity remains consistent with the channel, and checks whether the key fields of the message are present to determine the legitimacy of the message. Keys are replaced for important data at different links of the transmission process, and the important data is encrypted throughout.
Illustratively, the online transaction system builds its database on a raw device, which is not easily deleted or modified illegally. An independent application library is established, a system library is set up separately, user management of the database is placed in the system library, and passwords in the database are strictly managed, mixing digits, upper-case and lower-case letters; a change interval may also be prescribed, which improves the reliability of the passwords.
Important tables of the online transaction system are backed up in real time during the day, a full backup of the database is performed automatically at the end of the day, and the backed-up data may be stored off-site to provide remote backup. These measures prepare the data recovery process for an unexpected failure of the system.
According to the technical scheme, the online login request of the online transaction client is verified, and the online transaction client is determined to be successfully logged in under the condition that the verification is passed; responding to an authorization request sent by an online transaction client, generating a dynamic password, sending the dynamic password to the online transaction client, and generating a combined dynamic password for the account to be verified by the online transaction client according to the static identification of the account to be verified and the dynamic password; receiving the combined dynamic password from the online transaction client and verifying the combined dynamic password; and under the condition that the combined dynamic password passes verification, authorizing the authorization request of the account to be verified. The security of online transaction authorization is improved by verifying the login request and the authorization request, and the online transaction client generates a combined dynamic password for the account to be verified according to the static identification of the account to be verified and the dynamic password by sending the dynamic password to the online transaction client, and the static identification is added in the dynamic password, so that the dynamic password cannot be authorized even if intercepted, and the security of the combined dynamic password is improved. Therefore, by the technical scheme of the application, the problem that the static password or the combined dynamic password is easy to crack, so that the security of the online transaction authorization is low is solved, and the effect of improving the security of the online transaction authorization is achieved.
In an alternative embodiment, generating a dynamic password in response to an authorization request sent by an online transaction client includes: responding to an authorization request sent by an online transaction client, and determining a target authorization level to which an account to be verified belongs from preset candidate authorization levels according to the authorization request; determining whether the account to be verified belongs to an authorized account according to the target authorization level; if yes, generating a dynamic password.
The preset candidate authorization levels may be authorization levels preset for accounts to be verified of different ranks, used to limit authorization rights; that is, each candidate authorization level corresponds to a different scope of authorization. The target authorization level may be the candidate authorization level corresponding to the authorization request of the account to be verified. To limit the authorization scope of accounts to be verified, different online transaction roles may be allocated to different accounts to be verified, each online transaction role corresponding to an authorization level. One account to be verified may hold multiple roles, and one role may also be held by multiple accounts to be verified. Specifically, a configuration table may be stored on the online transaction server that records the roles and authorization levels corresponding to each account to be verified.
An authorizable account may be an account to be verified that may be authorized. The online transaction client must check in advance which authorities it can be granted before entering any service menu; if it accesses a service menu for which it is not authorized, the system reports unauthorized use. For example, when the target authorization level of the online transaction client is system administrator, the online transaction client may only maintain the server, monitor and regulate the server's operating performance, and maintain the computer operating system so as to keep the server running efficiently and smoothly and keep network communication reliable and smooth, and it is prohibited from any business processing. The target authorization level of the account to be verified requesting authorization is determined according to the authorization request, and a dynamic password is generated if the target authorization level belongs to the authorization levels of the account to be verified and the account to be verified is an authorizable account; otherwise the account to be verified is determined not to be an authorizable account, generation of the dynamic password is refused, warning information is returned, and the user is warned to check the authorization request.
By responding to the authorization request sent by the online transaction client, determining the target authorization level of the account to be verified from the preset candidate authorization levels according to the authorization request, determining from the target authorization level whether the account to be verified is an authorizable account, and generating a dynamic password only if so, whether the account is authorizable is settled before any dynamic password is generated, which limits the access rights of the account to be verified and improves the security of the transaction.
In an alternative embodiment, generating a dynamic password in response to an authorization request sent by an online transaction client includes: responding to the authorization request sent by the online transaction client, and, if the right to be authorized corresponding to the authorization request is a uniqueness right, determining whether the right to be authorized has already been authorized; if yes, refusing the authorization; otherwise, generating the dynamic password.
The uniqueness right may be an access-restriction right that only a single account to be verified may hold, i.e. a right that allows only one account to be verified to be authorized within the same time period. If the right to be authorized corresponding to the authorization request is a uniqueness right, determining whether the right to be authorized is authorized means judging whether the right has already been requested by and granted to another account. If yes, i.e. the right to be authorized has been authorized to another account, the authorization request of the account to be verified is rejected; if not, i.e. the right to be authorized has not been authorized to another account, a dynamic password is generated.
For important online transaction services, especially online transaction services with strict precedence requirements and data that must not be tampered with, the online transaction service is locked. For example, for an online transaction service that needs to be checked, an online transaction account wishing to check the service must wait until the online transaction account currently holding the service has exited it; only after the online transaction service is unlocked can the account be authorized to enter the operation interface of the service, and at the same time the service is locked again, so that the atomicity of the online transaction service is ensured. Considering the situation where an online transaction account exits abnormally (for example, the terminal is powered off) and the online transaction service is therefore left in a locked state, an unlock menu can be designed for the system administrator.
Responding to the authorization request sent by the online transaction client and, if the right to be authorized corresponding to the authorization request is a uniqueness right, determining whether the right to be authorized has already been authorized, refusing the authorization if yes and generating the dynamic password otherwise, ensures the atomicity of the right to be authorized: after the right has been authorized, other accounts to be verified cannot be authorized for it, the data of the online transaction corresponding to the right cannot be tampered with midway, and the safety of the online transaction data is improved.
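The following is an added example, not the patent's code, modelling the uniqueness-right handling described above: the decision at authorization-request time, locking the right when the authorization is granted, release on normal exit, and an audited administrator unlock for locks left behind by an abnormal exit. Right names, account names and the clock are constructed.

```python
import time
from typing import Callable, Dict, List, Optional, Tuple

# Constructed example, not the patent's code. A uniqueness right may be held by
# only one account at a time; the service behind it stays locked until the holder
# exits or an administrator force-unlocks it.


class UniquenessRightRegistry:
    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._holders: Dict[str, Tuple[str, float]] = {}   # right -> (account, locked_at)
        self.audit_log: List[str] = []
        self._now = now

    def on_authorization_request(self, account: str, right: str,
                                 is_unique: bool) -> Tuple[bool, str]:
        """Decision point from the text: for a uniqueness right, refuse when the right is
        already authorized (to any account); otherwise the dynamic password may be generated."""
        if not is_unique:
            return True, "generate dynamic password"
        if right in self._holders:
            return False, "right already authorized"
        return True, "generate dynamic password"

    def grant(self, account: str, right: str) -> bool:
        """Called once the combined dynamic password has been verified: the right is locked
        to this account so that no other account can be authorized for it meanwhile."""
        if right in self._holders:
            return False          # lost a race against another successful authorization
        self._holders[right] = (account, self._now())
        self.audit_log.append(f"lock {right} -> {account}")
        return True

    def release(self, account: str, right: str) -> bool:
        """Normal exit by the holder unlocks the right; nobody else may release it."""
        holder = self._holders.get(right)
        if holder is None or holder[0] != account:
            return False
        del self._holders[right]
        self.audit_log.append(f"unlock {right} by holder {account}")
        return True

    def stale_locks(self, max_age_seconds: float) -> List[Tuple[str, str, float]]:
        """Locks held longer than max_age_seconds: candidates for the administrator's unlock
        menu, typically the result of a terminal that went away without releasing."""
        now = self._now()
        return [(right, acct, now - t)
                for right, (acct, t) in self._holders.items() if now - t > max_age_seconds]

    def admin_unlock(self, admin_account: str, right: str) -> bool:
        """Administrator menu for locks left behind by an abnormal exit; always audited."""
        holder = self._holders.pop(right, None)
        if holder is None:
            return False
        self.audit_log.append(
            f"admin {admin_account} force-unlocked {right} (was held by {holder[0]})")
        return True

    def holder_of(self, right: str) -> Optional[str]:
        holder = self._holders.get(right)
        return None if holder is None else holder[0]
```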
In an alternative embodiment, before verifying the online login request of the online transaction client, the method further comprises: determining whether the Internet Protocol (IP) address that sent the online login request is a login-capable address.
The Internet Protocol address (IP address) may be the IP address of the online transaction client that sent the online login request. A login-capable address may be an IP address that is allowed to access the online transaction server. To ensure the security of the online transaction system, the online transaction server may maintain a secure address table, and the online transaction server may be accessed only from the IP addresses in the maintained secure address table. When an online login request of an online transaction client is received, it is judged whether the IP address of the online transaction client that sent the online login request is a login-capable address; if yes, and the IP address and port number are configured correctly, the online login request of the online transaction client is verified; otherwise, the online login request is rejected and an illegal access log is generated.
By determining whether the IP address that sent the online login request is a login-capable address, the online transaction system is prevented from being logged in to from an illegal IP address, and the safety of the online transaction system is ensured.
Example two
Fig. 2 is a flowchart of an online authorization method according to a second embodiment of the present application; the technical solution of this embodiment is further refined on the basis of the technical solution described above.
Further, "verify combined dynamic password", is refined as: extracting a static identifier and a dynamic password from the combined dynamic password according to a preset generation rule of the combined dynamic password; the static identification is the unique identification information of the owner of the account to be verified; respectively judging whether the static identification and the dynamic password are correct or not; if the static information and the dynamic password are correct, determining that the combined dynamic password passes verification so as to verify the combined dynamic password.
Referring to fig. 2, an online authorization method includes:
S210, verifying the online login request of the online transaction client, and determining that the online transaction client is successfully logged in under the condition that the online login request passes the verification.
S220, responding to the authorization request sent by the online transaction client, generating a dynamic password, sending the dynamic password to the online transaction client, and generating a combined dynamic password for the account to be verified by the online transaction client according to the static identification and the dynamic password of the account to be verified.
S230, receiving the combined dynamic password from the online transaction client.
S240, extracting a static identifier and a dynamic password from the combined dynamic password according to a preset generation rule of the combined dynamic password; the static identification is unique identification information of the owner of the account to be authenticated.
The preset generation rule of the combined dynamic password can be a preset combined dynamic password generation rule which is required to be set in advance and is used for generating the combined dynamic password according to the static identification and the dynamic password and extracting the static identification and the dynamic password from the combined dynamic password. The static identification may be unique identification information of the owner of the account to be authenticated. By way of example, the static identification information may be image feature information of the owner of the account to be authenticated, for example, the image feature information may be facial image features, pupil image features, fingerprint image features, or the like. The static identification information may also be a preset password, for example. For example, the preset password may be an 8-bit number. Specifically, the generation rule of the combined dynamic password can be set through a configuration table, and the generation mechanism of the combined dynamic password can be changed at any time, so that the safety of the combined dynamic password is further improved. After the generation rule of the combined dynamic password changes, the combined dynamic password is sent to the online transaction client in a ciphertext mode, so that information synchronization is ensured.
Illustratively, the preset generation rule may be a combination of a static identifier and a dynamic password. For example, the preset generation rule may be to sequentially combine the static identifier and the dynamic password. For example, when the static identification information may be a preset password, each bit or a plurality of bits of the preset password may be sequentially inserted into the dynamic password, specifically, even digits in the combined dynamic password are static passwords, and odd digits are dynamic passwords. The combination mode of the static identifier and the dynamic password can be set according to habit or requirement, and the application is not limited in particular. If the preset generation rule is to take the combination of the static identification and the dynamic password, the static identification and the dynamic password can be obtained by correspondingly extracting the data according to the combination rule after the combination dynamic password is received.
For example, the preset generation rule may be a fusion of a static identifier and a dynamic password. For example, the preset generation rule may be to fuse the static identifier and the dynamic password according to a preset algorithm or function. If the preset generation rule is fusion of the static identifier and the dynamic password, the static identifier and the dynamic password can be obtained according to inverse operation of the preset generation rule after the combined dynamic password is received.
S250, judging whether the static identification and the dynamic password are correct or not respectively.
Based on the static identification of the account to be verified stored in advance in the online transaction server, it is compared whether the static identification extracted from the combined dynamic password is the same as the pre-stored static identification; if so, the static identification is determined to be correct, otherwise it is determined to be incorrect.
Based on the dynamic password recorded by the online transaction server when it was sent to the online transaction client, it is compared whether the dynamic password extracted from the combined dynamic password is the same as the recorded dynamic password, and it is judged whether the dynamic password is within its effective time; if it is the same and within the effective time, the dynamic password is determined to be correct, otherwise the dynamic password is incorrect.
For example, the static identifier can be judged first, and the dynamic password is judged only under the condition that the static identifier is correct; in the case that the static identification is incorrect, the dynamic password does not need to be judged. Since the subsequent verification of the combined dynamic password requires that both the static information and the dynamic password are correct, the combined dynamic password is incorrect as soon as either of them is incorrect, so that under the condition that the static information is incorrect there is no need to judge the correctness of the dynamic password; skipping that judgement avoids meaningless calculation and saves operation resources.
And S260, if the static information and the dynamic password are correct, determining that the combined dynamic password passes verification.
If the static information and the dynamic password are both correct, the combined dynamic password verification can be determined to pass, otherwise if any one of the static information and the dynamic password is incorrect, the combined dynamic password verification can be determined to not pass.
S270, under the condition that the combined dynamic password verification is passed, authorizing the authorization request of the account to be verified.
According to the technical scheme, the static identification and the dynamic password are extracted from the combined dynamic password according to a preset generation rule of the combined dynamic password; the static identification is the unique identification information of the owner of the account to be verified; whether the static identification and the dynamic password are correct is judged respectively; if the static information and the dynamic password are both correct, the combined dynamic password is determined to pass verification. Adding the static identification increases the safety of the combined dynamic password: because verification passes only when both the static information and the dynamic password are correct, the combined dynamic password cannot be obtained even if the dynamic password is intercepted, and the safety of subsequent online transaction authorization is improved through verification of the combined dynamic password.
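The following is an added example, not the patent's code, implementing S220 to S260 as described above: the preset generation rule is modelled as a configurable layout string (the interleaving rule from the text), the client combines the static identifier with the dynamic password, and the server splits the combined dynamic password, checks the static identifier first, then the dynamic password and its effective time. The static-identifier value, the dynamic-password length, the 60-second validity and the single-use rule are assumptions.

```python
import hmac
import secrets
import time
from typing import Callable, Dict, Tuple

# Constructed example, not the patent's code. The "preset generation rule" is a layout
# string read from a configuration table: 'S' marks a position of the combined dynamic
# password that carries a static-identifier digit, 'D' one that carries a dynamic-
# password digit. "SD" repeated is the interleaving rule described in the text.
STATIC_ID_LEN = 8          # the text gives an 8-digit preset password as static identifier
DYNAMIC_PW_LEN = 8         # assumed length of the server-generated dynamic password
DEFAULT_LAYOUT = "SD" * 8
VALIDITY_SECONDS = 60      # assumed effective time of a dynamic password


def combine(static_id: str, dynamic_pw: str, layout: str = DEFAULT_LAYOUT) -> str:
    """Client side: merge static identifier and dynamic password according to the layout."""
    if layout.count("S") != len(static_id) or layout.count("D") != len(dynamic_pw):
        raise ValueError("layout does not match the lengths of static_id / dynamic_pw")
    s_digits, d_digits = iter(static_id), iter(dynamic_pw)
    return "".join(next(s_digits) if slot == "S" else next(d_digits) for slot in layout)


def split(combined: str, layout: str = DEFAULT_LAYOUT) -> Tuple[str, str]:
    """Server side: inverse of combine(); recovers (static_id, dynamic_pw)."""
    if not combined.isascii() or len(combined) != len(layout):
        raise ValueError("combined dynamic password does not fit this layout")
    static_id = "".join(ch for ch, slot in zip(combined, layout) if slot == "S")
    dynamic_pw = "".join(ch for ch, slot in zip(combined, layout) if slot == "D")
    return static_id, dynamic_pw


class AuthorizationServer:
    """Issues dynamic passwords (S220) and verifies combined dynamic passwords (S240-S260)."""

    def __init__(self, static_ids: Dict[str, str], layout: str = DEFAULT_LAYOUT,
                 now: Callable[[], float] = time.time) -> None:
        self._static_ids = static_ids                      # account -> pre-stored static identifier
        self._issued: Dict[str, Tuple[str, float]] = {}   # account -> (dynamic_pw, issued_at)
        self.layout = layout
        self._now = now

    def issue_dynamic_password(self, account: str) -> str:
        """Generate a fresh dynamic password from a CSPRNG, record it with its issue time,
        and return it for delivery to the online transaction client."""
        dynamic_pw = "".join(str(secrets.randbelow(10)) for _ in range(DYNAMIC_PW_LEN))
        self._issued[account] = (dynamic_pw, self._now())
        return dynamic_pw

    def verify_combined(self, account: str, combined: str) -> Tuple[bool, str]:
        """Split, check the static identifier first, then the dynamic password and its
        effective time. Constant-time comparisons avoid leaking how many digits matched."""
        try:
            static_id, dynamic_pw = split(combined, self.layout)
        except ValueError:
            return False, "malformed combined dynamic password"
        expected_static = self._static_ids.get(account)
        if expected_static is None or not hmac.compare_digest(static_id, expected_static):
            return False, "static identifier incorrect"      # dynamic password not examined
        issued = self._issued.get(account)
        if issued is None:
            return False, "no dynamic password outstanding"
        expected_dynamic, issued_at = issued
        if not hmac.compare_digest(dynamic_pw, expected_dynamic):
            return False, "dynamic password incorrect"
        if self._now() - issued_at > VALIDITY_SECONDS:
            del self._issued[account]
            return False, "dynamic password expired"
        del self._issued[account]   # assumption: a dynamic password is consumed once verified
        return True, "ok"
```

Because the server checks the static identifier before the dynamic password, a captured dynamic password combined with a wrong static identifier is rejected without the dynamic password ever being compared.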
Example III
Fig. 3 is a flowchart of an online authorization method according to a third embodiment of the present application; the technical solution of this embodiment is further refined on the basis of the technical solution described above.
Further, the online login request of the online transaction client is verified, and the online login request is refined into: extracting a static password of an account to be verified from an online login request of an online transaction client; the static passwords comprise account passwords and date passwords; the date password is dynamically adjusted according to the current date; respectively judging whether the account password and the date password are correct; if the account password and the date password are both correct, determining that the online login request is verified to pass, so as to verify the online login request.
Referring to fig. 3, an online authorization method includes:
S310, extracting a static password of an account to be verified from an online login request of an online transaction client; the static password comprises an account password and a date password; the date password is dynamically adjusted according to the current date.
The static password can be the password of the account to be verified in the online login request; specifically, the static password comprises an account password and a date password, and the date password is dynamically adjusted according to the current date. The date password is the current date, and the format of the date password can be preset. By way of example, the date password may be 8 bits, generated in the form of year, month and day. For example, the date password may be 20230223. The account password is a password preset for the account to be verified. Restrictions can be placed on how the account password is set to improve its security, i.e. the account password must not be less than 6 bits, must contain numbers and letters, and cannot be the birthday of the user to whom the account to be authenticated belongs.
S320, judging whether the account password and the date password are correct or not respectively.
And extracting the account password and the date password from the static password according to a static password generation rule stored in the online transaction server in advance. By way of example, the static password generation rule may be a hybrid of account passwords and date passwords. For example, each bit of the date password is fixed as a designated bit in the static password, respectively. Specifically, the static password generation rule can be set through a configuration table, and the generation mechanism of the static password can be changed at any time, so that the security of the static password is further improved, and the account to be verified cannot be logged in even under the condition of acquiring the account password. After the static password generation rule changes, the static password is sent to the online transaction client in a ciphertext mode, so that information synchronization is ensured.
Comparing the account password with the account password of the account to be verified stored in the online transaction server, if the account password is the same, the account password is correct, otherwise, the account password is incorrect; and comparing the date password with the current date in the online transaction server, if the date password is the same, the date password is correct, and otherwise, the date password is incorrect.
For example, the account password can be judged first, and the date password is judged only under the condition that the account password is correct; in the case that the account password is incorrect, it is not necessary to judge the date password. Since the subsequent verification of the static password requires that both the account password and the date password are correct, the static password is incorrect as soon as either of them is incorrect, so that under the condition that the account password is incorrect there is no need to judge the correctness of the date password; skipping that judgement avoids meaningless calculation and saves operation resources.
S330, if the account password and the date password are correct, determining that the verification of the online login request is passed.
If the account password and the date password are both correct, the passing of static password verification can be determined, and the passing of online login request verification is determined; otherwise, if any one of the account password and the date password is incorrect, the static password verification is determined to be not passed, and the online login request verification is determined to be not passed.
And S340, under the condition that the verification is passed, determining that the online transaction client login is successful.
S350, responding to the authorization request sent by the online transaction client, generating a dynamic password, sending the dynamic password to the online transaction client, and generating a combined dynamic password for the account to be verified by the online transaction client according to the static identification and the dynamic password of the account to be verified.
S360, receiving the combined dynamic password from the online transaction client and verifying the combined dynamic password.
And S370, authorizing the authorization request of the account to be verified under the condition that the combined dynamic password verification is passed.
According to the technical scheme, the static password of the account to be verified is extracted from the online login request of the online transaction client; the static passwords comprise account passwords and date passwords; the date password is dynamically adjusted according to the current date; respectively judging whether the account password and the date password are correct; if the account password and the date password are both correct, the online login request is determined to pass verification, and the corresponding account to be verified cannot be logged in even if the account password is leaked by adding the date password into the static password, so that the login security is improved, the login log of the account to be verified is conveniently recorded through the date password, and subsequent inquiry, audit and the like are facilitated.
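The following is an added example, not the patent's code, implementing S310 to S340 as described above: the static-password generation rule is modelled as a configured set of positions at which the eight date digits sit (with the account password filling the remaining positions), the server extracts both parts, checks the account password first and the date password against its own current date, and records the login attempt keyed by the date password for later audit. The position table, account names and passwords are constructed, and the setting-time policy check follows the three restrictions listed in the text.

```python
import hmac
import re
from datetime import date
from typing import Callable, Dict, List, Sequence, Tuple

# Constructed example, not the patent's code. The static-password generation rule is a
# tuple of positions read from a configuration table: position date_positions[i] of the
# static password holds digit i of the 8-digit date password (YYYYMMDD); the remaining
# positions hold the account password characters in order.
DATE_POSITIONS: Sequence[int] = (0, 2, 4, 6, 8, 10, 12, 13)   # assumed configuration
MIN_ACCOUNT_PW_LEN = 6


def check_account_password_policy(account_pw: str, owner_birthday: str) -> List[str]:
    """Setting-time restrictions from the text: at least 6 characters, must contain both
    digits and letters, must not equal the owner's birthday (YYYYMMDD). Returns violations."""
    violations: List[str] = []
    if len(account_pw) < MIN_ACCOUNT_PW_LEN:
        violations.append("too short")
    if not re.search(r"\d", account_pw):
        violations.append("must contain digits")
    if not re.search(r"[A-Za-z]", account_pw):
        violations.append("must contain letters")
    if account_pw == owner_birthday:
        violations.append("must not be the owner's birthday")
    return violations


def build_static_password(account_pw: str, date_pw: str,
                          date_positions: Sequence[int] = DATE_POSITIONS) -> str:
    """Client side: put each date digit at its designated position, fill the rest in order
    with the account password."""
    if len(date_pw) != 8 or not (date_pw.isascii() and date_pw.isdigit()):
        raise ValueError("date password must be 8 ASCII digits (YYYYMMDD)")
    total = len(account_pw) + len(date_pw)
    if len(set(date_positions)) != len(date_pw) or max(date_positions) >= total:
        raise ValueError("date positions do not fit this account password length")
    slots: List[str] = [""] * total
    for pos, digit in zip(date_positions, date_pw):
        slots[pos] = digit
    account_chars = iter(account_pw)
    for i in range(total):
        if slots[i] == "":
            slots[i] = next(account_chars)
    return "".join(slots)


def extract_static_password(static_pw: str,
                            date_positions: Sequence[int] = DATE_POSITIONS) -> Tuple[str, str]:
    """Server side (S310): inverse of build_static_password()."""
    if not static_pw.isascii() or max(date_positions) >= len(static_pw):
        raise ValueError("static password does not fit the configured rule")
    date_pw = "".join(static_pw[p] for p in date_positions)
    taken = set(date_positions)
    account_pw = "".join(ch for i, ch in enumerate(static_pw) if i not in taken)
    return account_pw, date_pw


class LoginServer:
    """S310-S340: verify a login request; keep a login log keyed by the date password."""

    def __init__(self, account_pws: Dict[str, str],
                 today: Callable[[], str] = lambda: date.today().strftime("%Y%m%d")) -> None:
        self._account_pws = account_pws   # account -> stored account password (hash it in practice)
        self._today = today
        self.login_log: List[Tuple[str, str, bool]] = []   # (date_pw, account, passed)

    def verify_login(self, account: str, static_pw: str) -> Tuple[bool, str]:
        try:
            account_pw, date_pw = extract_static_password(static_pw)
        except ValueError:
            return False, "malformed static password"
        expected = self._account_pws.get(account)
        if expected is None or not hmac.compare_digest(account_pw, expected):
            self.login_log.append((date_pw, account, False))
            return False, "account password incorrect"   # date password not examined
        if not hmac.compare_digest(date_pw, self._today()):
            self.login_log.append((date_pw, account, False))
            return False, "date password incorrect"
        self.login_log.append((date_pw, account, True))
        return True, "ok"
```

A leaked account password presented with yesterday's date is rejected, and the attempt still lands in the login log under the date password the client supplied.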
Example IV
Fig. 4 is a schematic structural diagram of an online authorization device according to a fourth embodiment of the present application, where the embodiment is applicable to authorizing operation rights in an online transaction system, and the online authorization device is configured on an online transaction server, and the specific structure of the online authorization device is as follows:
a login request verification module 410, configured to verify an online login request of the online transaction client, and determine that the online transaction client is successfully logged in if the online login request passes the verification;
the authorization request response module 420 is configured to generate a dynamic password in response to an authorization request sent by the online transaction client, send the dynamic password to the online transaction client, and generate a combined dynamic password for the account to be verified by the online transaction client according to the static identifier and the dynamic password of the account to be verified;
a combined dynamic password authentication module 430 for receiving the combined dynamic password from the online transaction client and authenticating the combined dynamic password;
and the authorization request response module 440 is configured to authorize an authorization request of the account to be verified if the combined dynamic password verification passes.
According to the technical scheme, the online login request of the online transaction client is verified, and the online transaction client is determined to be successfully logged in under the condition that the verification is passed; in response to an authorization request sent by the online transaction client, a dynamic password is generated and sent to the online transaction client, and the online transaction client generates a combined dynamic password for the account to be verified according to the static identification of the account to be verified and the dynamic password; the combined dynamic password is received from the online transaction client and verified; and under the condition that the combined dynamic password passes verification, the authorization request of the account to be verified is authorized. The security of online transaction authorization is improved by verifying both the login request and the authorization request. Because the dynamic password is sent to the online transaction client and the client generates the combined dynamic password from the static identification of the account to be verified and the dynamic password, the static identification is added to the dynamic password, so that even an intercepted dynamic password cannot be used to obtain authorization, and the security of the combined dynamic password is improved. Therefore, the technical scheme of the application solves the problem that a static password or a dynamic password used alone is easy to crack, which makes the security of online transaction authorization low, and achieves the effect of improving the security of online transaction authorization.
Optionally, the combined dynamic password authentication module 430 includes:
the combined dynamic password splitting unit is used for extracting a static identifier and a dynamic password from the combined dynamic password according to a preset generation rule of the combined dynamic password; the static identification is the unique identification information of the owner of the account to be verified;
the independent verification unit is used for judging whether the static identifier and the dynamic password are correct or not respectively;
and the combined dynamic password judging unit is used for determining that the combined dynamic password passes verification if the static information and the dynamic password are correct.
Optionally, the authorization request response module 420 includes:
the target authorization level determining unit is used for responding to an authorization request sent by the online transaction client and determining the target authorization level to which the account to be verified belongs from preset candidate authorization levels according to the authorization request;
the system comprises an authorized account determining unit, a verification unit and a verification unit, wherein the authorized account determining unit is used for determining whether an account to be verified belongs to an authorized account according to a target authorization level;
and the dynamic password generating unit is used for generating the dynamic password if the dynamic password is generated.
Optionally, the authorization request response module 420 includes:
the system comprises a uniqueness authority determining unit, a processing unit and a processing unit, wherein the uniqueness authority determining unit is used for responding to an authorization request sent by an online transaction client, and determining whether the authority to be authorized is authorized if the authority to be authorized corresponding to the authorization request is the uniqueness authority;
An authorization determining unit, configured to reject authorization if yes; otherwise, generating a dynamic password.
Optionally, the login request verification module 410 includes:
the static password extraction unit is used for extracting the static password of the account to be verified from the online login request of the online transaction client; the static passwords comprise account passwords and date passwords; the date password is dynamically adjusted according to the current date;
the static password judging unit is used for judging whether the account password and the date password are correct or not respectively;
and the static password verification unit is used for determining that the online login request passes verification if the account password and the date password are correct.
Optionally, the online authorization device further includes:
the login address judging module is used for determining whether the IP address sending the online login request is a login address.
The online authorization device provided by the embodiment of the application can execute the online authorization method provided by any embodiment of the application, and has the corresponding functional modules and beneficial effects of executing the online authorization method.
Example five
Fig. 5 is a schematic structural diagram of an electronic device according to a fifth embodiment of the present application, as shown in fig. 5, the electronic device includes a processor 510, a memory 520, an input device 530, and an output device 540; the number of processors 510 in the electronic device may be one or more, one processor 510 being taken as an example in fig. 5; the processor 510, memory 520, input device 530, and output device 540 in the electronic device may be connected by a bus or other means, for example in fig. 5.
The memory 520 serves as a computer readable storage medium, and may be used to store software programs, computer executable programs, and modules, such as program instructions/modules (e.g., the login request authentication module 410, the authorization request response module 420, the combined dynamic password authentication module 430, and the authorization request response module 440) corresponding to the online authorization method in the embodiment of the present application. The processor 510 executes various functional applications and data processing of the electronic device by running software programs, instructions and modules stored in the memory 520, i.e., implements the online authorization method described above.
Memory 520 may include primarily a program storage area and a data storage area, wherein the program storage area may store an operating system, at least one application program required for functionality; the storage data area may store data created according to the use of the terminal, etc. In addition, memory 520 may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid-state storage device. In some examples, memory 520 may further include memory located remotely from processor 510, which may be connected to the electronic device via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The input means 530 may be used to receive input character information and to generate key signal inputs related to user settings and function control of the electronic device. The output 540 may include a display device such as a display screen.
Example six
A sixth embodiment of the present application also provides a storage medium containing computer-executable instructions, which when executed by a computer processor, are configured to perform a method of online authorization, the method comprising: verifying the online login request of the online transaction client, and determining that the online transaction client is successfully logged in under the condition that the verification is passed; responding to an authorization request sent by an online transaction client, generating a dynamic password, sending the dynamic password to the online transaction client, and generating a combined dynamic password for the account to be verified by the online transaction client according to the static identification of the account to be verified and the dynamic password; receiving the combined dynamic password from the online transaction client and verifying the combined dynamic password; and under the condition that the combined dynamic password passes verification, authorizing the authorization request of the account to be verified.
Of course, the storage medium containing the computer executable instructions provided in the embodiments of the present application is not limited to the above-described method operations, but may also perform the related operations in the online authorization method provided in any embodiment of the present application.
From the above description of embodiments, it will be clear to a person skilled in the art that the present application may be implemented by means of software and necessary general purpose hardware, but of course also by means of hardware, although in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art in the form of a software product, which may be stored in a computer readable storage medium, such as a floppy disk, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), a FLASH Memory (FLASH), a hard disk or an optical disk of a computer, etc., and include several instructions for causing an electronic device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the embodiments of the present application.
It should be noted that, in the above-mentioned embodiments of the online authorization apparatus, the units and modules included are only divided according to functional logic and are not limited to the above division, as long as the corresponding functions can be implemented; in addition, the specific names of the functional units are only for distinguishing them from each other and are not used to limit the protection scope of the present application.
Note that the above is only a preferred embodiment of the present application and the technical principle applied. It will be understood by those skilled in the art that the present application is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the application. Therefore, while the application has been described in connection with the above embodiments, the application is not limited to the embodiments, but may be embodied in many other equivalent forms without departing from the spirit or scope of the application, which is set forth in the following claims.

Claims (10)

1. An online authorization method, comprising:
verifying an online login request of an online transaction client, and determining that the online transaction client is successfully logged in under the condition that the online login request passes the verification;
responding to an authorization request sent by the online transaction client, generating a dynamic password, sending the dynamic password to the online transaction client, and generating a combined dynamic password for the account to be verified by the online transaction client according to the static identification of the account to be verified and the dynamic password;
Receiving the combined dynamic password from the online transaction client and verifying the combined dynamic password;
and under the condition that the combined dynamic password verification is passed, authorizing the authorization request of the account to be verified.
2. The method of claim 1, wherein said verifying said combined dynamic password comprises:
extracting the static identification and the dynamic password from the combined dynamic password according to a preset generation rule of the combined dynamic password; the static identification is unique identification information of an owner of the account to be verified;
respectively judging whether the static identifier and the dynamic password are correct or not;
and if the static information and the dynamic password are both correct, determining that the combined dynamic password passes verification.
3. The method of claim 1, wherein generating a dynamic password in response to an authorization request sent by the online transaction client comprises:
responding to an authorization request sent by the online transaction client, and determining a target authorization level to which an account to be verified belongs from preset candidate authorization levels according to the authorization request;
Determining whether the account to be verified belongs to an authorized account according to the target authorization level;
if yes, the dynamic password is generated.
4. The method of claim 1, wherein generating a dynamic password in response to an authorization request sent by the online transaction client comprises:
responding to an authorization request sent by the online transaction client, and, if the right to be authorized corresponding to the authorization request is a uniqueness right, determining whether the right to be authorized has already been authorized;
if yes, refusing the authorization; otherwise, generating a dynamic password.
5. The method of claim 1, wherein verifying the online login request of the online transaction client comprises:
extracting a static password of the account to be verified from the online login request of the online transaction client, the static password comprising an account password and a date password, the date password being dynamically adjusted according to the current date;
judging separately whether the account password and the date password are correct;
and, if both the account password and the date password are correct, determining that the online login request passes verification.
6. The method of claim 1, further comprising, prior to verifying the online login request of the online transaction client:
determining whether the Internet Protocol (IP) address from which the online login request was sent is an address permitted to log in.
7. An online authorization device, comprising:
a login request verification module, configured to verify an online login request of the online transaction client and to determine that the online transaction client has logged in successfully if the online login request passes verification;
an authorization request response module, configured to respond to an authorization request sent by the online transaction client by generating a dynamic password and sending the dynamic password to the online transaction client, so that the online transaction client generates a combined dynamic password for the account to be verified from the static identifier of the account to be verified and the dynamic password;
a combined dynamic password verification module, configured to receive the combined dynamic password from the online transaction client and to verify the combined dynamic password;
and an authorization request response module, configured to authorize the authorization request of the account to be verified if the combined dynamic password passes verification.
8. The apparatus of claim 7, wherein the combined dynamic password verification module comprises:
a combined dynamic password splitting unit, configured to extract the static identifier and the dynamic password from the combined dynamic password using a preset generation rule of the combined dynamic password, the static identifier being unique identification information of the owner of the account to be verified;
an independent verification unit, configured to judge separately whether the static identifier and the dynamic password are correct;
and a combined dynamic password judging unit, configured to determine that the combined dynamic password passes verification if both the static identifier and the dynamic password are correct.
9. An electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor implements the online authorization method of any one of claims 1 to 6 when executing the program.
10. A computer-readable storage medium on which a computer program is stored, the program implementing the online authorization method of any one of claims 1 to 6 when executed by a processor.
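The following is an added example and not code from the patent or its applicant. It models the server side of the two-stage flow the claims describe: the login check of claims 5 and 6 (account password plus a date password, preceded by a login-address check), then the authorization of claims 1 to 4 (dynamic password issued after a level check and a single-use check, combined by the client with the owner's static identifier, split and verified part by part). Everything not stated in the claims is an assumption: the preset generation rule is taken to be `<static_id>-<dynamic_password>`, the date password is derived as an HMAC of the ISO date under a shared secret, the dynamic password is eight random decimal digits, and the accounts, networks, rights and names are constructed sample data.

```python
# Added example, not code from the patent: a server-side model of the two-stage
# flow the claims describe (login check, then combined dynamic password
# authorization). All names, rules and sample data below are assumptions.
import hashlib
import hmac
import ipaddress
import secrets
from datetime import date

SEPARATOR = "-"        # assumed preset generation rule: "<static_id>-<dynamic_password>"
DYNAMIC_DIGITS = 8     # assumed length of the server-generated dynamic password
SALT = b"constructed-salt"
SAMPLE_DATE = date(2023, 3, 6)  # constructed "current date" for the demonstration

def _pw_hash(password: str) -> bytes:
    # Account passwords are stored hashed, never in the clear.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

# Constructed sample state (would live in a database in a real deployment).
LOGIN_ALLOWED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
ACCOUNTS = {
    "op001": {
        "pw_hash": _pw_hash("correct horse"),
        "date_secret": b"constructed-shared-secret",
        "static_id": "OP001",   # unique identifier of the account owner
        "level": "branch",      # target authorization level of this account
    },
}
AUTHORIZED_LEVELS = {"branch"}          # candidate levels allowed to authorize
SINGLE_USE_RIGHTS = {"reset-ledger"}    # "singleness" rights: may be authorized once
granted_single_use: set = set()
outstanding: dict = {}                  # account -> dynamic password awaiting use

def date_password(secret: bytes, today: date) -> str:
    """Assumed derivation of the claim-5 date password: HMAC of the ISO date, 6 digits."""
    mac = hmac.new(secret, today.isoformat().encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

def ip_allowed(ip: str) -> bool:
    """Claim 6: only addresses on the login allowlist may attempt to log in."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOGIN_ALLOWED_NETWORKS)

def verify_login(account: str, account_pw: str, date_pw: str, ip: str, today: date) -> bool:
    """Claim 5: both the account password and the date password must be correct."""
    if not ip_allowed(ip):
        return False
    rec = ACCOUNTS.get(account)
    if rec is None:
        return False
    pw_ok = hmac.compare_digest(_pw_hash(account_pw), rec["pw_hash"])
    date_ok = hmac.compare_digest(date_pw, date_password(rec["date_secret"], today))
    return pw_ok and date_ok

def request_authorization(account: str, right: str):
    """Claims 3 and 4: level check and single-use check before issuing a dynamic password."""
    rec = ACCOUNTS.get(account)
    if rec is None or rec["level"] not in AUTHORIZED_LEVELS:
        return None
    if right in SINGLE_USE_RIGHTS and right in granted_single_use:
        return None  # already authorized once: refuse
    dynamic = f"{secrets.randbelow(10 ** DYNAMIC_DIGITS):0{DYNAMIC_DIGITS}d}"
    outstanding[account] = dynamic
    return dynamic

def combine(static_id: str, dynamic: str) -> str:
    """Client side: build the combined dynamic password under the preset rule."""
    return f"{static_id}{SEPARATOR}{dynamic}"

def verify_combined(account: str, combined: str) -> bool:
    """Claim 2: split by the preset rule, then check each part independently."""
    static_id, sep, dynamic = combined.rpartition(SEPARATOR)
    rec = ACCOUNTS.get(account)
    expected = outstanding.get(account)
    if not sep or rec is None or expected is None:
        return False
    static_ok = hmac.compare_digest(static_id, rec["static_id"])
    dynamic_ok = hmac.compare_digest(dynamic, expected)
    if static_ok and dynamic_ok:
        del outstanding[account]  # one dynamic password, one authorization (no replay)
        return True
    return False

def authorize(account: str, right: str, combined: str) -> bool:
    """Claim 1: grant the request only when the combined dynamic password verifies."""
    if not verify_combined(account, combined):
        return False
    if right in SINGLE_USE_RIGHTS:
        granted_single_use.add(right)
    return True

if __name__ == "__main__":
    dpw = date_password(ACCOUNTS["op001"]["date_secret"], SAMPLE_DATE)
    print("login:", verify_login("op001", "correct horse", dpw, "10.20.1.7", SAMPLE_DATE))
    dyn = request_authorization("op001", "reset-ledger")
    print("authorized:", authorize("op001", "reset-ledger", combine("OP001", dyn)))
```

Two design points are worth noting for a reviewer of such a scheme. The two halves of the combined password are compared with constant-time comparisons and the outstanding dynamic password is deleted once it verifies, so a captured combined password cannot be replayed; and the single-use check happens both when the dynamic password is issued and when the right is finally granted, which is what keeps a "singleness" right from being authorized twice even if two requests are in flight.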
Application CN202310205026.9A, priority date 2023-03-06, filing date 2023-03-06: Online authorization method, device, electronic equipment and storage medium (pending)

Publication CN116664124A (en), publication date 2023-08-29

Family ID 87723037; country status: CN (1) CN116664124A (en)

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination