CN116707961A - User authentication method, computer device, and computer storage medium - Google Patents

Info

Publication number: CN116707961A
Application number: CN202310793196.3A
Authority: CN (China)
Prior art keywords: target, authentication, user, authentication credential, target client
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 殷伟, 郭炳梁, 余敏文
Current and original assignee: Shenzhen Shenxinfu Information Security Co ltd
Priority: CN202310793196.3A (filed by Shenzhen Shenxinfu Information Security Co ltd; published as CN116707961A)

Classifications

    • H04L63/083 Network security; authentication of entities using passwords (H04L63/00 > H04L63/08 > H04L63/083)
    • H04L67/141 Session management; setup of application sessions (H04L67/00 > H04L67/14 > H04L67/141)
    • H04L69/163 In-band adaptation of TCP data exchange; in-band control procedures (H04L69/00 > H04L69/16 > H04L69/163)
    • H04L9/40 Cryptographic mechanisms for secret or secure communications; network security protocols (H04L9/00 > H04L9/40)

Abstract

The embodiments of this application disclose a user authentication method, a computer device and a computer storage medium. The server obtains first target data from the key identifier sent by the target client and generates a first authentication credential from it; it verifies the authentication request message sent by the target client and, when verification passes, establishes a connection with the target client; when it receives a second authentication credential from the target client over that connection, it compares the first and second authentication credentials and enables the online service for the target client if they match. The user therefore no longer types a user name and password for identity authentication: the server authenticates the user automatically from the credential it generated locally and the credential the client sent, the step is invisible to the user, input operations are reduced, the authentication flow is simplified and the user experience improves.

Description

User authentication method, computer device, and computer storage medium
Technical Field
The embodiments of this application relate to the field of network security, and in particular to a user authentication method, a computer device and a computer storage medium.
Background
Zero trust is a security model for preventing data from leaking out of an organization's trusted network, summarized as "never trust, always verify". Its mainstream implementation is the software-defined perimeter (SDP): before a client may reach a hidden asset, a trusted connection is established through single packet authorization (SPA), and access is then granted to the user under a least-privilege policy.
In the related art, when a client needs to access a server it first performs SPA single packet authorization, for which the user must enter authentication information; after that passes, identity authentication follows: the user enters a user name and password on the client, the client sends them to the server and the server verifies them. Only when both steps pass can the session between client and server go online. The user of the client therefore performs two rounds of input, one for single packet authorization and one for identity authentication, which means too many user operations, a cumbersome authentication process and a worse user experience.
Disclosure of Invention
The embodiments of this application provide a user authentication method, a computer device and a computer storage medium that simplify the user authentication process and reduce user operations.
A first aspect of the embodiments provides a user authentication method applied to a server, comprising:
receiving an authentication request message and a key identifier sent by a target client, verifying the authentication request message, and establishing a connection with the target client when the authentication request message passes verification;
obtaining first target data according to the key identifier, and generating a first authentication credential based on the first target data;
receiving a second authentication credential sent by the target client over the connection;
comparing the first authentication credential with the second authentication credential, and enabling the online service for the target client when the check passes.
A second aspect of the embodiments provides a user authentication method applied to a target client, comprising:
sending an authentication request message and a key identifier to a server, where the authentication request message is what the server verifies and the key identifier is what the server uses to generate a first authentication credential;
establishing a connection with the server when the authentication request message passes verification;
obtaining a second authentication credential and sending it to the server over the connection, so that the server compares the first authentication credential with the second authentication credential and enables the online service for the target client when the check passes.
A third aspect of the embodiments provides a computer device comprising a memory storing a computer program and a processor that implements the method of the first or second aspect when executing the computer program.
A fourth aspect of the embodiments provides a computer storage medium storing instructions which, when executed on a computer, cause the computer to perform the method of the first or second aspect.
The above technical solutions have the following advantage:
the server obtains first target data from the key identifier sent by the target client and generates the first authentication credential from it, verifies the authentication request message, establishes a connection when verification passes, and on receiving the second authentication credential over that connection compares the two credentials and enables the online service if they match. Identity authentication thus no longer requires the user to enter a user name and password; the server authenticates automatically from the locally generated credential and the credential sent by the client, the step is invisible to the user, input operations are reduced, the flow is simplified and the user experience improves.
Drawings
FIG. 1 is a flow chart of a user authentication method according to an embodiment of the present application;
FIG. 2 is a flowchart of another user authentication method according to an embodiment of the present application;
FIG. 3 is a flowchart of another user authentication method according to an embodiment of the present application;
FIG. 4 is a schematic diagram of a display style of a login interface of a target client according to an embodiment of the present application;
FIG. 5 is a schematic diagram of a display style of a user authentication flow prompt of a target client according to an embodiment of the present application;
FIG. 6 is a schematic diagram of a computer device according to an embodiment of the present application;
FIG. 7 is a schematic diagram of another configuration of a computer device according to an embodiment of the present application;
FIG. 8 is a schematic diagram of another configuration of a computer device according to an embodiment of the present application;
FIG. 9 is a schematic diagram of another structure of a computer device according to an embodiment of the present application.
Detailed Description
The embodiments of this application provide a user authentication method, a computer device and a computer storage medium for simplifying the user authentication process and reducing user operations.
Referring to FIG. 1, one embodiment of the user authentication method comprises:
101. Receiving an authentication request message and a key identifier sent by a target client, verifying the authentication request message, and establishing a connection with the target client when the message passes verification.
The method of this embodiment may be applied to a server, which may be the server side of a software-defined perimeter (SDP) product comprising an SDP controller and a proxy gateway. The software-defined perimeter is a security framework for managing access to resources that is built on the zero-trust concept.
Correspondingly, the SDP product also comprises a client; a user logs in and accesses the server from the client and uses the online service it provides, but must first pass the server's user authentication. When the target user enters on the target client an instruction to access the server's service, the target client sends an authentication request message and a key identifier to the server; the server verifies the message and establishes a connection with the target client when it passes.
102. Obtaining first target data according to the key identifier, and generating a first authentication credential based on the first target data.
The server generates the first authentication credential: it obtains first target data according to the key identifier and derives the first authentication credential from that data. The first authentication credential is used to verify that the target client's identity is legitimate.
103. Receiving a second authentication credential sent by the target client over the connection.
The target client also sends a second authentication credential, which the server receives over the connection established in the previous step; the second authentication credential is likewise used to verify the target client's identity.
104. Comparing the first authentication credential with the second authentication credential, and enabling the online service for the target client when the check passes.
Having generated the first authentication credential and received the second, the server compares them and, if they match, enables the online service so that the target client may access the server's service.
In this embodiment the server obtains the first target data from the key identifier sent by the target client and generates the first authentication credential from it, verifies the authentication request message, establishes a connection when verification passes, and when the second authentication credential arrives over that connection compares the two credentials and enables the online service if they match. Identity authentication therefore needs no user name or password from the user: the server authenticates automatically from the locally generated credential and the credential sent by the client, invisibly to the user, which reduces input, simplifies the flow and improves the user experience.
Based on the same inventive concept as the embodiment of FIG. 1, the application also proposes another embodiment. Referring to FIG. 2, another embodiment of the user authentication method comprises:
201. Sending an authentication request message and a key identifier to a server, where the authentication request message is what the server verifies and the key identifier is what the server uses to generate a first authentication credential.
The method of this embodiment applies to a target client, which may be the client of an SDP product, i.e. any SDP connection-initiating host. The target client sends the authentication request message for the server to verify, and the key identifier for the server to generate the first authentication credential.
202. Establishing a connection with the server when the authentication request message passes verification.
When the server verifies the authentication request message, it establishes a connection with the target client. The connection may be built on a reliable transport, for example a TCP connection, so that data transferred over it is not lost, or the probability of packet loss is at least reduced.
203. Obtaining a second authentication credential and sending it to the server over the connection, so that the server compares the first authentication credential with the second and enables the online service for the target client when the check passes.
The target client obtains a second authentication credential and sends it to the server over the connection established in the previous step; the server compares the first and second authentication credentials and, if they match, enables the online service so the target client may access the server's service.
In this embodiment the target client sends an authentication request message and a key identifier to the server; the server verifies the message and uses the key identifier to generate the first authentication credential; the target client then sends a second authentication credential over the connection, and the server compares the two and enables the online service if they match. The client therefore transmits its authentication credential automatically, with no user name or password typed by the user, and the server authenticates the user from the locally generated credential and the one the client sent.
The embodiments of FIGS. 1 and 2 are now described in more detail. Referring to FIG. 3, another embodiment of the user authentication method comprises:
301. The target client receives access setting information entered by the target user, comprising access address information, a target key and the key identifier of the target key.
A major function of an SDP product is to establish a trusted connection through SPA single packet authorization. An administrator of the SDP product provider therefore enables SPA on the server side and delivers the SPA knock key identifier and the SPA knock key to the target user through an out-of-band channel. In this embodiment the target key may thus be an SPA knock key and the key identifier an SPA knock key identifier, and the target user logs in to the client with them.
Because the SPA knock key is delivered out of band, the in-band channel (the channel carrying service data) never transmits the knock key or a hash of it, so an attacker cannot obtain the key by man-in-the-middle interception or rainbow-table cracking and cannot forge the authentication credential with the same algorithm and key; the security of the authentication credential is thereby improved. This holds only as long as the client keeps it that way: what goes in band is ciphertext produced under the key and keyed credential values derived from it, never the key itself.
When the target user needs to access a service provided by the server, the user enters the access setting information on the target client: the access address information together with the previously received target key and its key identifier (for example the SPA knock key and SPA knock key identifier). The target client then connects to the server the user wants to access according to that information.
For example, as shown in FIG. 4, the target client displays a login interface with an input box for each item of access setting information: the target user enters or selects the access address in the first box, the SPA knock key identifier in the second and the SPA knock key in the third; the target client then holds the access setting information and connects to the server corresponding to the access address.
302. The target client determines the server to be accessed from the access address information, and determines the user identifier bound to the key identifier of the target key.
In this embodiment, key identifiers and user identifiers are bound one to one, and the target client stores the binding. On receiving the key identifier entered by the user, the target client can therefore determine the bound user identifier, which the server will use to generate the first authentication credential and the target client to generate the second.
When building the authentication request message, the target client encrypts its device identifier and the user identifier with the target key under an encryption algorithm, and sends the result to the server given by the access address information entered by the target user. The algorithm may be one of the Chinese national commercial cryptography (SM) algorithms, such as SM1, SM2, SM3 or SM4, or an algorithm outside that family. Note that of those four only SM1 and SM4 are block ciphers that can encrypt the message under the shared knock key; SM3 is a hash function and SM2 an elliptic-curve public-key scheme, so they fit the hashing and signing roles rather than symmetric encryption of the request.
303. The target client sends the authentication request message and the key identifier to the server.
Having determined the server from the access address information entered by the user, the target client sends it the authentication request message and the key identifier so that the server can verify the message. The authentication request message may be an SPA single packet authorization request.
For example, the target client and the server may exchange this data over UDP, i.e. the authentication request message is sent to the server as a UDP datagram. UDP is not a reliable transport and the datagram may be lost, which is why a reliable connection is established in a later step.
304. The server verifies the authentication request message, and establishes a connection with the target client when it passes.
The server stores the key identifier of every key, so on receiving the key identifier from the target client it can look up the corresponding target key. Since the authentication request message was produced by encrypting the target client's device identifier and the target user's user identifier with the target key under the encryption algorithm, the server selects the matching decryption algorithm and decrypts the message with the target key to recover the device identifier and the user identifier.
The server then checks the validity of the authentication request message; the checks include, without limitation, replay checking, forgery checking, user identifier checking and device identifier checking, and this embodiment does not restrict how they are performed.
When establishing the connection with the target client, a TCP connection may be set up and a TLS (Transport Layer Security) encrypted tunnel established over it; the second authentication credential is then sent from the target client to the server inside that tunnel, so that an attacker cannot obtain the second authentication credential by man-in-the-middle interception or similar means, improving the security of credential transmission. This protection depends on the client authenticating the server's certificate when the tunnel is set up; a tunnel to an unauthenticated endpoint does not exclude an interposed party.
When the server has verified the authentication request message, the target client may display a prompt to that effect. As shown in FIG. 5, the target client's interface shows the text "SPA single packet authorization passed; performing password-free environment check", indicating that single packet authorization has passed and verification of the authentication credentials is under way.
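The SPA exchange of steps 302 to 304, as an added example in Go that is not part of the patent or of the assignee's products: the client seals its device and user identifiers under the out-of-band knock key with AES-256-GCM (a stand-in for the SM or other algorithm the description leaves open), sends the key identifier in clear beside the ciphertext, and the server selects the key by identifier, treats a failed authentication tag as a forgery, and then runs the freshness, replay, user and device checks the description lists. The payload layout, the 30 s freshness window, the nonce-based replay cache, and all names and identifiers are this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// ClientKnock is step 302: the client seals "unix_ts\x00device_id\x00user_id"
// with AES-256-GCM under the out-of-band SPA knock key and returns
// nonce||ciphertext||tag. The key identifier travels in clear beside it (the
// server needs it to select the key) and is bound as GCM additional data so the
// blob cannot be re-labelled. The payload layout is this example's own assumption.
func ClientKnock(keyID string, key []byte, deviceID, userID string, now time.Time) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	payload := fmt.Sprintf("%d\x00%s\x00%s", now.Unix(), deviceID, userID)
	return aead.Seal(nonce, nonce, []byte(payload), []byte(keyID)), nil
}

// Server holds key_id -> key, the user -> device bindings it accepts, a
// freshness window, and the nonces it has already accepted (replay cache).
type Server struct {
	Keys    map[string][]byte
	Allowed map[string]string
	MaxSkew time.Duration
	Seen    map[string]bool
}

// VerifyKnock is step 304: a failed GCM tag check is the forgery check, followed
// by the freshness, replay, user and device checks the description lists.
func (s *Server) VerifyKnock(keyID string, sealed []byte, now time.Time) (deviceID, userID string, err error) {
	key, ok := s.Keys[keyID]
	if !ok {
		return "", "", errors.New("unknown key identifier")
	}
	aead, err := newGCM(key)
	if err != nil {
		return "", "", err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns+aead.Overhead() {
		return "", "", errors.New("knock too short")
	}
	nonce, ct := sealed[:ns], sealed[ns:]
	plain, err := aead.Open(nil, nonce, ct, []byte(keyID))
	if err != nil {
		return "", "", errors.New("forgery check failed: bad tag or wrong key")
	}
	parts := strings.SplitN(string(plain), "\x00", 3)
	if len(parts) != 3 {
		return "", "", errors.New("malformed payload")
	}
	ts, err := strconv.ParseInt(parts[0], 10, 64)
	if err != nil {
		return "", "", err
	}
	if d := now.Sub(time.Unix(ts, 0)); d > s.MaxSkew || d < -s.MaxSkew {
		return "", "", errors.New("knock outside freshness window")
	}
	if s.Seen[string(nonce)] {
		return "", "", errors.New("replayed knock")
	}
	s.Seen[string(nonce)] = true // production code would expire entries once older than MaxSkew
	if s.Allowed[parts[2]] != parts[1] {
		return "", "", errors.New("user or device not permitted")
	}
	return parts[1], parts[2], nil
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte demo key
	srv := &Server{Keys: map[string][]byte{"kid-001": key}, Allowed: map[string]string{"alice": "dev-7f3a"},
		MaxSkew: 30 * time.Second, Seen: map[string]bool{}}
	knock, _ := ClientKnock("kid-001", key, "dev-7f3a", "alice", time.Now())
	_, user, err := srv.VerifyKnock("kid-001", knock, time.Now())
	fmt.Println("first knock:", user, err)
	_, _, err = srv.VerifyKnock("kid-001", knock, time.Now())
	fmt.Println("same packet again:", err)
}
```

The GCM nonce doubles as the replay token: GCM already demands a fresh nonce per message, so remembering accepted nonces for the length of the freshness window rejects a re-sent datagram without adding a field to the packet. Binding the clear-text key identifier as additional data means a captured knock cannot be presented under another key identifier, and the order of checks matters: the tag is verified before anything in the payload is parsed, so the freshness and replay logic only ever runs on data the key holder produced.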
305. The server obtains first target data according to the key identifier and generates a first authentication credential based on it.
After receiving the key identifier, the server obtains the first target data for generating the first authentication credential. Specifically, it determines the target key corresponding to the key identifier, obtains a first timestamp, and generates the first authentication credential from the target key, the first timestamp, and the device identifier and user identifier recovered by decrypting the authentication request message. The first authentication credential is used to verify that the target client's identity is legitimate.
The first timestamp may be the time at which the server generates the first authentication credential; for example, once the server holds the user identifier, device identifier and target key, it combines them with the current time to generate the credential.
In addition, the target client may generate a random number and send it to the server, and the server may include this random number along with the user identifier, device identifier, target key and first timestamp when generating the first authentication credential. This embodiment does not restrict the kinds of data used to generate the first authentication credential.
306. The target client obtains a second authentication credential and sends it to the server over the connection.
The target client may obtain the second authentication credential in several ways. One is to generate it from second target data comprising the target client's device identifier, the user identifier of the target user logged in at the target client, the target key and a second timestamp.
The second timestamp may be the time at which the target client generates the second authentication credential; for example, once the client holds the user identifier, device identifier and target key, it combines them with the current time to generate the credential.
The target client may also generate a random number and include it along with the user identifier, device identifier, target key and second timestamp when generating the second authentication credential. This embodiment does not restrict the kinds of data used to generate the second authentication credential.
Another way is for the second authentication credential to be generated by another client from the user identifier, that other client's device identifier, the key and a timestamp; the target user then downloads it from the other client and uploads it to the target client, or instructs the host running the other client to send it to the host running the target client. Note that, under the comparison rule of step 307, such a credential only verifies if the device identifier it was generated from matches the device identifier the target client placed in its authentication request message. This embodiment does not restrict how the target client obtains the second authentication credential.
In this embodiment the server may convert the first timestamp into a dynamic password with the TOTP algorithm and use that dynamic password to generate the first authentication credential; likewise the target client may convert the second timestamp into a dynamic password with TOTP and use it to generate the second authentication credential. TOTP (Time-based One-Time Password, RFC 6238) computes a one-time password from a pre-shared key and the current time divided into fixed steps. Two timestamps yield the same dynamic password when they fall into the same time step (with a preset step length of, say, 30 s, when floor(t1/30) equals floor(t2/30)). Note that this is a stronger condition than the two timestamps being less than 30 s apart: timestamps 2 s apart can straddle a step boundary and produce different passwords, which is why verifiers conventionally also accept the adjacent step. When the device identifier, user identifier, target key and dynamic password are all identical, the first authentication credential generated by the server and the second generated by the target client are identical.
In this embodiment, therefore, the server generates the first authentication credential from the device identifier, the user identifier, the target key and the first timestamp, for example by encrypting and hashing the device identifier, the user identifier and the dynamic password derived from the first timestamp with the target key under an encryption algorithm. The algorithm may be an SM algorithm or an algorithm outside that family.
Likewise the target client generates the second authentication credential from the device identifier, the user identifier, the target key and the second timestamp, by encrypting and hashing the device identifier, the user identifier and the dynamic password derived from the second timestamp with the target key under the same algorithm.
307. The server compares and verifies the first authentication credential against the second authentication credential, and enables the online service for the target client when verification passes;
In this embodiment, the server may compare and verify the first and second authentication credentials by determining whether the second authentication credential is the same as the first authentication credential. If they are the same, the server determines that the second authentication credential sent by the target client passes verification and allows the target client to access the service provided by the server; if they differ, the server determines that the second authentication credential sent by the target client does not pass verification and does not allow the target client to access the service provided by the server.
As mentioned above, the second authentication credential is generated from the second target data. The case in which the second authentication credential is identical to the first authentication credential is therefore the one in which the device identifier included in the second target data is the same as the device identifier of the target client, the user identifier included in the second target data is the same as the user identifier of the target user, the key included in the second target data is the same as the target key, and the time interval between the second timestamp included in the second target data and the first timestamp is shorter than the preset duration. That is, authentication credentials generated by the target client and by the server from the same device identifier, the same user identifier, the same key, and timestamps whose interval is shorter than the preset duration are identical.
Correspondingly, the second authentication credential differs from the first authentication credential when the device identifier included in the second target data differs from the device identifier of the target client, or the user identifier included in the second target data differs from the user identifier of the target user, or the key included in the second target data differs from the target key, or the time interval between the second timestamp included in the second target data and the first timestamp is greater than the preset duration. That is, as soon as the device identifier, the user identifier or the key used to generate the first authentication credential is inconsistent with the one used to generate the second authentication credential, or the interval between the timestamps is greater than the preset duration, the resulting first and second authentication credentials differ. The user identity of the client can therefore be authenticated from the authentication credentials alone, so whether the client's user identity is legitimate can be checked simply and quickly.
For example, when the user identity of the client is legitimate, the target client generates the second authentication credential from its own device identifier, the user identifier bound to the key identifier input by the user, the key input by the user, and the second timestamp. Meanwhile, the device identifier, the user identifier and the key identifier are also sent to the server, and the server generates the first authentication credential from the device identifier, the key corresponding to the user identifier and the key identifier (i.e. the key input by the user at the target client), and the first timestamp. Since the time interval between the first timestamp and the second timestamp is shorter than the preset duration (for example, 30 s), the second authentication credential generated by the target client is consistent with the first authentication credential generated by the server.
If the second authentication credential of the target client is stolen and an illegitimate user presents it from another client, that client also sends its own device identifier and the illegitimate user's user identifier to the server, so the server generates the first authentication credential from the device identifier of the other client and the user identifier of the illegitimate user rather than from the device identifier of the target client and the user identifier of the target user. The second authentication credential then obviously differs from the first authentication credential generated by the server; the server determines that verification fails and does not allow the illegitimate user to use its service.
In addition, even if the device identifier and the user identifier are the same, when the time interval between the timestamp used to generate the first authentication credential and the timestamp used to generate the second authentication credential is greater than the preset duration, the first authentication credential and the second authentication credential sent by the client will differ. The authentication credentials are therefore time-limited, and an illegitimate user is prevented from accessing the server with an expired authentication credential.
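The credential derivation and the comparison of step 307 described above, as an added Go example (written for this page; it is not code from the patent or from the applicant): a credential is derived from the device identifier, the user identifier, the target key and a timestamp, and the server recomputes its own credential and compares it with the one received. The patent leaves the concrete "encrypt and hash" construction open, so the example assumes RFC 6238 TOTP (HMAC-SHA1, six digits, 30 s window) for the dynamic password and HMAC-SHA256 keyed with the target key over the length-prefixed fields for the credential itself. All identifiers, keys and timestamps are constructed sample values. One caveat the example handles: a TOTP value changes at a fixed window boundary, not 30 s after the client's own timestamp, so two timestamps less than 30 s apart can land in adjacent windows; the server-side check therefore also accepts the immediately preceding window.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// Length of one TOTP window in seconds; the page's example preset duration is 30 s.
const totpStep int64 = 30

// totp computes an RFC 6238 time-based one-time password (HMAC-SHA1, six digits)
// from the pre-shared key and a Unix timestamp.
func totp(key []byte, unixTime int64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/totpStep))
	mac := hmac.New(sha1.New, key)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // dynamic truncation
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// credential derives an authentication credential from the device identifier,
// the user identifier, the target key and a timestamp. The page leaves the exact
// "encrypt and hash" construction open; this example (an assumption) uses
// HMAC-SHA256 keyed with the target key over the length-prefixed fields.
func credential(deviceID, userID string, key []byte, unixTime int64) string {
	mac := hmac.New(sha256.New, key)
	for _, field := range []string{deviceID, userID, totp(key, unixTime)} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(field)))
		mac.Write(n[:])
		mac.Write([]byte(field))
	}
	return hex.EncodeToString(mac.Sum(nil))
}

// verify is the server-side comparison of step 307: recompute the first
// credential from the server's own data and timestamp and compare it with the
// second credential received from the client, in constant time. Because a TOTP
// value changes at a fixed window boundary, two timestamps less than a window
// apart may still fall into adjacent windows; the previous window is accepted too.
func verify(deviceID, userID string, key []byte, serverTime int64, second string) bool {
	for _, t := range []int64{serverTime, serverTime - totpStep} {
		first := credential(deviceID, userID, key, t)
		if subtle.ConstantTimeCompare([]byte(first), []byte(second)) == 1 {
			return true
		}
	}
	return false
}

func main() {
	key := []byte("constructed-shared-key") // constructed sample, not a real key
	const clientTime int64 = 1_700_000_010  // constructed second timestamp
	second := credential("device-A", "user-1", key, clientTime)
	fmt.Println("same data, 12 s later:", verify("device-A", "user-1", key, clientTime+12, second))
	fmt.Println("stolen, other device: ", verify("device-B", "user-1", key, clientTime+12, second))
	fmt.Println("expired, 120 s later: ", verify("device-A", "user-1", key, clientTime+120, second))
}
```

The three calls in `main` correspond to the three cases discussed above: a legitimate client whose timestamp is within the preset duration, a stolen credential presented from a different device, and a credential presented after the preset duration has elapsed; only the first is accepted.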
In this embodiment, the server may check only the authentication credential, or may check the login environment of the target client as well. Specifically, the server compares and verifies the first authentication credential against the second authentication credential and verifies the environment information of the login environment of the target client. When the verification of the first and second authentication credentials passes and the verification of the environment information of the target client's login environment passes, the server enables the online service for the target client. When the verification of the first and second authentication credentials passes but the verification of the environment information of the login environment fails, the login environment of the client is not trusted and user identity authentication continues: the server returns first prompt information to the target client, which prompts the user of the target client to input account information for user identity authentication; the target client sends the user's account information to the server, the server authenticates the account information, and the online service is enabled for the target client when that authentication passes. When the verification of the first and second authentication credentials fails, the server returns second prompt information to the target client, which indicates that the verification of the second authentication credential failed and that the user cannot use the service of the server.
The verification of the login environment of the client may include, but is not limited to, verification of environment information of several login environments, such as the client's network information, terminal information and process information.
308. The target client logs out the account logged in by the target user on the target client according to the user's account logout operation, and clears the locally stored second authentication credential;
In this embodiment, the user may log out of the account that the target user has logged in on the target client, and the target client then logs out that account according to the user's account logout operation. At the same time, to ensure that the authentication credential is not leaked or stolen, the locally stored second authentication credential may be cleared; the authentication credential is regenerated the next time the user needs to log in to the server.
309. The target client sends corresponding account logout information to the server;
310. The server clears the first authentication credential corresponding to the account of the target user according to the account logout information;
The target client also sends account logout information to the server, which indicates that the target user has logged out of the account logged in on the target client, so that the server can determine that the target user's account has been logged out and clear the first authentication credential corresponding to that account, saving storage space.
311. The target client receives access setting information input by the target user again, and returns to step 302;
After the account of the target user has been logged out, when the target user wants to log in again, the target user inputs the access setting information, and the target client returns to step 302 and completes the user authentication process with the server from that step. That is, the target client sends the authentication request message and the key identifier to the server again; the server returns to step 304, continues to verify the authentication request message, performs the subsequent steps, and enables the online service for the target client when the authentication credential passes verification.
In this embodiment, the second authentication credential of the target client may be used once within its validity period or multiple times within its validity period. In the latter case, after the second authentication credential has been used for the first time and the connection between the target client and the server has been established, if that connection is later disconnected and the target user needs to access the service of the server, the target user can perform a login operation on the target client. For example, the login interface of the target client displays a one-click login button; the user clicks the button, and the target client sends the second authentication credential to the server (for example, in a UDP packet), so that the server again compares and verifies the first authentication credential against the second authentication credential and enables the online service for the target client when verification passes.
In this embodiment, each key identifier is bound to one user identifier ("one person, one code"), so that a stolen key identifier cannot be used illegitimately by another user: when the client finds that the key identifier input by a user has no binding relation with that user's user identifier, the user can be determined to be illegitimate. Of course, each user's user identifier may be bound to multiple key identifiers, with a different key identifier used at each login ("one login, one code"), or with each of the user's terminals using its own key identifier ("one terminal, one code"). This embodiment is not limited in this respect, as long as each key identifier corresponds to the user identifier of only one user.
In the related technical solutions, user authentication requires completing SPA (single packet authentication), a first authentication (such as account login with a user name and password) and MFA authentication (such as an SMS verification code), i.e. 3 rounds of authentication. Compared with those solutions, the present application only needs to complete SPA single packet authentication and MFA authentication for user authentication; no user name and password account login is needed, so only 2 rounds of authentication are performed, which greatly simplifies the user authentication flow, reduces user operations and improves the user experience.
The user authentication method in the embodiment of the present application has been described above; the computer device in the embodiment of the present application, applied to a server, is described below. Referring to fig. 6, an embodiment of the computer device according to an embodiment of the present application includes:
a receiving unit 601, configured to receive an authentication request message and a key identifier sent by a target client;
a verification unit 602, configured to verify the authentication request packet, and establish a connection with the target client when the authentication request packet passes the verification;
a generating unit 603, configured to obtain first target data according to the key identifier, and generate a first authentication credential based on the first target data;
the receiving unit 601 is further configured to receive a second authentication credential sent by the target client based on the connection;
and a verification unit 604, configured to perform a comparison verification on the first authentication credential and the second authentication credential, and enable online service for the target client when the verification passes.
In a preferred implementation manner of this embodiment, the authentication request message is obtained by encrypting, by the target client, a device identifier of the target client and a user identifier of a target user logged in to the target client according to an encryption algorithm;
The generating unit 603 is specifically configured to determine the target key corresponding to the key identifier and obtain a first timestamp; decrypt the authentication request message with the target key according to the decryption algorithm corresponding to the encryption algorithm of the authentication request message, to obtain the device identifier of the target client and the user identifier of the target user; and generate the first authentication credential based on the device identifier of the target client, the user identifier of the target user, the target key and the first timestamp.
In a preferred implementation of this embodiment, the verification unit 604 is specifically configured to determine whether the second authentication credential is the same as the first authentication credential; if they are the same, determine that the second authentication credential passes verification; if not, determine that the second authentication credential does not pass verification.
In a preferred implementation manner of this embodiment, the second authentication credential is generated according to second target data;
the case where the second authentication credential is the same as the first authentication credential includes:
the device identifier included in the second target data is the same as the device identifier of the target client, the user identifier included in the second target data is the same as the user identifier of the target user, the key included in the second target data is the same as the target key, and the time interval between the second timestamp included in the second target data and the first timestamp is shorter than a preset duration;
The second authentication credential being different from the first authentication credential includes:
the device identifier included in the second target data is different from the device identifier of the target client, or the user identifier included in the second target data is different from the user identifier of the target user, or the key included in the second target data is different from the target key, or the time interval between the second timestamp included in the second target data and the first timestamp is greater than a preset duration.
In a preferred implementation of this embodiment, the receiving unit 601 is further configured to receive an account logout message sent by the target client, where the account logout message indicates that the target user has logged out of the account logged in on the target client;
the computer device further comprises:
a clearing unit 605, configured to clear the first authentication credential corresponding to the account of the target user according to the account logout information;
the verification unit 602 is further configured to return to performing the step of verifying the authentication request packet when receiving the authentication request packet and the key identifier sent by the target client again.
In a preferred implementation of this embodiment, the verification unit 604 is specifically configured to compare and verify the first authentication credential against the second authentication credential, and to verify the environment information of the login environment of the target client; when the verification of the first and second authentication credentials passes and the verification of the environment information of the target client's login environment passes, enable the online service for the target client; when the verification of the first and second authentication credentials passes but the verification of the environment information of the login environment fails, return first prompt information to the target client, which prompts the user of the target client to input account information for user identity authentication; and when the verification of the first and second authentication credentials fails, return second prompt information to the target client, which indicates that the verification of the second authentication credential failed.
In a preferred implementation manner of this embodiment, after the connection with the target client is disconnected, the receiving unit 601 is further configured to receive the second authentication credential sent by the target client, and the verification unit 604 is further configured to perform a comparison verification on the first authentication credential and the second authentication credential, and enable an online service for the target client when the verification passes.
In this embodiment, the operations performed by the units in the computer device are similar to those described in the embodiments shown in fig. 1 and 3, and are not repeated here.
In this embodiment, the server may obtain the first target data according to the key identifier sent by the target client and generate the first authentication credential from the first target data, verify the authentication request packet sent by the target client, establish a connection with the target client when that verification passes, and, on receiving the second authentication credential sent by the target client over the connection, compare and verify the first authentication credential against the second authentication credential and enable the online service for the target client if verification passes. Therefore, when authenticating the user's identity, the server authenticates the user automatically from the locally generated authentication credential and the authentication credential sent by the client, without the user entering a user name, password or similar information; the process is imperceptible to the user, so user input is reduced, the user authentication flow is simplified, and the user experience is improved.
The following describes a computer device in an embodiment of the present application, where the computer device is applied to a target client. Referring to fig. 7, an embodiment of a computer device according to an embodiment of the present application includes:
a sending unit 701, configured to send an authentication request packet and a key identifier to a server, where the authentication request packet is used by the server to verify the authentication request packet, and the key identifier is used by the server to generate a first authentication credential;
a setting unit 702, configured to set up a connection with the server when the authentication request packet passes verification;
an acquisition unit 703 configured to acquire a second authentication credential;
the sending unit 701 is further configured to send the second authentication credential to the server based on the connection, so that the server performs comparison verification on the first authentication credential and the second authentication credential, and enables online service for the target client when the verification is passed.
In a preferred implementation manner of this embodiment, the obtaining unit 703 is specifically configured to receive access setting information input by a target user, where the access setting information includes access address information, a target key, and a key identifier of the target key; determining the server to be accessed according to the access address information, and determining user identifiers mutually bound with the key identifiers of the target keys; and obtaining a second timestamp, and generating the second authentication credential based on the device identification of the target client, the user identification, the target key and the second timestamp.
In a preferred implementation of this embodiment, the computer device further includes:
a logout unit 704, configured to log out the account logged in by the target user on the target client according to the user's account logout operation, and to clear the locally stored second authentication credential;
the sending unit 701 is further configured to send corresponding account logout information to the server, where the account logout information indicates that the target user has logged out of the account logged in on the target client;
the obtaining unit 703 is further configured to, when receiving the access setting information input by the target user again, return to performing the step of determining the server to be accessed according to the access address information, and determining a user identifier that is mutually bound to a key identifier of the target key.
In a preferred implementation of this embodiment, the sending unit 701 is specifically configured to encrypt the device identifier of the target client and the user identifier with the target key according to an encryption algorithm to obtain the authentication request packet, and to send the authentication request packet to the server.
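The authentication request packet exchange described for the generating unit 603 above and for the sending unit 701 here, as an added Go example (written for this page; it is not code from the patent or from the applicant): the client encrypts its device identifier and user identifier under the target key and sends the packet together with the key identifier, and the server looks the target key up by key identifier and decrypts the packet to recover the two identifiers. The page does not name the encryption algorithm, so the example assumes AES-256-GCM with the AES key derived as SHA-256 of the user-entered target key, and a length-prefixed encoding of the two identifiers; the key store, the key identifier and the identifiers are constructed sample values. Because GCM authenticates the ciphertext, a packet built under a different key, or modified in transit, is rejected before any identifier is used, which gives the server a concrete form for the verification of the authentication request packet in step 304.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// keyStore models the server's mapping from key identifier to target key
// (constructed sample data; a real deployment would keep this in a key store).
var keyStore = map[string][]byte{
	"kid-0001": []byte("constructed-target-key"),
}

// deriveAESKey turns the user-entered target key, which may have any length,
// into a 256-bit AES key. Assumption: SHA-256 of the key; the page specifies no derivation.
func deriveAESKey(targetKey []byte) []byte {
	sum := sha256.Sum256(targetKey)
	return sum[:]
}

// encodeIDs packs the device identifier and the user identifier with 16-bit
// length prefixes so that the two fields cannot be confused with each other.
func encodeIDs(deviceID, userID string) []byte {
	var out []byte
	for _, field := range []string{deviceID, userID} {
		var n [2]byte
		binary.BigEndian.PutUint16(n[:], uint16(len(field)))
		out = append(out, n[:]...)
		out = append(out, field...)
	}
	return out
}

// decodeIDs reverses encodeIDs and rejects truncated or trailing data.
func decodeIDs(b []byte) (string, string, error) {
	var fields []string
	for len(fields) < 2 {
		if len(b) < 2 || len(b)-2 < int(binary.BigEndian.Uint16(b[:2])) {
			return "", "", errors.New("malformed identifiers")
		}
		n := int(binary.BigEndian.Uint16(b[:2]))
		fields = append(fields, string(b[2:2+n]))
		b = b[2+n:]
	}
	if len(b) != 0 {
		return "", "", errors.New("trailing bytes after identifiers")
	}
	return fields[0], fields[1], nil
}

func newGCM(targetKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(deriveAESKey(targetKey))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// BuildRequest is the client side (sending unit 701): encrypt the device
// identifier and user identifier under the target key.
// Packet layout: nonce || ciphertext || GCM tag.
func BuildRequest(deviceID, userID string, targetKey []byte) ([]byte, error) {
	gcm, err := newGCM(targetKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, encodeIDs(deviceID, userID), nil), nil
}

// OpenRequest is the server side (generating unit 603): after the target key has
// been looked up by key identifier, decrypt the packet and recover the identifiers.
// GCM authenticates the ciphertext, so a packet built under a different key or
// modified in transit is rejected before any field is used.
func OpenRequest(packet, targetKey []byte) (string, string, error) {
	gcm, err := newGCM(targetKey)
	if err != nil {
		return "", "", err
	}
	if len(packet) < gcm.NonceSize()+gcm.Overhead() {
		return "", "", errors.New("authentication request packet too short")
	}
	nonce, sealed := packet[:gcm.NonceSize()], packet[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, sealed, nil)
	if err != nil {
		return "", "", fmt.Errorf("authentication request rejected: %w", err)
	}
	return decodeIDs(plain)
}

func main() {
	const kid = "kid-0001" // key identifier entered by the user (constructed)
	packet, err := BuildRequest("device-A", "user-1", keyStore[kid])
	if err != nil {
		panic(err)
	}
	// Server side: the key identifier received with the packet selects the key.
	fmt.Println(OpenRequest(packet, keyStore[kid]))
	fmt.Println(OpenRequest(packet, []byte("wrong-key")))
}
```

The second call in `main` shows what the server sees when the key identifier does not match the key the packet was built with: `gcm.Open` fails its tag check and no identifier is returned, so the connection of step 304 is never established.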
In a preferred implementation manner of this embodiment, after the connection with the server is disconnected, the sending unit 701 is further configured to receive a login operation input by the target user, and send the second authentication credential to the server according to the login operation, so that the server performs a comparison check on the first authentication credential and the second authentication credential, and enables online service for the target client when the check passes.
In this embodiment, the operations performed by the units in the computer device are similar to those described in the embodiments shown in fig. 2 and 3, and are not repeated here.
In this embodiment, the target client sends an authentication request message and a key identifier to the server; the server verifies the authentication request message and uses the key identifier to generate the first authentication credential, and the target client also sends the second authentication credential to the server over the connection with the server, so that the server compares and verifies the first authentication credential against the second authentication credential and enables the online service for the target client when verification passes. Therefore, when the user's identity is authenticated, the client transmits the authentication credential automatically without the user entering a user name, password or similar information, and the server authenticates the user automatically from the locally generated authentication credential and the authentication credential transmitted by the client.
In the following, a description will be given of a computer device in an embodiment of the present application, where the computer device is applied to a server, referring to fig. 8, and one embodiment of the computer device in an embodiment of the present application includes:
The computer device 800 may include one or more central processing units (CPU) 801 and a memory 805, with one or more application programs or data stored in the memory 805.
Wherein the memory 805 may be volatile storage or persistent storage. The program stored in the memory 805 may include one or more modules, each of which may include a series of instruction operations in a computer device. Still further, the central processor 801 may be arranged to communicate with a memory 805 to execute a series of instruction operations in the memory 805 on the computer device 800.
The computer device 800 may also include one or more power supplies 802, one or more wired or wireless network interfaces 803, one or more input/output interfaces 804, and/or one or more operating systems, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™, etc.
The central processor 801 may perform the operations performed by the computer device in the embodiments shown in fig. 1 and 3, and will not be described in detail herein.
In the following, a description will be given of a computer device in an embodiment of the present application, where the computer device is applied to a server, referring to fig. 9, and one embodiment of the computer device in an embodiment of the present application includes:
The computer device 900 may include one or more central processing units (CPU) 901 and a memory 905, with one or more applications or data stored in the memory 905.
Wherein the memory 905 may be volatile storage or persistent storage. The program stored in memory 905 may include one or more modules, each of which may include a series of instruction operations in a computer device. Still further, the central processor 901 may be arranged to communicate with the memory 905 to execute a series of instruction operations in the memory 905 on the computer device 900.
The computer device 900 may also include one or more power supplies 902, one or more wired or wireless network interfaces 903, one or more input/output interfaces 904, and/or one or more operating systems, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™, etc.
The central processor 901 may perform the operations performed by the computer device in the embodiments shown in fig. 2 and 3, and detailed descriptions thereof are omitted herein.
The embodiment of the application also provides a computer storage medium, wherein one embodiment comprises: the computer storage medium has stored therein instructions which, when executed on a computer, cause the computer to perform the operations performed by the computer device in the embodiments shown in fig. 1 and 3 described above.
The embodiment of the application also provides a computer storage medium, wherein one embodiment comprises: the computer storage medium has stored therein instructions which, when executed on a computer, cause the computer to perform the operations performed by the computer device in the embodiments shown in fig. 2 and 3 described above.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, which are not repeated herein.
In the several embodiments provided in the present application, it should be understood that the disclosed systems, devices, and methods may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application, in essence or in the part contributing to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium, including instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium capable of storing program code.

Claims (14)

1. A user authentication method, wherein the method is applied to a server, and the method comprises:
receiving an authentication request message and a key identifier sent by a target client, verifying the authentication request message, and establishing a connection with the target client when the authentication request message passes the verification;
acquiring first target data according to the key identifier, and generating a first authentication credential based on the first target data;
receiving a second authentication credential sent by the target client based on the connection;
and comparing and verifying the first authentication credential with the second authentication credential, and enabling online service for the target client when the verification is passed.
2. The method according to claim 1, wherein the authentication request message is obtained by the target client encrypting, according to an encryption algorithm, a device identifier of the target client and a user identifier of a target user logged in to the target client;
the acquiring the first target data according to the key identifier comprises:
determining a target key corresponding to the key identifier, and acquiring a first timestamp;
decrypting the authentication request message with the target key, according to a decryption algorithm corresponding to the encryption algorithm of the authentication request message, to obtain the device identifier of the target client and the user identifier of the target user;
the generating the first authentication credential based on the first target data comprises:
generating the first authentication credential based on the device identifier of the target client, the user identifier of the target user, the target key, and the first timestamp.
3. The method of claim 2, wherein the comparing and verifying the first authentication credential with the second authentication credential comprises:
judging whether the second authentication credential is identical to the first authentication credential;
if they are identical, determining that the second authentication credential passes verification;
if they are not identical, determining that the second authentication credential fails verification.
4. The method of claim 3, wherein the second authentication credential is generated from second target data;
the case in which the second authentication credential is identical to the first authentication credential comprises:
the device identifier included in the second target data is the same as the device identifier of the target client, the user identifier included in the second target data is the same as the user identifier of the target user, the key included in the second target data is the same as the target key, and the time interval between the second timestamp included in the second target data and the first timestamp is less than a preset duration;
the case in which the second authentication credential is different from the first authentication credential comprises:
the device identifier included in the second target data is different from the device identifier of the target client, or the user identifier included in the second target data is different from the user identifier of the target user, or the key included in the second target data is different from the target key, or the time interval between the second timestamp included in the second target data and the first timestamp is greater than the preset duration.
5. The method according to claim 1, wherein the method further comprises:
receiving an account logout message sent by the target client, wherein the account logout message indicates that the target user has logged out of the account logged in on the target client;
clearing the first authentication credential corresponding to the account of the target user according to the account logout message;
and when the authentication request message and the key identifier sent by the target client are received again, returning to the step of verifying the authentication request message.
6. The method of claim 1, wherein the comparing and verifying the first authentication credential with the second authentication credential comprises:
comparing and verifying the first authentication credential with the second authentication credential, and verifying environment information of the login environment of the target client;
when the verification of the first authentication credential against the second authentication credential passes and the verification of the environment information of the login environment of the target client passes, enabling online service for the target client;
when the verification of the first authentication credential against the second authentication credential passes but the verification of the environment information of the login environment of the target client fails, returning first prompt information to the target client, wherein the first prompt information prompts the user of the target client to input account information in order to perform user identity authentication;
and when the verification of the first authentication credential against the second authentication credential fails, returning second prompt information to the target client, wherein the second prompt information indicates that the verification of the second authentication credential has failed.
7. The method according to any one of claims 1 to 6, wherein after the connection with the target client is disconnected, the method further comprises:
receiving the second authentication credential sent by the target client, comparing and verifying the first authentication credential with the second authentication credential, and enabling online service for the target client when the verification is passed.
8. A user authentication method, wherein the method is applied to a target client, and the method comprises:
sending an authentication request message and a key identifier to a server, wherein the authentication request message is used by the server to verify the authentication request message, and the key identifier is used by the server to generate a first authentication credential;
establishing a connection with the server when the authentication request message passes the verification;
and acquiring a second authentication credential, and sending the second authentication credential to the server based on the connection, so that the server compares and verifies the first authentication credential with the second authentication credential, and enables online service for the target client when the verification is passed.
9. The method of claim 8, wherein the acquiring the second authentication credential comprises:
receiving access setting information input by a target user, wherein the access setting information comprises access address information, a target key, and a key identifier of the target key;
determining the server to be accessed according to the access address information, and determining the user identifier bound to the key identifier of the target key;
and acquiring a second timestamp, and generating the second authentication credential based on the device identifier of the target client, the user identifier, the target key, and the second timestamp.
10. The method according to claim 9, wherein the method further comprises:
logging out of the account that the target user has logged in to on the target client, according to an account logout operation of the user;
clearing the locally stored second authentication credential, and sending a corresponding account logout message to the server, wherein the account logout message indicates that the target user has logged out of the account logged in on the target client;
and when the access setting information input by the target user is received again, returning to the step of determining the server to be accessed according to the access address information and determining the user identifier bound to the key identifier of the target key.
11. The method of claim 8, wherein the sending the authentication request message to the server comprises:
encrypting the device identifier of the target client and the user identifier with the target key based on an encryption algorithm to obtain the authentication request message, and sending the authentication request message to the server.
12. The method according to any one of claims 8 to 11, wherein after the connection with the server is disconnected, the method further comprises:
receiving a login operation input by the target user, and sending the second authentication credential to the server according to the login operation, so that the server compares and verifies the first authentication credential with the second authentication credential, and enables online service for the target client when the verification is passed.
13. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the method of any one of claims 1 to 7 when executing the computer program; alternatively, the processor, when executing the computer program, implements the method of any of claims 8 to 12.
14. A computer storage medium having instructions stored therein, which when executed on a computer, cause the computer to perform the method of any of claims 1 to 7; or cause the computer to perform the method of any one of claims 8 to 12.
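The client/server exchange of claims 1 to 4 and 8 to 11, as an added example that is not part of the patent or the applicant's code: the HMAC-SHA256 counter-mode stream cipher stands in for the unspecified encryption algorithm, the credential layout (device identifier, user identifier, a MAC under the target key, timestamp), the key table, the PRESET_DURATION value and all identifiers are assumptions.

```python
import hashlib, hmac

PRESET_DURATION = 30  # seconds; the "preset duration" of claim 4 (value assumed)
KEYS = {"kid-1": b"constructed-shared-key-for-demo"}  # server: key identifier -> target key

def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode: a stand-in for the patent's unspecified cipher.
    out = b""
    for i in range((n + 31) // 32):
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def encrypt_request(key, nonce, device_id, user_id):
    # Client (claim 11): encrypt "device_id|user_id" with the target key, encrypt-then-MAC.
    pt = f"{device_id}|{user_id}".encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt_request(key, msg):
    # Server (claim 2): verify the request; None means no connection is established.
    nonce, ct, tag = msg[:16], msg[16:-32], msg[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    device_id, user_id = pt.decode().split("|", 1)
    return device_id, user_id

def make_credential(device_id, user_id, key, ts):
    # Credential over the four inputs of claims 2 and 9; the key enters only through a MAC.
    mac = hmac.new(key, f"{device_id}|{user_id}".encode(), hashlib.sha256).hexdigest()
    return {"device_id": device_id, "user_id": user_id, "mac": mac, "ts": ts}

def credentials_match(first, second):
    # Claim 4: same device, same user, same key, and timestamps within the preset duration.
    return (first["device_id"] == second["device_id"]
            and first["user_id"] == second["user_id"]
            and hmac.compare_digest(first["mac"], second["mac"])
            and abs(second["ts"] - first["ts"]) < PRESET_DURATION)

def server_handle(msg, key_id, second_credential, now):
    # Server side of claim 1: verify request, derive first credential, compare with the client's.
    key = KEYS.get(key_id)
    ids = decrypt_request(key, msg) if key else None
    if ids is None:
        return "request rejected"
    first = make_credential(ids[0], ids[1], key, now)  # first timestamp taken on the server
    return "online service enabled" if credentials_match(first, second_credential) else "credential check failed"
```

The server never receives the target key itself: the key identifier selects it from the server-side table, and the client's credential only proves possession of it through the MAC.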

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310793196.3A CN116707961A (en) 2023-06-29 2023-06-29 User authentication method, computer device, and computer storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310793196.3A CN116707961A (en) 2023-06-29 2023-06-29 User authentication method, computer device, and computer storage medium

Publications (1)

Publication Number Publication Date
CN116707961A true CN116707961A (en) 2023-09-05

Family

ID=87845038

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310793196.3A Pending CN116707961A (en) 2023-06-29 2023-06-29 User authentication method, computer device, and computer storage medium

Country Status (1)

Country Link
CN (1) CN116707961A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination