CN117336092A - Client login method and device, electronic equipment and storage medium - Google Patents
Client login method and device, electronic equipment and storage medium Download PDFInfo
- Publication number
- CN117336092A CN117336092A CN202311478566.0A CN202311478566A CN117336092A CN 117336092 A CN117336092 A CN 117336092A CN 202311478566 A CN202311478566 A CN 202311478566A CN 117336092 A CN117336092 A CN 117336092A
- Authority
- CN
- China
- Prior art keywords
- key
- signature
- user
- management center
- client
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 77
- 230000008569 process Effects 0.000 claims abstract description 30
- 238000012795 verification Methods 0.000 claims description 63
- 238000004590 computer program Methods 0.000 claims description 16
- 239000012634 fragment Substances 0.000 claims description 9
- 230000011218 segmentation Effects 0.000 claims description 7
- 230000003213 activating effect Effects 0.000 claims description 2
- 238000010586 diagram Methods 0.000 description 14
- 230000003993 interaction Effects 0.000 description 10
- 238000004891 communication Methods 0.000 description 9
- 238000012545 processing Methods 0.000 description 9
- 230000005540 biological transmission Effects 0.000 description 4
- 238000004519 manufacturing process Methods 0.000 description 3
- 230000003287 optical effect Effects 0.000 description 3
- 230000006399 behavior Effects 0.000 description 2
- 230000008901 benefit Effects 0.000 description 2
- 238000011161 development Methods 0.000 description 2
- 230000018109 developmental process Effects 0.000 description 2
- 239000000284 extract Substances 0.000 description 2
- 230000006870 function Effects 0.000 description 2
- 230000000977 initiatory effect Effects 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 238000003491 array Methods 0.000 description 1
- 238000013473 artificial intelligence Methods 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000001413 cellular effect Effects 0.000 description 1
- 235000014510 cooky Nutrition 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 238000013467 fragmentation Methods 0.000 description 1
- 238000006062 fragmentation reaction Methods 0.000 description 1
- 239000011521 glass Substances 0.000 description 1
- 239000004973 liquid crystal related substance Substances 0.000 description 1
- 238000010801 machine learning Methods 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 239000013307 optical fiber Substances 0.000 description 1
- 238000012797 qualification Methods 0.000 description 1
- 239000004065 semiconductor Substances 0.000 description 1
- 230000001953 sensory effect Effects 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
- 230000000007 visual effect Effects 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0815—Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
- H04L63/062—Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0884—Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/085—Secret sharing or secret splitting, e.g. threshold schemes
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3271—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
Abstract
The invention discloses a client login method, a client login device, electronic equipment and a storage medium, wherein the client login method comprises the following steps: when the client is logged in, the web terminal is logged in and authenticated through the key management, so that the security of the web terminal proxy logged in the client can be confirmed, and the security and reliability of signature information can be improved by combining the key management center to participate in the signature process. The first challenge value is signed based on the slicing key and the key management center to obtain a collaborative signature, and the collaborative signature is signed based on the slicing key, so that the collaborative signature can be checked based on the slicing key, after the signature checking is passed, the web side is indicated to pass the authentication of the key management center, so that the web side can proxy the client side to log in, the client side can log in based on the logged-in web side user information, the client side and the web side do not need to input a login password, the information leakage risk caused by user access is greatly reduced, and the user privacy is protected.
Description
Technical Field
The present invention relates to the field of identity authentication technologies, and in particular, to a client login method, a client login device, an electronic device, and a storage medium.
Background
In order to access a service system, a Browser is usually adopted by a Browser/Server (BS/Server) structure mode, and in this structure, a Browser is used to access an access interface of the service system, and a very small part of transaction logic is implemented at the front end (i.e. web end) of the Browser, and main transaction logic is implemented at the Server end.
However, the browser is used for local authentication through password or third party login, but the login state of the browser is managed by the management background of the browser, which is easy to cause the operation behavior of the user to be monitored by a browser manufacturer or other institutions, the user information is intercepted, the interception is easy to cause the leakage of security information such as login password and the storage of cookies, and potential safety hazards are brought to the login of a service system.
Disclosure of Invention
The invention provides a client login method for solving the problem of client login.
In a first aspect, the present invention provides a client login method, applied to a web end in a client login system, where the client login system further includes an authentication system and a key management center, the web end and the key management center interact with each other through the authentication system, and the client login method includes:
When detecting an operation of logging in a client by a user, acquiring a first challenge value from the key management center based on a user identification provided by the user;
invoking a slicing key locally stored in the web terminal according to key decryption information provided by a user, wherein the slicing key is an SM9 slicing key generated by a key management center according to the identity of the user;
signing the first challenge value based on the segmentation key and the key management center to obtain a cooperative signature;
sending the collaborative signature to the authentication system by the fragment key for signature verification;
after the signature verification passes, the client login is successful.
In a second aspect, the present invention provides a client login system, including a web terminal, an authentication system, and a key management center, where the web terminal interacts with the key management center via the authentication system, and the web terminal includes:
the challenge value acquisition module is used for acquiring a first challenge value from the key management center based on a user identifier provided by a user when detecting the operation of logging in the client by the user;
the system comprises a split key calling module, a web terminal and a server, wherein the split key calling module is used for calling a split key locally stored in the web terminal according to key decryption information provided by a user, and the split key is an SM9 split key generated by a key management center according to the identity of the user;
The signature module is used for signing the first challenge value based on the segmentation key and the key management center to obtain a collaborative signature;
the signature verification module is used for sending the fragment key and the collaborative signature to the authentication system for signature verification;
and the login module is used for successfully logging in the client after the verification sign passes.
In a third aspect, the present invention provides an electronic device, including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the client login method according to the first aspect of the present invention.
In a fourth aspect, the present invention provides a computer readable storage medium storing computer instructions for causing a processor to implement the client login method according to the first aspect of the present invention.
The client login method provided by the embodiment of the invention is applied to a web end in a client login system, wherein the client login system further comprises an authentication system and a key management center, a first challenge value is obtained from the key management center based on a user identification provided by a user, and the web end and the key management center interact through the authentication system; calling a slicing key locally stored at the web terminal according to the key decryption information of the user, wherein the slicing key is an SM9 slicing key generated by a key management center according to the identity of the user; signing the first challenge value based on the shard key and the cooperative key management center to obtain a cooperative signature; the segmentation key and the collaborative signature are sent to an authentication system for signature verification; after the verification is passed, the client login is successful.
When logging in the client, the first challenge value corresponding to the web terminal is generated through the key management center, so that the security is higher, and the web terminal extracts the slicing key locally stored by the web terminal according to the key decryption information provided by the user so as to subsequently use the slicing key to authenticate the web terminal. The first challenge value is signed based on the segmentation key and the key management center, and the security and reliability of signature information can be improved by combining the key management center to participate in the signing process. Because the collaborative signature is signed based on the slicing key, the web terminal can sign the collaborative signature on the authentication system terminal based on the slicing key, and after the signature is checked, the web terminal is proved to pass the authentication of the authentication system, so that the web terminal can proxy the client terminal to log in, the client terminal can log in based on the logged-in web terminal user information, and the login password is not required to be input into the client terminal and the web terminal.
In the login process of the client, on one hand, the authentication process of the web terminal is used for replacing the client login, user management and authentication are not required to be carried out on the client, and the development of a client system is reduced; on the other hand, when the web terminal is authenticated, the password authentication mode of the authentication system of the web terminal is stripped, the web terminal is authenticated by adopting a slicing key and through a key management center, which is equivalent to local authentication, and the login of the client terminal is also equivalent to local login, so that the risk of information leakage caused by user access is greatly reduced, and the privacy of the user is protected.
It should be understood that the description in this section is not intended to identify key or critical features of the embodiments of the invention or to delineate the scope of the invention. Other features of the present invention will become apparent from the description that follows.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flowchart of a client login method according to a first embodiment of the present invention;
fig. 2 is a schematic diagram of a client login system according to a first embodiment of the present invention;
fig. 3 is a schematic diagram of a process for generating an SM9 slicing key according to a first embodiment of the present invention;
FIG. 4 is a schematic diagram of a client authentication login process according to an embodiment of the present invention;
fig. 5 is a flowchart of a client login method according to a second embodiment of the present invention;
fig. 6 is a schematic diagram of a process of authenticating a web login to a client login according to a second embodiment of the present invention;
FIG. 7 is a schematic diagram of a web-end structure according to a third embodiment of the present invention;
fig. 8 is a schematic structural diagram of an electronic device according to a fourth embodiment of the present invention.
Detailed Description
In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
Example 1
Fig. 1 is a flowchart of a client login method according to an embodiment of the present invention, where the embodiment is applicable to a case where a client performs secure login, the method may be applied to a client login system, the client login system may be implemented in hardware and/or software, and the client login system may be configured in an electronic device.
Fig. 2 is a schematic diagram of a client login system, and as shown in fig. 2, the client login system of this embodiment includes a web terminal 10, an authentication system 11 of the web terminal 10, and a key management center 12, which are sequentially connected. Authentication system 11 is an IAM ((Identity and Access Management) authentication and access management) system. The web terminal 10 is a browser client, that is, a browser front end, and the browser in this embodiment is a national-security browser, which is a browser supporting the national-security SSL protocol and the encryption certificate, and the web terminal 10 performs information interaction with the key management center 12 through the authentication system 11, but it should be noted that, in the information interaction process between the web terminal 10 and the key management center 12, the information is transmitted in an encrypted manner, the authentication system 11 mainly plays a role in information transmission, the authentication system 11 cannot read the content of the information transmitted by the two, and in the following description, when the interaction process between the web terminal 10 and the key management center 12 is involved, for brevity, there may be a situation that the interaction between the web terminal 10 and the key management center 12 is directly described without referring to the authentication system 11, which is omitted.
The invention realizes information security management based on SM9 identification cryptographic algorithm, and the SM9 identification cryptographic algorithm is an asymmetric cryptographic algorithm and is mainly used for identity authentication of users. For example, in this embodiment, the web end may send the identity to the key management center, and the key generation center of the key management center uses the SM9 identity cryptography algorithm and the identity to generate a new shard key, and sends the new shard key to the web end. The shard key includes a public key and a private key, both of which are present in pairs. In the asymmetric algorithm, the data encrypted by the public key can be decrypted by the corresponding private key, and the private key is only known by the receiver (web end) so as to ensure the security of data transmission.
The generation element of the slicing key here includes: the method comprises the steps of web end, key management center and user identification, when any one of the identification and web end (such as web end of different equipment identification) changes, the obtained slicing keys are different, and the slicing keys have uniqueness.
As shown in fig. 1, the client login method includes:
s101, when detecting operation of logging in a client by a user, acquiring a first challenge value from a key management center based on a user identification provided by the user.
The client is a client of a business system, such as a client of a network disk, a client of a chat tool, and a client of a mailbox. The web end and the client end are both installed on a computer, for example, the web end and the client end can be installed on the same computer. The operation of the user logging in the client may be when the login interface of the client of the service system is opened or when the client icon of the computer desktop is double-clicked, the web side may consider that the operation of the user logging in the client is detected.
Optionally, obtaining the first challenge value from the key management center based on the user identification provided by the user includes: generating a login authentication request based on a user identification provided by a user; sending a login authentication request to an authentication system, requesting a first challenge value from a key management center and returning the first challenge value to a web end when the authentication system receives the login authentication request; a first challenge value returned by the authentication system is received. The authentication system may store the first challenge value upon receipt, such that the first challenge value is one of the elements of signing the collaborative signature during a subsequent signing process. The user identification may be a biometric feature of the user, such as an iris, fingerprint, face, etc. The user identification may also be identity information, such as an identity card, a phone number, etc., or may be an SM9 shard key. Depending on the identity-related information employed by the user in registering the web account.
In the prior art, identity authentication is usually performed by sending a user identifier to an authentication system of an application back end of a web end, after authentication is successful, i.e. the web end can successfully log in, for example, a fingerprint of a third party can correspond to the identity of the third party, and log in after matching is completed, but this easily causes information leakage.
In this step, when detecting an operation of a user to log in the client, the web terminal is not yet logged in.
The key management center returns a first challenge value after receiving a request to authenticate the system, the return of the first challenge value meaning that the web is to be verified. The key management center is equivalent to a password production and management center with a reliable carrier, and the information security can be improved by authenticating the web terminal through the key management center. The first challenge value is generated by the key management center, but not any machine-generated numerical value can be used as the challenge value, so that when the web terminal receives the first challenge value, the web terminal can also verify the information source of the first challenge value to judge whether the first challenge value is the first challenge value sent by the key management center, and particularly, the data interaction can be carried out in a fragmentation key encryption mode.
In addition, the first challenge value is a random challenge value, and may include a symbol, a number, a letter, and the like, that is, the first challenge value corresponding to the authentication request sent by the web terminal is different and random each time, so as to avoid that some data monitors acquire sending rules or specific data of the challenge value at the web terminal, and further, the fixed challenge value or the regular challenge value is adopted to influence information security.
The web side may be stored encrypted locally on the web side after receiving the first challenge value.
S102, calling a slicing key locally stored by the web terminal according to key decryption information provided by a user.
The split key is an SM9 split key generated by the key management center according to the identity of the user. Optionally, the generating process of the slicing key includes: acquiring biological characteristics and identity of a user; verifying biological characteristics; after verification, requesting a key from a key management center based on the identity, generating a component key by the key management center according to the identity, and sending the component key to the web terminal; the sharding key is received and stored locally in encryption at the web end.
In order to clearly illustrate the process of generating the SM9 split key, referring to fig. 3, fig. 3 is a schematic diagram illustrating the process of generating the SM9 split key, where, as shown in fig. 3, the web terminal initiates authentication, sends a Token obtaining request to the key management center through the authentication system, the key management center returns the Token to the authentication system, establishes a session, and then the authentication system verifies the identity of the user through biometric identification; after verification is successful, the authentication system returns authentication Ticket and Token to the web terminal. The web end selects the identity mark and token of the user to request to download the SM9 split key, after the identity mark and token are sent to the key management center, the key management center repeatedly eliminates the identity mark, performs token verification and the like, generates the split key after confirming that the request is a normal request, returns the SM9 split key, and is encrypted and stored by the web end, so that the SM9 split key downloading flow is ended.
After the web side obtains the target key, the interaction of the content related to the target key can be performed through the target key and the key management center, namely, the target key can be used as a key for information interaction between the key management center and the web side.
Since the sharding key is stored locally on the web side in an encrypted manner, it is necessary to decrypt the sharding key based on key decryption information provided by the user when the sharding key is to be invoked. Specifically, the key decryption information includes at least one of a decryption password and a biometric feature, and invoking a shard key locally stored on the web side according to the key decryption information provided by the user includes: obtaining key decryption information provided by a user; when the key decryption information is a personal identification code, acquiring a slicing key locally stored in the web terminal based on the personal identification code; when the key decryption information is biometric, a shard key matching the biometric is determined locally at the web end.
The personal identification code PIN (Personal Identification Number) is a digital code for authentication. It typically consists of 4 to 6 digits, which are used to prove the identity of a user and authorize him to access a protected computer system or application. Therefore, the identity of the current user can be verified through the personal identification code, and when the verification passes, the corresponding slicing key of the user can be called.
The slicing key is called through the key decryption information provided by the user, and the slicing key corresponding to the user (identity) can be called on the premise of determining the identity of the user, but not the slicing key can be called by any other user.
In an alternative embodiment, the biometric feature is a fingerprint, and the obtaining of the key decryption information provided by the user comprises: the fingerprint acquisition device is activated by the authentication system to acquire the user's fingerprint as key decryption information for the user. For example, the fingerprint may be a user mouse that captures a user fingerprint when the mouse fingerprint capture driver is activated.
S103, signing the first challenge value based on the slicing key collaborative key management center to obtain a collaborative signature.
The sharded key is a "key" when the web end performs information secret interaction with the key management center, so that the challenge value can be signed based on the sharded key, so that the authentication center can authenticate the web end. The key management center is provided with a complete key hardware carrier, and the key management center is adopted to participate in the signing process, so that the reliability and the safety of the signing information can be improved.
The key management center is provided with a complete key hardware carrier, and has a safer and more reliable environment compared with the web end, so that the embodiment sets two signatures, one signature is completed locally on the web end and is generally sent to the key management center for completion, and the reliability and the safety of signature information are improved by adopting a slicing signature mode.
And S104, sending the fragment key and the collaborative signature to the authentication system for signature verification.
Because the collaborative signature is signed by the slicing key, the collaborative signature can be checked by the slicing key.
The split key includes a public key and a private key existing in pairs, and in general, the private key in the split key is used for signature operation during signature, and the public key in the split key is used for signature verification during signature verification, so as to ensure correctness and security.
The method is characterized in that the slicing key and the collaborative signature are in ciphertext form, the slicing key and the collaborative signature are sent to the authentication system for signature verification, the password authentication mode of the authentication system of the web end is stripped, the authentication system is not required to be adopted for carrying out user authentication on plaintext such as user identification, and therefore plaintext leakage related to user identity can be avoided, and information security is improved.
Optionally, sending a collaborative signature and a sharding key to the authentication system, the collaborative signature including the second challenge value and the challenge value signature; the authentication system verifies whether the second challenge value is correct based on the first challenge value, and decrypts and verifies the challenge value signature based on the fragment key verification; when the second challenge value is correct and the challenge value signature passes the decryption verification, the verification of the signature by the signature is determined to pass.
Because the web terminal and the key management center interact through the authentication system, the authentication system can acquire and store the first challenge value returned by the key management center, and the first challenge value can be called for verification during signature verification.
S105, after the signature verification passes, the client login is successful.
If the verification sign passes, the verification sign indicates that the authentication of the web terminal is successful, namely the web terminal has the qualification of proxy client login, so that the client login is successful.
It should be noted that, the identity corresponding to the client space to be logged in and the identity corresponding to the user identifier used when logging in the web end must be identical, and the identity includes at least one unique identifier such as an identity card and a phone number. For example, assuming that the user A, B registers the account numbers of the web end and the client end respectively with their own identities (at least one unique identity such as an identity card and a telephone number), when the client end is to be logged in by the web end, after the web end is logged in with the identity of the user a and after the web end is authenticated and logged in, the logged-in web end can only proxy the client space corresponding to the identity of the user a, after the web end is logged in with the identity of the user B and after the web end is authenticated and logged in, the logged-in web end can only proxy the client space corresponding to the identity of the user B.
To fully illustrate the benefits of this embodiment, we now describe the prior art in which a BS (Browser/Server) architecture mode is typically used to access a service system, i.e. a Browser/Server architecture mode, under which a Browser is used to access an access interface of the service system, and very few transaction logic is implemented at the front end (i.e. the web end) of the Browser, and the main transaction logic is implemented at the Server end, but this is essentially managed by the management background of the Browser to log in (state, which easily results in the user's operation behavior being monitored by the Browser vendor or other mechanism, user information being trapped, and risk of information leakage is high.
CS (Client/Server), i.e. Client-Server architecture. CS is a software system architecture, which can fully utilize the advantages of hardware environments at two ends, reasonably distribute tasks to the two ends of clients and servers, and reduce the communication overhead of the system.
Requirements of CS and BS on hardware environment: the BS requires an operating system and a browser, is irrelevant to an operating system platform, is generally oriented to a relatively fixed user group, can carry out multi-level verification on the authority, provides a safer access mode, and has strong control capability on information security.
Fig. 4 is a schematic diagram of a client authentication login process system, as shown in fig. 4, in the client authentication login process system of this embodiment, a client 13 is set, the BS mode is changed to the CS mode, the mode of logging in the web terminal 10 through password authentication of the authentication system 11 (at the back end of the browser) is changed, in the identity authentication process (i.e. the process from obtaining the first challenge value to signing) of the web terminal 10, the authentication system 11 is used as an information transmission port, no substantial data processing is required, so that the method is represented by a dashed box, directly uses the key management center 12 to realize identity authentication, and finally uses the authentication system 11 to perform information authentication, thereby realizing the login authentication of the web terminal 10 and simultaneously realizing the login of the client 13. The authentication system 11 does not need to perform substantial data processing even during the login of the client 13, and is therefore indicated by a dashed box.
The client login method provided by the embodiment of the invention confirms the security of the web proxy login client by starting mutual authentication between the web and the key management center when the client is logged in, specifically, the web acquires a first challenge value from the key management center according to the user identification, and extracts a slicing key locally stored in the web according to the key decryption information provided by the user so as to subsequently authenticate the web by using the slicing key. The first challenge value is signed based on the segmentation key and the key management center, and the security and reliability of signature information can be improved by combining the key management center to participate in the signing process. Because the collaborative signature is signed based on the slicing key, the web terminal can check the collaborative signature based on the slicing key, and after the collaborative signature passes, the web terminal is proved to pass the authentication of the authentication system, so that the web terminal can proxy the client terminal to log in, the client terminal can log in according to the user information of the web terminal, and the login password is not required to be input in the client terminal.
In the login process of the client, on one hand, the web authentication process is used for replacing the client login, user management and authentication are not required to be carried out on the client, and the development of a client system is reduced; on the other hand, when the web terminal is authenticated, the password authentication mode of the authentication system of the web terminal is stripped, the web terminal is authenticated by adopting a slicing key and through a key management center, which is equivalent to local authentication, and the login of the client terminal is also equivalent to local login, so that the risk of information leakage caused by user access is greatly reduced, and the privacy of the user is protected.
Example two
Fig. 5 is a flowchart of a client login method according to a second embodiment of the present invention, where the client login method according to the first embodiment of the present invention is optimized based on the first embodiment, as shown in fig. 5, and includes:
s501, when detecting the operation of logging in the client by the user, acquiring a first challenge value from the key management center based on the user identification provided by the user.
S502, calling a slicing key locally stored by the web terminal according to key decryption information provided by a user.
The split key is an SM9 split key generated by the key management center according to the identity of the user.
S501 to S502 are similar to S101 to S102 in the first embodiment, and specific reference is made to the description of S101 to S102, which is not described herein.
S503, performing key verification locally on the web side based on the slicing key.
And S504, after the verification is passed, signing the first challenge value to obtain a local signature.
The local signature is a signature obtained by locally signing the first challenge value at the web end by adopting the slicing key.
And S505, sending the slicing key and the local signature to a key management center for signature to obtain a collaborative signature.
The collaborative signature is a signature obtained by adopting a slicing key to perform secondary signature on the local signature in a key management center.
The key management center is equivalent to a password production and management center with a reliable carrier, and the information security can be improved by authenticating the web terminal through the key management center. Compared with the web end, the method has a safer and more reliable environment, so that the signature is divided into two steps to be completed, the local signature is completed on the web end, then the local signature and the slicing keys are sent to the key management center to complete collaborative signature, the key management center with high safety is combined, and the reliability and the safety of signature information are improved by adopting the slicing signature mode.
In the process of the fragment signature, the authentication system is only used as a data transmission end and does not participate in the substantial data processing process.
And S506, sending the collaborative signature and the slicing key to an authentication system, wherein the collaborative signature comprises a second challenge value and a challenge value signature.
S507, the authentication system verifies whether the second challenge value is correct based on the first challenge value, and decrypts and verifies the challenge value signature based on the fragment key verification.
Because the web terminal and the key management center interact through the authentication system, the authentication system can acquire and store the first challenge value returned by the key management center, and the first challenge value can be called for verification during signature verification.
And S508, when the second challenge value is correct and the challenge value signature passes the decryption verification, determining that the verification signature passes.
The process of verifying the signature is typically performed at the authentication system end.
S509, after the signature verification passes, the client login is successful.
The split key includes a public key and a private key existing in pairs, and in general, the private key in the split key is used for signature operation during signature, and the public key in the split key is used for signature verification during signature verification, so as to ensure correctness and security. The private key can be called under the operation of the user, so that the login authentication operation sent by the user can be determined when the verification passes.
After the signature passes, a signature result is usually returned to the client of the service system, wherein the signature result can comprise a token or a code with a user identifier, and the client can acquire user information related to the user identifier from the authentication system based on the token or the code.
To clearly describe the overall process of web-side login authentication to client-side login, a description will now be given in connection with fig. 6. Fig. 6 is a schematic diagram of a process of authenticating a web login to a client login, as shown in fig. 6, mainly including the following steps:
1. initiating a login request to a web end by a client;
the web terminal initiates a login authentication request based on the user identification;
3. the authentication system acquires a challenge value from the key management center;
4. the key management center returns a challenge value to the web terminal;
triggering the local authentication of the authentication system by the web terminal;
6. the authentication system activates the drive (drive of the fingerprint acquisition device).
The web terminal obtains the fingerprint of the user;
8. a local slicing key signature is adopted to obtain a local signature;
specifically, after a local slicing key is called through a user fingerprint, a challenge value is signed.
9. Initiating a signature to a key management center;
the method specifically refers to the steps of adopting a local signature and a slicing key to initiate a signature to a key management center so as to obtain a collaborative signature.
10. The key management center returns a collaborative signature;
the web end initiates a signature verification.
12. The authentication system performs signature verification (signature verification is successful);
specifically, the collaborative signature is checked, and the example assumes that the check is successful.
The web end login is successful;
14. the client login is successful.
In this embodiment, the key management center is equivalent to a password production and management center with a reliable carrier, and the information security can be improved by authenticating the web terminal through the key management center. Compared with the web end, the method has a safer and more reliable environment, so that the embodiment sets two signatures, one is completed locally at the web end and the other is transmitted to the key management center for completion, the signature finally returned by the key management center is taken as an authentication basis, and the reliability and the safety of signature information are improved by adopting a slicing signature mode. During signature verification, public keys in the slicing keys are adopted to carry out signature verification so as to ensure correctness and safety. The private key can be called only under the operation of the user, so that the login authentication operation sent by the user can be determined when the verification passes, and the whole verification process also ensures the information security.
Example III
Fig. 2 is a schematic structural diagram of a client login system according to a third embodiment of the present invention. As shown in fig. 2, the client login system includes:
including a web-side 10, an authentication system 11 and a key management center 12. The web-side 10 interacts with a key management center 12 via an authentication system 11.
Fig. 7 is a schematic diagram of a web end structure provided by an embodiment of the present invention, as shown in fig. 7, where the web end includes:
a challenge value obtaining module 701, configured to obtain, when detecting an operation of a user logging into a client, a first challenge value from the key management center based on a user identifier provided by the user;
the slicing key invoking module 702 is configured to invoke a slicing key locally stored in the web terminal according to key decryption information provided by a user, where the slicing key is an SM9 slicing key generated by a key management center according to an identity of the user;
a signature module 703, configured to sign the first challenge value based on the shard key in cooperation with the key management center, to obtain a cooperative signature;
the signature verification module 704 is configured to send the fragment key and the collaborative signature to the authentication system for signature verification;
and the login module 705 is configured to successfully log in the client after the verification passes.
In an alternative embodiment, the challenge value obtaining module 701 includes:
a login authentication request generation sub-module for generating a login authentication request based on a user identification provided by a user;
a first challenge value request submodule, configured to send the login authentication request to the authentication system, where the authentication system requests a first challenge value from the key management center and returns the first challenge value to the web end when receiving the login authentication request;
and the first challenge value receiving sub-module is used for receiving the first challenge value returned by the authentication system.
In an alternative embodiment, the generation process of the slicing key includes:
the web terminal acquires the biological characteristics and the identity of the user;
the web terminal verifies the biological characteristics through the authentication system;
after verification is passed, the web terminal requests a key from the key management center based on the identity, and the key management center generates a component key according to the identity and sends the component key to the web terminal;
and the web terminal receives the slicing key and locally encrypts and stores the slicing key in the web terminal.
In an alternative embodiment, the key decryption information includes at least one of a personal identification code and a biometric feature, and the fragmented key invoking module 702 includes:
The key decryption information acquisition sub-module is used for acquiring key decryption information provided by a user;
the first slicing key invoking submodule is used for acquiring the slicing key locally stored in the web terminal based on the personal identification code when the key decryption information is the personal identification code;
and the second segment key invoking submodule is used for locally determining the segment key matched with the biological characteristics at the web end when the key decryption information is the biological characteristics.
In an alternative embodiment, the biometric feature is a fingerprint, and the key decryption information acquisition sub-module includes:
and the fingerprint acquisition unit is used for activating the driving of the fingerprint acquisition device through the authentication system so as to acquire the fingerprint of the user and serve as key decryption information of the user.
In an alternative embodiment, the signature module 703 includes:
the local verification sub-module is used for carrying out key verification on the web terminal locally based on the slicing key;
the local signature sub-module is used for signing the first challenge value after verification is passed, so as to obtain a local signature;
and the collaborative signature sub-module is used for sending the slicing key and the local signature to the key management center for signature to obtain collaborative signature.
In an alternative embodiment, the signature verification module 704 includes:
a signature combining sub-module for transmitting the collaborative signature and the shard key to the authentication system, the collaborative signature including a second challenge value and a challenge value signature;
the authentication system verifies whether the second challenge value is correct based on the first challenge value and decrypts the challenge value signature based on the shard key verification; when the second challenge value is correct and the challenge value signature is verified by decryption, determining that the signature is verified by signature.
The client login system provided by the embodiment of the invention can execute the client login method provided by any embodiment of the invention, and has the corresponding functional modules and beneficial effects of the execution method.
Example IV
Fig. 8 shows a schematic diagram of an electronic device 40 that may be used to implement an embodiment of the invention. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. Electronic equipment may also represent various forms of mobile devices, such as personal digital processing, cellular telephones, smartphones, wearable devices (e.g., helmets, glasses, watches, etc.), and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the inventions described and/or claimed herein.
As shown in fig. 8, the electronic device 40 includes at least one processor 41, and a memory communicatively connected to the at least one processor 41, such as a Read Only Memory (ROM) 42, a Random Access Memory (RAM) 43, etc., in which the memory stores a computer program executable by the at least one processor, and the processor 41 may perform various suitable actions and processes according to the computer program stored in the Read Only Memory (ROM) 42 or the computer program loaded from the storage unit 48 into the Random Access Memory (RAM) 43. In the RAM 43, various programs and data required for the operation of the electronic device 40 may also be stored. The processor 41, the ROM 42 and the RAM 43 are connected to each other via a bus 44. An input/output (I/O) interface 45 is also connected to bus 44.
Various components in electronic device 40 are connected to I/O interface 45, including: an input unit 46 such as a keyboard, a mouse, etc.; an output unit 47 such as various types of displays, speakers, and the like; a storage unit 48 such as a magnetic disk, an optical disk, or the like; and a communication unit 49 such as a network card, modem, wireless communication transceiver, etc. The communication unit 49 allows the electronic device 40 to exchange information/data with other devices via a computer network, such as the internet, and/or various telecommunication networks.
The processor 41 may be various general and/or special purpose processing components with processing and computing capabilities. Some examples of processor 41 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various processors running machine learning model algorithms, digital Signal Processors (DSPs), and any suitable processor, controller, microcontroller, etc. The processor 41 performs the various methods and processes described above, such as the client login method.
In some embodiments, the client login method may be implemented as a computer program tangibly embodied on a computer-readable storage medium, such as the storage unit 48. In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device 40 via the ROM 42 and/or the communication unit 49. When the computer program is loaded into RAM 43 and executed by processor 41, one or more steps of the client login method described above may be performed. Alternatively, in other embodiments, the processor 41 may be configured to perform the client login method in any other suitable way (e.g., by means of firmware).
Various implementations of the systems and techniques described here above can be implemented in digital electronic circuitry, integrated circuit systems, field Programmable Gate Arrays (FPGAs), application Specific Integrated Circuits (ASICs), application Specific Standard Products (ASSPs), systems On Chip (SOCs), complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include: implemented in one or more computer programs, the one or more computer programs may be executed and/or interpreted on a programmable system including at least one programmable processor, which may be a special purpose or general-purpose programmable processor, that may receive data and instructions from, and transmit data and instructions to, a storage system, at least one input device, and at least one output device.
A computer program for carrying out methods of the present invention may be written in any combination of one or more programming languages. These computer programs may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the computer programs, when executed by the processor, cause the functions/acts specified in the flowchart and/or block diagram block or blocks to be implemented. The computer program may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of the present invention, a computer-readable storage medium may be a tangible medium that can contain, or store a computer program for use by or in connection with an instruction execution system, apparatus, or device. The computer readable storage medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. Alternatively, the computer readable storage medium may be a machine readable signal medium. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on an electronic device having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) through which a user can provide input to the electronic device. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic input, speech input, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a background component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such background, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: local Area Networks (LANs), wide Area Networks (WANs), blockchain networks, and the internet.
The computing system may include clients and servers. The client and server are typically remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server can be a cloud server, also called a cloud computing server or a cloud host, and is a host product in a cloud computing service system, so that the defects of high management difficulty and weak service expansibility in the traditional physical hosts and VPS service are overcome.
It should be appreciated that various forms of the flows shown above may be used to reorder, add, or delete steps. For example, the steps described in the present invention may be performed in parallel, sequentially, or in a different order, so long as the desired results of the technical solution of the present invention are achieved, and the present invention is not limited herein.
The above embodiments do not limit the scope of the present invention. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives are possible, depending on design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention should be included in the scope of the present invention.
Claims (10)
1. The client login method is characterized by being applied to a web end in a client login system, wherein the client login system further comprises an authentication system and a key management center, the web end and the key management center interact through the authentication system, and the client login method comprises the following steps:
when detecting an operation of logging in a client by a user, acquiring a first challenge value from the key management center based on a user identification provided by the user;
Invoking a slicing key locally stored in the web terminal according to key decryption information provided by a user, wherein the slicing key is an SM9 slicing key generated by a key management center according to the identity of the user;
signing the first challenge value based on the segmentation key and the key management center to obtain a cooperative signature;
sending the fragment key and the collaborative signature to the authentication system for signature verification;
after the signature verification passes, the client login is successful.
2. The client login method of claim 1, wherein the obtaining a first challenge value from the key management center based on a user identification provided by a user comprises:
generating a login authentication request based on a user identification provided by a user;
sending the login authentication request to the authentication system, wherein the authentication system requests a first challenge value from the key management center and returns to the web terminal when receiving the login authentication request;
and receiving the first challenge value returned by the authentication system.
3. The client login method as set forth in claim 1, wherein the generation process of the shard key includes:
acquiring biological characteristics and identity of a user;
Verifying the biological characteristics;
after verification is passed, a key is requested to the key management center based on the identity, and the key management center generates a component key according to the identity and sends the component key to the web terminal;
and receiving the slicing key and locally encrypting and storing the slicing key at the web side.
4. The client login method of claim 1, wherein the key decryption information includes at least one of a personal identification code and a biometric feature, and the invoking the locally stored shard key of the web terminal according to the key decryption information provided by the user comprises:
obtaining key decryption information provided by a user;
when the key decryption information is a personal identification code, acquiring a slicing key locally stored by the web terminal based on the personal identification code;
and when the key decryption information is biological characteristics, determining the slicing key matched with the biological characteristics locally at the web end.
5. The method of claim 4, wherein the biometric feature is a fingerprint, and the obtaining key decryption information provided by the user comprises:
and activating a drive of the fingerprint acquisition device through the authentication system to acquire the fingerprint of the user as key decryption information of the user.
6. The client login method according to any one of claims 1 to 5, wherein signing the first challenge value based on the shard key in cooperation with the key management center, to obtain a cooperative signature, includes:
performing key verification locally on the web side based on the slicing key;
after the verification is passed, signing the first challenge value to obtain a local signature;
and sending the slicing key and the local signature to the key management center for signature to obtain a collaborative signature.
7. The client login method according to any one of claims 1 to 5, wherein said sending the collaborative signature by the shard key to the authentication system for verification includes:
transmitting the collaborative signature and the shard key to the authentication system, the collaborative signature including a second challenge value and a challenge value signature;
the authentication system verifies whether the second challenge value is correct based on the first challenge value and decrypts the challenge value signature based on the shard key verification;
and when the second challenge value is correct and the challenge value signature passes decryption verification, determining that the verification signature passes.
8. A client login system comprising a web side, an authentication system, and a key management center, the web side interacting with the key management center via the authentication system, the web side comprising:
the challenge value acquisition module is used for acquiring a first challenge value from the key management center based on a user identifier provided by a user when detecting the operation of logging in the client by the user;
the system comprises a split key calling module, a web terminal and a server, wherein the split key calling module is used for calling a split key locally stored in the web terminal according to key decryption information provided by a user, and the split key is an SM9 split key generated by a key management center according to the identity of the user;
the signature module is used for signing the first challenge value based on the segmentation key and the key management center to obtain a collaborative signature;
the signature verification module is used for sending the fragment key and the collaborative signature to the authentication system for signature verification;
and the login module is used for successfully logging in the client after the verification sign passes.
9. An electronic device, the electronic device comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
The memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the client login method of any one of claims 1-7.
10. A computer readable storage medium storing computer instructions for causing a processor to perform the client login method of any one of claims 1-7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311478566.0A CN117336092A (en) | 2023-11-07 | 2023-11-07 | Client login method and device, electronic equipment and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311478566.0A CN117336092A (en) | 2023-11-07 | 2023-11-07 | Client login method and device, electronic equipment and storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN117336092A true CN117336092A (en) | 2024-01-02 |
Family
ID=89290476
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202311478566.0A Pending CN117336092A (en) | 2023-11-07 | 2023-11-07 | Client login method and device, electronic equipment and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117336092A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117749393A (en) * | 2024-02-07 | 2024-03-22 | 江苏意源科技有限公司 | SSLVPN user identity verification method and system based on collaborative signature |
-
2023
- 2023-11-07 CN CN202311478566.0A patent/CN117336092A/en active Pending
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117749393A (en) * | 2024-02-07 | 2024-03-22 | 江苏意源科技有限公司 | SSLVPN user identity verification method and system based on collaborative signature |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11711219B1 (en) | PKI-based user authentication for web services using blockchain | |
| WO2022206349A1 (en) | Information verification method, related apparatus, device, and storage medium | |
| CN108092776B (en) | System based on identity authentication server and identity authentication token | |
| EP3175578B1 (en) | System and method for establishing trust using secure transmission protocols | |
| US9838205B2 (en) | Network authentication method for secure electronic transactions | |
| US9231925B1 (en) | Network authentication method for secure electronic transactions | |
| US8112787B2 (en) | System and method for securing a credential via user and server verification | |
| EP3208732A1 (en) | Method and system for authentication | |
| KR101486782B1 (en) | One-time password authentication with infinite nested hash chains | |
| US20210399895A1 (en) | Systems and Methods for Single-Step Out-of-Band Authentication | |
| WO2019079356A1 (en) | Authentication token with client key | |
| CN108322416B (en) | Security authentication implementation method, device and system | |
| US20200196143A1 (en) | Public key-based service authentication method and system | |
| US20210241270A1 (en) | System and method of blockchain transaction verification | |
| CN109272314B (en) | Secure communication method and system based on two-party collaborative signature calculation | |
| WO2010128451A2 (en) | Methods of robust multi-factor authentication and authorization and systems thereof | |
| CN117336092A (en) | Client login method and device, electronic equipment and storage medium | |
| CN110866754A (en) | Pure software DPVA (distributed data authentication and privacy infrastructure) identity authentication method based on dynamic password | |
| CN114139176A (en) | Industrial internet core data protection method and system based on state secret | |
| CN114070568A (en) | Data processing method and device, electronic equipment and storage medium | |
| TW201328280A (en) | Instant communication identity authentication system and method | |
| CN115473655B (en) | Terminal authentication method, device and storage medium for access network | |
| WO2019184206A1 (en) | Identity authentication method and apparatus | |
| KR101879842B1 (en) | User authentication method and system using one time password | |
| CN113704723B (en) | Block chain-based digital identity verification method and device and storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |