CN117857185A - Authentication method, device and processing system based on virtual identity - Google Patents

Info

Publication number
CN117857185A
Authority
CN
China
Prior art keywords
virtual identity
current user
access control
login
target
Legal status
Pending
Application number
CN202410037953.9A
Other languages
Chinese (zh)
Inventor
乔志巍
Current Assignee
Wuhan Sipuling Technology Co Ltd
Original Assignee
Wuhan Sipuling Technology Co Ltd
Application filed by Wuhan Sipuling Technology Co Ltd
Priority to CN202410037953.9A
Publication of CN117857185A
Legal status: Pending

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides an authentication method, an authentication device and a processing system based on virtual identity, which introduce multi-level access control on top of virtual identity verification, so that the cost to an attacker of impersonating an identity is effectively increased, the authentication effect is improved, security risk is reduced and network security is improved. The authentication method based on virtual identity comprises the following steps: determining a target virtual identity of the current user login, wherein the target virtual identity is contained in a virtual identity login range preset by different users; determining a target access control policy matched with the target virtual identity from different access control policies corresponding to different types of virtual identities pre-configured on the system; and performing access control on the current user based on the target access control policy.

Description

Authentication method, device and processing system based on virtual identity
Technical Field
The present application relates to the field of network security, and in particular, to an authentication method, an apparatus, and a processing system based on virtual identity.
Background
In a company, or in the company's network architecture, an authentication system is generally configured in order to ensure the feasibility of network access: when a user accesses the network, the user's identity must first be confirmed, and only a confirmed user obtains access rights to the network.
Common confirmation methods include active authentication (web-based username and password authentication, SMS authentication, AD authentication, etc.) and passive authentication (third-party OAuth authentication, WeChat authentication, Enterprise WeChat authentication, etc.).
These confirmation methods for users accessing the network are rich enough, but the inventor found that, from a security point of view, both the active and the passive authentication modes carry a certain security risk: once authentication information is leaked, any attacker can impersonate the user's identity, acquire the corresponding network access rights and carry out network attacks.
Disclosure of Invention
The application provides an authentication method, an authentication device and a processing system based on virtual identity, which introduce multi-level access control on top of virtual identity verification, so that the cost to an attacker of impersonating an identity is effectively increased, the authentication effect is improved, security risk is reduced and network security is improved.
In a first aspect, the present application provides a virtual identity-based authentication method, where the method includes:
determining a target virtual identity of the current user login, wherein the target virtual identity is contained in a virtual identity login range preset by different users;
determining a target access control strategy matched with a target virtual identity from different access control strategies corresponding to different types of virtual identities pre-configured on a system;
and performing access control on the current user based on the target access control policy.
With reference to the first aspect of the present application, in a first possible implementation manner of the first aspect of the present application, determining a target virtual identity of a current user login includes:
displaying a virtual identity login page to a current user, wherein the virtual identity login page displays different virtual identity login modes;
after the current user initiates a login request through a target virtual identity login mode, the gateway device collects the target virtual identity corresponding to the login request from the terminal equipment of the current user or from network traffic related to that terminal equipment.
With reference to the first aspect of the present application, in a second possible implementation manner of the first aspect of the present application, determining a target virtual identity of a current user login includes:
the gateway device collects the corresponding target virtual identity from the terminal device of the current user or from the network traffic related to the terminal device of the current user.
With reference to the second possible implementation manner of the first aspect of the present application, in a third possible implementation manner of the first aspect of the present application, collecting, by a gateway device, a corresponding target virtual identity from a terminal device of a current user or from network traffic related to the terminal device of the current user, includes:
the gateway device continuously collects the corresponding target virtual identity from the terminal device of the current user or from the network traffic related to the terminal device of the current user.
With reference to the first aspect of the present application, in a fourth possible implementation manner of the first aspect of the present application, the virtual identity login range includes a mailbox class, a social communication class, and a web class login, where:
the mailbox type virtual identity corresponds to a first-level access control strategy, and the access rights of the product server and the Internet are opened;
the social communication type virtual identity corresponds to a second-level access control strategy, and access rights of a document server, a product server and the Internet are opened;
the web-type virtual identity corresponds to a third-level access control policy, and opens access rights to the production server, the document server, the product server and the Internet.
With reference to the fourth possible implementation manner of the first aspect of the present application, in a fifth possible implementation manner of the first aspect of the present application, the method further includes:
after checking that the user account logged in by the current user is one configured in the company network architecture, the access right to the Internet is opened to the current user.
With reference to the fourth possible implementation manner of the first aspect of the present application, in a sixth possible implementation manner of the first aspect of the present application, the method further includes:
monitoring whether the duration span between the latest login time point of the highest-level virtual identity logged in by the current user and the current time point exceeds a preset duration span;
if yes, the access authority of the virtual identity with the highest level is reduced.
In a second aspect, the present application provides an authentication device based on a virtual identity, where the device includes:
the determining unit is used for determining a target virtual identity of the current user login, wherein the target virtual identity is contained in a virtual identity login range preset by different users;
the matching unit is used for determining a target access control strategy matched with the target virtual identity from different access control strategies corresponding to different types of virtual identities pre-configured on the system;
and the access control unit is used for performing access control on the current user based on the target access control strategy.
With reference to the second aspect of the present application, in a first possible implementation manner of the second aspect of the present application, the determining unit is specifically configured to:
displaying a virtual identity login page to a current user, wherein the virtual identity login page displays different virtual identity login modes;
after the current user initiates a login request through a target virtual identity login mode, the gateway device collects the target virtual identity corresponding to the login request from the terminal equipment of the current user or from network traffic related to that terminal equipment.
With reference to the second aspect of the present application, in a second possible implementation manner of the second aspect of the present application, the determining unit is specifically configured to:
the gateway device collects the corresponding target virtual identity from the terminal device of the current user or from the network traffic related to the terminal device of the current user.
With reference to the second possible implementation manner of the second aspect of the present application, in a third possible implementation manner of the second aspect of the present application, the determining unit is specifically configured to:
the gateway device continuously collects the corresponding target virtual identity from the terminal device of the current user or from the network traffic related to the terminal device of the current user.
With reference to the second aspect of the present application, in a fourth possible implementation manner of the second aspect of the present application, the virtual identity login scope includes a mailbox class, a social communication class, and a web class login, where:
the mailbox type virtual identity corresponds to a first-level access control strategy, and the access rights of the product server and the Internet are opened;
the social communication type virtual identity corresponds to a second-level access control strategy, and access rights of a document server, a product server and the Internet are opened;
the web-type virtual identity corresponds to a third-level access control policy, and opens access rights to the production server, the document server, the product server and the Internet.
With reference to the fourth possible implementation manner of the second aspect of the present application, in a fifth possible implementation manner of the second aspect of the present application, the access control unit is further configured to:
after checking that the user account logged in by the current user is one configured in the company network architecture, the access right to the Internet is opened to the current user.
With reference to the fourth possible implementation manner of the second aspect of the present application, in a sixth possible implementation manner of the second aspect of the present application, the access control unit is further configured to:
monitoring whether the duration span between the latest login time point of the highest-level virtual identity logged in by the current user and the current time point exceeds a preset duration span;
if yes, the access authority of the virtual identity with the highest level is reduced.
In a third aspect, the present application provides a processing system comprising a processor and a memory, the memory having stored therein a computer program, the processor executing the method provided by the first aspect of the present application or any one of the possible implementations of the first aspect of the present application when calling the computer program in the memory.
In a fourth aspect, the present application provides a computer readable storage medium storing a plurality of instructions adapted to be loaded by a processor to perform the method provided in the first aspect of the present application or any one of the possible implementations of the first aspect of the present application.
From the above, the present application has the following advantages:
for access control based on user identity, the application configures different corresponding access control policies for different virtual identities on the basis of virtual identity verification, so that even if the authentication information of one virtual identity of the current user is stolen, only a limited access range can be obtained, rather than all access ranges being opened directly as in the prior art. Through this multi-level access control the cost to an attacker of impersonating an identity is effectively increased, thereby improving the authentication effect, reducing security risk and improving network security.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the description of the embodiments will be briefly introduced below, it being obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic flow chart of a virtual identity-based authentication method of the present application;
FIG. 2 is a signaling flow diagram of the authentication and authorization process of the present application;
FIG. 3 is a schematic diagram of an authentication and authorization processing architecture according to the present application;
fig. 4 is a schematic structural diagram of an authentication device based on virtual identity according to the present application;
fig. 5 is a schematic diagram of a structure of the processing system of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are only some, but not all, of the embodiments of the present application. All other embodiments, which can be made by those skilled in the art based on the embodiments herein without making any inventive effort, are intended to be within the scope of the present application.
The terms first, second and the like in the description and in the claims of the present application and in the above-described figures, are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments described herein may be implemented in other sequences than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or modules is not necessarily limited to those steps or modules that are expressly listed or inherent to such process, method, article, or apparatus. The naming or numbering of the steps in the present application does not mean that the steps in the method flow must be executed according to the time/logic sequence indicated by the naming or numbering, and the execution sequence of the steps in the flow that are named or numbered may be changed according to the technical purpose to be achieved, so long as the same or similar technical effects can be achieved.
The division of the modules in the present application is a logical division, and may be implemented in another manner in practical application, for example, a plurality of modules may be combined or integrated in another system, or some features may be omitted or not implemented, and in addition, coupling or direct coupling or communication connection between the modules that are shown or discussed may be through some interfaces, and indirect coupling or communication connection between the modules may be in an electrical or other similar form, which is not limited in this application. The modules or sub-modules described as separate components may or may not be physically separate, or may be distributed in a plurality of circuit modules, and some or all of the modules may be selected according to actual needs to achieve the purposes of the present application.
Before introducing the authentication method based on virtual identity provided by the application, the background content related to the application is first introduced.
The authentication method, authentication device and computer readable storage medium based on virtual identity can be applied to a processing system and introduce multi-level access control on top of virtual identity verification, so that the cost to an attacker of impersonating an identity is effectively increased, the authentication effect is improved, security risk is reduced and network security is improved.
The executing body of the authentication method based on the virtual identity can be an authentication device based on the virtual identity or a processing system integrating the authentication device based on the virtual identity. The authentication and authorization device based on the virtual identity can be realized in a hardware or software mode, and the processing system can be single equipment or equipment clusters and can relate to different types of processing equipment such as a server, a physical host, network node equipment and the like.
As an example, the processing system for executing the authentication and authorization method based on virtual identity provided in the application may be specifically a network node in a company, which is specially responsible for the function of authentication and authorization in a company network architecture, such as an authentication gateway device, so that direct and effective access control can be performed for user access behavior in the company.
Next, the authentication method based on virtual identity provided by the application is introduced.
Referring to fig. 1, fig. 1 shows a flow chart of a virtual identity-based authentication method of the present application, and the virtual identity-based authentication method provided in the present application may specifically include steps S101 to S103 as follows:
step S101, determining a target virtual identity of a current user login, wherein the target virtual identity is contained in a virtual identity login range preset by different users;
it can be understood that in the application scenario or network architecture where the present application is located, access control based on the identity of the user is applied, specifically, the access control is developed for the virtual identity of the user.
In this regard, when performing the relevant network access actions, the user needs to log in his virtual identity for the data processing of the access control.
It should be noted that the virtual identity is not the basic user information used in a conventional company, such as a personal name, mobile phone number, job number or company OA system account, which is usually openly available within the company and is the identity information used in conventional authentication. Here, the virtual identity refers to an alternative identity that a user uses in a network environment; unless the real information of the user behind it has been disclosed, it is difficult or impossible to associate it with the user's real identity.
As such, virtual identities are typically configured in a network environment outside the corporate intranet architecture, such as the virtual identities used on typical social platforms.
Thus, the virtual identities referred to in this application may also be understood as alternative identities configured in external network environments outside the corporate intranet. Modifying a virtual identity is usually a personal action of the user (in the special case where the company performs the update on the user's behalf, the user is normally informed or has given permission), and it has to be performed in the external network environment, because that environment is not a company intranet that the company can operate autonomously. Together with pre-recording (so that later verification can determine whether a virtual identity belongs to the user), this gives the virtual identity high credibility for personnel (users) within the company: it can be recognised as having a unique binding relationship with the user's person, which is what the access control of this application relies on.
The different virtual identities recorded in advance by the user, which are subsequently matched to the real user, can be stored in files such as a name-card-holder style record, forming a multi-dimensional display of the network user's identity; in addition, the stored virtual identities can be encrypted to ensure data security.
Step S102, determining a target access control strategy matched with a target virtual identity from different access control strategies corresponding to different types of virtual identities pre-configured on a system;
It is easy to see that the present application classifies virtual identities, determines access rights in advance for each type of virtual identity, and configures them in the form of an access control policy; each type of virtual identity usually covers a plurality of virtual identities, although the case of only one virtual identity is not excluded.
Thus, after the target virtual identity of the current user login is determined, its type can be determined, and the target access control policy matched with that type can be selected from the pre-configured access control policies.
The type of the target virtual identity logged in by the current user can be determined from the name of the target virtual identity or from a type identifier carried in its identity information; the classification can be performed in real time, and the specific determination method is flexible, so it is not particularly limited here.
Step S103, access control is performed on the current user based on the target access control policy.
It can be understood that the different access control policies configured for different types of virtual identities in this application correspond to different access rights and different access ranges for the same real user: if the logged-in virtual identities differ, different access control policies are loaded, forming multi-level and flexible access control. Even if the authentication information (including user account, password and other user information) of a certain virtual identity is stolen, clearly only the access rights corresponding to that type of virtual identity can be obtained, and not all access rights of the same user at once; for a real user, more types of virtual identity have to be logged in to obtain more access rights, which means that only the real user can successfully activate all of the virtual identities that exist.
For the specific execution of the access control, the access control can be differentially performed by devices such as gateway devices in the network architecture.
In this way, compared with the traditional authentication mode, which is set up as single-step or two-step authentication on the basis of the active or passive authentication mode, the terminal identity (the equipment the user logs in from, or the user-side equipment, is usually a terminal device) can be confirmed more effectively, so that network access rights are granted securely to the corresponding identity, the goal that a more credible identity obtains higher network authority is genuinely achieved, the attack cost for an attacker is greatly increased, and network security is effectively ensured.
As can be seen from the embodiment shown in fig. 1, for access control based on user identity, the present application configures different access control policies corresponding to different virtual identities on the basis of virtual identity verification, so that even if the authentication information of a certain virtual identity of the current user is stolen, only a limited access range can be obtained, instead of all access ranges being opened directly as in the prior art. Through this multi-level access control the cost to an attacker of impersonating an identity is effectively increased, thereby improving the authentication effect, reducing security risk and improving network security.
The steps of the embodiment shown in fig. 1 and the possible implementation thereof in practical applications will be described in detail.
The application also provides the following two specific implementation schemes in combination with practical application for how to acquire the target virtual identity of the current user login.
As an exemplary embodiment, in the process of determining the target virtual identity of the current user login in step S101, the method may specifically include:
displaying a virtual identity login page to a current user, wherein the virtual identity login page displays different virtual identity login modes;
after the current user initiates a login request through a target virtual identity login mode, the gateway device collects the target virtual identity corresponding to the login request from the terminal equipment of the current user or from network traffic related to that terminal equipment.
It can be understood that, where authentication or user login is conventionally involved, a corresponding login page is displayed to the user; in the same way, the present application can display a corresponding virtual identity login page to the current user through user access channels such as an application (APP) or web service, where different virtual identity login modes corresponding to the different types of virtual identities involved in this application are shown in the page, so as to prompt the current user to select the corresponding virtual identity for the login operation.
Thus, after the current user selects the virtual identity to be logged in and triggers the corresponding login request, and after the login verification passes, the corresponding target virtual identity can be collected at the user-side terminal (implemented by a terminal plug-in or actively reported by the terminal) or from the network traffic transmitted in the network architecture.
As another exemplary implementation manner, the present application further introduces a virtual identity collection mechanism that is not perceived by the user, and correspondingly, in the process of determining the target virtual identity of the current user login in step S101, the method specifically may include:
the gateway device collects the corresponding target virtual identity from the terminal device of the current user or from the network traffic related to the terminal device of the current user.
It can be understood that, compared with the above virtual identity acquisition mode, this setting does not need to be triggered by a login page, so the virtual identity can be acquired flexibly according to actual requirements during the user login stage or during normal user access. For the user, this clearly avoids additional operations, preserves existing network usage habits and improves the user experience; for the terminal, compared with displaying a login page, it can be considered to have no additional overhead; for the system, the imperceptible virtual identity acquisition can run in the background whenever the acquisition function is present by default, so that user experience and service effect are both taken into account, while the mechanism stays opaque to an attacker (information theft becomes harder to carry out), which raises the attack cost.
In addition, as can be seen from the virtual identity acquisition mechanism involved here, the virtual identity acquisition performed by this method is not necessarily limited to a single point in time; specifically, it can also be persistent, that is, the virtual identity of a user in the logged-in state can be collected continuously, so that authentication and authorization can be performed continuously and dynamically, giving the method more flexibility and security.
Correspondingly, as a further exemplary embodiment, the collecting, by the gateway device, the corresponding target virtual identity from the terminal device of the current user or from the network traffic related to the terminal device of the current user in the foregoing embodiment may specifically include:
the gateway device continuously collects the corresponding target virtual identity from the terminal device of the current user or from the network traffic related to the terminal device of the current user.
Furthermore, for different types of virtual identities or virtual identity login ranges referred to in the application, a specific matching scheme is also provided.
Specifically, as yet another exemplary embodiment, the virtual identity login scope of the present application may include a mailbox class, a social communication class, and a web class login, where there are:
1) The mailbox type virtual identity corresponds to a first-level access control strategy, and the access rights of the product server and the Internet are opened;
2) The social communication type virtual identity corresponds to a second-level access control strategy, and access rights of a document server, a product server and the Internet are opened;
3) The web class login virtual identity corresponds to a third-level access control policy, and opens access rights for the production server, the document server, the product server and the Internet.
From the above access control policy settings at different levels, the application divides virtual-identity-based access control into three specific layers: the mailbox virtual identity at the bottom layer adds access rights to the product server on top of the Internet access rights, the social communication virtual identity at the middle layer further adds access rights to the document server, and the web login virtual identity at the upper layer further adds access rights to the production server.
Taking the user Zhang San as an example, the mailbox class virtual identity may relate to different mailboxes, such as zhangsan@abc.com, zhangsan@163.com, zhangsan@126.com and the like; the social communication class virtual identity may relate to different social communication platforms, such as user accounts on QQ, Weibo, WeChat, DingTalk and the like; and the web class virtual identity may relate to different web login services, such as mobile phone numbers, mailboxes and the like.
After the user Zhang San uses a tablet to log in to the mailbox zhangsan@abc.com to handle work, the user can access the product server; after Zhang San logs in to QQ or WeChat using the tablet, the user can access the document server; after Zhang San logs in to the corporate web OA system using the tablet, the production server can be accessed.
In addition, it can be seen that the access rights available to the virtual users of the higher class may also directly cover the access rights available to the virtual users of the lower class.
Furthermore, it should be understood that, in the scenario addressed by the present application, the user logs in to his personal virtual identity through the corporate network, or within the scope of the corporate network architecture, so that the access control mechanism based on the virtual identity raises the user's trustworthiness as perceived by the machine and adjusts the user's access rights accordingly. This processing mechanism may also be combined with the original/traditional authentication mechanism: for example, once the user account configured in the corporate network architecture has been logged in and checked, the basic network access rights may be opened, without involving any of the servers above that require higher user trustworthiness to access.
In this regard, as yet another exemplary embodiment, the method of the present application may further include:
after checking the user account number which is logged in by the current user and is configured in the company network architecture, the access right of the Internet is opened to the current user.
It can be understood that for the traditional authentication processing (a domain account and password are used, whose leakage risk is higher), the application only grants the basic network access right (the access right of the Internet) and does not grant access rights to the servers involved in software development/maintenance work, so that a flexible and efficient authentication effect can be achieved through the introduced virtual-identity-based authentication and authorization processing in the software development/maintenance application scenario, and network security is ensured.
For the above solution, a signaling flow chart of the authentication and authentication process of the present application shown in fig. 2 and an architecture diagram of the authentication and authentication process architecture of the present application shown in fig. 3 may be further understood in a more visual manner.
It can be seen from fig. 3 that the scheme of the present application may be executed by the gateway device, and may be further configured with a disaster recovery dual-activity mechanism, where the primary gateway device normally works, and when the primary gateway device fails or is abnormal, the primary gateway device is switched to the secondary gateway device to continue working, so as to improve service continuity.
In addition, with respect to the multi-level access right control mechanism, the time decay mechanism may be introduced, and as a further exemplary embodiment, the method may further include:
monitoring whether the duration span between the latest login time point of the highest-level virtual identity logged in by the current user and the current time point exceeds a preset duration span;
if yes, the access authority of the virtual identity with the highest level is reduced.
It can be understood that the specific span of the preset duration span herein may be flexibly set, for example, 8 hours, 12 hours, 24 hours, etc., and in the setting of reducing the access right, the access right of any server may be directly cancelled, or the access right of the virtual identity reduced to the next level may be reduced, so that the current user may wait for logging in the corresponding level or the virtual identity of the highest level again to restore the corresponding access right.
In addition, on the basis of monitoring the duration span, a setting of lowering the access right at each day change may also be introduced, so that the access right adjusting effect based on the time decay mechanism is continuously enhanced. When this daily lowering setting is applied, it may be detected whether the duration span between the latest login time point of the highest-level virtual identity and the current time point falls within an ignore duration span; if so, the login has just been confirmed and the daily lowering operation need not be executed. For example, if the login took place shortly after 11 p.m., then at 12 midnight the duration span is less than 1 hour, and the access right is not degraded in this case.
For the embodiment herein, it is obvious that the method can help to dynamically restrict the access right of the user through the logged-in virtual identity, so as to forcefully prompt the user to log in again to acquire the corresponding access right, but not to continuously acquire the access right of the corresponding virtual identity after logging in, which can also continuously improve the attack cost of an attacker, and further improve the security of the authentication and authorization process related to the application.
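As an added worked example (not code from the patent), the following evaluator implements the three-tier policy mapping described above together with the time-decay and daily-lowering downgrades; the resource names, the "reduce to the next level" variant, the Internet-only floor and the sample logins are assumptions made here for illustration.

```python
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set

# Level 0 is the traditional domain-account login (Internet only); levels 1-3 are
# the mailbox, social-communication and web-login virtual identity classes.
LEVEL: Dict[str, int] = {"domain": 0, "mailbox": 1, "social": 2, "web": 3}
POLICY: Dict[int, Set[str]] = {
    0: {"internet"},
    1: {"internet", "product_server"},
    2: {"internet", "product_server", "document_server"},
    3: {"internet", "product_server", "document_server", "production_server"},
}


class Login(NamedTuple):
    user: str
    identity_class: str  # key of LEVEL
    identity: str        # identity the gateway collected (constructed samples below)
    at: datetime         # latest time this identity was seen logged in


def effective_level(logins: List[Login], now: datetime,
                    decay: timedelta = timedelta(hours=8),
                    day_rollover: bool = False,
                    ignore_span: timedelta = timedelta(hours=1)) -> int:
    """Highest logged-in level, lowered by one when a downgrade rule fires.

    decay:        the preset duration span (8/12/24 h in the description).
    day_rollover: True when evaluating at the daily lowering point; the drop is
                  skipped if the top identity logged in within ignore_span.
    Returns -1 when the user has no login at all.
    """
    if not logins:
        return -1
    top = max(LEVEL[l.identity_class] for l in logins)
    latest_top = max(l.at for l in logins if LEVEL[l.identity_class] == top)
    age = now - latest_top
    level = top
    if age > decay or (day_rollover and age > ignore_span):
        level = top - 1  # "reduced to the next level" variant, not full cancellation
    return max(level, 0)  # assumption: never below the Internet-only floor


def allowed(logins: List[Login], now: datetime, resource: str, **kw) -> bool:
    """True if the user's current effective policy opens the given resource."""
    level = effective_level(logins, now, **kw)
    return level >= 0 and resource in POLICY[level]


def t(hour: int, minute: int = 0) -> datetime:
    """Clock time on a constructed sample day (placeholder date)."""
    return datetime(2024, 1, 10, hour, minute)


# Constructed sample: Zhang San on a tablet, identities in ascending level order.
ZHANGSAN: List[Login] = [
    Login("zhangsan", "domain", "CORP\\zhangsan", t(8, 50)),
    Login("zhangsan", "mailbox", "zhangsan@abc.com", t(9, 0)),
    Login("zhangsan", "social", "qq:123456", t(9, 30)),          # constructed id
    Login("zhangsan", "web", "oa.example.invalid", t(10, 0)),    # placeholder host
]
MIDNIGHT = datetime(2024, 1, 11, 0, 0)


def demo() -> Dict[str, object]:
    """Walk the sample through the rules and return the decisions."""
    return {
        "noon_level": effective_level(ZHANGSAN, t(12)),                 # 3
        "noon_prod": allowed(ZHANGSAN, t(12), "production_server"),    # True
        "evening_level": effective_level(ZHANGSAN, t(19)),              # 2: 9 h > 8 h
        "evening_prod": allowed(ZHANGSAN, t(19), "production_server"), # False
        "evening_doc": allowed(ZHANGSAN, t(19), "document_server"),    # True
        # daily lowering at midnight: a web login at 23:10 is inside the 1 h ignore span
        "rollover_fresh": effective_level(
            [Login("zhangsan", "web", "oa.example.invalid", t(23, 10))],
            MIDNIGHT, day_rollover=True),                               # 3
        "rollover_stale": effective_level(ZHANGSAN, MIDNIGHT, day_rollover=True),  # 2
    }
```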
The above is an introduction of the authentication method based on virtual identity provided by the application, and in order to facilitate better implementation of the authentication method based on virtual identity provided by the application, the application also provides an authentication device based on virtual identity from the perspective of a functional module.
Referring to fig. 4, fig. 4 is a schematic structural diagram of a virtual identity-based authentication device in the present application, and in this application, a virtual identity-based authentication device 400 may specifically include the following structure:
a determining unit 401, configured to determine a target virtual identity of a current user login, where the target virtual identity is included in a virtual identity login range preset by a different user;
a matching unit 402, configured to determine a target access control policy for matching a target virtual identity from different access control policies corresponding to different types of virtual identities preconfigured on the system;
an access control unit 403, configured to perform access control on the current user based on the target access control policy.
In an exemplary embodiment, the determining unit 401 is specifically configured to:
displaying a virtual identity login page to a current user, wherein the virtual identity login page displays different virtual identity login modes;
after a login request initiated by a current user through a target virtual identity login mode, collecting a target virtual identity corresponding to the login request from terminal equipment of the current user or network traffic related to the terminal equipment of the current user by gateway equipment.
In a further exemplary embodiment, the determining unit 401 is specifically configured to:
the gateway device collects the corresponding target virtual identity from the terminal device of the current user or from the network traffic related to the terminal device of the current user.
In a further exemplary embodiment, the determining unit 401 is specifically configured to:
the gateway device continuously collects the corresponding target virtual identity from the terminal device of the current user or from the network traffic related to the terminal device of the current user.
In yet another exemplary embodiment, the virtual identity login scope includes mailbox class, social communications class, and web class login, where there are:
the mailbox type virtual identity corresponds to a first-level access control strategy, and the access rights of the product server and the Internet are opened;
the social communication type virtual identity corresponds to a second-level access control strategy, and access rights of a document server, a product server and the Internet are opened;
the web class login virtual identity corresponds to a third-level access control policy, and opens access rights of a production server, a document server, a product server and the Internet.
In a further exemplary embodiment, the access control unit 403 is further configured to:
after checking the user account number which is logged in by the current user and is configured in the company network architecture, the access right of the Internet is opened to the current user.
In a further exemplary embodiment, the access control unit 403 is further configured to:
monitoring whether the duration span between the latest login time point of the highest-level virtual identity logged in by the current user and the current time point exceeds a preset duration span;
if yes, the access authority of the virtual identity with the highest level is reduced.
The present application also provides a processing system from the perspective of a hardware structure, where the processing system may specifically include a processing device such as a gateway device, and for convenience of description, the processing system is treated as a whole, and referring to fig. 5, fig. 5 shows a schematic structural diagram of the processing system of the present application, specifically, the processing system of the present application may include a processor 501, a memory 502, and an input/output device 503, where the processor 501 is configured to implement steps of the virtual identity based authentication method in the corresponding embodiment of fig. 1 when executing a computer program stored in the memory 502; alternatively, the processor 501 is configured to implement the functions of each unit in the corresponding embodiment of fig. 4 when executing the computer program stored in the memory 502, and the memory 502 is configured to store the computer program required by the processor 501 to execute the virtual identity-based authentication method in the corresponding embodiment of fig. 1.
By way of example, a computer program may be partitioned into one or more modules/units that are stored in the memory 502 and executed by the processor 501 to complete the present application. One or more of the modules/units may be a series of computer program instruction segments capable of performing particular functions to describe the execution of the computer program in a computer device.
The processing system may include, but is not limited to, a processor 501, memory 502, and input-output devices 503. Those skilled in the art will appreciate that the illustrations are merely examples of processing systems and are not limiting of processing systems, and that more or fewer components than shown may be included, or certain components may be combined, or different components may be included, for example, a processing system may also include network access devices, buses, etc., through which processor 501, memory 502, input output device 503, etc. are connected.
The processor 501 may be a central processing unit (Central Processing Unit, CPU), but may also be other general purpose processors, digital signal processors (Digital Signal Processor, DSP), application specific integrated circuits (Application Specific Integrated Circuit, ASIC), field programmable gate arrays (Field-Programmable Gate Array, FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, or the like. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like that is a control center of a processing system that utilizes various interfaces and lines to connect the various parts of the overall device.
The memory 502 may be used to store computer programs and/or modules, and the processor 501 may implement various functions of the computer device by running or executing the computer programs and/or modules stored in the memory 502, and invoking data stored in the memory 502. The memory 502 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, application programs required for at least one function, and the like; the storage data area may store data created according to the use of the processing system, etc. In addition, the memory may include high-speed random access memory, and may also include non-volatile memory, such as a hard disk, memory, plug-in hard disk, Smart Media Card (SMC), Secure Digital (SD) Card, Flash Card, at least one disk storage device, flash memory device, or other volatile solid-state storage device.
The processor 501, when configured to execute a computer program stored in the memory 502, may specifically implement the following functions:
determining a target virtual identity of the current user login, wherein the target virtual identity is contained in a virtual identity login range preset by different users;
determining a target access control strategy matched with a target virtual identity from different access control strategies corresponding to different types of virtual identities pre-configured on a system;
and performing access control on the current user based on the target access control policy.
It will be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working process of the authentication device, the processing system and the corresponding units based on the virtual identity described above may refer to the description of the authentication method based on the virtual identity in the corresponding embodiment of fig. 1, which is not repeated herein.
Those of ordinary skill in the art will appreciate that all or a portion of the steps of the various methods of the above embodiments may be performed by instructions, or by instructions controlling associated hardware, which may be stored in a computer-readable storage medium and loaded and executed by a processor.
For this reason, the present application provides a computer readable storage medium, in which a plurality of instructions capable of being loaded by a processor are stored, so as to execute the steps of the authentication method based on virtual identity in the corresponding embodiment of fig. 1, and specific operations may refer to the description of the authentication method based on virtual identity in the corresponding embodiment of fig. 1, which is not repeated herein.
Wherein the computer-readable storage medium may comprise: Read Only Memory (ROM), Random Access Memory (RAM), magnetic or optical disk, and the like.
Because the instructions stored in the computer readable storage medium may execute the steps of the authentication method based on the virtual identity in the corresponding embodiment of fig. 1, the beneficial effects that can be achieved by the authentication method based on the virtual identity in the corresponding embodiment of fig. 1 are described in detail in the foregoing description, and are not repeated herein.
The virtual identity based authentication method, device, processing system and computer readable storage medium provided in the present application are described in detail, and specific examples are applied to illustrate the principles and embodiments of the present application, and the description of the above examples is only used to help understand the method and core idea of the present application; meanwhile, those skilled in the art will have variations in the specific embodiments and application scope in light of the ideas of the present application, and the present description should not be construed as limiting the present application in view of the above.

Claims (10)

1. An authentication method based on virtual identity, the method comprising:
determining a target virtual identity of a current user login, wherein the target virtual identity is contained in a virtual identity login range preset by different users;
determining a target access control strategy matched with the target virtual identity from different access control strategies corresponding to different types of virtual identities pre-configured on a system;
and performing access control on the current user based on the target access control strategy.
2. The method of claim 1, wherein the determining the target virtual identity of the current user login comprises:
displaying a virtual identity login page to the current user, wherein the virtual identity login page displays different virtual identity login modes;
after a login request initiated by the current user through a target virtual identity login mode, collecting the target virtual identity corresponding to the login request from the terminal equipment of the current user or from network traffic related to the terminal equipment of the current user by gateway equipment.
3. The method of claim 1, wherein the determining the target virtual identity of the current user login comprises:
and acquiring the corresponding target virtual identity from the terminal equipment of the current user or the network traffic related to the terminal equipment of the current user by gateway equipment.
4. A method according to claim 3, characterized in that collecting, by a gateway device, the corresponding target virtual identity from the current user's terminal device or from the network traffic to which the current user's terminal device relates, comprises:
and continuously collecting the corresponding target virtual identity from the terminal equipment of the current user or the network traffic related to the terminal equipment of the current user by gateway equipment.
5. The method of claim 1, wherein the virtual identity login scope comprises mailbox class, social communications class, and web class logins, wherein there are:
the mailbox type virtual identity corresponds to a first-level access control strategy, and the access rights of the product server and the Internet are opened;
the social communication type virtual identity corresponds to a second-level access control strategy, and access rights of a document server, the product server and the Internet are opened;
the web class login virtual identity corresponds to a third-level access control policy, and opens access rights of a production server, the document server, the product server and the Internet.
6. The method of claim 5, wherein the method further comprises:
and after checking the user account number which is logged in by the current user and is configured in the company network architecture, opening the access right of the Internet to the current user.
7. The method of claim 5, wherein the method further comprises:
monitoring whether the duration span between the latest login time point of the highest-level virtual identity logged in by the current user and the current time point exceeds a preset duration span;
if yes, the access authority of the virtual identity with the highest level is reduced.
8. An authentication and authorization device based on virtual identity, characterized in that the device comprises:
the determining unit is used for determining a target virtual identity of the current user login, wherein the target virtual identity is contained in a virtual identity login range preset by different users;
the matching unit is used for determining a target access control strategy matched with the target virtual identity from different access control strategies corresponding to different types of virtual identities which are preconfigured on the system;
and the access control unit is used for performing access control on the current user based on the target access control strategy.
9. A processing system comprising a processor and a memory, the memory having stored therein a computer program, the processor performing the method of any of claims 1 to 7 when the computer program in the memory is invoked by the processor.
10. A computer readable storage medium storing a plurality of instructions adapted to be loaded by a processor to perform the method of any one of claims 1 to 7.
CN202410037953.9A 2024-01-10 2024-01-10 Authentication method, device and processing system based on virtual identity Pending CN117857185A (en)


Publications (1)

Publication Number Publication Date
CN117857185A true CN117857185A (en) 2024-04-09

Family

ID=90541492



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination