CN118041625A - Equipment login-free identity verification method and system based on renewable JWT and IP signature - Google Patents


Info

Publication number: CN118041625A
Authority: CN (China)
Prior art keywords: jwt, signature, equipment, request, server
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202410173400.6A
Other languages: Chinese (zh)
Inventors: 毛文渊, 赵加坤, 魏东
Current Assignee: Xi'an Lanheng Technology Co ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Xi'an Lanheng Technology Co ltd
Application filed by Xi'an Lanheng Technology Co ltd

Classifications (CPC, all under H04L: Transmission of digital information, e.g. telegraphic communication)

    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/101 Network architectures or network communication protocols for network security for controlling access to devices or network resources: Access control lists [ACL]
    • H04L63/108 Network architectures or network communication protocols for network security for controlling access to devices or network resources when the policy decisions are valid for a limited amount of time
    • H04L9/088 Key distribution or management: usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
    • H04L9/3213 Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, involving a third party or a trusted authority, using tickets or tokens, e.g. Kerberos
    • H04L9/3247 Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, involving digital signatures
    • H04L9/40 Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a login-free identity verification method and system for equipment based on a renewable JWT and an IP signature. The system comprises a basic information configuration module, a login verification module and an authentication module. The method includes: S1: generating an asymmetric key pair for each terminal device based on a digital signature algorithm, importing the private key into the terminal device, importing the corresponding public key into the server, and storing the correspondence between the public key and the device at the server; S2: creating an account at the management end and binding the account with the equipment position and public key information. Creating an account at the management end and binding it to the equipment information decouples equipment login from equipment information: only an account number and a password need to be provided when the equipment logs in, the detailed information of the equipment does not have to be exposed, and the basic information of the equipment is protected. Because the device login is associated only with the account, a change in information such as the device position only requires updating the device information bound to the account, without operating on the device directly, which gives greater flexibility in coping with service changes.

Description

Equipment login-free identity verification method and system based on renewable JWT and IP signature
Technical Field
The invention belongs to the technical field of the Internet, and in particular relates to a login-free identity verification method and system for equipment based on a renewable JWT and an IP signature.
Background
With the development of Internet technology, data security issues receive increasing attention. To protect user data, login is widely used as a key verification step when a client accesses a server resource. In the prior art, the mainstream login-free method is to generate a JWT (JSON Web Token) at the server side and cache it, which suits the login scenarios of almost all types of terminals or clients. However, this approach has drawbacks. Once the token expires, the user needs to log in again, and the server cannot determine whether the JWT has been stolen. Meanwhile, to secure data in transit, the SSL protocol is generally used for encrypted communication between the server and the client. Such encrypted communication generally verifies only the identity of the server, not the identity of the client, so the server cannot effectively intercept an illegitimate request.
In some business environments, such as medical calling systems, monitoring systems for nursing homes and self-service pickup terminals, there are a large number of terminal devices or clients that need to operate for long periods. These devices must have high availability so that reliable support for the various services is provided continuously. Given that the equipment runs for a long time, adopting a permanent JWT inevitably increases the security risk of the system: once the JWT is hijacked, an attacker can masquerade as the terminal device or client and access the server for a long time. Therefore the device must use a JWT with a fixed validity period; however, this mechanism has a login and logout problem, and in a scenario where traffic is concentrated, requiring the user to log in again periodically obviously reduces the availability of the system and user stickiness. In addition, a JWT with a fixed validity period can still be stolen and used for forged access. Even if SSL communication is adopted, since SSL certificates usually only verify the server, the server still cannot distinguish whether the currently accessing client is a forged client, and a hijacked JWT can still be used to access the server within its validity period. Although security may be enhanced by setting up an IP whitelist of permitted terminal devices, the system may still face ARP attacks, i.e. attackers forging client IP addresses and MAC addresses to communicate. Therefore, the terminal devices or clients in these service environments need to improve the user friendliness and stability of the system while ensuring the security of user data, and the system needs to solve the problems of JWT renewal and JWT hijacking.
Disclosure of Invention
The invention aims to provide a login-free authentication method and a login-free authentication system for equipment based on a renewable JWT and an IP signature, so as to solve the problems in the background art.
In order to achieve the above purpose, the present invention provides the following technical solution: the equipment login-free identity verification system based on the renewable JWT and the IP signature comprises a basic information configuration module, a login verification module, an authentication module, a service request management module, a JWT renewal module and a global module;
The authentication module comprises a JWT module and an IP signature module; the JWT module comprises a JWT generation module and a JWT verification module; the IP signature module comprises an IP signature generation module and an IP signature verification module;
the global module comprises a stored information management module and an exception management module;
the basic information configuration module is used for configuring an account number for the terminal equipment and generating a key pair for the terminal equipment and the server side;
the login verification module is used for processing the terminal equipment login service, covering both the first login of the equipment and re-login after the equipment exits;
the JWT generation module is used for generating a JWT with a fixed validity period at a server side;
The JWT verification module is used for verifying the validity of the JWT;
The IP signature generation module generates a signature value of the IP of the terminal equipment based on a digital signature algorithm;
the IP signature verification module is used for verifying the legitimacy of the IP signature;
the JWT renewal module is used for automatically renewing the JWT with a fixed validity period;
The storage information management module is used for maintaining various database storage data;
the exception management module is used for notifying the management end of exception information when terminal equipment logs in or requests services;
the service request management module is used for processing the request of the terminal equipment to the service end for resources.
Preferably, the basic information configuration module specifically includes:
11) The management end creates an account number and a password and binds the account number with specific terminal equipment information; the password is stored as ciphertext, so the plaintext password needs to be recorded on paper;
12) The management end generates a key pair for digital signature, imports the private key into the specific terminal equipment, imports the public key into the service end and binds it to the terminal equipment information corresponding to the private key; the optional key lengths are 512 bits, 1024 bits and 2048 bits, and the optional digital signature algorithms are DSA, RSA, ECDSA and SM2.
Preferably, the login verification module includes the following:
21) The terminal equipment generates an IP signature and transmits the account number, the password, the IP signature and the original signed values to the server;
22) If the account number and password match the stored account number and password, authority verification is optionally performed, and if that result is also consistent, IP signature verification continues;
23) If the verification result is legal, the server updates the IP stored for the equipment, generates the JWT, caches the JWT at the server, and responds to the terminal equipment with the generated JWT;
24) If any of the above verifications fails, the management end is notified to perform exception handling.
Preferably, the JWT generation module includes the following:
31) To prolong the service life of equipment and save energy, system maintenance personnel may shut down equipment that is temporarily unused; so that such equipment can be restarted within a short time, the JWT validity period should not be too short and can be set according to the specific service scenario;
32) The JWT generation process can call an existing library of the programming language, or can be implemented by the developer following the JWT signing steps;
33) The fixed validity period of the JWT can be realized with Redis: a permanent JWT is generated by the existing programming library, and a storage expiration time is set when the JWT is stored in Redis, which achieves expiration of the JWT;
34) Single sign-on can be realized through a JWT blacklist: the old JWT is stored in the blacklist, which improves security;
35) While generating the JWT, a JWT renewal signal with a delay of 1/2 of the JWT expiration time is put into the delayed exchange of RabbitMQ.
Preferably, the IP signature generation module generates a signature value of the terminal device IP based on a digital signature algorithm, including the following:
41) First, the terminal equipment IP and the effective deadline timestamp are spliced into one piece of data in a fixed format; then a hash algorithm is applied to the spliced data to produce a fixed-length character string; finally, the resulting string is signed with the private key of the terminal equipment to obtain the signature value of the terminal equipment IP;
42) The fixed format used to splice the IP and the timestamp can be character string splicing or JSON format splicing; the hash algorithm applied to the spliced data can be chosen from SHA-1, SHA-256 and SHA-512; the validity time of the timestamp can be set dynamically according to network conditions and should be neither too long nor too short.
Preferably, the IP signature verification module is configured to verify the legitimacy of the IP signature, including the following:
51) Verifying whether the timestamp is within the validity period: the current timestamp is compared with the timestamp in the request to check whether the IP signature has expired; if not, whether the IP signature has been used is verified next;
52) Verifying whether the IP signature has been used: the system stores all IP signatures used within their validity time and judges whether the IP signature of the current request is in the used list; if not, the current IP signature is being used for the first time, and whether the stored IP is empty is verified next;
53) Verifying whether the stored IP is empty: the server obtains the information of the equipment corresponding to the request from the JWT and judges whether the stored IP is empty; if it is empty, the equipment is coming online for the first time and the IP signature verification result is legal; if not, whether the IP is in the whitelist is verified next;
54) Verifying whether the IP is in the whitelist: the IP whitelist stored for the equipment is compared with the IP currently requested by the equipment; if the requested IP is in the whitelist, the consistency of the decrypted data of the IP signature with the data obtained by the server's hash calculation of the original values is verified next;
55) Verifying whether the decrypted data is consistent with the hash calculation: the IP of the current equipment request and the timestamp in the request are spliced in the fixed format and hashed with the specific hash algorithm to obtain H1; the server decrypts the IP signature in the request with the public key to obtain a character string H2; H1 and H2 are compared, and if they are consistent the IP signature is legal;
56) The format of the spliced data and the hash calculation method must be consistent with those of the IP signature generation module; the IP whitelist of each device may contain several IPs;
57) After a verification failure in step 51), 52), 54) or 55), the management end must be notified to perform exception handling.
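An added example of the IP signature generation and verification flow described in items 41)-55) above and in step S5 below (example code written for this page, not the patent's own implementation). It uses ECDSA over P-256 with SHA-256, both among the options the patent lists, splices IP and timestamp as "ip|expiry", and the names Device, DeviceRecord, Server and the error strings are this example's own; it is stricter than item 53) in that the signature is checked cryptographically even on the first login, which the patent accepts without that check.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"strconv"
	"time"
)

// IPSignature is what a terminal device attaches to a request: its IP, the effective deadline timestamp (unix seconds) and the ECDSA signature over both.
type IPSignature struct {
	IP     string
	Expiry int64
	Sig    []byte // ASN.1 DER, over digest(IP, Expiry)
}

// digest implements item 41): splice IP and timestamp in a fixed format ("ip|expiry" here) and hash with SHA-256; item 56) requires both sides to match.
func digest(ip string, expiry int64) []byte {
	h := sha256.Sum256([]byte(ip + "|" + strconv.FormatInt(expiry, 10)))
	return h[:]
}

type Device struct{ priv *ecdsa.PrivateKey } // private key imported into the terminal device (step S1)

// DeviceRecord is the server-side state bound to one account (S1/S2, item 71)).
type DeviceRecord struct {
	Pub       *ecdsa.PublicKey
	StoredIP  string          // empty until the first successful login (item 53))
	Whitelist map[string]bool // IP whitelist maintained by the management end
}

// NewDevice generates a P-256 key pair; the private half stays on the device, the public half goes into the server record with the whitelist.
func NewDevice(whitelist ...string) (*Device, *DeviceRecord, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	wl := map[string]bool{}
	for _, ip := range whitelist {
		wl[ip] = true
	}
	return &Device{priv: priv}, &DeviceRecord{Pub: &priv.PublicKey, Whitelist: wl}, nil
}

// Sign produces the IP signature for ip, valid for validFor counted from now.
func (d *Device) Sign(ip string, validFor time.Duration, now time.Time) (IPSignature, error) {
	expiry := now.Add(validFor).Unix()
	sig, err := ecdsa.SignASN1(rand.Reader, d.priv, digest(ip, expiry))
	return IPSignature{IP: ip, Expiry: expiry, Sig: sig}, err
}

// Server keeps the device records and the "IP signature used list" (items 52), 93)).
type Server struct {
	Devices map[string]*DeviceRecord
	used    map[string]int64 // hex(signature) -> expiry; pruned once expired
}

func NewServer() *Server {
	return &Server{Devices: map[string]*DeviceRecord{}, used: map[string]int64{}}
}

// Verify runs checks 51)-55) in order; each failure is a distinct error so the management end can be told the reason (items 57), 81)).
func (s *Server) Verify(account string, req IPSignature, now time.Time) error {
	rec, ok := s.Devices[account]
	if !ok {
		return errors.New("unknown account")
	}
	if now.Unix() > req.Expiry { // 51) still within the validity period
		return errors.New("IP signature not in validity period")
	}
	for k, exp := range s.used { // entries past their deadline can no longer replay
		if exp < now.Unix() {
			delete(s.used, k)
		}
	}
	key := hex.EncodeToString(req.Sig)
	if _, seen := s.used[key]; seen { // 52) replay check against the used list
		return errors.New("IP signature already used")
	}
	// 53)/54) no stored IP means first login, which skips the whitelist check;
	// every later request must come from a whitelisted IP.
	if rec.StoredIP != "" && !rec.Whitelist[req.IP] {
		return errors.New("request IP not in whitelist")
	}
	// 55) recompute the hash from the request's own IP and timestamp and check the signature
	// with the device's public key (the ECDSA equivalent of "decrypt with the public key and compare H1 with H2").
	if !ecdsa.VerifyASN1(rec.Pub, digest(req.IP, req.Expiry), req.Sig) {
		return errors.New("IP signature invalid")
	}
	s.used[key] = req.Expiry // 93) remembered for the rest of its validity window
	rec.StoredIP = req.IP    // S6: store or update the device IP
	return nil
}
```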
Preferably, the JWT renewal module is configured to automatically renew the JWT with a fixed validity period, including the following:
61) After the terminal equipment logs in, the server side puts a JWT renewal signal with a delay of 1/2 of the JWT expiration time into the delayed exchange of RabbitMQ, and checks at regular intervals whether the JWT renewal signal of the current equipment has been responded to;
62) If the signal exceeds the response time without a response, the server side puts a JWT renewal signal with a delay of 7/8 of the JWT expiration time into the delayed exchange of RabbitMQ, and again checks at regular intervals whether the JWT renewal signal of the current device has been responded to;
63) If that signal also exceeds the response time without a response, the server side puts a JWT renewal signal with a delay close to but less than 1 time the JWT expiration time into the delayed exchange of RabbitMQ;
64) Whether or not that JWT renewal signal is answered, the device's JWT renewal process for this cycle ends;
65) If the JWT renewal signal of step 63) is not responded to within the predetermined time, it can be chosen whether to notify the management end for exception handling.
Preferably, the storage information management module is configured to maintain the various data stored in the database, including the following:
71) The database stores the equipment basic information, equipment account information, equipment IP whitelist, equipment public key, equipment JWT information, JWT expiration time setting, JWT blacklist, IP signature used list, hash algorithm, data splicing format and other data required by the business, and the management end can display the binding relationship between these basic data and the equipment intuitively;
72) The management end can manually delete the JWT of specific equipment, lengthen or shorten the validity period of the JWT of specific equipment, maintain the JWT blacklist and maintain the IP whitelist; lengthening or shortening the validity period does not change the JWT string itself;
73) The management end can maintain the binding relationship between the account number and the basic information of the equipment, decoupling equipment login from equipment information.
Preferably, the exception management module is configured to notify the management end of exception information when device login or service requests fail, and mainly includes:
81) When necessary, the server notifies the management end of exception information including: device login account number or password wrong, device request IP not in the whitelist, IP signature not in the validity period, IP signature already used, JWT verification failure, JWT renewal failure, and other necessary information;
82) After receiving the exception information, the management end can respond accordingly; for example, if the exception says that the equipment request IP is not in the whitelist, the management end can modify the equipment IP whitelist or reject access from that IP;
the service request management module is used for processing requests from the terminal equipment to the service end for resources, and includes the following:
91) All requests from the terminal device must carry an IP signature, and all requests except login requests must also carry the JWT;
92) The terminal equipment generates the IP signature locally and sends the IP signature, the original timestamp, the JWT and the other request parameters to the server; the server intercepts all requests from terminal equipment uniformly and releases a request, allowing resource access, only if the JWT verification shows the request is valid and the IP signature verification shows it is legal;
93) When an IP signature is validated, the server adds it to the used list, and the server keeps every used IP signature for the validity time of a single IP signature;
94) If the request is not a JWT update request, normal business processing is carried out and the result is returned to the terminal equipment; if it is a JWT update request, the service regenerates the JWT, updates the stored JWT of the terminal device and responds to the terminal device with the new JWT.
The login-free identity verification method for equipment based on the renewable JWT and the IP signature uses the verification system above and comprises the following specific steps:
S1: generating an asymmetric key pair for each terminal device based on a digital signature algorithm, importing the private key into the terminal device, importing the corresponding public key into the server, and storing the correspondence between the public key and the device at the server;
S2: creating an account at the management end and binding the account with the equipment position and public key information;
S3: logging in with an account number and password at the terminal equipment login interface; besides the request parameters, the request carries the signature over the hash of the equipment IP and timestamp, and the original value of the timestamp;
S4: verifying at the server whether the account password is correct; if not, returning to step S3, otherwise executing step S5;
S5: verifying the signature of the login request at the server. First, the current timestamp is compared with the timestamp carried in the request to judge whether the IP signature is within its validity period; if not, step S7 is executed, otherwise the next check continues. Second, whether the IP signature has been used is verified; if so, step S7 is executed, otherwise the next check continues. Third, whether the stored IP of the equipment is empty is verified; if so, the equipment is logging in for the first time, and since the account number and password for the first login are handed to an engineer on paper, the signature can be directly regarded as legal, the signature is added to the used list and step S6 is executed; if not, the next check continues. Fourth, whether the IP is in the whitelist is verified by comparing the IP whitelist stored for the equipment with the IP currently requested by the equipment; if the requested IP is not in the whitelist, step S7 is executed, otherwise the next check continues. Finally, the consistency of the decrypted data of the IP signature with the data obtained by the server's hash calculation of the original values is verified: the server decrypts the IP signature with the public key corresponding to the requesting equipment to obtain a hash value H1, splices the IP of the requesting equipment and the timestamp carried in the request using the same method as the terminal equipment and hashes the result to obtain H2, and compares H1 with H2; if they are inconsistent, the IP signature of the request is judged illegal and step S7 is executed; if they are consistent, the signature is judged legal, added to the used list, and step S6 is executed;
S6: storing or updating the IP of the terminal device, then executing step S8;
S7: notifying the management end of the abnormal login information (device login account number or password wrong, device request IP not in the whitelist, IP signature not in the validity period) and returning to step S3;
S8: the server generates a JWT with a fixed validity period, caches it at the server, and responds to the terminal equipment with the JWT;
S9: from this point on, the terminal equipment and the server side work in parallel;
S10: at the server, the JWT renewal signal is delayed using the RabbitMQ delayed exchange, and whether the signal has been responded to is checked at regular intervals. After the terminal equipment logs in with an account number and password, the server generates a JWT renewal signal with a delay of 1/2 of the JWT expiration time, referred to as JWT8. If JWT8 is answered, the current JWT renewal flow ends and step S17 is executed. If JWT8 is not answered, the server generates a JWT renewal signal with a delay of 3/8 of the JWT expiration time, referred to as JWT6. If JWT6 is answered, the current JWT renewal flow likewise ends and step S17 is executed. If JWT6 is not answered, the server generates a JWT renewal signal with a delay close to but less than 1 time the JWT expiration time, referred to as JWT2. Finally, whether or not JWT2 is answered, the server's current JWT renewal flow ends and step S17 is executed; if JWT2 is still not answered after the timeout, the management end is notified of the exception, namely that JWT renewal of the equipment has failed;
S11: the terminal equipment listens on the RabbitMQ message queue; when a JWT renewal signal is received, the JWT update operation is performed, and after it completes the JWT renewal signal is responded to;
S12: the terminal equipment carries the JWT, the signature over the hash of the equipment IP and timestamp, and the original timestamp when performing a service request;
S13: the server intercepts all requests from the terminal equipment uniformly and releases a request only if JWT verification shows the request is valid and IP signature verification shows it is legal; the JWT verification can combine the existing programming library, Redis and the JWT blacklist, and the IP signature verification process is the same as in step S5; if the request is legal, step S15 is executed, and if it is illegal, step S14;
S14: notifying the management end of the abnormal information (request IP not in the whitelist, IP signature not in the validity period, JWT verification failure) and returning to step S3;
S15: the server judges whether the request of the terminal equipment is a JWT update request; if so, it returns to S8; if not, it executes S16;
S16: processing the normal service request at the server and responding to the terminal equipment with the data;
S17: the single service request or the single JWT renewal signal ends.
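An added example of the renewal ladder described in items 61)-65) and step S10 (example code written for this page, not the patent's own implementation). It uses the 1/2 and 7/8 fractions from items 61) and 62) and from beneficial effect 2) below; S10 gives 3/8 for the second signal. The response window, the margin under one full expiration time, and the device-offline model (a device that is shut down until backAt hears a queued signal only within that signal's window) are this example's own assumptions; RabbitMQ is not involved, only the timing its delayed exchange would enforce.

```go
package main

import (
	"fmt"
	"time"
)

// RenewalSignal is one "JWT renew signal" placed on the RabbitMQ delayed exchange.
type RenewalSignal struct {
	Name   string        // JWT8, JWT6 and JWT2 as named in step S10
	FireAt time.Duration // delay after login at which the signal is delivered
}

// Schedule builds the three-signal ladder of items 61)-63) for a JWT lifetime exp:
// 1/2, 7/8 and "close to but less than 1 time" the expiration time (exp - margin).
func Schedule(exp, margin time.Duration) []RenewalSignal {
	return []RenewalSignal{
		{"JWT8", exp / 2},
		{"JWT6", exp * 7 / 8},
		{"JWT2", exp - margin},
	}
}

// Outcome records how one renewal cycle ended.
type Outcome struct {
	Answered  string        // name of the signal the device responded to, or "" if none
	RenewedAt time.Duration // time since login at which the JWT was refreshed
	Notify    bool          // item 65): management end is told of renewal failure
}

// Simulate plays the server side of S10 against a device that is unreachable until
// backAt (for example temporarily shut down, item 31)) and answers a queued signal
// within window once it is back. A signal answered after the JWT has expired can no
// longer renew it; the device would need a fresh login (S3).
func Simulate(exp, margin, window, backAt time.Duration) Outcome {
	for _, sig := range Schedule(exp, margin) {
		deadline := sig.FireAt + window
		if deadline > exp {
			deadline = exp
		}
		if backAt <= deadline { // device hears the signal before its response deadline
			at := sig.FireAt
			if backAt > at {
				at = backAt
			}
			return Outcome{Answered: sig.Name, RenewedAt: at}
		}
	}
	return Outcome{Notify: true} // items 64)/65): cycle ends, renewal failed
}

func main() {
	exp := 8 * time.Hour
	for _, backAt := range []time.Duration{0, 5 * time.Hour, 7*time.Hour + 30*time.Minute, 9 * time.Hour} {
		fmt.Printf("device back after %v: %+v\n", backAt, Simulate(exp, 5*time.Minute, 10*time.Minute, backAt))
	}
}
```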
Compared with the prior art, the invention has the following beneficial effects: 1) The mechanism decouples device login from device information by creating an account at the management end and binding the account to the device information; on one hand, only an account and a password need to be provided when the device logs in, and the detailed device information need not be exposed, so the basic information of the device is protected; on the other hand, device login is associated only with the account, which means that a change of information such as the device location only requires updating the device information bound to the account, without operating the device directly, giving higher flexibility in coping with service changes.
2) The mechanism realizes automatic JWT renewal, improving both the security and the friendliness of the system. Because the device is not shut down during long-term operation, a permanent JWT would increase the security risk of the system; a JWT with a fixed validity period is introduced and, borrowing from the DHCP lease mechanism, an automatic JWT update strategy is designed; depending on the actual situation, the device receives a JWT renewal signal and requests renewal at half the JWT expiration time, at seven eighths of the JWT expiration time, or at a point close to but less than one JWT expiration time; the automatic JWT update strategy ensures that the device automatically extends the JWT validity period during normal operation, avoiding logout caused by JWT expiration and improving system friendliness; at the same time, the JWT is automatically updated at regular intervals, which improves the security of the system;
3) The server of the mechanism can verify the request source, effectively reducing the risk that a device operating for a long time is subjected to ARP attack, and further strengthening system security; in an ARP attack, an attacker impersonates the terminal device to request server resources by forging the IP address and the MAC address; because the private key of the terminal device is not disclosed, even if an attacker obtains the JWT, the signature value, the IP and the timestamp of the device, the signature value cannot be regenerated, and the validity period of the IP signature value is extremely short, so the security of the system is greatly improved. In addition, since the system maintains the device IP whitelist, the JWT blacklist and the used IP signature list, each signature verification checks whether the IP is in the whitelist, whether the JWT is in the blacklist and whether the IP signature has been used, so the device IP, the JWT and the IP signature can be further managed and controlled; if verification fails, the management end is notified of the reason for the abnormality at that moment, further enhancing security.
4) The method uses existing technology, is simple to implement, and moves the timing down to the server side, which benefits the stability and fluency of the device; the hash calculation and key pair generation algorithms can be realized by directly calling existing programming libraries, and the delayed JWT renewal signal is realized with the delayed exchange of the RabbitMQ middleware; RabbitMQ is a message queue technology for asynchronous processing, and a message in a delayed exchange is delivered to the queue only after the specified delay and is then received and processed by the consumer, so that resources and tasks can be managed better and the performance stalls caused by long-running timing tasks on the device are avoided.
Drawings
FIG. 1 is a schematic diagram of the relationship of the modules in the method of the present invention.
FIG. 2 is a flow chart of the method of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Referring to FIG. 1-2, the present invention provides a technical solution: the device login-free identity verification system based on a renewable JWT and IP signature comprises a basic information configuration module, a login verification module, an authentication module, a service request management module, a JWT renewal module and a global module;
the authentication module comprises a JWT module and an IP signature module; the IP signature module comprises an IP signature generation module and an IP signature verification module; the JWT module comprises a JWT generation module and a JWT verification module;
the global module comprises a stored information management module and an exception management module;
the basic information configuration module is used for configuring an account for the terminal device and generating a key pair for the terminal device and the server;
the login verification module is used for processing the terminal device login service, covering both the first login of a device and re-login after a device exits;
the JWT generation module is used for generating a JWT with a fixed validity period at the server;
the JWT verification module is used for verifying the validity of the JWT;
the IP signature generation module generates a signature value of the terminal device IP based on a digital signature algorithm;
the IP signature verification module is used for verifying the legitimacy of the IP signature;
the JWT renewal module is used for automatically renewing the JWT of fixed validity period;
the stored information management module is used for maintaining the stored data of the various databases;
the exception management module is used for notifying the management end of abnormal information when the terminal device logs in or requests a service;
the service request management module is used for processing resource requests from the terminal device to the server.
In this embodiment, preferably, the basic information configuration module specifically includes: 11) The management end creates an account and a password and binds the account to specific terminal device information; the password is stored as ciphertext, so the plaintext password must be recorded on paper;
12) The management end generates a key pair for the digital signature, imports the private key into the specific terminal device, imports the public key into the server and binds it to the terminal device information corresponding to the private key; the optional key lengths include 512 bits, 1024 bits and 2048 bits, and the optional digital signature algorithms are DSA, RSA, ECDSA and SM2.
In this embodiment, preferably, the login verification module includes the following: 21) The terminal device generates an IP signature and transmits the account, the password, the IP signature and the original (unsigned) value to the server;
22) If the account and password match the stored account and password, permission verification is optionally performed, and if that result is also consistent, IP signature verification continues;
23) If the verification result is legal, the server updates the IP stored for the device, generates the JWT and caches it at the server, and responds with the generated JWT to the terminal device;
24) If any of the above verifications fails, the management end is notified to perform exception handling.
In this embodiment, the JWT generation module preferably includes the following:
31) To prolong the service life of devices and save energy, system maintenance personnel may shut down devices that are temporarily unused; so that such a device can be restarted within a short time, the JWT validity period should not be too short and can be set according to the specific service scenario;
32) The JWT generation process can call an existing implementation library of the programming language, or can be coded by hand according to the JWT signing steps;
33) The fixed validity period of the JWT can be realized together with Redis: a permanent JWT is generated with the existing programming library, and a storage expiration time is set when the permanent JWT is stored in Redis, which achieves the expiration of the JWT;
34) Single sign-on can be realized through a JWT blacklist: the old JWT is stored in the blacklist, which improves security;
35) While generating the JWT, a JWT renewal signal with a delay of 1/2 of the JWT expiration time is put into the delayed exchange of RabbitMQ.
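As an added illustration of items 33) and 34) above (and of item 72 of the stored information management module), the following Go example, which is not the patent's own code, keeps a "permanent" HS256 JWT without an exp claim and gives it a fixed validity only through the expiry of the stored entry, the way a Redis key with a TTL would; the previous JWT goes to a blacklist on every re-issue, and extending the validity changes only the stored expiry, never the JWT string. The in-memory maps standing in for Redis, the HMAC secret, the device id and the 16-day validity are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var (
	ErrBadSignature = errors.New("JWT signature invalid")
	ErrBlacklisted  = errors.New("JWT in blacklist")
	ErrExpired      = errors.New("JWT expired or not the device's current JWT")
)

// hs256 returns the base64url HMAC-SHA256 tag over the JWT signing input.
func hs256(secret []byte, input string) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(input))
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// mintJWT builds an HS256 JWT with no exp claim: the token string itself is
// "permanent" (item 33) and its lifetime comes only from the store's expiry.
func mintJWT(secret []byte, deviceID string, issuedAt time.Time) string {
	enc := base64.RawURLEncoding
	jti := make([]byte, 8) // random id so a re-issue in the same second is a new string
	rand.Read(jti)
	payload, _ := json.Marshal(map[string]interface{}{
		"sub": deviceID, "iat": issuedAt.Unix(), "jti": enc.EncodeToString(jti),
	})
	signingInput := enc.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + enc.EncodeToString(payload)
	return signingInput + "." + hs256(secret, signingInput)
}

type entry struct {
	token   string
	expires time.Time
}

// TokenStore stands in for Redis: each device's current JWT under a key with
// an expiry (item 33), plus the JWT blacklist (item 34).
type TokenStore struct {
	secret    []byte
	validity  time.Duration
	byDevice  map[string]entry
	blacklist map[string]time.Time // token -> time after which the entry is moot
}

func NewTokenStore(secret []byte, validity time.Duration) *TokenStore {
	return &TokenStore{secret: secret, validity: validity,
		byDevice: map[string]entry{}, blacklist: map[string]time.Time{}}
}

// Issue mints a JWT for the device (login or renewal). The previous JWT, if
// any, goes to the blacklist so only one JWT per device is live at a time.
func (s *TokenStore) Issue(deviceID string, now time.Time) string {
	if old, ok := s.byDevice[deviceID]; ok {
		s.blacklist[old.token] = old.expires
	}
	tok := mintJWT(s.secret, deviceID, now)
	s.byDevice[deviceID] = entry{token: tok, expires: now.Add(s.validity)}
	return tok
}

// Verify is the JWT half of request interception: signature check as a JWT
// library would do it, then the blacklist, then "still stored and unexpired".
func (s *TokenStore) Verify(deviceID, tok string, now time.Time) error {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 || !hmac.Equal([]byte(hs256(s.secret, parts[0]+"."+parts[1])), []byte(parts[2])) {
		return ErrBadSignature
	}
	if until, ok := s.blacklist[tok]; ok && now.Before(until) {
		return ErrBlacklisted
	}
	cur, ok := s.byDevice[deviceID]
	if !ok || cur.token != tok || !now.Before(cur.expires) {
		return ErrExpired
	}
	return nil
}

// Extend changes only the stored expiry (item 72): the JWT string is unchanged.
func (s *TokenStore) Extend(deviceID string, validity time.Duration, now time.Time) bool {
	cur, ok := s.byDevice[deviceID]
	if !ok {
		return false
	}
	cur.expires = now.Add(validity)
	s.byDevice[deviceID] = cur
	return true
}

// Revoke is the management end manually deleting a device's JWT (item 72).
func (s *TokenStore) Revoke(deviceID string) {
	if cur, ok := s.byDevice[deviceID]; ok {
		s.blacklist[cur.token] = cur.expires
		delete(s.byDevice, deviceID)
	}
}

func main() {
	s := NewTokenStore([]byte("constructed-demo-secret"), 16*24*time.Hour)
	now := time.Now()
	tok := s.Issue("device-01", now)
	fmt.Println("fresh:", s.Verify("device-01", tok, now))
	fmt.Println("after 17 days:", s.Verify("device-01", tok, now.Add(17*24*time.Hour)))
}
```

Because the token carries no exp claim, a verifier that only checks the HMAC would accept it forever; the store lookup is therefore not optional, and a blacklist entry only needs to live until the revoked token's original stored expiry, after which the lookup rejects it anyway.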
In this embodiment, preferably, the IP signature generation module generates a signature value of the terminal device IP based on a digital signature algorithm, including the following:
41) First the terminal device IP and the validity-deadline timestamp are spliced into one piece of data in a fixed format, then a hash algorithm is applied to the spliced data to produce a fixed-length string, and finally the resulting string is signed with the private key of the terminal device to obtain the signature value of the terminal device IP;
42) The fixed format used to splice the IP and the timestamp is plain string concatenation or JSON-format splicing; the hash algorithm applied to the spliced data can be chosen from SHA-1, SHA-256 and SHA-512; the validity time of the timestamp can be set dynamically according to network conditions and should be neither too long nor too short.
In this embodiment, preferably, the IP signature verification module is configured to verify that the IP signature is legal, including the following:
51) Verifying whether the timestamp is within the validity period: the current timestamp is compared with the timestamp in the request to check whether the IP signature has expired; if not, whether the IP signature has been used is verified;
52) Verifying whether the IP signature has been used: the system stores all IP signatures used within the validity time and checks whether the IP signature of the current request is in the used list; if not, the current IP signature is being used for the first time, and whether the stored IP is empty is verified next;
53) Verifying whether the stored IP is empty: the device information corresponding to the request is obtained from the JWT, and whether the stored IP is empty is judged; if it is empty, the device is online for the first time and the IP signature verification result is legal; if not, whether the IP is in the whitelist is verified;
54) Verifying whether the IP is in the whitelist: the IP whitelist stored for the device is compared with the IP of the current request, and if the requesting IP is in the whitelist, the consistency of the data decrypted from the IP signature with the data obtained by the server's hash calculation of the original values is verified;
55) Verifying whether the decrypted data is consistent with the hash calculation data: the IP of the current device request and the timestamp in the request are spliced in the fixed format and hashed with the specific hash algorithm to obtain H1; the server decrypts the IP signature in the request with the public key to obtain a string H2; H1 and H2 are compared, and if they are consistent, the IP signature is legal;
56) The spliced data format and the hash calculation method must be consistent with those of the IP signature generation module; the IP whitelist of each device may contain several IPs;
57) When verification fails in step 51), 52), 54) or 55), the management end must be notified to perform exception handling.
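The following Go example is added to show items 41)-42) and 51)-57) together (the same check sequence as step S5 of the method); it is not the patent's own implementation. ECDSA P-256 is used for the signature, "ip|timestamp" for the splice format and SHA-256 for the hash, all of which are choices the page leaves open; the used-signature list is an in-memory map with per-entry expiry instead of Redis, the 3-minute retention comes from step S5, and the IPs are constructed sample values. Because ECDSA verification does not "decrypt" the signature back into a hash, the consistency check of item 55) is a verify call over the recomputed hash.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// SignedRequest is what the terminal device attaches to a request: the raw IP,
// the raw validity-deadline timestamp and the signature over their hash.
type SignedRequest struct {
	IP        string
	ExpiresAt int64  // Unix seconds after which the signature is no longer valid
	Signature []byte // DER-encoded ECDSA signature (assumed encoding)
}

// NewDeviceKey is the key-pair generation of item 12); ECDSA is one of the
// algorithms the page lists, the P-256 curve is an assumption.
func NewDeviceKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// spliceAndHash is item 41): splice IP and timestamp in a fixed format (here
// "ip|timestamp", an assumed format) and hash with SHA-256. Generation and
// verification must use exactly the same format and hash (item 56).
func spliceAndHash(ip string, expiresAt int64) []byte {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%s|%d", ip, expiresAt)))
	return sum[:]
}

// SignIP runs on the device: only the holder of the private key can produce it.
func SignIP(priv *ecdsa.PrivateKey, ip string, expiresAt int64) (SignedRequest, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, priv, spliceAndHash(ip, expiresAt))
	if err != nil {
		return SignedRequest{}, err
	}
	return SignedRequest{IP: ip, ExpiresAt: expiresAt, Signature: sig}, nil
}

// DeviceRecord is the server-side state for one device.
type DeviceRecord struct {
	PublicKey *ecdsa.PublicKey
	StoredIP  string   // empty until the first successful login (item 53)
	Whitelist []string // item 54); a device may have several whitelisted IPs
}

// Verifier keeps the used-signature list of item 52) with per-entry expiry,
// the in-memory equivalent of a Redis key with a TTL.
type Verifier struct {
	used    map[string]time.Time // hex(signature) -> time the entry may be dropped
	usedTTL time.Duration
}

func NewVerifier(usedTTL time.Duration) *Verifier {
	return &Verifier{used: map[string]time.Time{}, usedTTL: usedTTL}
}

func contains(list []string, s string) bool {
	for _, x := range list {
		if x == s {
			return true
		}
	}
	return false
}

// Verify applies items 51)-55) in order. It returns "" when the signature is
// legal, otherwise the reason to report to the management end (item 57).
func (v *Verifier) Verify(dev *DeviceRecord, req SignedRequest, now time.Time) string {
	if now.Unix() > req.ExpiresAt { // 51) timestamp within validity period
		return "IP signature not in validity period"
	}
	key := hex.EncodeToString(req.Signature)
	if until, ok := v.used[key]; ok && now.Before(until) { // 52) replay
		return "IP signature already used"
	}
	if dev.StoredIP == "" { // 53) first login: accepted, signature recorded as used
		v.used[key] = now.Add(v.usedTTL)
		return ""
	}
	if !contains(dev.Whitelist, req.IP) { // 54) whitelist
		return "request IP not in whitelist"
	}
	// 55) recompute the hash from the raw values in the request and check the
	// signature with the device's public key (the page's "decrypt and compare").
	if !ecdsa.VerifyASN1(dev.PublicKey, spliceAndHash(req.IP, req.ExpiresAt), req.Signature) {
		return "IP signature inconsistent with hash"
	}
	v.used[key] = now.Add(v.usedTTL)
	return ""
}

func main() {
	priv, err := NewDeviceKey()
	if err != nil {
		panic(err)
	}
	dev := &DeviceRecord{PublicKey: &priv.PublicKey, StoredIP: "10.0.0.8", Whitelist: []string{"10.0.0.8"}}
	v := NewVerifier(3 * time.Minute) // step S5 keeps used signatures for 3 minutes
	now := time.Now()
	req, _ := SignIP(priv, "10.0.0.8", now.Add(30*time.Second).Unix())
	fmt.Printf("first use: %q\n", v.Verify(dev, req, now))
	fmt.Printf("replayed:  %q\n", v.Verify(dev, req, now))
}
```

Two points the check order makes visible: the used-list retention must be at least as long as the signature validity window (item 93), otherwise a signature could be replayed after its used entry is dropped but before its own deadline; and the first-login branch of item 53) accepts the request without checking the signature at all, which the page justifies by the account and password being handed over on paper, so the stored IP must be written immediately on that login so the branch cannot be taken twice.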
In this embodiment, preferably, the JWT renewal module is configured to implement automatic renewal of a JWT with a fixed validity period, including the following:
61) After the terminal device logs in, the server puts a JWT renewal signal with a delay of 1/2 of the JWT expiration time into the delayed exchange of RabbitMQ, and the server checks at regular intervals whether the JWT renewal signal of the current device has been answered;
62) If the signal exceeds the response time without being answered, the server puts a JWT renewal signal with a delay of 7/8 of the JWT expiration time into the delayed exchange of RabbitMQ, and the server again checks at regular intervals whether the JWT renewal signal of the current device has been answered;
63) If that signal also exceeds the response time without being answered, the server puts a JWT renewal signal with a delay close to but less than 1 times the JWT expiration time into the delayed exchange of RabbitMQ;
64) Whether or not this JWT renewal signal is answered, the device's JWT renewal process for the current period ends;
65) If the JWT renewal signal of step 63) is not answered within a predetermined time, the management end may be notified to perform exception handling.
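An added Go example, not from the patent, for items 61)-65) and the 16-day schedule of step S10: it derives the three delays (1/2, 7/8 and close to but less than 1 of the expiration time, measured from the previous signal), builds the x-delay header that the rabbitmq_delayed_message_exchange plugin reads (an assumption about the middleware; nothing here talks to a broker), and simulates the server's side of the cycle, in which the first answered signal ends it and an unanswered last signal triggers the notification. The margin before expiry for the last signal is a parameter because the page gives no value for it.

```go
package main

import (
	"fmt"
	"time"
)

// RenewalSignal is one delayed "JWT renewal" message of items 61)-63).
type RenewalSignal struct {
	Name   string
	Delay  time.Duration // delay set on the message, counted from the previous signal
	FireAt time.Duration // offset from JWT issue at which the signal fires
}

// Schedule produces the three signals at 1/2, 7/8 and "close to but less
// than 1" of the expiration time; margin is how far before expiry the last
// one fires (assumed parameter).
func Schedule(expiry, margin time.Duration) []RenewalSignal {
	fireAt := []time.Duration{expiry / 2, expiry * 7 / 8, expiry - margin}
	names := []string{"1/2", "7/8", "<1"}
	out := make([]RenewalSignal, 0, 3)
	prev := time.Duration(0)
	for i, at := range fireAt {
		out = append(out, RenewalSignal{Name: names[i], Delay: at - prev, FireAt: at})
		prev = at
	}
	return out
}

// DelayHeader is the AMQP header a delayed-message exchange reads (assumes the
// rabbitmq_delayed_message_exchange plugin, whose header is x-delay in ms).
func DelayHeader(sig RenewalSignal) map[string]int64 {
	return map[string]int64{"x-delay": int64(sig.Delay / time.Millisecond)}
}

// Outcome of one renewal cycle for one JWT.
type Outcome struct {
	Renewed     bool
	RenewedAt   time.Duration // offset from issue, meaningful only if Renewed
	NotifyAdmin bool          // item 65): no signal was answered in time
}

// Run drives the server side of the cycle. answered models whether the device
// replied to a signal; the first answered signal ends the cycle (item 64), and
// if the last one is also unanswered the management end is notified (item 65).
func Run(expiry, margin time.Duration, answered func(RenewalSignal) bool) Outcome {
	for _, sig := range Schedule(expiry, margin) {
		if answered(sig) {
			return Outcome{Renewed: true, RenewedAt: sig.FireAt}
		}
	}
	return Outcome{NotifyAdmin: true}
}

func main() {
	day := 24 * time.Hour
	for _, sig := range Schedule(16*day, time.Hour) { // the embodiment's 16-day JWT
		fmt.Printf("signal %-4s delay %v fires at day %.1f x-delay=%d\n",
			sig.Name, sig.Delay, sig.FireAt.Hours()/24, DelayHeader(sig)["x-delay"])
	}
	// A device that only answers once 14 days have passed (e.g. it was offline).
	fmt.Printf("%+v\n", Run(16*day, time.Hour, func(s RenewalSignal) bool { return s.FireAt >= 14*day }))
}
```

With a 16-day JWT the delays come out as 8 days, 6 days and 2 days minus the margin, matching JWT8, JWT6 and JWT2 of step S10; the margin has to cover queue delivery plus the device's update round trip, or the renewal reply can arrive after the JWT has already expired and the device is forced back to login.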
In this embodiment, preferably, the stored information management module is configured to maintain the stored data of the various databases, including the following:
71) The databases store device basic information, device account information, the device IP whitelist, the device public key, device JWT information, the JWT expiration time setting, the JWT blacklist, the used IP signature list, the hash algorithm, the data splicing format and other data required by the business, and the management end can display the binding relationship between the various basic data and the device intuitively;
72) The management end can manually delete the JWT of a specific device, lengthen or shorten the JWT validity period of a specific device, maintain the JWT blacklist and maintain the IP whitelist; lengthening or shortening the validity period here does not change the JWT string itself;
73) The management end can maintain the binding relationship between the account and the basic information of the device, decoupling device login from device information.
In this embodiment, preferably, the exception management module is configured to notify the management end of abnormal information when a device logs in or requests a service, and mainly includes:
81) When necessary, the server notifies the management end of exception information including: device login account or password error, device request IP not in the whitelist, IP signature not within the validity period, IP signature already used, JWT verification failure, JWT renewal failure, and other necessary information;
82) After receiving the abnormal information, the management end can take corresponding action; for example, on receiving the information that the device request IP is not in the whitelist, the management end can modify the device IP whitelist or reject access from that IP.
In this embodiment, preferably, the service request management module is configured to process the terminal device's requests for server resources, and includes the following:
91) All requests from the terminal device must carry an IP signature, and all requests except the login request must carry the JWT;
92) The terminal device generates the IP signature locally and initiates the request to the server carrying the IP signature, the original timestamp, the JWT and the other request parameters; the server applies unified interception to all requests from the terminal device, and only if the JWT verification passes and the IP signature verification is legal does the server release the request and allow resource access;
93) When the IP signature is verified, the server adds the current IP signature to the used list, and the server keeps all used IP signatures for the validity time range of a single IP signature;
94) If the request is not a JWT update request, normal business processing is performed and the result is returned to the terminal device; if it is a JWT update request, the server regenerates the JWT, updates the stored JWT of the terminal device and returns the JWT to the terminal device.
The device login-free identity verification method based on a renewable JWT and IP signature uses the verification system described above and comprises the following specific steps:
S1: generating an asymmetric key pair for each terminal device based on a digital signature algorithm, importing each private key into its terminal device, importing the corresponding public key into the server, and storing the correspondence between the public key and the device at the server;
S2: creating an account at the management end and binding the account to the device location and public key information;
S3: logging in with the account and password at the terminal device login interface, carrying, in addition to the request parameters, the signature of the hash value computed over the device IP and a timestamp together with the original value of the timestamp;
S4: verifying at the server whether the account password is correct; if not, returning to step S3, otherwise executing step S5;
S5: verifying the signature of the login request at the server: first, the current timestamp is compared with the timestamp carried in the request to judge whether the IP signature is within its validity period; if not, step S7 is executed, otherwise verification continues; second, whether the IP signature has been used is verified; if so, step S7 is executed, otherwise verification continues; third, whether the stored IP of the device is empty is verified; if it is empty, the device is logging in for the first time, and since the account and password for the first login are handed to the engineer on paper, the signature can be directly regarded as legal, the signature is added to the used list with its expiration time set to 3 minutes, and step S6 is executed; if the stored IP of the device is not empty, verification continues; fourth, whether the IP is in the whitelist is verified by comparing the IP whitelist stored for the device with the IP of the current request; if the requesting IP is not in the whitelist, step S7 is executed, otherwise verification continues; finally, the consistency of the data decrypted from the IP signature with the data obtained by the server's hash calculation of the original values is verified: the server decrypts the IP signature with the public key corresponding to the requesting device to obtain a hash value H1, splices the IP of the requesting device with the timestamp carried in the request in the same way as the terminal device and computes the hash value to obtain H2, and compares H1 with H2; if they are inconsistent, the IP signature of the request is judged illegal and step S7 is executed; if they are consistent, the signature is judged legal, added to the used list with its expiration time set to 3 minutes, and step S6 is executed;
S6: storing or updating the IP of the terminal device, then executing step S8;
S7: notifying the management end of the abnormal login information (the device login account or password is wrong, the device request IP is not in the whitelist, or the IP signature is not within the validity period), and returning to step S3;
S8: the server generates a JWT with a validity period of 16 days and caches it at the server, then responds with the JWT to the terminal device;
S9: from here the terminal device and the server work in parallel;
S10: at the server, the JWT renewal signal is delayed with the RabbitMQ delayed exchange, and whether the signal has been answered is checked at regular intervals; after the terminal device logs in with its account and password, the server generates a JWT renewal signal with an 8-day delay, referred to as JWT8; if JWT8 is answered, the current JWT renewal flow ends and step S17 is executed; if JWT8 is not answered, the server generates a JWT renewal signal with a 6-day delay, referred to as JWT6; if JWT6 is answered, the current JWT renewal flow likewise ends and step S17 is executed; if JWT6 is not answered, the server generates a JWT renewal signal with a delay close to but less than 2 days, referred to as JWT2; finally, whether or not JWT2 is answered, the server's current JWT renewal flow ends and step S17 is executed, and if JWT2 has not been answered after the timeout, the management end is notified of the abnormal information, namely that the JWT renewal of the device failed;
S11: the terminal device listens on the RabbitMQ message queue; when a JWT renewal signal is received, the JWT update operation is performed, and after it completes the JWT renewal signal is answered;
S12: the terminal device carries the JWT, the signature of the hash value of the device IP and timestamp, and the original timestamp, and performs the service request;
S13: the server applies unified interception to all requests from the terminal device and releases a request only if the JWT is verified as valid and the IP signature is verified as legal; the JWT verification can be implemented with an existing programming library, Redis and the JWT blacklist, and the IP signature verification is the same as in step S5; if the request is legal, step S15 is executed, and if it is illegal, step S14;
S14: notifying the management end of the abnormal information (the request IP is not in the whitelist, the IP signature is not within the validity period, or the JWT verification failed), and returning to step S3;
S15: the server judges whether the request from the terminal device is a JWT update request; if so, it returns to step S8; if not, step S16 is executed;
S16: the server processes the normal service request and responds with the data to the terminal device;
S17: the single service request or the single JWT renewal signal ends.
Although embodiments of the present invention have been shown and described, it will be understood by those skilled in the art that various changes, modifications, substitutions and alterations can be made therein without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.

Claims (10)

1. The device login-free identity verification system based on a renewable JWT and IP signature, characterized in that: the system comprises a basic information configuration module, a login verification module, an authentication module, a service request management module, a JWT renewal module and a global module;
the authentication module comprises a JWT module and an IP signature module; the JWT module comprises a JWT generation module and a JWT verification module; the IP signature module comprises an IP signature generation module and an IP signature verification module;
the global module comprises a stored information management module and an exception management module;
the basic information configuration module is used for configuring an account for the terminal device and generating a key pair for the terminal device and the server;
the login verification module is used for processing the terminal device login service, covering both the first login of a device and re-login after a device exits;
the JWT generation module is used for generating a JWT with a fixed validity period at the server;
the JWT verification module is used for verifying the validity of the JWT;
the IP signature generation module generates a signature value of the terminal device IP based on a digital signature algorithm;
the IP signature verification module is used for verifying the legitimacy of the IP signature;
the JWT renewal module is used for automatically renewing the JWT of fixed validity period;
the stored information management module is used for maintaining the stored data of the various databases;
the exception management module is used for notifying the management end of abnormal information when the terminal device logs in or requests a service;
the service request management module is used for processing the terminal device's requests for server resources.
2. The device login-free identity verification system based on a renewable JWT and IP signature of claim 1, wherein: the basic information configuration module specifically comprises: 11) The management end creates an account and a password and binds the account to specific terminal device information; the password is stored as ciphertext, so the plaintext password must be recorded on paper;
12) The management end generates a key pair for the digital signature, imports the private key into the specific terminal device, imports the public key into the server and binds it to the terminal device information corresponding to the private key; the optional key lengths include 512 bits, 1024 bits and 2048 bits, and the optional digital signature algorithms are DSA, RSA, ECDSA and SM2.
3. The device login-free identity verification system based on a renewable JWT and IP signature of claim 1, wherein: the login verification module comprises the following: 21) The terminal device generates an IP signature and transmits the account, the password, the IP signature and the original (unsigned) value to the server;
22) If the account and password match the stored account and password, permission verification is optionally performed, and if that result is also consistent, IP signature verification continues;
23) If the verification result is legal, the server updates the IP stored for the device, generates the JWT and caches it at the server, and responds with the generated JWT to the terminal device;
24) If any of the above verifications fails, the management end is notified to perform exception handling.
4. The device login-free identity verification system based on a renewable JWT and IP signature of claim 1, wherein: the JWT generation module comprises the following:
31) To prolong the service life of devices and save energy, system maintenance personnel may shut down devices that are temporarily unused; so that such a device can be restarted within a short time, the JWT validity period should not be too short and can be set according to the specific service scenario;
32) The JWT generation process can call an existing implementation library of the programming language, or can be coded by hand according to the JWT signing steps;
33) The fixed validity period of the JWT can be realized together with Redis: a permanent JWT is generated with the existing programming library, and a storage expiration time is set when the permanent JWT is stored in Redis, which achieves the expiration of the JWT;
34) Single sign-on can be realized through a JWT blacklist: the old JWT is stored in the blacklist, which improves security;
35) While generating the JWT, a JWT renewal signal with a delay of 1/2 of the JWT expiration time is put into the delayed exchange of RabbitMQ.
5. The device login-free identity verification system based on a renewable JWT and IP signature of claim 1, wherein: the IP signature generation module generates a signature value of the terminal device IP based on a digital signature algorithm, and comprises the following:
41) First the terminal device IP and the validity-deadline timestamp are spliced into one piece of data in a fixed format, then a hash algorithm is applied to the spliced data to produce a fixed-length string, and finally the resulting string is signed with the private key of the terminal device to obtain the signature value of the terminal device IP;
42) The fixed format used to splice the IP and the timestamp is plain string concatenation or JSON-format splicing; the hash algorithm applied to the spliced data can be chosen from SHA-1, SHA-256 and SHA-512; the validity time of the timestamp can be set dynamically according to network conditions and should be neither too long nor too short.
6. The device login-free identity verification system based on a renewable JWT and IP signature of claim 1, wherein: the IP signature verification module is used for verifying that the IP signature is legal and comprises the following:
51) Verifying whether the timestamp is within the validity period: the current timestamp is compared with the timestamp in the request to check whether the IP signature has expired; if not, whether the IP signature has been used is verified;
52) Verifying whether the IP signature has been used: the system stores all IP signatures used within the validity time and checks whether the IP signature of the current request is in the used list; if not, the current IP signature is being used for the first time, and whether the stored IP is empty is verified next;
53) Verifying whether the stored IP is empty: the device information corresponding to the request is obtained from the JWT, and whether the stored IP is empty is judged; if it is empty, the device is online for the first time and the IP signature verification result is legal; if not, whether the IP is in the whitelist is verified;
54) Verifying whether the IP is in the whitelist: the IP whitelist stored for the device is compared with the IP of the current request, and if the requesting IP is in the whitelist, the consistency of the data decrypted from the IP signature with the data obtained by the server's hash calculation of the original values is verified;
55) Verifying whether the decrypted data is consistent with the hash calculation data: the IP of the current device request and the timestamp in the request are spliced in the fixed format and hashed with the specific hash algorithm to obtain H1; the server decrypts the IP signature in the request with the public key to obtain a string H2; H1 and H2 are compared, and if they are consistent, the IP signature is legal;
56) The spliced data format and the hash calculation method must be consistent with those of the IP signature generation module; the IP whitelist of each device may contain several IPs;
57) When verification fails in step 51), 52), 54) or 55), the management end must be notified to perform exception handling.
7. The device login-free identity verification system based on a renewable JWT and IP signature of claim 1, wherein: the JWT renewal module is used for automatically renewing a JWT with a fixed validity period, and comprises the following:
61) After the terminal device logs in, the server puts a JWT renewal signal with a delay of 1/2 of the JWT expiration time into the delayed exchange of RabbitMQ, and the server checks at regular intervals whether the JWT renewal signal of the current device has been answered;
62) If the signal exceeds the response time without being answered, the server puts a JWT renewal signal with a delay of 7/8 of the JWT expiration time into the delayed exchange of RabbitMQ, and the server again checks at regular intervals whether the JWT renewal signal of the current device has been answered;
63) If that signal also exceeds the response time without being answered, the server puts a JWT renewal signal with a delay close to but less than 1 times the JWT expiration time into the delayed exchange of RabbitMQ;
64) Whether or not this JWT renewal signal is answered, the device's JWT renewal process for the current period ends;
65) If the JWT renewal signal of step 63) is not answered within a predetermined time, whether to notify the management end for exception handling is selectable.
8. The renewable-JWT-and-IP-signature-based device login-free authentication system of claim 1, wherein the storage information management module maintains the data stored in the database and comprises:
71) The database stores device basic information, device account information, the device IP whitelist, the device public key, the device's JWT, the JWT expiration time setting, the JWT blacklist, the list of used IP signatures, the hash algorithm, the data splice format and other data required by the business; the management end displays the binding between each kind of basic data and the device;
72) The management end can manually delete the JWT of a specific device, lengthen or shorten the validity period of a specific device's JWT, maintain the JWT blacklist and maintain the IP whitelist; lengthening or shortening the validity period changes only the server-side record and leaves the JWT string itself unchanged;
73) The management end maintains the binding between the account and the device basic information, so that device login is decoupled from device information.
9. The renewable-JWT-and-IP-signature-based device login-free authentication system of claim 1, wherein the abnormality management module notifies the management end of exception information when a device logs in or requests a service, and mainly comprises:
81) Where necessary, the server notifies the management end of exception information including: wrong device login account or password, device request IP not in the whitelist, IP signature outside its validity period, IP signature already used, JWT verification failure, JWT renewal failure, and other necessary information;
82) After receiving the exception information, the management end takes the corresponding action; for example, on receiving "device request IP not in the whitelist" it may modify the device's IP whitelist or reject access from that IP;
the service request management module processes requests from terminal devices to the server for resources and comprises:
91) Every request from a terminal device carries an IP signature, and every request except the login request also carries the JWT;
92) The terminal device generates the IP signature locally and sends it, the original timestamp, the JWT and the other request parameters to the server; the server intercepts all requests from terminal devices uniformly and releases a request, allowing access to the resource, only if JWT verification passes and the IP signature is verified legal;
93) When an IP signature passes verification, the server adds it to the used list; the server keeps every used IP signature for the validity window of a single IP signature;
94) If the request is not a JWT update request, normal business processing is carried out and the result is returned to the terminal device; if it is a JWT update request, the server regenerates the JWT, updates the stored JWT of the terminal device and returns the new JWT to the terminal device.
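The JWT half of the server-side interception in claim 9 (step 92, and step S13 of claim 10), together with the management operations of claim 8 step 72 (delete, blacklist, lengthen or shorten validity without changing the token string) and the cache-and-replace behaviour of step 94, as an added Go example; this is illustrative code, not the patent's implementation, which says only that an existing JWT library, Redis and a blacklist are used. It assumes an HS256 JWT signed with a server secret, an in-memory map standing in for Redis, and that the server-side expiry record, not the exp claim inside the token, is what the interceptor enforces, since that is the only way step 72 can lengthen a token without reissuing it. Key, device ID and clock values are constructed for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var (
	ErrFormat      = errors.New("JWT verification failure: malformed token")
	ErrAlg         = errors.New("JWT verification failure: unexpected alg")
	ErrMAC         = errors.New("JWT verification failure: bad signature")
	ErrJWTExpired  = errors.New("JWT verification failure: expired on the server record")
	ErrBlacklisted = errors.New("JWT verification failure: token is blacklisted")
	ErrStale       = errors.New("JWT verification failure: not the JWT cached for this device")
)

type claims struct {
	Sub string `json:"sub"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}

// tokenRecord is the server-side copy of a device's JWT (S8). Exp is the
// validity the server enforces; step 72 moves it without reissuing the token,
// so it may legitimately differ from the exp claim inside the JWT.
type tokenRecord struct {
	Token string
	Exp   int64
}

type TokenStore struct {
	key       []byte
	validity  time.Duration
	issued    map[string]*tokenRecord // device ID -> current JWT (stands in for Redis)
	blacklist map[string]bool         // raw JWT strings (step 71)
}

func NewTokenStore(key []byte, validity time.Duration) *TokenStore {
	return &TokenStore{key: key, validity: validity, issued: map[string]*tokenRecord{}, blacklist: map[string]bool{}}
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func (s *TokenStore) mac(signingInput string) string {
	m := hmac.New(sha256.New, s.key)
	m.Write([]byte(signingInput))
	return b64(m.Sum(nil))
}

func decodePart(part string, v interface{}) error {
	raw, err := base64.RawURLEncoding.DecodeString(part)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// Issue mints a fixed-validity HS256 JWT and caches it as the device's only
// valid token (S8); a renewal (step 94) therefore retires the previous string.
func (s *TokenStore) Issue(deviceID string, now time.Time) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	exp := now.Add(s.validity).Unix()
	pl, _ := json.Marshal(claims{Sub: deviceID, Iat: now.Unix(), Exp: exp})
	in := b64(hdr) + "." + b64(pl)
	tok := in + "." + s.mac(in)
	s.issued[deviceID] = &tokenRecord{Token: tok, Exp: exp}
	return tok
}

// Adjust lengthens (delta > 0) or shortens (delta < 0) the server-side validity
// of a device's JWT; the token string is untouched (step 72).
func (s *TokenStore) Adjust(deviceID string, delta time.Duration) bool {
	r, ok := s.issued[deviceID]
	if ok {
		r.Exp += int64(delta / time.Second)
	}
	return ok
}

// Revoke deletes the device's JWT and blacklists the string (step 72).
func (s *TokenStore) Revoke(deviceID string) {
	if r, ok := s.issued[deviceID]; ok {
		s.blacklist[r.Token] = true
		delete(s.issued, deviceID)
	}
}

// Verify is the JWT check of the interceptor (step 92 / S13) and returns the device ID.
func (s *TokenStore) Verify(tok string, now time.Time) (string, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return "", ErrFormat
	}
	var hdr struct{ Alg string `json:"alg"` }
	if decodePart(parts[0], &hdr) != nil {
		return "", ErrFormat
	}
	if hdr.Alg != "HS256" { // pin the algorithm; the token never gets to choose it
		return "", ErrAlg
	}
	in := parts[0] + "." + parts[1]
	if !hmac.Equal([]byte(s.mac(in)), []byte(parts[2])) { // constant-time compare
		return "", ErrMAC
	}
	var c claims
	if decodePart(parts[1], &c) != nil || c.Sub == "" {
		return "", ErrFormat
	}
	if s.blacklist[tok] {
		return "", ErrBlacklisted
	}
	r, ok := s.issued[c.Sub]
	if !ok || r.Token != tok {
		return "", ErrStale
	}
	if now.Unix() >= r.Exp { // the server record decides, not the exp claim
		return "", ErrJWTExpired
	}
	return c.Sub, nil
}

// DemoJWT walks the token lifecycle on a fixed clock and returns six outcomes.
func DemoJWT() []error {
	s := NewTokenStore([]byte("constructed-demo-key-do-not-reuse"), time.Hour)
	t0 := time.Unix(1700000000, 0)
	var out []error
	check := func(t string, at time.Duration) { _, err := s.Verify(t, t0.Add(at)); out = append(out, err) }
	tok := s.Issue("dev-001", t0)
	check(tok, 30*time.Minute) // fresh: accepted
	s.Adjust("dev-001", -45*time.Minute)
	check(tok, 30*time.Minute) // shortened server-side: rejected, same string
	s.Adjust("dev-001", 2*time.Hour)
	check(tok, 90*time.Minute) // lengthened past the token's own exp: accepted
	forged := b64([]byte(`{"alg":"none","typ":"JWT"}`)) + "." + strings.Split(tok, ".")[1] + "."
	check(forged, 0) // alg-confusion attempt: rejected
	tok2 := s.Issue("dev-001", t0.Add(40*time.Minute))
	check(tok, 41*time.Minute) // renewed: the old string is no longer the cached one
	s.Revoke("dev-001")
	check(tok2, 42*time.Minute) // deleted and blacklisted by the management end
	return out
}

func main() {
	for i, err := range DemoJWT() {
		fmt.Printf("check %d: %v\n", i+1, err)
	}
}
```

Because only the cached string for a device is accepted, a renewal under step 94 invalidates the previous JWT immediately even though that JWT still carries a future exp claim; the blacklist is only needed for tokens the management end deletes outright.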
10. A device login-free identity verification method based on renewable JWT and IP signature, characterized in that it uses the verification system of any one of claims 1-9 and comprises the following steps:
S1: generating an asymmetric key pair for each terminal device with a digital signature algorithm, importing the private key into the terminal device and the corresponding public key into the server, and storing the correspondence between the public key and the device at the server;
S2: creating an account at the management end and binding it to the device's location and public key information;
S3: logging in at the terminal device's login interface with account and password; besides the request parameters, the request carries a signature over the hash of the device IP and a timestamp, together with the original timestamp;
S4: verifying at the server whether the account and password are correct; if not, returning to step S3, otherwise executing step S5;
S5: verifying the signature of the login request at the server: first, comparing the current timestamp with the timestamp carried in the request to judge whether the IP signature is within its validity period; if not, executing step S7, otherwise continuing; second, verifying whether the IP signature has already been used; if so, executing step S7, otherwise continuing; third, verifying whether the IP stored for the device is empty; if so, this is the device's first login (the account and password having been handed to the engineer on paper for the first login), the signature is accepted as legal without further checks, added to the used list, and step S6 is executed; otherwise continuing; fourth, verifying whether the request IP is in the whitelist by comparing the IP whitelist stored for the device with the IP of the current request; if not, executing step S7, otherwise continuing; finally, verifying that the data recovered from the IP signature matches the hash computed by the server over the original values: the server decrypts the IP signature with the public key of the requesting device to obtain the hash value H2, splices the IP of the requesting device and the timestamp carried in the request in the same way as the terminal device and hashes the result to obtain H1, and compares H1 and H2; if they differ, the IP signature of the request is judged illegal and step S7 is executed; if they match, the signature is judged legal, added to the used list, and step S6 is executed;
S6: storing or updating the IP of the terminal device, then executing step S8;
S7: notifying the management end of the login exception (wrong device login account or password, device request IP not in the whitelist, or IP signature outside its validity period) and returning to step S3;
S8: the server generates a JWT with a fixed validity period, caches it at the server and returns it to the terminal device;
S9: from here on the terminal device and the server work in parallel;
S10: at the server, the JWT renewal signals are delayed with the RabbitMQ delayed exchange and checked periodically for a response; after the terminal device logs in with account and password, the server generates a JWT renewal signal with a delay of 1/2 of the JWT expiration time, called JWT8 for short; if JWT8 is answered, the current JWT renewal flow ends and step S17 is executed; if JWT8 is not answered, the server generates a JWT renewal signal with a delay of a further 3/8 of the JWT expiration time (7/8 of the expiration time counted from login, as in step 62 of claim 7), called JWT6 for short; if JWT6 is answered, the current JWT renewal flow likewise ends and step S17 is executed; if JWT6 is not answered, the server generates a JWT renewal signal with a delay close to, but less than, the full JWT expiration time, called JWT2; finally, whether or not JWT2 is answered, the server's current JWT renewal flow ends and step S17 is executed; if JWT2 is not answered before the timeout, the management end is notified of the exception, namely that JWT renewal for the device failed;
S11: the terminal device listens on the RabbitMQ message queue; when a JWT renewal signal is received it performs the JWT update operation and, once that completes, answers the renewal signal;
S12: the terminal device sends the service request carrying the JWT, the signature over the hash of the device IP and the timestamp, and the original timestamp;
S13: the server intercepts all requests from terminal devices uniformly and releases a request only if JWT verification passes and the IP signature is verified legal; JWT verification may be implemented with an existing JWT library together with Redis and the JWT blacklist, and the IP signature is verified as in step S5; if the request is legal, executing step S15, otherwise executing step S14;
S14: notifying the management end of the request exception (request IP not in the whitelist, IP signature outside its validity period, or JWT verification failure) and returning to step S3;
S15: the server judges whether the terminal device's request is a JWT update request; if so, returning to step S8; if not, executing step S16;
S16: processing the normal service request at the server and returning the data to the terminal device;
S17: the single service request or the single JWT renewal signal ends.
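The renewal schedule of claim 7 (steps 61 to 65) and step S10 above, as an added Go example that is not part of the patent: it derives the three delayed-exchange offsets from the JWT expiration time and simulates the server's escalation loop on a virtual clock, since the RabbitMQ delayed exchange itself cannot run offline. The per-signal response timeout and the margin before expiry for the third signal are assumptions (the claims say only "close to but less than" the expiration time); the device's answer latencies are constructed for the demo.

```go
package main

import (
	"fmt"
	"time"
)

// RenewalResult records one server-side renewal cycle for a device.
type RenewalResult struct {
	SignalsSent []time.Duration // offsets from login at which a renewal signal was published
	RenewedAt   time.Duration   // offset at which the device answered; zero if it never did
	NotifyAdmin bool            // set when the last signal timed out (step 65 / S10)
}

// RenewalPlan derives the delayed-exchange offsets from the JWT expiration
// time T: 1/2 T, 7/8 T and T minus a margin (steps 61-63; S10 phrases the
// second as 3/8 T after the first). The margin is an assumption.
func RenewalPlan(exp, margin time.Duration) [3]time.Duration {
	return [3]time.Duration{exp / 2, exp * 7 / 8, exp - margin}
}

// RunRenewal simulates the server loop of claim 7. answerDelay(i) is how long
// after signal i the device answers it, or negative if it never does;
// responseWait is the server's per-signal response timeout.
func RunRenewal(exp, margin, responseWait time.Duration, answerDelay func(i int) time.Duration) RenewalResult {
	var res RenewalResult
	for i, at := range RenewalPlan(exp, margin) {
		res.SignalsSent = append(res.SignalsSent, at)
		if d := answerDelay(i); d >= 0 && d <= responseWait {
			res.RenewedAt = at + d // answered in time: the cycle ends here
			return res
		}
		// unanswered within responseWait: escalate to the next, later signal
	}
	// the third signal is the last whether answered or not (step 64); only its
	// timeout is reported to the management end (step 65)
	res.NotifyAdmin = true
	return res
}

// AllBeforeExpiry checks the property the schedule depends on: every signal,
// plus the time the server waits for its answer, lands before the JWT expires.
func AllBeforeExpiry(exp, margin, responseWait time.Duration) bool {
	for _, at := range RenewalPlan(exp, margin) {
		if at+responseWait >= exp {
			return false
		}
	}
	return true
}

func main() {
	exp := 8 * time.Hour
	missesFirst := func(i int) time.Duration {
		if i == 1 {
			return 10 * time.Second // constructed: device misses JWT8, answers JWT6
		}
		return -1
	}
	fmt.Printf("%+v\n", RunRenewal(exp, time.Minute, 30*time.Second, missesFirst))
	fmt.Printf("%+v\n", RunRenewal(exp, time.Minute, 30*time.Second, func(int) time.Duration { return -1 }))
	fmt.Println("schedule safe:", AllBeforeExpiry(exp, time.Minute, 30*time.Second))
}
```

AllBeforeExpiry is the check worth keeping in a deployment: if the margin of the third signal is smaller than the response timeout, a device that answers JWT2 late is renewed after its old JWT already stopped verifying, and the next request fails JWT verification (step S14) even though the renewal cycle reported success.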
Priority Applications (1)

Application Number: CN202410173400.6A; Priority Date: 2024-02-07; Filing Date: 2024-02-07; Title: Equipment login-free identity verification method and system based on renewable JWT and IP signature; Status: Pending

Publications (1)

Publication Number: CN118041625A; Publication Date: 2024-05-14

Family

ID=90992760; Family Applications: CN202410173400.6A (Pending); Country Status: CN, CN118041625A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination