WO2014180431A1 - Network management security authentication method, device and system, and computer storage medium - Google Patents


Publication number
WO2014180431A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
network management
user
request message
result
Prior art date
Application number
PCT/CN2014/079516
Inventor
孙向东
龙卉
黄媛媛
Original Assignee
中兴通讯股份有限公司
Priority date
Filing date
Publication date
Application filed by 中兴通讯股份有限公司 filed Critical 中兴通讯股份有限公司
Priority to JP2016521681A priority Critical patent/JP2016536678A/en
Publication of WO2014180431A1 publication Critical patent/WO2014180431A1/en

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities

Definitions

  • The present invention relates to the field of communications technologies, and in particular, to a network management security authentication method, apparatus, system, and computer storage medium.
  • BACKGROUND
  • With the rapid development of the telecommunications industry and the continuous updating and expansion of network equipment, operators place increasingly high requirements on network management systems, and verifying the validity of user identity is an essential part of their security.
  • The most common way to verify user identity is system user name and password verification.
  • This verification method has certain security risks and inconveniences: if the password is too simple, it is easily leaked; if the password is complicated, it is inconvenient to remember and enter, and the user has to spend a lot of energy and time remembering the password and preventing it from leaking.
  • SUMMARY OF THE INVENTION
  • The technical problem to be solved by the present invention is to provide a network management security authentication method, device, system, and computer storage medium that address the security risks and inconveniences of network management security authentication in the prior art.
  • the embodiment of the present invention provides a network management security authentication method, which is applied to a network management server; the method includes:
  • Determining, according to the authentication result sent by the authentication server, whether to allocate resources and operation rights to the user of the network management client includes: when the authentication result is that the authentication is successful, determining to allocate resources and operation rights to the user of the network management client.
  • the embodiment of the present invention further provides a network management security authentication method, which is applied to a network management client.
  • the method includes:
  • the authentication request message carries a user name and a token code
  • the determining, according to the authentication result, whether the user is allowed to log in includes: determining that the user is allowed to log in when the authentication result is that the authentication is successful;
  • the new user is provided with an entry for entering a personal identification number (PIN), and after the PIN is successfully set, the new user is provided with an entry for inputting an authentication request message;
  • the embodiment of the present invention further provides a network management security authentication method, which is applied to an authentication server.
  • the method includes: receiving an authentication request message from a network management server, where the authentication request message carries a user name and a token code;
  • the method further includes: receiving a PIN setting message from the network management server, where the PIN setting message carries a PIN;
  • an embodiment of the present invention further provides a network management security authentication apparatus, where the apparatus includes:
  • the first transceiver unit is configured to receive an authentication request message from the network management client and send the authentication request message to the authentication server, where the authentication request message carries the user name and the token code; it is further configured to receive the authentication result sent by the authentication server, and to send the authentication result received by the first transceiver unit to the network management client;
  • the first determining unit is configured to determine, according to the authentication result received by the first transceiver unit, whether to allocate resources and operation rights for the user of the network management client.
  • the first determining unit is configured to: when the authentication result is that the authentication is successful, determine to allocate resources and operation rights to the user of the network management client.
  • an embodiment of the present invention further provides a network management security authentication apparatus, where the apparatus includes: a second transceiver unit configured to receive an authentication request message input by a user and send the authentication request message to a network management server;
  • the authentication request message carries a username and a token code; and is configured to receive an authentication result sent by the network management server;
  • a second determining unit configured to determine, according to the authentication result received by the second transceiver unit, whether the user is allowed to log in.
  • the second determining unit is configured to: when the authentication result is that the authentication is successful, determine that the user is allowed to log in; when the authentication result is that the authentication fails, determine whether the current authentication is the first authentication of a new user; when the result of the determination is yes, provide the new user with an entry for inputting a PIN and, after the PIN is successfully set, provide the new user with an entry for inputting an authentication request message; when the result of the determination is no, determine whether the number of times the user has consecutively entered an incorrect authentication request message reaches the preset number; when the result of that determination is yes, determine that the user is an illegal user; when the result of that determination is no, continue to provide the user with an entry for inputting an authentication request message.
  • the embodiment of the present invention further provides a network management security authentication apparatus, where the apparatus includes: a receiving unit, configured to receive an authentication request message from a network management server, where the authentication request message carries a username and a token code;
  • An authentication unit configured to perform authentication on the username and the token code received by the receiving unit, to obtain an authentication result
  • a sending unit configured to send the authentication result obtained by the authentication unit to the network management server
  • the receiving unit is further configured to receive a PIN setting message from the network management server, where the PIN setting message carries a PIN;
  • the authentication unit is further configured to set the PIN received by the receiving unit to obtain a setting result
  • the sending unit is further configured to send the setting result of the PIN obtained by the authentication unit to the network management client through the network management server.
  • the embodiment of the present invention further provides a network management security authentication system, where the system includes a network management server, a network management client, and an authentication server;
  • the network management server is configured to receive an authentication request message from the network management client and send the authentication request message to the authentication server, where the authentication request message carries the user name and the token code; it is further configured to determine, according to the authentication result sent by the authentication server, whether to allocate resources and operation rights to the user of the network management client, and to send the authentication result to the network management client;
  • the network management client is configured to receive the authentication request message input by the user and send the authentication request message to the network management server, where the authentication request message carries the user name and the token code; it is further configured to receive the authentication result sent by the network management server, and to determine whether to allow the user to log in according to the authentication result;
  • the authentication server is configured to receive an authentication request message from the network management server, where the authentication request message carries a user name and a token code; the user name and the token code are authenticated; and the authentication result is sent to the network management server.
  • the network management server is configured to allocate resources and operation rights to users of the network management client when the authentication result sent by the authentication server is successful.
  • the network management client is configured to: when the authentication result sent by the network management server is that the authentication is successful, determine that the user is allowed to log in; when the authentication result is that the authentication fails, determine whether the current authentication is the first authentication of a new user; when the result of the determination is yes, provide the new user with an entry for inputting a PIN and, after the PIN is successfully set, provide the new user with an entry for inputting an authentication request message; when the result of the determination is no, determine whether the number of times the user has consecutively entered an incorrect authentication request message reaches the preset number; if the result of that determination is yes, determine that the user is an illegal user; when the result of that determination is no, continue to provide the user with an entry for inputting an authentication request message.
  • the authentication server is further configured to receive a PIN setting message from the network management server, where the PIN setting message carries a PIN; setting the PIN; and sending the setting result of the PIN through the network management server To the network management client.
  • the embodiment of the present invention further provides a computer storage medium, where the computer storage medium stores computer executable instructions, and the computer executable instructions are used to execute the network management security authentication method applied to the network management server according to the embodiment of the present invention.
  • the embodiment of the present invention further provides a computer storage medium, where the computer storage medium stores computer executable instructions, and the computer executable instructions are used to execute the network management security authentication method applied to the network management client according to the embodiment of the present invention.
  • the embodiment of the present invention further provides a computer storage medium, where the computer storage medium stores computer executable instructions, and the computer executable instructions are used to execute the network management security authentication method applied to the authentication server according to the embodiment of the present invention.
  • With the network management security authentication method, device, system and computer storage medium provided by the embodiment of the present invention, the network management server can receive an authentication request message from the network management client and forward the authentication request message to the authentication server, so that the authentication server authenticates the user name and the token code in the authentication request message, and then determine whether to allocate resources and operation rights to the user of the network management client according to the authentication result of the authentication server. Throughout the process, the token code generated by the token replaces the traditional password entered by the user. The network management security authentication method provided by the embodiment ensures security and facilitates the user's operation.
  • FIG. 1 is a schematic flowchart of a first network management security authentication method according to an embodiment of the present invention
  • FIG. 2 is a schematic flowchart of a second network management security authentication method according to an embodiment of the present invention
  • FIG. 4 is a schematic flowchart of a fourth network management security authentication method according to an embodiment of the present invention
  • FIG. 5 is a schematic structural diagram of a first network management security authentication apparatus according to an embodiment of the present invention.
  • FIG. 6 is a schematic structural diagram of a second network management security authentication apparatus according to an embodiment of the present invention.
  • FIG. 7 is a schematic structural diagram of a third network management security authentication apparatus according to an embodiment of the present invention.
  • FIG. 8 is a schematic structural diagram of a network management security authentication system according to an embodiment of the present invention.
  • DETAILED DESCRIPTION
  • FIG. 1 is a schematic flowchart of a first network management security authentication method according to an embodiment of the present invention. As shown in FIG. 1 , an embodiment of the present invention provides a network management security authentication method, based on a network management server, where the method includes:
  • S11 Receive an authentication request message from the network management client, and send the authentication request message to the authentication server, where the authentication request message carries the user name and the token code.
  • S12 Determine, according to the authentication result sent by the authentication server, whether to allocate resources and operation rights to the user of the network management client.
  • The network management security authentication method provided by the embodiment of the present invention can receive an authentication request message from the network management client and forward the authentication request message to the authentication server, so that the authentication server authenticates the user name and the token code in the authentication request message, and then determine whether to allocate resources and operation rights to the user of the network management client according to the authentication result of the authentication server. Throughout the process, the token code generated by the token replaces the traditional password entered by the user. Because the token code is dynamically generated, the network management security authentication method provided by the embodiment of the present invention ensures security and, at the same time, is convenient for the user to operate.
  • The token code is a string of random digits generated by the token.
  • the token is divided into a software token and a hardware token.
  • the hardware token is an independent portable physical device.
  • the software token is software that can be installed in a portable device such as a personal computer or a smart phone. Both the software token and the hardware token are associated with the authentication server. Before each token is sent to the user, token-related information is created on the authentication server, and the corresponding token seed is imported into each token. Thus a token code is generated when needed. Different users have different tokens, and correspondingly, the generated token codes are different.
  • The network management server receives an authentication request message from the network management client. Specifically, the information input by the user through the network management client, such as a username and a token code, is included in the authentication request message. It should be noted that although the network management server is responsible for coordinating and managing the entire network and provides support for the token authentication method, it is not responsible for the specific work of the security authentication. After receiving the authentication request message, the network management server forwards the authentication request message to the authentication server, and the authentication server performs the authentication.
  • The authentication server can be configured to support multiple authentication methods such as password authentication, random number authentication, or token authentication. For example, in an embodiment of the present invention, the network management server configures the authentication mode as token authentication. When the security module of the network management server receives the authentication request message, the network management server may establish a session with the authentication server and forward the authentication request message to the authentication server.
  • The network management server may receive the authentication result from the authentication server, and determine, according to the authentication result, whether to allocate resources and operation rights to the user of the network management client. Specifically, if the authentication result is that the authentication is successful, the user who provided the username and the token code is a secure user, and it may be determined to allocate resources and operation rights to the user of the network management client. If the authentication result is that the authentication fails, the security of the user has not been authenticated, and it is therefore determined that resources and operation rights cannot be allocated to the user of the network management client.
  • the embodiment of the invention further provides a computer storage medium, wherein the computer storage medium stores computer executable instructions, and the computer executable instructions are used to execute the network management security authentication method according to the embodiment of the invention.
  • FIG. 2 is a schematic flowchart of a second network management security authentication method according to an embodiment of the present invention.
  • An embodiment of the present invention further provides a network management security authentication method, which is based on a network management client and includes the following steps:
  • S21 Receive an authentication request message input by the user, and send the authentication request message to the network management server; the authentication request message carries a user name and a token code.
  • S22 Receive an authentication result sent by the network management server.
  • S23 Determine, according to the authentication result, whether the user is allowed to log in.
  • The network management security authentication method provided by the embodiment of the present invention can receive an authentication request message input by a user and send the authentication request message to the network management server, can also receive from the network management server the authentication result of authenticating the user name and the token code in the authentication request message, and can then determine whether the user is allowed to log in according to the authentication result.
  • Throughout the process, the token code generated by the token replaces the traditional password entered by the user. Since the token code is dynamically generated, it has better security, and the token code has few digits, which makes it convenient for people to enter. Therefore, the network management security authentication method provided by the embodiment of the present invention ensures security and facilitates the operation of the user.
  • The authentication request message and the authentication result are mainly transmitted between the network management client, the network management server, and the authentication server.
  • The authentication request message and the authentication result may be encrypted and encapsulated, transmitted over the network, and, after reaching the destination, the corresponding information in the authentication request message and the authentication result is obtained through corresponding decryption or parsing.
  • determining whether to allow the user to log in according to the authentication result may include the following steps:
  • The network client serves as the device directly interfacing with the user, provides an operation interface for the user, and can exchange information with the user. Once the network client knows that the user name and the token code input by the user have been successfully authenticated, the authentication result can be displayed as friendly feedback, so that the user can interact appropriately based on the authentication result and finally log in successfully.
  • the method further includes the step of determining whether the current authentication is the first authentication of the new user.
  • When the result of the determination is yes, the new user is provided with an entry for inputting a PIN, and after the PIN is set, the new user is provided with an entry for inputting an authentication request message; when the result of the determination is no, the possibility of a missing PIN setting is also excluded.
  • At this time, optionally, it may be determined whether the number of times the user has consecutively entered an incorrect authentication request message reaches a preset number of times; when the result of the determination is yes, it is determined that the user is an illegal user; when the result of the determination is no, the user continues to be provided with an entry for inputting an authentication request message.
  • The preset number of times is three, and each time an error is input, the number of times the user name or the token code has been incorrectly input is counted.
  • the error input reaches 3 times, The user is further provided with an entry for inputting an authentication request message, prompting the user to be an illegal user.
  • the embodiment of the invention further provides a computer storage medium, wherein the computer storage medium stores computer executable instructions, and the computer executable instructions are used to execute the network management security authentication method according to the embodiment of the invention.
  • FIG. 3 is a schematic flowchart of a third network management security authentication method according to an embodiment of the present invention. As shown in FIG. 3, an embodiment of the present invention further provides a network management security authentication method, based on an authentication server, where the method includes:
  • S31 Receive an authentication request message from the network management server, where the authentication request message carries a username and a token code.
  • The network management security authentication method provided by the embodiment of the present invention can receive an authentication request message from the network management server, then authenticate the user name and the token code carried in the authentication request message, and send the authentication result to the network management server. Throughout the process, the token code generated by the token replaces the traditional password entered by the user. Since the token code is dynamically generated, it offers better security. The network management security authentication method provided by the embodiment of the present invention therefore ensures security while facilitating the user's operation.
  • When the authentication server receives the authentication request message carrying the user name and the token code, the user name and the token code may be parsed out. Because the related information of the token has been created on the authentication server, the username and the token code can be authenticated against the token-related information created on the authentication server.
  • The user only needs to input the username and the token code to form a corresponding authentication request message for security authentication of the user, but when a user performs security authentication for the first time, a PIN actually needs to be set on the authentication server. After the first PIN setting, the same user does not need to set a PIN in future authentication.
  • the method may further include:
  • the setting result of the PIN may include setting success and setting failure.
  • the network management server parses the PIN setting result and notifies the network management client.
  • the embodiment of the invention further provides a computer storage medium, wherein the computer storage medium stores computer executable instructions, and the computer executable instructions are used to execute the network management security authentication method according to the embodiment of the invention.
  • FIG. 4 is a schematic flowchart of a fourth network management security authentication method according to an embodiment of the present invention. As shown in FIG. 4, the method may include the following steps:
  • Step 101 The user opens the network management login entry, generates a token code with the token, and provides the network management client with the username.
  • Step 102 The network management client encrypts the input user information and sends the information to the network management server.
  • Step 103 The network management server establishes a session with the authentication server according to the configured authentication server address, and then forwards the authentication request message to the authentication server.
  • Step 104 The authentication server parses the authentication request message, authenticates the validity of the token code, and sends the authentication result to the network management server.
  • Step 105 The network management server parses the authentication result, and determines whether the user identity authentication is successful. When the result of the determination is yes, step 106 is performed; when the result of the determination is no, step 107 is performed.
  • Step 106 Assign a reasonable resource and operation authority to the user, and then encapsulate the authentication result and return the authentication result to the network management client, and perform step 108.
  • Step 107 The direct encapsulation authentication result is returned to the network management client, and the corresponding resource allocation is not performed, and step 108 is performed.
  • Step 108 The client parses the authentication result, and determines whether the authentication is successful. When the result of the determination is yes, step 115 is performed; when the result of the determination is no, step 109 is performed.
  • Step 109 The network management client further determines whether the authentication is the first authentication of the new user, whether the user PIN needs to be set, and when the result of the determination is yes, step 110 is performed; when the result of the determination is no, step 113 is performed.
  • Step 110 Provide an entry for entering the PIN and send the PIN entered by the user to the network management server.
  • Step 111 The network management server forwards the PIN to the authentication server.
  • Step 112 The authentication server successfully sets the PIN, and returns a message that the PIN setting is successful to the network client, and step 101 is performed.
  • Step 113 Determine whether the number of consecutive incorrect token code inputs reaches a preset value. When the result of the determination is no, repeat the authentication process starting from step 101; when the result of the determination is yes, it is determined that the user is not a legitimate user, since several different token codes have been generated consecutively and none could be authenticated, and step 114 is performed.
  • Step 114 Log out and go to step 116.
  • Step 115 Log in directly, and go to Step 116.
  • Step 116 The authentication process ends.
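The flow of steps 101 to 116 can be exercised end to end with the sketch below, which is an added example and not code from the patent. It assumes HOTP (RFC 4226) as a stand-in for the unspecified token algorithm, hypothetical result strings and class names, a 4 to 8 digit PIN policy, and it keeps the consecutive-failure counter in the network management server rather than in the client, so that a modified client cannot reset it.

```python
import hashlib
import hmac
import os
import struct

MAX_FAILURES = 3  # the preset number of consecutive failures given in the text
SEED = b"12345678901234567890"  # constructed sample seed (the RFC 4226 test secret)


def token_code(seed, counter, digits=6):
    """HOTP (RFC 4226), an assumed stand-in for the unspecified token algorithm."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class AuthServer:
    """Holds the token seeds and performs the authentication (steps 104, 112)."""
    def __init__(self):
        self.users = {}

    def enroll(self, username, seed):
        self.users[username] = {"seed": seed, "counter": 0, "pin": None}

    def set_pin(self, username, pin):
        user = self.users.get(username)
        # Assumed policy: 4-8 digits; an existing PIN cannot be overwritten here.
        if user is None or user["pin"] is not None or not (pin.isdigit() and 4 <= len(pin) <= 8):
            return "pin_set_failed"
        salt = os.urandom(16)
        user["pin"] = (salt, hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000))
        return "pin_set_ok"

    def authenticate(self, username, code, window=3):
        user = self.users.get(username)
        if user is None:
            return "failure"
        if user["pin"] is None:
            return "pin_required"  # first authentication of a new user
        # Small look-ahead window in case the token ran ahead of the server.
        for counter in range(user["counter"], user["counter"] + window):
            expected = token_code(user["seed"], counter).encode()
            if hmac.compare_digest(expected, code.encode()):
                user["counter"] = counter + 1  # a used code cannot be replayed
                return "success"
        return "failure"


class NetworkManagementServer:
    """Forwards requests and allocates rights; it never sees a token seed."""
    def __init__(self, auth_server):
        self.auth = auth_server
        self.failures = {}  # consecutive failures per user name
        self.sessions = {}  # resources and operation rights per user name

    def login(self, username, code):
        if self.failures.get(username, 0) >= MAX_FAILURES:
            return "locked"
        result = self.auth.authenticate(username, code)  # steps 103-104
        if result == "success":
            self.failures[username] = 0
            self.sessions[username] = {"rights": ["view"]}  # step 106
        elif result == "failure":  # step 107: nothing is allocated
            self.failures[username] = self.failures.get(username, 0) + 1
            if self.failures[username] >= MAX_FAILURES:
                result = "locked"
        return result

    def set_pin(self, username, pin):
        return self.auth.set_pin(username, pin)  # step 111


def client_login(nms, username, read_code, read_pin):
    """Client loop of steps 101 and 108-115; a plain failure offers the entry again."""
    while True:
        result = nms.login(username, read_code())
        if result == "success":
            return True
        if result == "locked":  # step 114: treated as an illegal user
            return False
        if result == "pin_required":  # steps 109-112, then back to step 101
            if nms.set_pin(username, read_pin()) != "pin_set_ok":
                return False


def demo():
    auth = AuthServer()
    auth.enroll("alice", SEED)
    nms = NetworkManagementServer(auth)
    presses = iter(range(10))  # the token's own counter
    allowed = client_login(nms, "alice", lambda: token_code(SEED, next(presses)), lambda: "4821")
    replay = nms.login("alice", token_code(SEED, 1))  # the code that was just used
    return allowed, replay, nms.sessions


if __name__ == "__main__":
    print(demo())
```
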
  • FIG. 5 is a schematic structural diagram of a first network management security authentication apparatus according to an embodiment of the present invention. As shown in FIG. 5, an embodiment of the present invention further provides a network management security authentication apparatus 2, including:
  • the first transceiver unit 21 is configured to receive an authentication request message from the network management client and send the authentication request message to the authentication server, where the authentication request message carries the user name and the token code; it is further configured to receive the authentication result sent by the authentication server, and to send the authentication result received by the first transceiver unit to the network management client;
  • the first determining unit 22 is configured to determine, according to the authentication result received by the first transceiver unit, whether to allocate resources and operation rights for the user of the network management client.
  • The first transceiver unit 21 can receive an authentication request message from the network management client and forward the authentication request message to the authentication server, so that the authentication server authenticates the user name and the token code in the authentication request message; the first determining unit 22 can determine, according to the authentication result of the authentication server, whether to allocate resources and operation rights to the user of the network management client. The token code generated by the token replaces the traditional password entered by the user. Since the token code is dynamically generated, it has better security, and the token code has few digits, which makes it convenient for people to enter and does not require the user to memorize it. Therefore, the network management security authentication device provided by the embodiment of the present invention facilitates the operation of the user while ensuring security.
  • The first determining unit 22 is configured to: when the authentication result is that the authentication is successful, determine to allocate resources and operation rights to the user of the network management client, thereby enabling the user of the network management client to use the resources and the operation rights; when the authentication result is that the authentication fails, determine that resources and operation rights are not allocated to the user of the network management client.
  • In an actual application, the network management security authentication device may be implemented by the network management server; the first determining unit 22 may be implemented by a central processing unit (CPU, Central Processing Unit), a digital signal processor (DSP, Digital Signal Processor) or a field programmable gate array (FPGA, Field Programmable Gate Array) in the first network management security authentication device according to the embodiment of the present invention; the first transceiver unit 21 may be implemented by a transceiver in the network management security authentication device.
  • FIG. 6 is a schematic structural diagram of a second network management security authentication apparatus according to an embodiment of the present invention. As shown in FIG. 6, an embodiment of the present invention further provides a network management security authentication apparatus 3, where the apparatus includes:
  • The second transceiver unit 31 is configured to receive an authentication request message input by the user and send the authentication request message to the network management server, where the authentication request message carries the user name and the token code; it is further configured to receive the authentication result sent by the network management server;
  • The second determining unit 32 is configured to determine, according to the authentication result received by the second transceiver unit 31, whether to permit the user to log in.
  • In the network management security authentication device 3 provided by this embodiment, the second transceiver unit 31 can receive an authentication request message input by a user and send it to the network management server, and can also receive the authentication result obtained by authenticating the user name and the token code in the authentication request message; the second determining unit 32 can determine, according to the authentication result, whether to permit the user to log in. Throughout the process, the token code generated by the token replaces the traditional password input by the user. Since the token code is dynamically generated, it has better security, and the token code has few digits, which makes it easy to enter. Therefore, the network management security authentication device 3 provided by the embodiment of the present invention ensures security while facilitating the operation of the user.
  • The second determining unit 32 is configured to: when the authentication result is that the authentication is successful, determine that the user is allowed to log in; when the authentication result is authentication failure, determine whether the current authentication is the first authentication of a new user; when the result of the determination is yes, provide the new user with an entry for inputting a personal identification number (PIN) and, after the PIN is successfully set, provide the new user with an entry for inputting an authentication request message; when the result of the determination is no, determine whether the number of times the user has consecutively input the authentication request message incorrectly reaches a preset number of times; when the result of that determination is yes, determine that the user is an illegal user; when the result of that determination is no, continue to provide the user with an entry for inputting an authentication request message.
  • In an actual application, the network management security authentication device can be implemented by the network management client, and the network management client can be a terminal device such as a computer or a smart phone; the second determining unit 32 can be implemented by a CPU, DSP or FPGA in the second network management security authentication device according to the embodiment of the present invention; the second transceiver unit 31 can be implemented by a transceiver in the network management security authentication device.
  • FIG. 7 is a schematic structural diagram of a third network management security authentication apparatus according to an embodiment of the present invention. As shown in FIG. 7, an embodiment of the present invention further provides a network management security authentication apparatus 4, where the apparatus includes:
  • The receiving unit 41 is configured to receive an authentication request message from the network management server, where the authentication request message carries a user name and a token code;
  • The authentication unit 42 is configured to authenticate the user name and the token code received by the receiving unit 41, and obtain an authentication result;
  • The sending unit 43 is configured to send the authentication result obtained by the authentication unit 42 to the network management server.
  • In the network management security authentication device 4 provided by the embodiment of the present invention, the receiving unit 41 can receive an authentication request message from the network management server; the authentication unit 42 can authenticate the user name and the token code carried in the authentication request message; the sending unit 43 can send the authentication result to the network management server. The token code generated by the token replaces the traditional password input by the user. Since the token code is dynamically generated, it has better security; the token code also has few digits, which makes it easy to enter, and the user does not need to memorize it. Therefore, the network management security authentication method provided by the embodiment of the present invention facilitates the user's operation while ensuring security.
  • The receiving unit 41 is further configured to receive a PIN setting message from the network management server, where the PIN setting message carries a PIN;
  • The authentication unit 42 may be further configured to set the PIN received by the receiving unit 41 and obtain a setting result;
  • The sending unit 43 is further configured to send the setting result of the PIN obtained by the authentication unit 42 to the network management client through the network management server.
  • In an actual application, the network management security authentication device may be implemented by an authentication server; the authentication unit 42 may be implemented by a CPU, a DSP, or an FPGA in the third network management security authentication device according to the embodiment of the present invention; the receiving unit 41 can be implemented by a receiver in the network management security authentication device; the transmitting unit 43 can be used by the network management security authentication device in the actual application.
  • FIG. 8 is a schematic structural diagram of a network management security authentication system according to an embodiment of the present invention. The system includes a network management server 51, a network management client 52 and an authentication server 53, where:
  • The network management server 51 is configured to receive an authentication request message from the network management client 52 and send the authentication request message to the authentication server 53, where the authentication request message carries the user name and the token code; it is further configured to determine, according to the authentication result sent by the authentication server 53, whether to allocate resources and operation rights to the user of the network management client 52, and to send the authentication result to the network management client 52;
  • The network management client 52 is configured to receive an authentication request message input by the user and send the authentication request message to the network management server 51, where the authentication request message carries the user name and the token code; it is further configured to receive the authentication result sent by the network management server 51, and to determine, according to the authentication result, whether the user is allowed to log in;
  • The authentication server 53 is configured to receive an authentication request message from the network management server 51, where the authentication request message carries a user name and a token code; to authenticate the user name and the token code; and to send the authentication result to the network management server 51.
  • the network management server 51 is configured to allocate resources and operation rights to the user of the network management client 52 when the authentication result sent by the authentication server 53 is successful.
  • The network management client 52 is configured to: when the authentication result sent by the network management server 51 is that the authentication is successful, determine that the user is allowed to log in; when the authentication result is authentication failure, determine whether the current authentication is the first authentication of a new user; when the result of the determination is yes, provide the new user with an entry for inputting the personal identification number PIN and, after the PIN is successfully set, provide the new user with an entry for inputting the authentication request message; when the result of the determination is no, determine whether the number of times the user has consecutively input the authentication request message incorrectly reaches a preset number of times; when the result of that determination is yes, determine that the user is an illegal user; when the result of that determination is no, continue to provide the user with an entry for inputting an authentication request message.
  • The authentication server 53 is further configured to receive a PIN setting message from the network management server 51, where the PIN setting message carries a PIN; to set the PIN; and to send the setting result of the PIN to the network management client 52 through the network management server 51.
  • The network management server 51 includes any one of the network management security authentication devices 2 provided in the foregoing embodiment; the network management client 52 includes any one of the network management security authentication devices 3 provided in the foregoing embodiment; the authentication server 53 includes any one of the network management security authentication devices 4 provided in the foregoing embodiment. Since the network management security authentication system includes the network management security authentication devices of the foregoing embodiments, it achieves the corresponding beneficial technical effects. These have been described in detail above and are not repeated here.
  • The present invention is described with reference to flowcharts and/or block diagrams of methods, apparatus, and computer program products according to embodiments of the present invention. It will be understood that each flow and/or block of the flowchart illustrations and/or FIG.
  • These computer program instructions can be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing device to produce a machine for the execution of instructions for execution by a processor of a computer or other programmable data processing device.
  • The computer program instructions can also be stored in a computer readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer readable memory produce an article of manufacture comprising an instruction device; the instruction device implements the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
  • These computer program instructions can also be loaded onto a computer or other programmable data processing device, such that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, so that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
  • In the embodiment of the present invention, the network management server receives an authentication request message from the network management client and forwards the authentication request message to the authentication server, so that the authentication server authenticates the user name and the token code in the authentication request message; whether resources and operation rights are allocated to the user of the network management client is then determined according to the authentication result of the authentication server. The token code generated by the token replaces the traditional password, which gives better security; the token code has few digits, which makes it easy for the user to enter, and the user does not need to memorize it. Therefore, the network management security authentication method provided by the embodiment of the present invention ensures security while facilitating the user's operation.
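The three-party exchange described above (network management client, network management server, authentication server), including the PIN setting step for a new user and the consecutive-failure limit, as an added example that is not code from the patent. The class and method names, the `new_user` field in the result, the limit of 3 and the RFC 6238-style code generator standing in for the token are all assumptions; the page does not specify the token algorithm or how the PIN is used after it is set.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass

MAX_CONSECUTIVE_FAILURES = 3  # the page's "preset number of times"; 3 is an assumption


def token_code(seed: bytes, now: int, step: int = 60, digits: int = 6) -> str:
    """Assumed token algorithm: RFC 6238-style time-step HMAC-SHA1 code."""
    mac = hmac.new(seed, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


@dataclass
class AuthResult:
    success: bool
    new_user: bool = False  # assumed field: tells the client no PIN has been set yet


class AuthenticationServer:
    def __init__(self, seeds):
        self._seeds = dict(seeds)  # username -> token seed
        self._pins = {}            # username -> (salt, PBKDF2 hash of the PIN)

    def authenticate(self, username, code, now):
        seed = self._seeds.get(username)
        if seed is None:
            return AuthResult(False)
        if username not in self._pins:
            return AuthResult(False, new_user=True)
        expected = token_code(seed, now)
        return AuthResult(hmac.compare_digest(code.encode(), expected.encode()))

    def set_pin(self, username, pin):
        # The page does not say how the PIN is used later, so it is only stored.
        if username not in self._seeds or not (pin.isdigit() and 4 <= len(pin) <= 8):
            return False
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)
        self._pins[username] = (salt, digest)
        return True


class NetworkManagementServer:
    def __init__(self, auth_server):
        self._auth = auth_server
        self.sessions = {}  # username -> rights allocated after a successful result

    def handle_auth_request(self, username, code, now):
        result = self._auth.authenticate(username, code, now)  # forward the request
        if result.success:                                      # allocate on success only
            self.sessions[username] = {"resources", "operation_rights"}
        return result                                           # relay result to client

    def handle_pin_setting(self, username, pin):
        return self._auth.set_pin(username, pin)                # relay PIN setting result


class NetworkManagementClient:
    def __init__(self, server):
        self._server = server
        self._failures = {}  # username -> consecutive failed attempts

    def login(self, username, code, now, new_pin=None):
        if self._failures.get(username, 0) >= MAX_CONSECUTIVE_FAILURES:
            return "illegal_user"
        result = self._server.handle_auth_request(username, code, now)
        if result.success:
            self._failures.pop(username, None)
            return "logged_in"
        if result.new_user:  # first authentication of a new user: set a PIN, then retry
            if new_pin is not None and self._server.handle_pin_setting(username, new_pin):
                return "pin_set_retry"
            return "pin_required"
        count = self._failures.get(username, 0) + 1
        self._failures[username] = count
        return "illegal_user" if count >= MAX_CONSECUTIVE_FAILURES else "retry"


def run_demo():
    seed = b"constructed-demo-seed"  # constructed sample seed
    now = 1_700_000_000              # constructed fixed clock value
    server = NetworkManagementServer(AuthenticationServer({"alice": seed}))
    client = NetworkManagementClient(server)
    code = token_code(seed, now)
    wrong = "000000" if code != "000000" else "111111"
    return [
        client.login("alice", code, now),                  # new user, no PIN yet
        client.login("alice", code, now, new_pin="4321"),  # PIN set, asked to retry
        client.login("alice", code, now),                  # success
        client.login("alice", wrong, now),
        client.login("alice", wrong, now),
        client.login("alice", wrong, now),                 # limit reached
        client.login("alice", code, now),                  # still refused
    ]


if __name__ == "__main__":
    print(run_demo())
```

The failure counter sits in the client because that is where the page places it; holding a client that does not cooperate to the limit needs the same counter on the network management server or the authentication server.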

Abstract

The embodiments of the present invention disclose a network management security authentication method, device and system, and a computer storage medium. The method comprises: receiving an authentication request message from a network management client, and sending the authentication request message to an authentication server, wherein the authentication request message carries a user name and a token code; according to an authentication result sent by the authentication server, determining whether resources and operation rights are allocated to users of the network management client; and sending the authentication result to the network management client.

Description

Network management security authentication method, device, system and computer storage medium
TECHNICAL FIELD The present invention relates to the field of communications technologies, and in particular to a network management security authentication method, device, system and computer storage medium.
BACKGROUND With the rapid development of the telecommunications industry and the continuous updating and expansion of network equipment, operators place increasingly high security requirements on network management systems, and verification of the legitimacy of user identity is an essential part of that security.
At present, the most common way to verify the legitimacy of user identity is system user name and password verification. However, this method has certain security risks and is inconvenient to operate: if the password is too simple, it is easily leaked; if the password is complex, it is hard to remember and use, and the user has to spend a great deal of effort and time remembering the password and preventing it from leaking.
SUMMARY The technical problem to be solved by the present invention is to provide a network management security authentication method, device, system and computer storage medium, to solve problems such as the security risks and inconvenient operation of network management security authentication in the prior art.
To solve the above technical problem, in one aspect, an embodiment of the present invention provides a network management security authentication method applied to a network management server; the method includes:
Receiving an authentication request message from a network management client, and sending the authentication request message to an authentication server, where the authentication request message carries a user name and a token code;
Determining, according to the authentication result sent by the authentication server, whether to allocate resources and operation rights to the user of the network management client; and sending the authentication result to the network management client.
Preferably, the determining, according to the authentication result sent by the authentication server, whether to allocate resources and operation rights to the user of the network management client includes: when the authentication result is that the authentication is successful, determining to allocate resources and operation rights to the user of the network management client.
In another aspect, an embodiment of the present invention further provides a network management security authentication method applied to a network management client; the method includes:
Receiving an authentication request message input by a user, and sending the authentication request message to a network management server, where the authentication request message carries a user name and a token code;
Receiving an authentication result sent by the network management server;
Determining, according to the authentication result, whether to allow the user to log in.
Preferably, the determining, according to the authentication result, whether to allow the user to log in includes: when the authentication result is that the authentication is successful, determining that the user is allowed to log in;
When the authentication result is authentication failure, determining whether the current authentication is the first authentication of a new user;
When the result of the determination is yes, providing the new user with an entry for inputting a personal identification number (PIN, Personal Identity Number) and, after the PIN is successfully set, providing the new user with an entry for inputting an authentication request message;
When the result of the determination is no, determining whether the number of times the user has consecutively input the authentication request message incorrectly reaches a preset number of times; when the result of that determination is yes, determining that the user is an illegal user; when the result of that determination is no, continuing to provide the user with an entry for inputting an authentication request message.
In another aspect, an embodiment of the present invention further provides a network management security authentication method applied to an authentication server; the method includes: receiving an authentication request message from a network management server, where the authentication request message carries a user name and a token code;
Authenticating the user name and the token code;
Sending the authentication result to the network management server.
Preferably, after the sending the authentication result to the network management server, the method further includes: receiving a PIN setting message from the network management server, where the PIN setting message carries a PIN;
Setting the PIN;
Sending the setting result of the PIN to the network management client through the network management server.
In another aspect, an embodiment of the present invention further provides a network management security authentication device, where the device includes:
A first transceiver unit, configured to receive an authentication request message from a network management client and send the authentication request message to an authentication server, where the authentication request message carries a user name and a token code; further configured to receive the authentication result sent by the authentication server; and further configured to send the authentication result received by the first transceiver unit to the network management client;
A first determining unit, configured to determine, according to the authentication result received by the first transceiver unit, whether to allocate resources and operation rights to the user of the network management client.
Preferably, the first determining unit is configured to: when the authentication result is that the authentication is successful, determine to allocate resources and operation rights to the user of the network management client.
In another aspect, an embodiment of the present invention further provides a network management security authentication device, where the device includes: a second transceiver unit, configured to receive an authentication request message input by a user and send the authentication request message to a network management server, where the authentication request message carries a user name and a token code; and further configured to receive the authentication result sent by the network management server;
A second determining unit, configured to determine, according to the authentication result received by the second transceiver unit, whether to allow the user to log in.
Preferably, the second determining unit is configured to: when the authentication result is that the authentication is successful, determine that the user is allowed to log in; when the authentication result is authentication failure, determine whether the current authentication is the first authentication of a new user; when the result of the determination is yes, provide the new user with an entry for inputting a PIN and, after the PIN is successfully set, provide the new user with an entry for inputting an authentication request message; when the result of the determination is no, determine whether the number of times the user has consecutively input the authentication request message incorrectly reaches a preset number of times; when the result of that determination is yes, determine that the user is an illegal user; when the result of that determination is no, continue to provide the user with an entry for inputting an authentication request message.
In another aspect, an embodiment of the present invention further provides a network management security authentication device, where the device includes: a receiving unit, configured to receive an authentication request message from a network management server, where the authentication request message carries a user name and a token code;
An authentication unit, configured to authenticate the user name and the token code received by the receiving unit, and obtain an authentication result;
A sending unit, configured to send the authentication result obtained by the authentication unit to the network management server.
Preferably, the receiving unit is further configured to receive a PIN setting message from the network management server, where the PIN setting message carries a PIN;
The authentication unit is further configured to set the PIN received by the receiving unit and obtain a setting result;
The sending unit is further configured to send the setting result of the PIN obtained by the authentication unit to the network management client through the network management server.
In another aspect, an embodiment of the present invention further provides a network management security authentication system, where the system includes a network management server, a network management client and an authentication server; where:
The network management server is configured to receive an authentication request message from the network management client and send the authentication request message to the authentication server, where the authentication request message carries a user name and a token code; it is further configured to determine, according to the authentication result sent by the authentication server, whether to allocate resources and operation rights to the user of the network management client, and to send the authentication result to the network management client;
The network management client is configured to receive an authentication request message input by a user and send the authentication request message to the network management server, where the authentication request message carries a user name and a token code; it is further configured to receive the authentication result sent by the network management server and determine, according to the authentication result, whether to allow the user to log in;
The authentication server is configured to receive an authentication request message from the network management server, where the authentication request message carries a user name and a token code; to authenticate the user name and the token code; and to send the authentication result to the network management server.
Preferably, the network management server is configured to: when the authentication result sent by the authentication server is that the authentication is successful, determine to allocate resources and operation rights to the user of the network management client.
Preferably, the network management client is configured to: when the authentication result sent by the network management server is that the authentication is successful, determine that the user is allowed to log in; when the authentication result is authentication failure, determine whether the current authentication is the first authentication of a new user; when the result of the determination is yes, provide the new user with an entry for inputting a PIN and, after the PIN is successfully set, provide the new user with an entry for inputting an authentication request message; when the result of the determination is no, determine whether the number of times the user has consecutively input the authentication request message incorrectly reaches a preset number of times; when the result of that determination is yes, determine that the user is an illegal user; when the result of that determination is no, continue to provide the user with an entry for inputting an authentication request message.
Preferably, the authentication server is further configured to receive a PIN setting message from the network management server, where the PIN setting message carries a PIN; to set the PIN; and to send the setting result of the PIN to the network management client through the network management server.
In another aspect, an embodiment of the present invention further provides a computer storage medium storing computer executable instructions, where the computer executable instructions are used to execute the network management security authentication method applied to the network management server according to the embodiment of the present invention.
In another aspect, an embodiment of the present invention further provides a computer storage medium storing computer executable instructions, where the computer executable instructions are used to execute the network management security authentication method applied to the network management client according to the embodiment of the present invention.
In another aspect, an embodiment of the present invention further provides a computer storage medium storing computer executable instructions, where the computer executable instructions are used to execute the network management security authentication method applied to the authentication server according to the embodiment of the present invention.
With the network management security authentication method, device, system and computer storage medium provided by the embodiments of the present invention, the network management server can receive an authentication request message from the network management client and forward the authentication request message to the authentication server, so that the authentication server authenticates the user name and the token code in the authentication request message, and can then determine, according to the authentication result of the authentication server, whether to allocate resources and operation rights to the user of the network management client. Throughout the operation, the token code generated by the token replaces the traditional password input by the user. Since the token code is dynamically generated, it has better security; the token code also has few digits, which makes it easy to enter, and the user does not need to memorize it. Therefore, the network management security authentication method provided by the embodiments of the present invention ensures security while facilitating the user's operation.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a schematic flowchart of a first network management security authentication method according to an embodiment of the present invention;
FIG. 2 is a schematic flowchart of a second network management security authentication method according to an embodiment of the present invention;
FIG. 3 is a schematic flowchart of a third network management security authentication method according to an embodiment of the present invention;
FIG. 4 is a schematic flowchart of a fourth network management security authentication method according to an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of a first network management security authentication device according to an embodiment of the present invention;
FIG. 6 is a schematic structural diagram of a second network management security authentication device according to an embodiment of the present invention;
FIG. 7 is a schematic structural diagram of a third network management security authentication device according to an embodiment of the present invention;
FIG. 8 is a schematic structural diagram of a network management security authentication system according to an embodiment of the present invention.
DETAILED DESCRIPTION
Specific implementations of the present invention are described in further detail below with reference to the drawings and embodiments. The following embodiments are intended to illustrate the present invention, not to limit its scope.

FIG. 1 is a schematic flowchart of a first network management security authentication method according to an embodiment of the present invention. As shown in FIG. 1, an embodiment of the present invention provides a network management security authentication method based on a network management server, the method including:

S11: Receive an authentication request message from the network management client and send the authentication request message to the authentication server, the authentication request message carrying a username and a token code.

S12: Determine, according to the authentication result sent by the authentication server, whether to allocate resources and operation rights to the user of the network management client.

S13: Send the authentication result to the network management client.

With the network management security authentication method provided by this embodiment, the network management server can receive an authentication request message from the network management client and forward it to the authentication server, so that the authentication server authenticates the username and token code in the authentication request message, and can then determine, according to the authentication result of the authentication server, whether to allocate resources and operation rights to the user of the network management client. The user enters a token code generated by a token instead of a traditional password. Because the token code is generated dynamically, it offers better security; the token code also has few digits, which makes it easy to enter, and the user does not need to memorize it. The method therefore ensures security while also making operation convenient for the user.
To make the present invention easier to understand, the token code is first introduced briefly. A token code is a random numeric code of several digits generated by a token. Tokens are divided into software tokens and hardware tokens: a hardware token is an independent, portable physical device, while a software token is software that can be installed on a portable device such as a personal computer or a smartphone. Both kinds of token are associated with the authentication server. Before each token is issued to a user, the token-related information is created on the authentication server and the corresponding token seed is imported into the token, so that a token code can be generated when needed. Different users have different tokens and, accordingly, the token codes generated are also different.
In step S11, the network management server receives the authentication request message from the network management client. Specifically, the information the user enters through the network management client, such as the username and the token code, is contained in the authentication request message. Note that although the network management server is responsible for coordinating and managing the entire network and supports the token authentication mode, it does not perform the security authentication itself. After receiving the authentication request message, the network management server forwards it to the authentication server, and the authentication server performs the authentication. The authentication server can be configured as needed to support several authentication modes, such as password authentication, random number authentication or token authentication. For example, in one embodiment of the present invention, the network management server configures the authentication mode as token authentication; when the security module of the network management server receives an authentication request message, the network management server can establish a session with the authentication server and forward the authentication request message to it.

After the authentication server has authenticated the username and token code in the authentication request message, in step S12 the network management server can receive the authentication result from the authentication server and determine, according to that result, whether to allocate resources and operation rights to the user of the network management client. Specifically, if the authentication result is success, the user who supplied this username and token code is a secure user, and it is determined that resources and operation rights are allocated to the user of the network management client. If the authentication result is failure, the user's security has not been verified, and it is therefore determined that resources and operation rights cannot be allocated to the user of the network management client.

An embodiment of the present invention further provides a computer storage medium storing computer-executable instructions, the computer-executable instructions being used to execute the network management security authentication method according to the embodiments of the present invention.
Correspondingly, FIG. 2 is a schematic flowchart of a second network management security authentication method according to an embodiment of the present invention. As shown in FIG. 2, an embodiment of the present invention further provides a network management security authentication method based on a network management client, including the following steps:

S21: Receive an authentication request message entered by the user and send the authentication request message to the network management server, the authentication request message carrying a username and a token code.

S22: Receive the authentication result sent by the network management server.

S23: Determine, according to the authentication result, whether to allow the user to log in.

With the network management security authentication method provided by this embodiment, the network management client can receive the authentication request message entered by the user and send it to the network management server, and can also receive from the network management server the result of authenticating the username and token code in the authentication request message, and then determine according to that result whether to allow the user to log in. Throughout the process, the user enters a token code generated by a token instead of a traditional password. Because the token code is generated dynamically, it offers better security; the token code also has few digits, which makes it easy to enter, and the user does not need to memorize it. The method therefore ensures security while also making operation convenient for the user.
Steps S21 and S22 mainly concern the transfer of the authentication request message and the authentication result between the network management client, the network management server and the authentication server. To keep this information secure, the authentication request message and the authentication result can be encrypted and encapsulated before being transmitted over the network; once they reach their destination, the specific information they contain is recovered by the corresponding decryption or parsing.

Specifically, in step S23, determining according to the authentication result whether to allow the user to log in may include the following steps:

When the authentication result is success, it is determined that the user is allowed to log in. The network client, as the device that interfaces directly with the user, provides the user with an operation interface and can exchange information with the user. Once the network client learns that the username and token code entered by the user have been authenticated successfully, it can display friendly feedback on the authentication result, so that the user can take the appropriate interactive action based on that result and finally log in successfully.
Note that although in network management security authentication the user only needs to enter a username and a token code to form the corresponding authentication request message and have the user securely authenticated, when a user performs security authentication for the first time the authentication server in fact also needs to set a PIN for that user, in order to provide the conditions for generating the token code.

To rule out an authentication failure caused by a missing PIN setting, after the username and token code fail authentication the method preferably also includes a step of judging whether this authentication is a new user's first authentication. If so, the new user is given an entry for entering a PIN and, after the PIN has been set, an entry for entering an authentication request message. If not, a missing PIN setting is ruled out as the cause. In that case, optionally, it can be judged whether the number of times the user has consecutively entered the authentication request message incorrectly has reached a preset number; if it has, the user is determined to be an illegal user; if it has not, the user continues to be given an entry for entering an authentication request message. For example, in one embodiment of the present invention the preset number is 3: each incorrect entry of the username or token code is counted, and when the count reaches 3 the user is no longer given an entry for entering an authentication request message and is flagged as an illegal user.
An embodiment of the present invention further provides a computer storage medium storing computer-executable instructions, the computer-executable instructions being used to execute the network management security authentication method according to the embodiments of the present invention.

Correspondingly, FIG. 3 is a schematic flowchart of a third network management security authentication method according to an embodiment of the present invention. As shown in FIG. 3, an embodiment of the present invention further provides a network management security authentication method based on an authentication server, the method including:

S31: Receive an authentication request message from the network management server, the authentication request message carrying a username and a token code.

S32: Authenticate the username and the token code.

S33: Send the authentication result to the network management server.

With the network management security authentication method provided by this embodiment, the authentication server can receive an authentication request message from the network management server, authenticate the username and token code carried in it, and send the authentication result to the network management server. Throughout the process, the user enters a token code generated by a token instead of a traditional password. Because the token code is generated dynamically, it offers better security; the token code also has few digits, which makes it easy to enter, and the user does not need to memorize it. The method therefore ensures security while also making operation convenient for the user.
Specifically, when the authentication server receives an authentication request message carrying a username and a token code, it can parse out the username and token code. Because the token-related information has been created on the authentication server, the username and token code can be authenticated against that information.

Note that although in network management security authentication the user only needs to enter a username and a token code to form the corresponding authentication request message and have the user securely authenticated, when a user performs security authentication for the first time the authentication server in fact also needs to set that user's PIN. Once the PIN has been set the first time, the same user does not need to set a PIN again in later authentications.
Specifically, after step S33, the method may further include:

receiving a PIN setting message from the network management server, the PIN setting message carrying a PIN; setting the PIN; and sending the result of setting the PIN to the network management client through the network management server.

The result of setting the PIN can be either success or failure. After the PIN setting result is sent to the network management server, the network management server parses it and notifies the network management client.

An embodiment of the present invention further provides a computer storage medium storing computer-executable instructions, the computer-executable instructions being used to execute the network management security authentication method according to the embodiments of the present invention.
The network management security authentication method provided by the embodiments of the present invention is described in detail below through a specific embodiment. FIG. 4 is a schematic flowchart of a fourth network management security authentication method according to an embodiment of the present invention. As shown in FIG. 4, the method may include the following steps:

Step 101: The user opens the network management login entry, generates a token code with the token, and provides it together with the username to the network management client.

Step 102: The network management client encrypts the user information that was entered and sends it to the network management server.

Step 103: The network management server establishes a session with the authentication server at the configured authentication server address, and then forwards the authentication request message to the authentication server.

Step 104: The authentication server parses the authentication request message, verifies the validity of the token code, and sends the authentication result to the network management server.

Step 105: The network management server parses the authentication result and judges whether the user's identity authentication succeeded. If so, step 106 is performed; if not, step 107 is performed.

Step 106: Allocate reasonable resources and operation rights to the user, then encapsulate the authentication result and return it to the network management client; perform step 108.

Step 107: Encapsulate the authentication result directly and return it to the network management client without allocating any resources; perform step 108.

Step 108: The client parses the authentication result and judges whether the authentication succeeded. If so, step 115 is performed; if not, step 109 is performed.
Step 109: The network management client further judges whether this authentication is a new user's first authentication and whether the user PIN needs to be set. If so, step 110 is performed; if not, step 113 is performed.

Step 110: Provide an entry for entering the PIN, and send the PIN entered by the user to the network management server.

Step 111: The network management server forwards the PIN to the authentication server.

Step 112: The authentication server sets the PIN successfully and returns a message that the PIN was set successfully to the network client; perform step 101.

Step 113: Judge whether the number of consecutive incorrect token code entries has reached the preset value. If not, repeat the authentication start flow of step 101. If so, the user is determined not to be a legitimate user, since several different token codes generated in succession have all failed authentication; perform step 114.

Step 114: Exit the login; perform step 116.

Step 115: Log in directly; perform step 116.

Step 116: The authentication flow ends.
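The flow of steps 101 to 116 can be traced with the following Python simulation, which is an added example and not code from the patent. All class and function names are hypothetical; the token algorithm (HMAC-SHA1 over a time step with RFC 4226 truncation), the `pin_required` flag in the authentication result and the 60-second step are assumptions, because the patent specifies none of them.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass

STEP_SECONDS = 60   # assumed lifetime of one token code
MAX_FAILURES = 3    # preset number of consecutive failures (3 in the embodiment)


def token_code(seed: bytes, now: int, digits: int = 6) -> str:
    """Token code for the time step containing `now`.

    Assumption: HMAC-SHA1 with RFC 4226 dynamic truncation; the patent does
    not name the algorithm that turns a token seed into a token code.
    """
    mac = hmac.new(seed, struct.pack(">Q", now // STEP_SECONDS), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


@dataclass
class AuthResult:
    success: bool
    pin_required: bool = False  # assumed flag: first authentication, no PIN yet


class AuthServer:
    """Authentication server: holds the token information created at issuance."""

    def __init__(self):
        self.seeds = {}  # username -> token seed
        self.pins = {}   # username -> (salt, PBKDF2 hash of the PIN)

    def enroll(self, user: str, seed: bytes) -> None:
        self.seeds[user] = seed

    def authenticate(self, user: str, code: str, now: int) -> AuthResult:
        """Steps S31-S33 / step 104."""
        seed = self.seeds.get(user)
        if seed is None:
            return AuthResult(False)
        expected = token_code(seed, now).encode()
        if not hmac.compare_digest(code.encode(), expected):
            return AuthResult(False)
        if user not in self.pins:  # valid code, but PIN setup still missing
            return AuthResult(False, pin_required=True)
        return AuthResult(True)

    def set_pin(self, user: str, pin: str) -> bool:
        """Step 112: store the PIN carried by the PIN setting message."""
        if user not in self.seeds or not pin.isdigit():
            return False
        salt = os.urandom(16)
        self.pins[user] = (salt, hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000))
        return True


class NMServer:
    """Network management server: forwards messages, never checks the code itself."""

    def __init__(self, auth: AuthServer):
        self.auth = auth
        self.rights = {}  # username -> allocated resources and operation rights

    def handle_auth_request(self, user, code, now) -> AuthResult:
        """Steps S11-S13 / steps 103 and 105-107."""
        result = self.auth.authenticate(user, code, now)
        if result.success:
            self.rights[user] = {"resources", "operations"}  # placeholder grant
        return result

    def handle_pin_setting(self, user, pin) -> bool:
        """Step 111: forward the PIN to the authentication server."""
        return self.auth.set_pin(user, pin)


def client_login(server: NMServer, user, codes, pins, now) -> str:
    """Steps 101 and 108-116; `codes` and `pins` stand in for what the user types."""
    codes, pins = iter(codes), iter(pins)
    failures = 0
    while True:
        code = next(codes, None)                               # step 101
        if code is None:
            return "aborted"
        result = server.handle_auth_request(user, code, now)   # steps 102-107
        if result.success:
            return "logged_in"                                 # step 115
        if result.pin_required:                                # step 109
            pin = next(pins, None)                             # step 110
            if pin is not None and server.handle_pin_setting(user, pin):
                continue                                       # back to step 101
        failures += 1                                          # step 113
        if failures >= MAX_FAILURES:
            return "illegal_user"                              # step 114
```

As in the embodiment, the failure counter lives in the client and the PIN setting message carries only the PIN; a deployment would normally also enforce the attempt limit on the authentication server, since the client is under the user's control.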
Correspondingly, FIG. 5 is a schematic structural diagram of a first network management security authentication apparatus according to an embodiment of the present invention. As shown in FIG. 5, an embodiment of the present invention further provides a network management security authentication apparatus 2, including:

a first transceiver unit 21, configured to receive an authentication request message from the network management client and send the authentication request message to the authentication server, the authentication request message carrying a username and a token code; further used to receive the authentication result sent by the authentication server; and further configured to send the authentication result received by the first transceiver unit to the network management client;

a first determining unit 22, configured to determine, according to the authentication result received by the first transceiver unit, whether to allocate resources and operation rights to the user of the network management client.

In the network management security authentication apparatus 2 provided by this embodiment, the first transceiver unit 21 can receive an authentication request message from the network management client and forward it to the authentication server, so that the authentication server authenticates the username and token code in the authentication request message; the first determining unit 22 can determine, according to the authentication result of the authentication server, whether to allocate resources and operation rights to the user of the network management client. The user enters a token code generated by a token instead of a traditional password. Because the token code is generated dynamically, it offers better security; the token code also has few digits, which makes it easy to enter, and the user does not need to memorize it. The apparatus therefore ensures security while also making operation convenient for the user.

Specifically, the first determining unit 22 is configured to: when the authentication result is success, determine that resources and operation rights are allocated to the user of the network management client, so that the user can use those resources and operation rights; and when the authentication result is failure, determine that resources and operation rights are not allocated to the user of the network management client.

In practical applications, the network management security authentication apparatus can be implemented by a network management server; the first determining unit 22 can be implemented by a central processing unit (CPU), a digital signal processor (DSP) or a field-programmable gate array (FPGA) in the first network management security authentication apparatus described in the embodiments of the present invention; and the first transceiver unit 21 can be implemented by a transceiver in the network management security authentication apparatus.
Correspondingly, FIG. 6 is a schematic structural diagram of a second network management security authentication apparatus according to an embodiment of the present invention. As shown in FIG. 6, an embodiment of the present invention further provides a network management security authentication apparatus 3, the apparatus including:

a second transceiver unit 31, configured to receive an authentication request message entered by the user and send the authentication request message to the network management server, the authentication request message carrying a username and a token code; and further configured to receive the authentication result sent by the network management server;

a second determining unit 32, configured to determine, according to the authentication result received by the second transceiver unit 31, whether to allow the user to log in.

In the network management security authentication apparatus 3 provided by this embodiment, the second transceiver unit 31 can receive the authentication request message entered by the user and send it to the network management server, and can also receive the result of authenticating the username and token code in the authentication request message; the second determining unit 32 can determine, according to the authentication result, whether to allow the user to log in. Throughout the process, the user enters a token code generated by a token instead of a traditional password. Because the token code is generated dynamically, it offers better security; the token code also has few digits, which makes it easy to enter, and the user does not need to memorize it. The network management security authentication apparatus 3 therefore ensures security while also making operation convenient for the user.

Specifically, the second determining unit 32 is configured to: when the authentication result is success, determine that the user is allowed to log in; when the authentication result is failure, judge whether this authentication is a new user's first authentication; if so, give the new user an entry for entering a personal identification number (PIN) and, after the PIN has been set successfully, an entry for entering an authentication request message; if not, judge whether the number of times the user has consecutively entered the authentication request message incorrectly has reached a preset number; if it has, determine that the user is an illegal user; if it has not, continue to give the user an entry for entering an authentication request message.

In practical applications, the network management security authentication apparatus can be implemented by a network management client, and the gateway client can be a terminal device such as a computer or a smartphone; the second determining unit 32 can be implemented by a CPU, DSP or FPGA in the second network management security authentication apparatus described in the embodiments of the present invention; and the second transceiver unit 31 can be implemented by a transceiver in the network management security authentication apparatus.
Correspondingly, FIG. 7 is a schematic structural diagram of a third network management security authentication apparatus according to an embodiment of the present invention. As shown in FIG. 7, an embodiment of the present invention further provides a network management security authentication apparatus 4, the apparatus including:

a receiving unit 41, configured to receive an authentication request message from the network management server, the authentication request message carrying a username and a token code;

an authentication unit 42, configured to authenticate the username and token code received by the receiving unit 41 and obtain an authentication result;

a sending unit 43, configured to send the authentication result obtained by the authentication unit 42 to the network management server.

In the network management security authentication apparatus 4 provided by this embodiment, the receiving unit 41 can receive an authentication request message from the network management server; the authentication unit 42 can authenticate the username and token code carried in the authentication request message; and the sending unit 43 can send the authentication result to the network management server. Throughout the process, the user enters a token code generated by a token instead of a traditional password. Because the token code is generated dynamically, it offers better security; the token code also has few digits, which makes it easy to enter, and the user does not need to memorize it. The network management security authentication method provided by the embodiments of the present invention therefore ensures security while also making operation convenient for the user.
可选的, 所述接收单元 41 , 还可配置为从所述网管服务器接收 PIN设 置消息, 所述 PIN设置消息中携带 PIN;  Optionally, the receiving unit 41 is further configured to receive a PIN setting message from the network management server, where the PIN setting message carries a PIN;
所述认证单元 42,还可配置为对所述接收单元 41接收的所述 PIN进行 设置, 获得设置结果;  The authentication unit 42 may be further configured to set the PIN received by the receiving unit 41 to obtain a setting result;
所述发送单元 43 ,还可配置为将所述认证单元 42获得的 PIN的设置结 果通过网管服务器发送至网管客户端。  The sending unit 43 is further configured to send the setting result of the PIN obtained by the authentication unit 42 to the network management client through the network management server.
其中, 所述网管安全认证装置在实际应用中, 可由认证服务器实现; 所述认证单元 42在实际应用中, 可由本发明实施例所述第三种网管安全认 证装置中的 CPU、 DSP或 FPGA实现; 所述接收单元 41在实际应用中, 可 由所述网管安全认证装置中的接收机或接收器实现; 所述发送单元 43在实 际应用中, 可由所述网管安全认证装置中的发射机。  The network management security authentication device may be implemented by an authentication server in an actual application; the authentication unit 42 may be implemented by a CPU, a DSP, or an FPGA in a third network management security authentication device according to the embodiment of the present invention. The receiving unit 41 can be implemented by a receiver or a receiver in the network management security authentication device in an actual application; the transmitting unit 43 can be used by the network management security authentication device in the actual application.
Correspondingly, an embodiment of the present invention further provides a network management security authentication system. FIG. 8 is a schematic structural diagram of the network management security authentication system provided by an embodiment of the present invention. As shown in FIG. 8, the system includes a network management server 51, a network management client 52 and an authentication server 53, where:
the network management server 51 is configured to receive an authentication request message from the network management client 52 and send the authentication request message to the authentication server 53, where the authentication request message carries a user name and a token code; it is further configured to determine, according to the authentication result sent by the authentication server 53, whether to allocate resources and operation rights to the user of the network management client 52, and to send the authentication result to the network management client 52;
the network management client 52 is configured to receive an authentication request message entered by the user and send the authentication request message to the network management server 51, where the authentication request message carries a user name and a token code; it is further configured to receive the authentication result sent by the network management server 51 and determine, according to the authentication result, whether the user is allowed to log in;
the authentication server 53 is configured to receive the authentication request message from the network management server 51, where the authentication request message carries a user name and a token code; to authenticate the user name and token code; and to send the authentication result to the network management server 51.
Specifically, the network management server 51 is configured to determine to allocate resources and operation rights to the user of the network management client 52 when the authentication result sent by the authentication server 53 is authentication success.
Specifically, the network management client 52 is configured to: when the authentication result sent by the network management server 51 is authentication success, determine that the user is allowed to log in; when the authentication result is authentication failure, judge whether this authentication is the first authentication of a new user; if so, provide the new user with an entry point for entering a personal identification number (PIN) and, after the PIN is set successfully, provide the new user with an entry point for entering an authentication request message; if not, judge whether the number of consecutive times the user has entered the authentication request message incorrectly has reached a preset number; if it has, determine that the user is an illegitimate user; if it has not, continue to provide the user with an entry point for entering an authentication request message.
Preferably, the authentication server 53 is further configured to receive a PIN setting message from the network management server 51, where the PIN setting message carries a PIN; to set the PIN; and to send the PIN setting result to the network management client 52 through the network management server 51.
Specifically, the network management server 51 includes any one of the network management security authentication devices 2 provided in the foregoing embodiments; the network management client 52 includes any one of the network management security authentication devices 3 provided in the foregoing embodiments; and the authentication server 53 includes any one of the network management security authentication devices 4 provided in the foregoing embodiments. Because the network management security authentication system includes the network management security authentication devices of the foregoing embodiments, it achieves the corresponding beneficial technical effects, which have been described in detail above and are not repeated here.
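The three-role exchange described above (network management client 52, network management server 51, authentication server 53), sketched as an added Python example that is not part of the patent text. The token algorithm (HOTP-style truncation as in RFC 4226), the `new_user` flag in the authentication result, the rule that an account without a PIN counts as a new user's first attempt, the PIN format, the granted rights and the preset count of 3 are all assumptions; the seeds and PINs are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

PRESET_FAILURES = 3  # the "preset number" of consecutive failures (assumed value)
STEP = 1000          # fixed time step so the run is deterministic (constructed)


def token_code(seed: bytes, step: int) -> str:
    """Assumed token algorithm: 6-digit HOTP-style truncation (RFC 4226)."""
    digest = hmac.new(seed, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


class AuthServer:
    """Authentication server 53: checks user name + token code, sets PINs."""
    def __init__(self, seeds):
        self.seeds = dict(seeds)  # user name -> token seed
        self.pins = {}            # user name -> (salt, PBKDF2 hash of the PIN)

    def authenticate(self, request):
        user, code = request["username"], request["token_code"]
        if user in self.seeds and user not in self.pins:
            return {"ok": False, "new_user": True}  # first attempt, no PIN yet
        expected = token_code(self.seeds.get(user, b""), STEP)
        ok = user in self.seeds and hmac.compare_digest(code.encode(), expected.encode())
        return {"ok": ok, "new_user": False}

    def set_pin(self, message):
        user, pin = message["username"], message["pin"]
        valid = pin.isascii() and pin.isdigit() and 4 <= len(pin) <= 8
        if user not in self.seeds or not valid:
            return {"pin_set": False}
        salt = os.urandom(16)
        self.pins[user] = (salt, hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000))
        return {"pin_set": True}


class NmsServer:
    """Network management server 51: relays messages, grants rights on success."""
    def __init__(self, auth_server):
        self.auth = auth_server
        self.sessions = {}  # user name -> allocated operation rights

    def handle_auth(self, request):
        result = self.auth.authenticate(request)
        if result["ok"]:  # resources and rights are allocated only on success
            self.sessions[request["username"]] = ["view", "configure"]
        return result     # the result is forwarded to the client either way

    def handle_pin(self, message):
        return self.auth.set_pin(message)


class NmsClient:
    """Network management client 52: decides what to offer the user next."""
    def __init__(self, server):
        self.server = server
        self.failures = {}  # user name -> consecutive failed attempts

    def login(self, username, code):
        if self.failures.get(username, 0) >= PRESET_FAILURES:
            return "illegal_user"  # assumption: no further attempts are offered
        result = self.server.handle_auth({"username": username, "token_code": code})
        if result["ok"]:
            self.failures[username] = 0
            return "logged_in"
        if result["new_user"]:
            return "set_pin"       # offer the PIN entry point
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.failures[username] >= PRESET_FAILURES:
            return "illegal_user"
        return "retry"             # offer the authentication entry point again

    def set_pin(self, username, pin):
        result = self.server.handle_pin({"username": username, "pin": pin})
        return "retry" if result["pin_set"] else "set_pin"


def demo():
    # alice: new user, sets a PIN, logs in. bob: three wrong codes in a row.
    seeds = {"alice": b"constructed-seed-a", "bob": b"constructed-seed-b"}
    nms = NmsServer(AuthServer(seeds))
    client = NmsClient(nms)
    good = token_code(seeds["alice"], STEP)
    trace = [client.login("alice", good), client.set_pin("alice", "4821"),
             client.login("alice", good)]
    client.set_pin("bob", "7315")
    wrong = "000000" if token_code(seeds["bob"], STEP) != "000000" else "111111"
    trace += [client.login("bob", wrong) for _ in range(PRESET_FAILURES)]
    return trace, sorted(nms.sessions)


if __name__ == "__main__":
    print(demo())
```

The text places the consecutive-failure counter in the client; a counter held only there resets when the client restarts, so a deployment would normally mirror it on the server side.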
The present invention is described with reference to flowcharts and/or block diagrams of methods, devices, and computer program products according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor, or another programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means, the instruction means implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps is performed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
The above are only implementations of the embodiments of the present invention. It should be noted that those of ordinary skill in the art can make several improvements and refinements without departing from the principles of the embodiments of the present invention, and these improvements and refinements shall also be regarded as falling within the protection scope of the embodiments of the present invention.
Industrial Applicability
In the embodiments of the present invention, the network management server receives an authentication request message from the network management client and forwards it to the authentication server, so that the authentication server authenticates the user name and token code in the authentication request message; the network management server then determines, according to the authentication result from the authentication server, whether to allocate resources and operation rights to the user of the network management client. Throughout the operation, a token code generated by a token replaces the traditional password as the user's input, which offers better security; the token code also has few digits, which makes it easy to enter, and the user does not need to memorize it. The network management security authentication method provided by the embodiments of the present invention therefore makes operation convenient for the user while ensuring security.

Claims

1. A network management security authentication method, the method comprising:
receiving an authentication request message from a network management client, and sending the authentication request message to an authentication server, where the authentication request message carries a user name and a token code;
determining, according to an authentication result sent by the authentication server, whether to allocate resources and operation rights to the user of the network management client;
sending the authentication result to the network management client.
2. The method according to claim 1, wherein determining, according to the authentication result sent by the authentication server, whether to allocate resources and operation rights to the user of the network management client comprises: when the authentication result is authentication success, determining to allocate resources and operation rights to the user of the network management client.
3. A network management security authentication method, the method comprising:
receiving an authentication request message entered by a user, and sending the authentication request message to a network management server, where the authentication request message carries a user name and a token code;
receiving an authentication result sent by the network management server;
determining, according to the authentication result, whether the user is allowed to log in.
4. The method according to claim 3, wherein determining, according to the authentication result, whether the user is allowed to log in comprises:
when the authentication result is authentication success, determining that the user is allowed to log in;
when the authentication result is authentication failure, judging whether this authentication is the first authentication of a new user;
if so, providing the new user with an entry point for entering a personal identification number (PIN) and, after the PIN is set successfully, providing the new user with an entry point for entering an authentication request message;
if not, judging whether the number of consecutive times the user has entered the authentication request message incorrectly has reached a preset number; if it has, determining that the user is an illegitimate user; if it has not, continuing to provide the user with an entry point for entering an authentication request message.
5. A network management security authentication method, the method comprising:
receiving an authentication request message from a network management server, where the authentication request message carries a user name and a token code;
authenticating the user name and token code;
sending the authentication result to the network management server.
6. The method according to claim 5, wherein after the authentication result is sent to the network management server, the method further comprises:
receiving a PIN setting message from the network management server, where the PIN setting message carries a PIN; setting the PIN;
sending the PIN setting result to the network management client through the network management server.
7. A network management security authentication device, the device comprising:
a first transceiver unit, configured to receive an authentication request message from a network management client and send the authentication request message to an authentication server, where the authentication request message carries a user name and a token code; further configured to receive the authentication result sent by the authentication server; and further configured to send the authentication result received by the first transceiver unit to the network management client;
a first determining unit, configured to determine, according to the authentication result received by the first transceiver unit, whether to allocate resources and operation rights to the user of the network management client.
8. The device according to claim 7, wherein the first determining unit is configured to determine to allocate resources and operation rights to the user of the network management client when the authentication result is authentication success.
9. A network management security authentication device, the device comprising:
a second transceiver unit, configured to receive an authentication request message entered by a user and send the authentication request message to a network management server, where the authentication request message carries a user name and a token code; and further configured to receive the authentication result sent by the network management server;
a second determining unit, configured to determine, according to the authentication result received by the second transceiver unit, whether the user is allowed to log in.
10. The device according to claim 9, wherein the second determining unit is configured to: when the authentication result is authentication success, determine that the user is allowed to log in; when the authentication result is authentication failure, judge whether this authentication is the first authentication of a new user; if so, provide the new user with an entry point for entering a personal identification number (PIN) and, after the PIN is set successfully, provide the new user with an entry point for entering an authentication request message; if not, judge whether the number of consecutive times the user has entered the authentication request message incorrectly has reached a preset number; if it has, determine that the user is an illegitimate user; if it has not, continue to provide the user with an entry point for entering an authentication request message.
11. A network management security authentication device, the device comprising:
a receiving unit, configured to receive an authentication request message from a network management server, where the authentication request message carries a user name and a token code;
an authentication unit, configured to authenticate the user name and token code received by the receiving unit and obtain an authentication result;
a sending unit, configured to send the authentication result obtained by the authentication unit to the network management server.
12. The device according to claim 11, wherein
the receiving unit is further configured to receive a PIN setting message from the network management server, where the PIN setting message carries a PIN;
the authentication unit is further configured to set the PIN received by the receiving unit and obtain a setting result;
the sending unit is further configured to send the PIN setting result obtained by the authentication unit to the network management client through the network management server.
13. A network management security authentication system, the system comprising a network management server, a network management client, and an authentication server, wherein:
the network management server is configured to receive an authentication request message from the network management client and send the authentication request message to the authentication server, where the authentication request message carries a user name and a token code; it is further configured to determine, according to the authentication result sent by the authentication server, whether to allocate resources and operation rights to the user of the network management client, and to send the authentication result to the network management client;
the network management client is configured to receive an authentication request message entered by the user and send the authentication request message to the network management server, where the authentication request message carries a user name and a token code; it is further configured to receive the authentication result sent by the network management server and determine, according to the authentication result, whether the user is allowed to log in;
the authentication server is configured to receive the authentication request message from the network management server, where the authentication request message carries a user name and a token code; to authenticate the user name and token code; and to send the authentication result to the network management server.
14. The system according to claim 13, wherein the network management server is configured to determine to allocate resources and operation rights to the user of the network management client when the authentication result sent by the authentication server is authentication success.
15. The system according to claim 13, wherein the network management client is configured to: when the authentication result sent by the network management server is authentication success, determine that the user is allowed to log in; when the authentication result is authentication failure, judge whether this authentication is the first authentication of a new user; if so, provide the new user with an entry point for entering a personal identification number (PIN) and, after the PIN is set successfully, provide the new user with an entry point for entering an authentication request message; if not, judge whether the number of consecutive times the user has entered the authentication request message incorrectly has reached a preset number; if it has, determine that the user is an illegitimate user; if it has not, continue to provide the user with an entry point for entering an authentication request message.
16. The system according to claim 13, wherein the authentication server is further configured to receive a PIN setting message from the network management server, where the PIN setting message carries a PIN; to set the PIN; and to send the PIN setting result to the network management client through the network management server.
17. A computer storage medium storing computer-executable instructions, the computer-executable instructions being used to execute the network management security authentication method according to claim 1 or 2.
18. A computer storage medium storing computer-executable instructions, the computer-executable instructions being used to execute the network management security authentication method according to claim 3 or 4.
19. A computer storage medium storing computer-executable instructions, the computer-executable instructions being used to execute the network management security authentication method according to claim 5 or 6.
PCT/CN2014/079516 2013-10-10 2014-06-09 Network management security authentication method, device and system, and computer storage medium WO2014180431A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2016521681A JP2016536678A (en) 2013-10-10 2014-06-09 Network management security authentication method, apparatus, system, and computer storage medium

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201310469640.2A CN104580063A (en) 2013-10-10 2013-10-10 A network management security authentication method and device, and network management security authentication system
CN201310469640.2 2013-10-10

Publications (1)

Publication Number Publication Date
WO2014180431A1 true WO2014180431A1 (en) 2014-11-13

Family

ID=51866811

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/079516 WO2014180431A1 (en) 2013-10-10 2014-06-09 Network management security authentication method, device and system, and computer storage medium

Country Status (3)

Country Link
JP (1) JP2016536678A (en)
CN (1) CN104580063A (en)
WO (1) WO2014180431A1 (en)

Also Published As

Publication number Publication date
JP2016536678A (en) 2016-11-24
CN104580063A (en) 2015-04-29

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application. Ref document number: 14794209; Country of ref document: EP; Kind code of ref document: A1
ENP Entry into the national phase. Ref document number: 2016521681; Country of ref document: JP; Kind code of ref document: A
NENP Non-entry into the national phase. Ref country code: DE
122 Ep: pct application non-entry in european phase. Ref document number: 14794209; Country of ref document: EP; Kind code of ref document: A1