WO2017054444A1 - Method for logging in to a system, server, system, and network attached storage device - Google Patents

Method for logging in to a system, server, system, and network attached storage device

Info

Publication number
WO2017054444A1
Authority
WO
WIPO (PCT)
Prior art keywords
password
algorithm
server
irreversible
account
Prior art date
Application number
PCT/CN2016/080665
Other languages
English (en)
Chinese (zh)
Inventor
张日和
成文俊
Original Assignee
深圳市先河系统技术有限公司
Priority date
Filing date
Publication date
Application filed by 深圳市先河系统技术有限公司
Publication of WO2017054444A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40: Network security protocols
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/083: Network architectures or network communication protocols for network security for authentication of entities using passwords

Definitions

  • The present invention relates to network technologies, and in particular to a method, a server, a system, and a network attached storage device for logging in to a system.
  • A server that provides shared resource services such as cloud data storage, data processing, and data management over a public network is called a public cloud server.
  • A server running a shared resource service that provides data storage, data processing, and data management within a local area network is called a private cloud server.
  • When the same user has an account on both a public cloud and a private cloud, the two accounts often use the same account name and password for the user's convenience.
  • The public cloud and the private cloud each save the complete account name and its corresponding password, either in clear text or in encrypted form.
  • If the public cloud server suffers a data leak or is compromised, and the method used to protect the stored passwords (if any) is also cracked, the user's public cloud password is leaked. Because the same password is used for the private cloud, whoever obtains it can log in directly to the private cloud service system and obtain the private information and private files stored there.
  • The present invention proposes a method of logging in to a system.
  • The method includes: a first system receives a login request for a first account that carries a first password; the first system obtains an access mode of a second system according to the first account; the first system requests the second system according to the access mode to obtain a second password, which is obtained by applying a first irreversible algorithm to a third password required to log in to the second system; the first system matches the second password against a fourth password, which the first system obtains by applying the first irreversible algorithm to the first password; and the first system responds to the login request according to the matching result: if the second password and the fourth password match, the first account is logged in to the first system successfully, otherwise the login fails.
  • Using the first irreversible algorithm means using a first hash algorithm; or it means adding a first random string to the data being processed and then using the first hash algorithm, in which case the second system sends the first random string to the first system together with the second password. The first hash algorithm is any one of MD5, SHA1, SHA2, SHA256, SHA512, and PBKDF2.
  • The first system is a public cloud server.
  • The second system is a private cloud server.
  • The present invention further proposes a method of logging in to a system.
  • The method includes: a first system receives a login request for a first account that carries a first password; the first system obtains an access mode of a second system according to the first account; the first system requests the second system according to the access mode to obtain a second password, which is obtained by applying a first irreversible algorithm to a third password required to log in to the second system; the first system matches a fifth password against a sixth password, where the fifth password is obtained by the first system combining the second password with a seventh password, the seventh password being a password pre-stored by the first system and obtained by applying a second irreversible algorithm to the third password, and the sixth password is obtained by combining a fourth password with an eighth password, where the fourth password is obtained by the first system applying the first irreversible algorithm to the first password and the eighth password is obtained by the first system applying the second irreversible algorithm to the first password; and the first system responds to the login request according to the matching result.
  • Using the first irreversible algorithm means using a first hash algorithm; or it means adding a first random string to the data being processed and then using the first hash algorithm, in which case the second system sends the first random string to the first system together with the second password. The first hash algorithm is any one of MD5, SHA1, SHA2, SHA256, SHA512, and PBKDF2.
  • Using the second irreversible algorithm means extracting some of the digits of the data being processed and then using a second hash algorithm, with the first system saving the number of extracted digits; or it means extracting some of the digits of the data being processed, adding a second random string, and then using the second hash algorithm, with the first system saving the number of extracted digits and the second random string. The second hash algorithm is any one of MD5, SHA1, SHA2, SHA256, SHA512, and PBKDF2.
  • Combining means splicing the two processed data; or splicing the two processed data and then applying a third hash algorithm; or splicing the two processed data, adding a third random string, and then applying the third hash algorithm, in which case the first system deletes the third random string after obtaining the fifth password and the sixth password. The third hash algorithm is any one of MD5, SHA1, SHA2, SHA256, SHA512, and PBKDF2.
  • The first system is a public cloud server.
  • The second system is a private cloud server.
  • The server includes: a receiving module configured to receive a login request for a first account that carries a first password; an addressing module configured to obtain an access mode of a second system according to the first account; an obtaining module configured to request the second system according to the access mode to obtain a second password, which is obtained by applying a first irreversible algorithm to a third password required to log in to the second system; a matching module configured to match the second password against a fourth password, which is obtained by applying the first irreversible algorithm to the first password; and a response module configured to respond to the login request according to the matching result, so that if the second password and the fourth password match, the first account is logged in successfully, otherwise the login fails.
  • The matching module includes a first operation unit configured to apply the first irreversible algorithm to the first password to obtain the fourth password, where using the first irreversible algorithm means using a first hash algorithm, or means adding a first random string to the data being processed and then using the first hash algorithm, in which case the second system sends the first random string to the server together with the second password. The first hash algorithm is any one of MD5, SHA1, SHA2, SHA256, SHA512, and PBKDF2.
  • The server is a public cloud server, and the second system is a private cloud server.
  • The server includes: a receiving module configured to receive a login request for a first account that carries a first password; an addressing module configured to obtain an access mode of a second system according to the first account; an obtaining module configured to request the second system according to the access mode to obtain a second password, which is obtained by applying a first irreversible algorithm to a third password required to log in to the second system; a matching module configured to match a fifth password against a sixth password, where the fifth password is obtained by combining the second password with a seventh password, the seventh password being a pre-stored password obtained by applying a second irreversible algorithm to the third password, and the sixth password is obtained by combining a fourth password with an eighth password, where the fourth password is obtained by applying the first irreversible algorithm to the first password and the eighth password is obtained by applying the second irreversible algorithm to the first password; and a response module configured to respond to the login request according to the matching result, so that if the fifth password and the sixth password match, the first account is logged in successfully, otherwise the login fails.
  • The matching module includes a first operation unit configured to apply the first irreversible algorithm to the first password to obtain the fourth password, where using the first irreversible algorithm means using a first hash algorithm, or means adding a first random string to the data being processed and then using the first hash algorithm, in which case the second system sends the first random string to the server together with the second password. The first hash algorithm is any one of MD5, SHA1, SHA2, SHA256, SHA512, and PBKDF2.
  • The matching module includes a second operation unit configured to apply the second irreversible algorithm to the first password to obtain the eighth password, and to apply the second irreversible algorithm to the third password to obtain the seventh password. Using the second irreversible algorithm means extracting some of the digits of the data being processed and then using a second hash algorithm, with the server saving the number of extracted digits; or it means extracting some of the digits of the data being processed, adding a second random string, and then using the second hash algorithm, with the server saving the number of extracted digits and the second random string. The second hash algorithm is any one of MD5, SHA1, SHA2, SHA256, SHA512, and PBKDF2.
  • The matching module includes a combining unit configured to combine the second password and the seventh password to obtain the fifth password, and to combine the fourth password and the eighth password to obtain the sixth password. Combining means splicing the two processed data; or splicing the two processed data and then processing them with a third hash algorithm; or splicing the two processed data, adding a third random string, and then processing them with the third hash algorithm, in which case the server deletes the third random string after obtaining the fifth password and the sixth password. The third hash algorithm is any one of MD5, SHA1, SHA2, SHA256, SHA512, and PBKDF2.
  • The server is a public cloud server, and the second system is a private cloud server.
  • The present invention proposes a server.
  • The server comprises a processor, a memory, and a network communication circuit, where the memory and the network communication circuit are each connected to the processor. The processor is configured to run the service program to: receive, through the network communication circuit, a login request for a first account carrying a first password; obtain an access mode of a second system according to the first account; request the second system through the network communication circuit according to the access mode to obtain a second password, which is obtained by applying a first irreversible algorithm to a third password required to log in to the second system; match the second password against a fourth password, which is obtained by applying the first irreversible algorithm to the first password; and respond to the login request according to the matching result, so that if the second password and the fourth password match, the first account is logged in successfully, otherwise the login fails.
  • The present invention further proposes a server.
  • The server comprises a processor, a memory, and a network communication circuit, where the memory and the network communication circuit are each connected to the processor. The processor is configured to run the service program to: receive, through the network communication circuit, a login request for a first account carrying a first password; obtain an access mode of a second system according to the first account; request the second system through the network communication circuit according to the access mode to obtain a second password, which is obtained by applying a first irreversible algorithm to a third password required to log in to the second system; match a fifth password against a sixth password, where the fifth password is obtained by combining the second password with a seventh password, the seventh password being a password pre-stored in the memory and obtained by applying a second irreversible algorithm to the third password, and the sixth password is obtained by combining a fourth password with an eighth password, where the fourth password is obtained by applying the first irreversible algorithm to the first password and the eighth password is obtained by applying the second irreversible algorithm to the first password; and respond to the login request according to the matching result, so that if the fifth password and the sixth password match, the first account is logged in successfully, otherwise the login fails.
  • The present invention proposes a system.
  • The system comprises a server and a second system.
  • The server comprises a processor, a memory, and a network communication circuit, where the memory and the network communication circuit are each connected to the processor.
  • The processor is configured to run the service program to receive, through the network communication circuit, a login request for a first account carrying a first password.
  • The access mode of the second system is obtained according to the first account.
  • The second system is requested through the network communication circuit according to the access mode to obtain the second password.
  • The second password is obtained by applying the first irreversible algorithm to the third password required for logging in to the second system. The server matches the second password against a fourth password obtained by applying the first irreversible algorithm to the first password and responds to the login request according to the matching result; the second system accepts the request for the second password sent by the server and, in response, sends the second password to the server.
  • The present invention further proposes a system.
  • The system comprises a server and a second system.
  • The server comprises a processor, a memory, and a network communication circuit, where the memory and the network communication circuit are each connected to the processor.
  • The processor is configured to run the service program to receive, through the network communication circuit, a login request for a first account carrying a first password.
  • The access mode of the second system is obtained according to the first account.
  • The second system is requested through the network communication circuit according to the access mode to obtain the second password.
  • The second password is obtained by applying the first irreversible algorithm to the third password required for logging in to the second system.
  • The server matches a fifth password against a sixth password, where the fifth password is obtained by combining the second password with a seventh password, the seventh password being a password pre-stored in the memory and obtained by applying the second irreversible algorithm to the third password, and the sixth password is obtained by combining a fourth password with an eighth password, where the fourth password is obtained by applying the first irreversible algorithm to the first password and the eighth password is obtained by applying the second irreversible algorithm to the first password.
  • The server responds to the login request according to the matching result: if the fifth password and the sixth password match, the first account is logged in successfully, otherwise the login fails. The second system accepts the request for the second password sent by the server and, in response, sends the second password to the server; the second password is obtained by applying the first irreversible algorithm to the third password required to log in to the second system.
  • The present invention proposes a network attached storage device.
  • The network attached storage device comprises a processor, a hard disk, and a routing circuit, where the hard disk and the routing circuit are each connected to the processor. The routing circuit is connected to the server through the Internet, and the processor is configured to run the service program to receive, through the routing circuit, a request for the second password sent by the server and, in response to the request, to send the second password to the server through the routing circuit.
  • The second password is used by the server to verify the first password entered by the user logging in to the server, either directly or in combination with the password pre-saved on the server.
  • The second password is obtained by applying the first irreversible algorithm to the third password required to log in to the service program running on the processor, and the second password or the third password is saved on the hard disk. The seventh password is the password obtained by applying the second irreversible algorithm to the third password.
  • The beneficial effects of the present invention are as follows. The first system and the second system use the same password, and the complete password is saved on the second system.
  • The password is not saved on the first system.
  • Either the first system requests the second system to obtain the complete password and then verifies the password entered by the user; or the first system saves only the password processed by the irreversible algorithm, from which the complete password cannot be obtained, requests the second system to obtain the complete password, and verifies the password entered by the user using both the saved password and the complete password.
  • Since the complete user password is not saved on the first system, even if the first system is compromised, the complete user password cannot be obtained for accessing the second system, thereby ensuring the security of the second system.
  • FIG. 1 is a flow chart of a first embodiment of the method for logging in to a system of the present invention.
  • FIG. 2 is a flow chart of a third embodiment of the method for logging in to a system of the present invention.
  • FIG. 3 is a schematic illustration of a first embodiment of the server of the present invention.
  • FIG. 4 is a schematic illustration of a second embodiment of the server of the present invention.
  • FIG. 5 is a schematic illustration of a third embodiment of the server of the present invention.
  • FIG. 6 is a schematic illustration of a fourth embodiment of the server of the present invention.
  • FIG. 7 is a schematic illustration of a fifth embodiment of the server of the present invention.
  • FIG. 8 is a schematic illustration of a sixth embodiment of the server of the present invention.
  • FIG. 9 is a schematic illustration of an embodiment of the system of the present invention.
  • FIG. 10 is a schematic diagram of an embodiment of the network attached storage device of the present invention.
  • The first embodiment of the method for logging in to a system of the present invention includes the following steps.
  • The first system receives a login request for a first account that carries a first password.
  • The user enters the first account and the first password on a client (such as a browser or an application) to attempt to log in to the first system. The first system is a server that runs the service program and may further run a database.
  • S120 The first system obtains the access mode of the second system according to the first account.
  • The first account uses the same password on both the first system and the second system.
  • The database of the first system records, for each account, the information of the other system corresponding to that account from which the password used for verification is obtained.
  • The first system looks up the first account in the database and obtains the address and port information of the corresponding second system.
  • S130 The first system requests the second system according to the access mode to obtain the second password.
  • The first system establishes a connection with the second system according to the address and port information of the corresponding second system and sends it a request to obtain the second password, where the second password is obtained by applying the first irreversible algorithm to the third password used for logging in to the second system.
  • The third password is the user password confirmed by the user when completing the setup of the first account; it is the password used to log in to both the first system and the second system.
  • The second system may save the third password and, after receiving the request from the first system, apply the first irreversible algorithm to the third password to obtain the second password and send it to the first system; or the second system may apply the first irreversible algorithm to the third password in advance, save the resulting second password, and send the second password directly after receiving the request from the first system. The third password cannot be deduced from the second password, which prevents the user password from being intercepted during data transmission.
  • The first system applies the first irreversible algorithm to the first password entered by the user to obtain the fourth password, matches the second password against the fourth password, and determines whether the two are identical or whether their relationship satisfies a predetermined condition.
  • If so, the first system accepts the login request of the first account; otherwise the first system rejects the login request of the first account and returns an error prompt.
  • An account has a master password and at least one sub-password, and there is a correspondence between each sub-password and the master password.
  • The sub-password is part of the master password.
  • In this embodiment, the first system and the second system use the same password, and the complete password is saved on the second system.
  • The password is not saved on the first system.
  • The first system requests the password from the second system and then verifies the password entered by the user.
  • In this way, even if the first system is compromised, the user password cannot be obtained from it for accessing the second system, and the security of the second system's data is ensured.
  • A hash algorithm may be used as the first irreversible algorithm: the first system requests from the second system the HASH value (second password) of the complete password (third password), calculates the HASH value (fourth password) of the password entered by the user (first password), matches the two HASH values, and responds to the user's login request according to the matching result.
  • Using the first irreversible algorithm may also mean adding a first random string to the data being processed and then using the first hash algorithm, that is, processing the first password and the third password with a salted HASH algorithm. The first random string is the first salt value; it may be added before or after the password, or inserted at a position in the password specified by a number of digits.
  • The salted HASH algorithm counters the traditional attacks on HASH algorithms, such as the dictionary method, the table lookup method, and rainbow tables. Adding a salt value (random string) of sufficient length to the password before applying the HASH algorithm makes these traditional methods against the HASH algorithm difficult to carry out.
  • If the second system saves the third password, then after receiving the request from the first system it adds the first random string to the third password, uses the first hash algorithm to obtain the second password, sends the second password and the first random string to the first system, and deletes the first random string after sending is complete. If the second system saves the second password and the first random string, it sends them directly after receiving the request from the first system.
  • The first hash algorithm is any one of MD5, SHA1, SHA2, SHA256, SHA512, and PBKDF2.
  • The password is protected using a well-tested hash algorithm to ensure the security of the password.
  • A third embodiment of the method for logging in to a system of the present invention includes the following steps.
  • S210 The first system receives the login request of the first account that carries the first password.
  • The user enters the first account and the first password on a client (such as a browser or an application) to attempt to log in to the first system. The first system is a server running the service program and the database.
  • S220 The first system obtains the access mode of the second system according to the first account.
  • The first account uses the same password on both the first system and the second system.
  • The database of the first system records, for each account, the information of the other system corresponding to that account from which the password used for verification is obtained.
  • The first system looks up the first account in the database and obtains the address and port information of the corresponding second system.
  • S230 The first system requests the second system according to the access mode to obtain the second password.
  • The first system establishes a connection with the second system according to the address and port information of the corresponding second system and sends it a request to obtain the second password, where the second password is obtained by applying the first irreversible algorithm to the third password used for logging in to the second system.
  • The third password is the user password confirmed by the user when completing the setup of the first account; it is the password used to log in to both the first system and the second system.
  • The second system may save the third password and, after receiving the request from the first system, apply the first irreversible algorithm to the third password to obtain the second password and send it to the first system; or the second system may apply the first irreversible algorithm to the third password in advance, save the resulting second password, and send the second password directly after receiving the request from the first system. The third password cannot be deduced from the second password, which prevents the user password from being intercepted during data transmission.
  • The seventh password is pre-stored on the first system: after the user confirms a change of the user password, the first system applies the second irreversible algorithm to the modified third password to obtain the seventh password and saves it.
  • The first system combines the second password and the seventh password to obtain a fifth password. The first system further applies the first irreversible algorithm to the first password entered by the user to obtain a fourth password, applies the second irreversible algorithm to the first password to obtain an eighth password, and combines the fourth password and the eighth password to obtain a sixth password. The first system then matches the fifth password against the sixth password and determines whether they are identical or whether their relationship satisfies a predetermined condition.
  • If so, the first system accepts the login request of the first account; otherwise the first system rejects the login request of the first account and returns an error message.
  • An account has a master password and at least one sub-password, and there is a correspondence between each sub-password and the master password.
  • The sub-password is part of the master password.
  • In this embodiment, the first system and the second system use the same password, and the second system saves the complete password.
  • The first system stores only the password processed by the irreversible algorithm, and the complete user password cannot be obtained from what the first system saves.
  • When the user logs in to the first system, the first system requests the second system to obtain the complete password and verifies the password entered by the user using both the saved password and the complete password. In this way, even if the first system is broken into, the complete user password cannot be obtained for accessing the second system, and the security of the second system's data is guaranteed.
  • Alternatively, the first system applies the second irreversible algorithm to the first password to obtain the eighth password and matches it against the pre-saved seventh password; if the match succeeds, the login request is accepted, otherwise the login fails.
  • Because the seventh password does not contain all of the information in the third password, a first password that is not identical to the third password may still log in successfully in this case. However, when the second system cannot be connected to, the seventh password can serve as an auxiliary verification tool that enhances the system's resistance to disruption.
  • the fourth embodiment of the method for logging in to the system of the present invention is based on the third embodiment of the method for logging in to the system, using the first hash algorithm as the first irreversible algorithm, that is, the first system requests the second system to obtain The HASH value (second password) of the complete password (third password), and the HASH value (fourth password) of the user input password (first password) is calculated for verification.
  • using the first irreversible algorithm means that the first hash algorithm is added after the first random string is added to the processed data, that is, the salted HASH algorithm is used, and the first random string is the first salt value, which can be added to Insert the first random string before or after the password, or the number of digits specified in the password.
  • the second system saves the third password, after receiving the request of the first system, adding the first random string to the third password, using the first hash algorithm to obtain the second password, and the second password and the first random
  • the string is sent to the first system, and the first random string is deleted after the sending is completed; if the second system saves the second password and the first random string, the second password is directly sent after receiving the request of the first system.
  • the first hash algorithm is any one of MD5, SHA1, SHA2, SHA256, SHA512, and PBKDF2.
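The exchange of the fourth embodiment, as an added Python example that is not part of the patent: the second system keeps the precomputed salted hash (second password) together with its first salt, the first system keeps no password material at all, and on login it hashes the entered password with the returned salt and compares. The class and function names, the salt placement (prepended), the constant-time comparison and the choice of PBKDF2-HMAC-SHA256 with a fixed work factor are assumptions; the patent fixes none of them. Of the algorithms the patent lists, MD5 and SHA-1 are broken for collision resistance and, like plain SHA-2, are fast enough that an intercepted or leaked second password can be attacked offline by guessing; PBKDF2 is the only listed option designed to slow such guessing.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Added example (not the patent's code). Roles follow the patent's numbering:
#   first system  = public cloud server, stores no password material
#   second system = private cloud / NAS, stores (first salt, second password)
# Assumed: PBKDF2-HMAC-SHA256 as the first hash algorithm, salt prepended,
# and the work factor below; the patent fixes none of these.
PBKDF2_ITERATIONS = 100_000


def first_irreversible(password: str, first_salt: bytes) -> bytes:
    """First irreversible algorithm: salted hash, salt placed before the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               first_salt, PBKDF2_ITERATIONS)


class SecondSystem:
    """Private cloud / NAS. Holds only the precomputed second password and its salt,
    so the plaintext third password never leaves the device at login time."""

    def __init__(self) -> None:
        self._records: Dict[str, Tuple[bytes, bytes]] = {}

    def set_password(self, account: str, third_password: str) -> None:
        first_salt = secrets.token_bytes(16)  # first random string
        self._records[account] = (first_salt, first_irreversible(third_password, first_salt))

    def handle_password_request(self, account: str) -> Optional[Tuple[bytes, bytes]]:
        """Reply to the first system with (first salt, second password), or None."""
        return self._records.get(account)


class FirstSystem:
    """Public cloud server. Maps an account to its second system (the 'access mode',
    address and port in the patent) and keeps no password at all."""

    def __init__(self) -> None:
        self._directory: Dict[str, SecondSystem] = {}

    def register(self, account: str, nas: SecondSystem) -> None:
        self._directory[account] = nas

    def login(self, account: str, first_password: str) -> bool:
        nas = self._directory.get(account)          # addressing step
        if nas is None:
            return False                            # unknown account: reject
        reply = nas.handle_password_request(account)
        if reply is None:
            return False                            # second system has no record
        first_salt, second_password = reply
        fourth_password = first_irreversible(first_password, first_salt)
        # Constant-time comparison (an addition here, not specified by the patent)
        return hmac.compare_digest(fourth_password, second_password)


def demo() -> Tuple[bool, bool, bool]:
    """Constructed sample: one account, one correct and two failing attempts."""
    nas = SecondSystem()
    nas.set_password("alice", "correct horse battery staple")
    cloud = FirstSystem()
    cloud.register("alice", nas)
    return (
        cloud.login("alice", "correct horse battery staple"),   # True
        cloud.login("alice", "correct horse battery staples"),  # False
        cloud.login("bob", "correct horse battery staple"),     # False: no mapping
    )


if __name__ == "__main__":
    print(demo())
```

Note that the first system never sees the third password in this variant; what crosses the network is the salt and the second password, so the transport between the two systems still needs its own protection (the patent does not specify one), otherwise a passive observer gets material for offline guessing.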
  • the fifth embodiment of the method for logging in to the system of the present invention is based on the third embodiment of the method for logging in to the system and uses, as the second irreversible algorithm, the extraction of partial digits followed by the second hash algorithm.
  • the first system extracts partial digits from the user password set by the user (ie, the third password), processes the extracted digits with the second hash algorithm to obtain the seventh password, and then saves the seventh password together with the extraction positions (which digits were taken).
  • This operation is performed after the user completes setting the user password, such as when completing the registration account and setting the password, or when the password is changed.
  • even if the second hash algorithm is cracked, the value obtained is only part of the user password and cannot be used directly to log in to the second system.
  • the same operation is performed on the first password to obtain the eighth password for verification.
  • the salted HASH algorithm may also be used to process the extracted password, for example, after extracting a partial digit for the third password, adding a second random string and then using a second hash algorithm to obtain the seventh password.
  • the second random string is the second salt value; it may be added before or after the extracted part of the third password, or inserted at a specified position within the extracted part.
  • the first system saves the seventh password, the extracted number of bits, and the second salt value, and performs the same operation on the first password when the user logs in to obtain the eighth password for verification.
  • the second hash algorithm is any one of MD5, SHA1, SHA2, SHA256, SHA512, and PBKDF2.
  • the sixth embodiment of the method for logging in to the system of the present invention is based on the third embodiment of the method for logging in to the system and uses splicing to combine the two processed values, for example, the second password is spliced in front of the seventh password to form the fifth password, or vice versa.
  • the above combination may also mean that the two passwords are spliced and then processed using a third hash algorithm.
  • the above combination may also be performed by splicing the two passwords, adding a third random string, and then processing the result with the third hash algorithm.
  • the third random string may be placed in front of the string composed of the two passwords, after it, or inserted into it; after the first system obtains the fifth password and the sixth password, the third random string is deleted. Whichever manner is used to combine the second password and the seventh password into the fifth password, the same combination operation is performed on the fourth password and the eighth password to obtain the sixth password.
  • the third hash algorithm is any one of MD5, SHA1, SHA2, SHA256, SHA512, and PBKDF2.
  • the fourth, fifth, and sixth embodiments of the method for logging in to the system of the present invention may be combined with each other.
  • the first hash algorithm, the second hash algorithm, and the third hash algorithm may be the same or different.
  • the first system is a public cloud server and the second system is a private cloud server.
  • the public cloud is mainly used to manage user information, private cloud device information, and the mapping relationship of the user's private cloud.
  • the private cloud is mainly used to store user private information and private files. This embodiment can be combined with an embodiment of any of the above methods of logging into the system.
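The split-knowledge scheme of the fifth and sixth embodiments, together with the fallback of the third embodiment (login against the seventh password alone when the second system cannot be connected), as an added Python example that is not the patent's code. Assumed, since the patent leaves them open: extraction takes the first EXTRACT_DIGITS characters of the password, every salt is prepended, PBKDF2-HMAC-SHA256 serves as the first and second hash algorithms and SHA-256 as the third, and the work factor. The last value returned by the demo shows the caveat the description itself states: in fallback mode any entry that shares the extracted part with the real password is accepted, so that path should be treated as degraded (for instance logged and rate-limited) rather than used silently.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Added example (not the patent's code) of the split-knowledge login:
#   second system (private cloud / NAS) holds (first salt, second password)
#   first system  (public cloud)        holds (second salt, seventh password)
# Assumed, since the patent fixes none of these: extraction = first EXTRACT_DIGITS
# characters, salts prepended, PBKDF2-HMAC-SHA256 as first and second hash,
# SHA-256 as third hash, and the work factor.
PBKDF2_ITERATIONS = 100_000
EXTRACT_DIGITS = 4


def first_irreversible(password: str, first_salt: bytes) -> bytes:
    """Salted hash of the whole password (yields the second / fourth password)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               first_salt, PBKDF2_ITERATIONS)


def second_irreversible(password: str, second_salt: bytes) -> bytes:
    """Extract partial digits, then salted hash (yields the seventh / eighth password)."""
    partial = password[:EXTRACT_DIGITS]
    return hashlib.pbkdf2_hmac("sha256", partial.encode("utf-8"),
                               second_salt, PBKDF2_ITERATIONS)


def combine(left: bytes, right: bytes, third_salt: bytes) -> bytes:
    """Splice two processed values, add the third random string, apply the third hash."""
    return hashlib.sha256(third_salt + left + right).digest()


class FirstSystemSplit:
    """Public cloud server holding only the seventh password per account."""

    def __init__(self) -> None:
        self._nas: Dict[str, Tuple[bytes, bytes]] = {}    # stands in for the second system
        self._local: Dict[str, Tuple[bytes, bytes]] = {}  # account -> (second salt, seventh)
        self.nas_reachable = True                          # toggled to simulate an outage

    def set_password(self, account: str, third_password: str) -> None:
        """Run when the user sets or changes the password: the NAS keeps the salted hash
        of the whole password, this server keeps only the salted hash of the extract."""
        first_salt = secrets.token_bytes(16)
        self._nas[account] = (first_salt, first_irreversible(third_password, first_salt))
        second_salt = secrets.token_bytes(16)
        self._local[account] = (second_salt, second_irreversible(third_password, second_salt))

    def _request_second_password(self, account: str) -> Optional[Tuple[bytes, bytes]]:
        return self._nas.get(account) if self.nas_reachable else None

    def login(self, account: str, first_password: str) -> bool:
        if account not in self._local:
            return False
        second_salt, seventh = self._local[account]
        eighth = second_irreversible(first_password, second_salt)
        reply = self._request_second_password(account)
        if reply is None:
            # Fallback when the second system cannot be connected: only the extracted
            # part is checked, so any entry sharing that part is accepted.
            return hmac.compare_digest(eighth, seventh)
        first_salt, second = reply
        fourth = first_irreversible(first_password, first_salt)
        third_salt = secrets.token_bytes(16)   # third random string, used once, then dropped
        fifth = combine(second, seventh, third_salt)
        sixth = combine(fourth, eighth, third_salt)
        return hmac.compare_digest(fifth, sixth)


def demo() -> Tuple[bool, bool, bool, bool]:
    """Constructed sample: the same two entries with the NAS reachable and unreachable."""
    cloud = FirstSystemSplit()
    cloud.set_password("alice", "s3cret-passphrase")
    online_ok = cloud.login("alice", "s3cret-passphrase")          # True
    online_partial = cloud.login("alice", "s3cr-anything-else")    # False
    cloud.nas_reachable = False
    offline_ok = cloud.login("alice", "s3cret-passphrase")         # True
    offline_partial = cloud.login("alice", "s3cr-anything-else")   # True: first 4 chars match
    return online_ok, online_partial, offline_ok, offline_partial


if __name__ == "__main__":
    print(demo())
```

Because both combinations use the same third random string, the fifth password equals the sixth exactly when (second, seventh) equals (fourth, eighth); the combination step adds no secrecy beyond what the seventh password already withholds, it only reduces the two pairs to one fixed-length value before comparison. The protective property of the design lives entirely in the first system storing a hash of part of the password rather than of the whole of it.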
  • the first embodiment of the server of the present invention includes:
  • the receiving module 11 is configured to receive a login request of the first account that carries the first password; and run a service program on the server to accept the login request of the user.
  • the addressing module 12 is configured to obtain the access mode of the second system according to the first account.
  • the server further runs a database for recording the information of the account and the other system corresponding to the account for obtaining the password for verification. Find the first account in the database, and obtain the address and port of the corresponding second system. If the corresponding account information is not found, the login request is rejected and an error message is returned.
  • the obtaining module 13 is configured to request the second system according to the access mode to obtain the second password, where the second password is obtained by using the first irreversible algorithm for the third password required to log in to the second system; the user password confirmed when the user completes the setting of the first account is the third password, and the password used to log in to both the server and the second system is the third password. The third password cannot be deduced from the second password, so interception of the second password during data transmission does not directly reveal the user password.
  • the matching module 14 is configured to match the second password and the fourth password, wherein the fourth password is obtained by using the first irreversible algorithm for the first password; the matching module 14 obtains the first password from the receiving module 11 and calculates the fourth password, obtains the second password from the obtaining module 13, and compares the two.
  • the response module 15 is configured to respond to the login request according to the matching result: if the second password and the fourth password match, the first account is successfully logged in, otherwise the login fails. If the second password and the fourth password are identical, or their relationship satisfies a predetermined condition, it is determined that the first password and the third password are identical or that the relationship between the two meets the predetermined condition, and the server passes the login request of the first account; otherwise it rejects the login request of the first account and returns an error prompt.
  • an account has a master password and at least one sub-password. There is a correspondence between the sub-password and the master password. For example, the sub-password is part of the main password. When the first password entered by the user is any sub-password, the login can be successfully performed. At this time, the relationship between the second password and the fourth password, the relationship between the first password and the third password satisfies a predetermined condition.
  • the user password is not saved on the server.
  • the server requests the password from the second system, which uses the same password, and then verifies the password entered by the user against it.
  • in this way, even if the server is compromised, the user password cannot be obtained from it to access the second system, which ensures the security of the second system's data.
  • the matching module 14 further includes a first operation unit 141, configured to use the first irreversible algorithm for the first password to obtain the fourth password.
  • the use of the first irreversible algorithm refers to using the first hash algorithm; that is, calculating the HASH value (fourth password) of the first password input by the user for matching with the acquired second password (the HASH value of the user password).
  • the use of the first irreversible algorithm may also refer to using the first hash algorithm after adding the first random string to the processed data, that is, using a salted HASH algorithm; the first random string is the first salt value, which may be placed before or after the password, or inserted at a specified position within the password.
  • the server acquires the first random string simultaneously when acquiring the second password from the second system.
  • the first hash algorithm is any one of MD5, SHA1, SHA2, SHA256, SHA512, and PBKDF2.
  • the password is processed with a proven hash algorithm to protect it; the hash is one-way, so the stored or transmitted value cannot be decrypted back to the password.
  • a third embodiment of the server of the present invention includes:
  • the receiving module 21 is configured to receive a login request of the first account that carries the first password; run a service program on the server to accept the login request of the user, and store the user information in the database.
  • the addressing module 22 is configured to obtain the access mode of the second system according to the first account.
  • the server further runs a database for recording the information of the account and the other system corresponding to the account for obtaining the password for verification. Find the first account in the database, and obtain the address and port of the corresponding second system. If the corresponding account information is not found, the login request is rejected and an error message is returned.
  • the obtaining module 23 is configured to request the second system according to the access mode to obtain the second password, where the second password is obtained by using the first irreversible algorithm for the third password required to log in to the second system; and the user completes the setting of the first account.
  • the user password confirmed at the time is the third password, and the password used by the login server and the second system is the third password. According to the second password, the third password cannot be deduced, and the user password is prevented from being intercepted during the data transmission process.
  • the matching module 24 is configured to match the fifth password and the sixth password, wherein the fifth password is obtained by combining the second password acquired from the obtaining module 23 with the seventh password, the seventh password being a pre-saved password obtained by using the second irreversible algorithm for the third password; the sixth password is obtained by combining the fourth password and the eighth password, wherein the fourth password is obtained by using the first irreversible algorithm for the first password acquired from the receiving module 21, and the eighth password is obtained by using the second irreversible algorithm for that same first password. The second irreversible algorithm is different from the first irreversible algorithm, and even if the second irreversible algorithm is cracked, the result obtained differs from the third password, so the complete third password cannot be recovered from it.
  • the response module 25 is configured to respond to the login request according to the matching result: if the fifth password and the sixth password match, the first account is successfully logged in, otherwise the login fails. If the fifth password and the sixth password are identical, or their relationship satisfies a predetermined condition, it is determined that the first password and the third password are identical or that the relationship between the two meets the predetermined condition, and the server passes the login request of the first account; otherwise it rejects the login request of the first account and returns an error prompt.
  • an account has a master password and at least one sub-password. There is a correspondence between the sub-password and the master password. For example, the sub-password is part of the main password. When the first password entered by the user is any sub-password, the login can be successfully performed. At this time, the relationship between the fifth password and the sixth password, the relationship between the first password and the third password satisfies a predetermined condition.
  • the server requests the complete password from the second system, which uses the same password, and authenticates the password entered by the user with the saved password and the complete password in combination. In this way, even if the server is compromised, the complete user password cannot be obtained from it to access the second system, which ensures the security of the second system's data.
  • when the second system cannot be connected, the obtaining module 23 is configured to notify the matching module 24; the matching module 24 is configured to use the second irreversible algorithm for the first password to obtain the eighth password and match it against the pre-saved seventh password; the response module 25 is configured to respond to the login request according to the matching result, and if the match succeeds, the user's login request is passed, otherwise the login fails.
  • the seventh password does not contain the complete information of the third password, that is, a first password that is not identical to the third password may still log in successfully in this mode; the seventh password is therefore only a secondary verification tool used when the second system cannot be connected, improving the server's tolerance of interference.
  • the matching module further includes a first operation unit 241, a second operation unit 242, and a combination unit 243.
  • the first operation unit 241 is configured to use the first irreversible algorithm for the first password to obtain the fourth password.
  • the use of the first irreversible algorithm refers to using the first hash algorithm; that is, calculating the HASH value (fourth password) of the first password input by the user for matching with the acquired second password (the HASH value of the user password).
  • the use of the first irreversible algorithm may also refer to using the first hash algorithm after adding the first random string to the processed data, that is, using a salted HASH algorithm; the first random string is the first salt value, which may be placed before or after the password, or inserted at a specified position within the password.
  • the server acquires the first random string simultaneously when acquiring the second password from the second system.
  • the second operation unit 242 is configured to use a second irreversible algorithm for the first password to obtain the eighth password, and a second irreversible algorithm for the third password to obtain the seventh password.
  • after the user completes the setting of the user password, for example after completing the registration of the account and setting the password, or after completing a modification of the password, the second operation unit 242 is configured to obtain the seventh password by using the second irreversible algorithm for the third password, and the seventh password is saved on the server.
  • the second operation unit 242 is configured to perform the same operation on the first password to obtain an eighth password for verification.
  • the second irreversible algorithm extracts partial digits of the data to be processed and then applies the second hash algorithm, and the server saves the extraction positions.
  • the use of the second irreversible algorithm may also refer to adding a second random string to the extracted data and then using the second hash algorithm, that is, using a salted HASH algorithm.
  • the second random string may be added before or after the extracted password, or may be inserted into the number of bits specified by the extracted password.
  • the server saves the extracted digits and the second random string.
  • the combining unit 243 is configured to combine the second password and the seventh password to obtain the fifth password, and to combine the fourth password and the eighth password to obtain the sixth password; the combination manner used to obtain the fifth password and the one used to obtain the sixth password are the same.
  • the combination may refer to splicing the two processed values, for example, the second password is spliced in front of the seventh password to form the fifth password, or vice versa.
  • the combination may also refer to splicing the two processed values and then processing the result with the third hash algorithm.
  • the combination may also refer to splicing the two processed values, adding the third random string, and then processing the result with the third hash algorithm.
  • the third random string may be placed in front of the string composed of the two passwords, after it, or inserted into it; the server deletes the third random string after obtaining the fifth password and the sixth password.
  • the first hash algorithm, the second hash algorithm, and the third hash algorithm are each any one of MD5, SHA1, SHA2, SHA256, SHA512, and PBKDF2; the password is processed with a proven hash algorithm to protect it. The three hash algorithms may be the same or different.
  • a fifth embodiment of the server of the present invention includes:
  • a processor, a memory and a network communication circuit, the memory and the network communication circuit being respectively connected to the processor; the processor is configured to run the service program to receive the login request of the first account carrying the first password; obtain the access mode of the second system according to the account; request the second system through the network communication circuit according to the access mode to obtain the second password, which is obtained by using the first irreversible algorithm for the third password required to log in to the second system; match the second password and the fourth password, wherein the fourth password is obtained by using the first irreversible algorithm for the first password; and respond to the login request according to the matching result: if the second password and the fourth password match, the first account is successfully logged in, otherwise the login fails.
  • a sixth embodiment of the server of the present invention includes:
  • a processor, a memory and a network communication circuit, the memory and the network communication circuit being respectively connected to the processor; the processor is configured to run the service program to receive the login request of the first account carrying the first password; obtain the access mode of the second system according to the account; request the second system through the network communication circuit according to the access mode to obtain the second password, which is obtained by using the first irreversible algorithm for the third password required to log in to the second system; match the fifth password and the sixth password, wherein the fifth password is obtained by combining the second password with the seventh password, the seventh password being a password obtained by using the second irreversible algorithm for the third password and pre-stored in the memory, and the sixth password is obtained by combining the fourth password and the eighth password, wherein the fourth password is obtained by using the first irreversible algorithm for the first password, and the eighth password is obtained by using the second irreversible algorithm for the first password; and respond to the login request according to the matching result: if the fifth password and the sixth password match, the first account is successfully logged in, otherwise the login fails.
  • the server is a public cloud server and the second system is a private cloud server.
  • the public cloud is mainly used to manage user information, private cloud device information, and the mapping relationship of the user's private cloud.
  • the private cloud is mainly used to store user private information and private files. This embodiment can be combined with an embodiment of any of the above servers.
  • a system includes a server and a second system; wherein the server is the server described in any one of the embodiments of the server of the present invention, and the second system accepts the server's request to obtain the second password and sends the second password to the server in response to the request, the second password being obtained using the first irreversible algorithm for the third password required to log in to the second system.
  • the second system may save the third password, and after receiving the request of the server, use the first irreversible algorithm to obtain the second password, and then send the second password to the server; or use the first irreversible algorithm to obtain the second password for the third password. And save the second password, and send the second password directly after receiving the request from the server.
  • the network attached storage device includes: a processor, a hard disk, and a routing circuit, wherein the hard disk and the routing circuit are respectively connected to the processor; the WAN interface of the routing circuit is connected to the server through the Internet, the LAN interfaces are respectively connected to the intranet devices, and the routing circuit is used to complete the transmission of data packets between the processor and the corresponding interface.
  • the processor is used to exchange routing information, look up the routing table and forward the data packet, and cooperate with the routing circuit to realize the routing functions such as interconnection of the local area network and the wide area network, data processing and distribution, and flow control.
  • the processor is further configured to run a service program to receive, through the routing circuit, the request for obtaining the second password sent by the server, and to send the second password to the server through the routing circuit in response to the request, so that the server can verify the first password entered by the user logging in to the server, either on its own or in combination with the seventh password pre-saved on the server.
  • the second password is obtained by using the first irreversible algorithm for the third password required to log in to the service program running on the processor, and the second password or the third password is saved on the hard disk; the seventh password is a password obtained by using the second irreversible algorithm for the third password.
  • if the third password is saved on the hard disk, the service program uses the first irreversible algorithm on the third password to obtain the second password after receiving the request from the server, and then sends it to the server; if the second password is saved on the hard disk, the second password is sent directly after receiving the request from the server.
  • the service program can also accept the user's login request, use the saved password to verify the password entered by the user, and respond to the login request according to the verification result. This operation does not require data exchange with the server.
  • the network attached storage device is generally used as a private cloud server and stores a complete user password.
  • when the public cloud server requests the password, it responds to the request and sends the HASH value of the user password to the public cloud server so that the public cloud server can verify the password.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention relates to a method for logging in to a system, in which a first system and a second system use the same password, the complete password being saved on the second system. The password is not saved on the first system; when a user logs in to the first system, the first system requests the complete password from the second system and accordingly authenticates the password entered by the user. Alternatively, the first system stores only a password that has been processed by an irreversible algorithm, and the complete password cannot be obtained from the password stored on the first system, so that when the user logs in to the first system, the complete password is requested from the second system, and the password entered by the user is authenticated in combination with the stored password and the complete password. The present invention also relates to a server, a system, and a network storage device.
PCT/CN2016/080665 2015-09-30 2016-04-29 Procédé d'ouverture de session de système, serveur, système, et dispositif de stockage en réseau WO2017054444A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510642607.4 2015-09-30
CN201510642607.4A CN105306456B (zh) 2015-09-30 2015-09-30 一种登录系统的方法、服务器、系统及网络附属存储设备

Publications (1)

Publication Number Publication Date
WO2017054444A1 true WO2017054444A1 (fr) 2017-04-06

Family

ID=55203208

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/080665 WO2017054444A1 (fr) 2015-09-30 2016-04-29 Procédé d'ouverture de session de système, serveur, système, et dispositif de stockage en réseau

Country Status (2)

Country Link
CN (1) CN105306456B (fr)
WO (1) WO2017054444A1 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112559991A (zh) * 2020-12-21 2021-03-26 深圳市科力锐科技有限公司 系统安全登录方法、装置、设备及存储介质
CN113139200A (zh) * 2021-05-11 2021-07-20 中国电子科技集团公司第三十研究所 一种密码快速破解方法、系统、计算机程序及存储介质

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105306456B (zh) * 2015-09-30 2019-02-22 深圳市先河系统技术有限公司 一种登录系统的方法、服务器、系统及网络附属存储设备
CN106453238B (zh) * 2016-08-22 2020-02-21 深圳市先河系统技术有限公司 登录方法和系统、电子终端、公网服务器及私有云设备
CN106453347A (zh) * 2016-10-31 2017-02-22 努比亚技术有限公司 一种用于云服务的用户登录装置及方法
CN106657110B (zh) * 2016-12-30 2020-12-04 北京奇虎科技有限公司 一种流数据的加密传输方法和装置
CN107317804B (zh) * 2017-06-19 2020-12-29 努比亚技术有限公司 私有云加密数据访问方法、终端及存储介质
CN107395344A (zh) * 2017-07-18 2017-11-24 北京深思数盾科技股份有限公司 用户信息保护方法及装置
CN107920081B (zh) * 2017-12-01 2020-08-14 华为技术有限公司 登录认证方法及装置
CN109753787B (zh) * 2019-01-21 2021-04-27 山西晟视汇智科技有限公司 一种具有唯一性的设备登录密码生成及管理方法、装置、系统、存储设备和终端
CN112671841B (zh) * 2020-12-10 2022-02-15 清研灵智信息咨询(北京)有限公司 基于微服务技术架构的数据安全管理方法及系统

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102469080A (zh) * 2010-11-11 2012-05-23 中国电信股份有限公司 实现通行证用户安全登录应用客户端的方法和系统
CN103067406A (zh) * 2013-01-14 2013-04-24 暨南大学 一种公有云与私有云之间的访问控制系统及方法
CN103259663A (zh) * 2013-05-07 2013-08-21 南京邮电大学 一种云计算环境下的用户统一认证方法
CN103975333A (zh) * 2011-12-01 2014-08-06 国际商业机器公司 跨系统安全登录
US8813174B1 (en) * 2011-05-03 2014-08-19 Symantec Corporation Embedded security blades for cloud service providers
CN105306456A (zh) * 2015-09-30 2016-02-03 深圳市先河系统技术有限公司 一种登录系统的方法、服务器、系统及网络附属存储设备

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102739708B (zh) * 2011-04-07 2015-02-04 腾讯科技(深圳)有限公司 一种基于云平台访问第三方应用的系统及方法
CN104917748B (zh) * 2015-04-14 2019-09-20 百度在线网络技术(北京)有限公司 一种用于对密码信息进行换算和处理的方法和装置

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102469080A (zh) * 2010-11-11 2012-05-23 中国电信股份有限公司 实现通行证用户安全登录应用客户端的方法和系统
US8813174B1 (en) * 2011-05-03 2014-08-19 Symantec Corporation Embedded security blades for cloud service providers
CN103975333A (zh) * 2011-12-01 2014-08-06 国际商业机器公司 跨系统安全登录
CN103067406A (zh) * 2013-01-14 2013-04-24 暨南大学 一种公有云与私有云之间的访问控制系统及方法
CN103259663A (zh) * 2013-05-07 2013-08-21 南京邮电大学 一种云计算环境下的用户统一认证方法
CN105306456A (zh) * 2015-09-30 2016-02-03 深圳市先河系统技术有限公司 一种登录系统的方法、服务器、系统及网络附属存储设备

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112559991A (zh) * 2020-12-21 2021-03-26 深圳市科力锐科技有限公司 系统安全登录方法、装置、设备及存储介质
CN113139200A (zh) * 2021-05-11 2021-07-20 中国电子科技集团公司第三十研究所 一种密码快速破解方法、系统、计算机程序及存储介质
CN113139200B (zh) * 2021-05-11 2023-01-31 中国电子科技集团公司第三十研究所 一种密码快速破解方法、系统、计算机程序及存储介质

Also Published As

Publication number Publication date
CN105306456B (zh) 2019-02-22
CN105306456A (zh) 2016-02-03

Similar Documents

Publication Publication Date Title
WO2017054444A1 (fr) Procédé d'ouverture de session de système, serveur, système, et dispositif de stockage en réseau
CN107682331B (zh) 基于区块链的物联网身份认证方法
US8627417B2 (en) Login administration method and server
WO2016169410A1 (fr) Procédé et dispositif d'ouverture de session, serveur et système d'ouverture de session
JP3466025B2 (ja) コンピュータ・ネットワークにおけるマスカレード・アタック保護方法及びその装置
WO2020220413A1 (fr) Procédé et système de preuve à divulgation nulle de connaissance pour informations personnelles, et support de données
US8220032B2 (en) Methods, devices, and computer program products for discovering authentication servers and establishing trust relationships therewith
US9237021B2 (en) Certificate grant list at network device
US20150341324A1 (en) Transferring encrypted and unencrypted data between processing devices
WO2021003975A1 (fr) Procédé de test d'interface de passerelle, dispositif terminal, support de stockage et appareil
CN111416807A (zh) 数据获取方法、装置及存储介质
WO2021150032A1 (fr) Procédé permettant de fournir un service d'authentification à l'aide d'une identité décentralisée, et serveur utilisant ledit procédé
US8515996B2 (en) Secure configuration of authentication servers
WO2021072881A1 (fr) Procédé, appareil et dispositif de traitement de demande fondée sur un stockage d'objet, et support de stockage
US20180053009A1 (en) Method for secure data management in a computer network
WO2020117020A1 (fr) Procédé pour générer une clé pki sur la base d'informations biométriques et dispositif pour générer une clé au moyen de ce procédé
WO2019182377A1 (fr) Procédé, dispositif électronique et support d'enregistrement lisible par ordinateur permettant de générer des informations d'adresse utilisées pour une transaction de cryptomonnaie à base de chaîne de blocs
WO2019125041A1 (fr) Système d'authentification utilisant une séparation, puis un stockage distribué d'informations personnelles utilisant une chaîne de blocs
WO2019205288A1 (fr) Procédé, système, et dispositif d'établissement de connexion, et support de stockage lisible par ordinateur
WO2015178597A1 (fr) Système et procédé de mise à jour de clé secrète au moyen d'un module puf
WO2020211348A1 (fr) Procédé de chiffrement et de déchiffrement d'informations d'utilisateur, système et dispositif informatique
CN112733129B (zh) 一种服务器带外管理的可信接入方法
WO2018004114A2 (fr) Système d'authentification de proxy, et procédé d'authentification pour fournir un service de proxy
JP4065850B2 (ja) 移動ネットワーク環境におけるデータトラフィックの保護方法
WO2022055301A1 (fr) Procédé, appareil et programme d'embarquement pour authentificateur de groupe

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16850069

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16850069

Country of ref document: EP

Kind code of ref document: A1