WO2020228278A1 - Single-point login tamper-proof method, apparatus, computer device and storage medium - Google Patents


Info

Publication number
WO2020228278A1
Authority
WO
WIPO (PCT)
Prior art keywords
private key
public key
server
key
tag
Prior art date
Application number
PCT/CN2019/117662
Other languages
French (fr)
Chinese (zh)
Inventor
祝伟
Original Assignee
平安科技(深圳)有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 平安科技(深圳)有限公司 (Ping An Technology (Shenzhen) Co., Ltd.)
Publication of WO2020228278A1


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Definitions

  • This application relates to the field of computer security technology, and in particular to a single sign-on anti-tampering method, device, computer equipment and storage medium.
  • In the existing CAS single sign-on scheme, the login process is: the central system provides a unified CAS.JAR program package for login; while the user terminal accesses the target address, the CAS.JAR package intercepts that access by default, and only after the user completes the account and password login is access to the target address allowed. After login is completed, the CAS.JAR package records the user's login information as a tag stored in the session, so that the user does not need to enter the account and password next time.
  • The login information includes the user ID, login time and login password.
  • SESSION session control refers to the time that elapses from the user terminal logging into the system to logging out of the system. Within that window there is room for manipulation: if an illegal person writes the user ID and the login time into the session through SESSION, the system looks up the tag corresponding to that user ID in the CAS.JAR package, and after finding that the login time matches the time associated with the tag, the CAS.JAR package may misjudge the login as legitimate.
  • Because the login information held in the session is enough to pass this check, an illegal person can bypass the account and password login process through the CAS single sign-on method, so there are hidden dangers.
  • This application therefore proposes a single sign-on anti-tampering method, device, computer equipment and storage medium, aiming to solve the problem of illegal persons entering the system through single sign-on.
  • This application provides a single sign-on anti-tampering method, including:
  • the server obtains the first login information of the user logging in to the server for the first time, and determines whether the user enters a single sign-on instruction, the single sign-on instruction being an instruction for the user to log in to the server without entering the first login information;
  • if yes, the server generates a first tag and associates the first login information with the first tag, the first tag being a tag for calling the first login information to log in to the server;
  • the server generates a private key and a public key that are bound to each other, encapsulates the first tag in the public key, stores the public key carrying the encapsulated first tag in the session database, and sends the private key to the pre-associated terminal device;
  • when the user uses single sign-on to log in to the server, the server obtains the private key to be verified input by the user and verifies whether it is the same as the private key;
  • if the same, the public key corresponding to the private key is found from the session database, the public key is decrypted with the private key to obtain the first tag, and the first login information is called through the first tag to log in to the server again.
  • This application provides a single sign-on anti-tampering device, including:
  • a first login unit, used to obtain the first login information of the user logging in to the server for the first time and determine whether the user enters a single sign-on instruction, the single sign-on instruction being an instruction for the user to log in to the server without entering the first login information;
  • a tag association unit, configured to generate a first tag if yes and associate the first login information with the first tag, the first tag being a tag for calling the first login information to log in to the server;
  • an encapsulation encryption unit, configured to generate a private key and a public key that are bound to each other, encapsulate the first tag in the public key, store the public key carrying the encapsulated first tag in the session database, and send the private key to the pre-associated terminal device;
  • a private key obtaining unit, configured to obtain the private key to be verified input by the user when the user uses single sign-on to log in to the server, and verify whether the private key to be verified is the same as the private key;
  • a second login unit, configured to, if the same, find the public key corresponding to the private key from the session database, decrypt the public key with the private key to obtain the first tag, and call the first login information through the first tag to log in to the server again.
  • the present application provides a computer device including a memory and a processor, the memory stores a computer program, and the processor implements the steps of the single sign-on anti-tampering method when executing the computer program.
  • the present application also provides a computer-readable storage medium on which a computer program is stored, and when the computer program is executed by a processor, the steps of the aforementioned single sign-on anti-tampering method are realized.
  • In the single sign-on anti-tampering method, device, computer equipment and storage medium of this application, the server obtains the first login information of the user logging in to the server, associates the first login information with the first tag, generates a private key and a public key that are bound to each other, and encapsulates the first tag in the public key. The public key carrying the encapsulated first tag is stored in the server's session database, so that the tag is held in encrypted form and an illegal person cannot enter the tag into the session database and directly enter the server; the private key is sent to the pre-associated terminal device. When the user needs single sign-on, the server obtains the private key to be verified that the user enters through the terminal device and judges whether it is the same as the private key. If they are the same, the server checks whether there is a public key corresponding to the private key in the session database, decrypts the public key with the private key to obtain the first tag, obtains the first login information according to the first tag, and logs in to the server again through the first login information, thereby realizing the user's single sign-on. Because the first tag is protected by encryption, it cannot be stolen from the session, which effectively prevents illegal persons from entering the first tag into SESSION and bypassing the user login process.
  • FIG. 1 is a schematic flowchart of an embodiment of the single sign-on anti-tampering method of this application
  • FIG. 2 is a structural block diagram of an embodiment of the single sign-on anti-tampering device of this application;
  • FIG. 3 is a schematic block diagram of the structure of an embodiment of a computer device of this application.
  • Referring to FIG. 1, the single sign-on anti-tampering method provided by this application includes:
  • S100 Obtain the first login information of the user logging in to the server for the first time, and determine whether the user inputs a single sign-on instruction.
  • The single sign-on instruction is an instruction for the user to log in to the server without entering the first login information.
  • The first login information includes user ID and password information.
  • The user needs to register before logging in to the server for the first time: the user registers with the server through the terminal device and thereby obtains login information; there can be multiple sets of login information for different users.
  • The user inputs the first login information into the terminal device to log in to the server.
  • The server then determines whether the user has operated the terminal device to enter a single sign-on instruction. For example, after the user enters the first login information in the terminal device's application, the server determines whether the user has selected an option such as "Remember the first login information" in the application; that selection is how the server determines that the user has entered a single sign-on instruction.
  • If yes, the server generates a first tag and associates the first login information with the first tag; the first tag is a tag for calling the first login information to log in to the server.
  • The first tag is used to find the first login information corresponding to it in the session database of the server, so as to help the user achieve single sign-on.
  • S300 Generate a private key and a public key that are bound to each other, encapsulate and encrypt the first tag in the public key, store the public key carrying the encapsulated first tag in the session database of the server, and send the private key to the pre-associated terminal device.
  • The server generates the first tag associated with the first login information and uses the first tag in place of the first login information to let the user enter the server by single sign-on. To prevent an illegal person from stealing the first tag, entering it into the server and thereby entering the user's server account, the following technical means is proposed:
  • The server generates a private key and a public key that are bound to each other. The private key can be understood as a key and the public key as a lockbox. The first tag is encapsulated in the public key, that is, encrypted under the public key, so that obtaining the first tag requires first decrypting the public key; this is what gives the first tag its anti-theft property.
  • The public key carrying the encapsulated first tag is stored in the session database of the server. Even if an illegal person enters the session database through SESSION, the first tag is encrypted inside the public key, so the illegal person cannot steal it.
  • The private key is a random number, and the server sends it to the terminal device.
  • Although this application uses the words "private key" and "public key", the mechanism it describes is not RSA-style public-key cryptography: the "private key" is a random secret delivered to the user's terminal and later compared for equality by the server, and the "public key" is the server-side object that encloses the tag and can only be opened with that secret.
  • S400 When the user uses single sign-on to log in to the server, obtain the private key to be verified input by the user, and verify whether the private key to be verified is the same as the private key.
  • After obtaining the private key through the terminal device, the user inputs the private key to be verified into the server through the terminal device, and the server verifies whether the private key to be verified and the private key are the same. Because the private key is a random number, the user operates the terminal device to enter the private key to be verified in the application, and the server verifies it.
  • If the same, find the public key corresponding to the private key from the session database, decrypt the public key with the private key to obtain the first tag, and call the first login information through the first tag to log in to the server again.
  • When the server determines that the private key to be verified is the same as the private key, it queries the server's session database for the public key through the private key. The query method is: import the private key into the pre-associated random formula, the random formula being the formula from which the private key was generated. Denoting the entered private key by X and the value of the public key by Z, the server imports X into the formula and determines whether Z is obtained; if Z is obtained, the server determines that the entered private key X is correct.
  • Once the server has verified that the private key is correct, the corresponding public key is found through the random formula and decrypted, so that the computer device obtains the first tag. Since the first tag was associated with the first login information when the user logged in, the server can obtain the first login information and log in to the server again according to it.
  • By attaching the encryption relationship between the private key and the public key to the first tag, the first tag is not easily stolen.
  • The user can also log in to the server again from a different terminal by entering the private key there. For example: the first terminal logs in to the server and obtains the private key fed back by the server; the user inputs the private key to be verified into a second terminal; after the server verifies that it is correct, the second terminal can log in to the server, so the second terminal achieves single sign-on to the server. This greatly improves the convenience of logging in while also enhancing security.
  • In an embodiment, the step of generating a private key and a public key that are bound to each other includes:
  • S201 Generate a random formula. The random formula is any combination of mathematical operations between an evaluation, an obtained value and other values, where the obtained value and the other values are randomly generated constants;
  • the evaluation in the random formula is regarded as the private key, and the obtained value in the random formula is regarded as the public key.
  • In this embodiment the server randomly generates the random formula: the formula includes an evaluation, an obtained value and other values; the obtained value and the other values are randomly generated constants; the evaluation is regarded as the private key and the obtained value as the public key; and it is the private key (that is, the evaluation) that the user later enters.
  • In an embodiment, the step of searching whether there is a public key corresponding to the private key in the session database includes:
  • S501 Obtain the first random formula binding the private key and the public key, so as to find the public key corresponding to the private key through the first random formula.
  • This embodiment is the specific method for finding the public key corresponding to the private key in the session database.
  • In an embodiment, the step of decrypting the public key with the private key to obtain the first tag and obtaining the first login information corresponding to the first tag includes:
  • importing the first evaluation X corresponding to the private key into the first random formula; if the first value Z of the public key is obtained correctly, the computer device determines that the public key has been decrypted by the private key, and the server can then obtain the first tag that was encapsulated and encrypted in the public key;
  • S520 Acquire the first login information associated with the first tag.
  • After the computer device obtains the first tag, because the first tag and the first login information were associated with each other when the user first registered and logged in to the server, the computer device can obtain the first login information from the first tag.
  • The random formula may use the RSA algorithm, the AES algorithm (Advanced Encryption Standard) or the ElGamal algorithm; in another embodiment, the random formula can also be an equation of various kinds, such as a linear equation or the Ohm's law equation.
  • In an embodiment, the step of sending the private key to the pre-associated terminal device includes:
  • S310 Obtain the terminal number entered when the user operates the terminal device to log in to the server for the first time, the terminal number being a number applied to the terminal device;
  • S320 Send the private key to the terminal device corresponding to the terminal number.
  • Terminal devices include computer equipment, smart phones and tablet phones.
  • When a user logs in to the server for the first time by operating a terminal device, the server requests the user to register, and the user's registration information is the login information. At this time, the server also requests the user to input the terminal number associated with the terminal device, so as to bind the login information to the mobile terminal. The public key is stored in the server's session database, and the private key is sent to the mobile terminal bound to the terminal number.
  • In an embodiment, the step of obtaining the private key to be verified input by the user and verifying whether it is the same as the private key includes:
  • S410 Receive a login instruction input by the terminal device;
  • S420 Generate a private key input request according to the login instruction, and send the private key input request to the terminal device;
  • S430 Obtain the private key to be verified that the user inputs in response to the private key input request, so as to verify whether the private key to be verified is the same as the private key.
  • When the user wants to log in to the server with one-click single sign-on, the user enters a login instruction at the terminal. The server has recorded the first login information from the first login; after receiving the login instruction, it sends to the terminal device a private key input request for the private key associated with that first login information, asking the user to input the private key to be verified.
  • After the user enters the private key to be verified, the server compares whether it is the same as the private key. If it is the same, the server searches the session database for the first random formula bound to the private key and calculates the public key, so that the computer device obtains the first tag after decrypting the public key, and logs in to the server through the first tag to complete the login process.
  • In summary, the server obtains the first login information of the user logging in to the server, associates it with the first tag, generates a private key and a public key that are bound to each other, encapsulates and encrypts the first tag in the public key, and stores the public key carrying the encapsulated first tag in the server's session database, so that the tag is held encrypted and an illegal person cannot enter the tag into the session database and directly enter the server; the private key is sent to the pre-associated terminal device. When the user needs single sign-on, the server obtains the private key to be verified entered through the terminal device and judges whether it is the same as the private key; if so, it searches the session database for the public key corresponding to the private key, decrypts the public key with the private key to obtain the first tag, obtains the first login information according to the first tag, and logs in to the server again with it, realizing the user's single sign-on. The encryption protection ensures that the first tag is not stolen and effectively prevents illegal persons from entering the first tag into SESSION and bypassing the user login process.
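The following is an added example, not code from the patent or its assignee, that models the flow of steps S100 to S520 and the session-injection weakness of the background on a single server in plain Python (standard library only). It follows the page's own description of the key material: the "private key" is a random number delivered to the bound terminal and later compared by the server, and the "public key" is the first tag encapsulated and encrypted under that number and kept in the session database. Everything not named on the page is an assumption of this example: the dictionaries standing in for the user table, session database and terminal delivery channel; an HMAC-based encrypt-then-MAC construction in place of the RSA/AES/ElGamal options the page lists, chosen so the block runs without third-party packages; and a hash as the "random formula" that binds X to Z, because with a linear formula of the kind the page also mentions, anyone who reads the stored formula and Z can solve for X.

```python
# Added example (not the patent's code): standard-library model of steps S100 to S520.
# Store names, the HMAC-based sealing and the hash-based "random formula" are assumptions.
import hashlib
import hmac
import os
import secrets

USERS = {}       # user_id -> (salt, password digest, terminal number); constructed store
SESSION_DB = {}  # user_id -> record holding the "public key" (sealed first tag) and formula
TAGS = {}        # first tag -> first login information (here just the user_id)
OUTBOX = {}      # terminal number -> "private key" delivered to that terminal (S320)


def _subkey(private_key: bytes, label: bytes) -> bytes:
    """Derive a per-purpose key from the random private key (assumed construction)."""
    return hmac.new(private_key, label, hashlib.sha256).digest()


def seal(private_key: bytes, tag: bytes) -> bytes:
    """Encapsulate the first tag in the "public key" (S300): encrypt-then-MAC.
    The keystream is one HMAC output, so the tag must be at most 32 bytes."""
    nonce = os.urandom(16)
    stream = hmac.new(_subkey(private_key, b"enc"), nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(tag, stream))
    mac = hmac.new(_subkey(private_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + mac


def unseal(private_key: bytes, public_key: bytes):
    """Decrypt the "public key" with the private key; None if it was not sealed
    under this private key or was altered while sitting in the session database."""
    if len(public_key) < 16 + 32:
        return None
    nonce, ct, mac = public_key[:16], public_key[16:-32], public_key[-32:]
    expected = hmac.new(_subkey(private_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    stream = hmac.new(_subkey(private_key, b"enc"), nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, stream))


def register(user_id: str, password: str, terminal_number: str) -> None:
    """Registration before the first login, binding the terminal number (S310)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    USERS[user_id] = (salt, digest, terminal_number)


def first_login(user_id: str, password: str, remember: bool):
    """S100 to S320. Returns the private key sent to the terminal ("ok" when no
    single sign-on instruction was given); None when the password check fails."""
    rec = USERS.get(user_id)
    if rec is None:
        return None
    salt, digest, terminal_number = rec
    attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    if not hmac.compare_digest(digest, attempt):
        return None
    if not remember:                      # user did not select "remember the first login information"
        return "ok"
    tag = secrets.token_bytes(16)         # first tag, associated with the first login information
    TAGS[tag] = user_id
    private_key = secrets.token_hex(16)   # S300: the private key is a random number
    constant = os.urandom(16)             # S201: random constant of the binding formula
    SESSION_DB[user_id] = {
        "constant": constant,
        # S201: Z = H(constant || X) binds the private key X to the public-key value Z.
        "value": hashlib.sha256(constant + private_key.encode()).digest(),
        "public_key": seal(private_key.encode(), tag),   # the "lockbox" holding the tag
    }
    OUTBOX[terminal_number] = private_key  # S320: deliver to the terminal bound at registration
    return private_key


def sso_login(user_id: str, private_key_to_verify: str):
    """S400 to S520: check the entered private key against the stored formula,
    open the public key, and return the first login information; None on failure."""
    rec = SESSION_DB.get(user_id)
    if rec is None:
        return None
    z = hashlib.sha256(rec["constant"] + private_key_to_verify.encode()).digest()
    if not hmac.compare_digest(z, rec["value"]):   # S501: X does not yield Z
        return None
    tag = unseal(private_key_to_verify.encode(), rec["public_key"])
    if tag is None:
        return None
    return TAGS.get(tag)                            # S520: login information behind the tag


def legacy_session_login(session_entry: dict, tag_store: dict):
    """The background's weak check: a session holding only user ID and login time is
    matched against the tag store, so whoever can write the session is logged in."""
    rec = tag_store.get(session_entry.get("user_id"))
    if rec and rec["login_time"] == session_entry.get("login_time"):
        return rec["tag"]
    return None


if __name__ == "__main__":
    register("alice", "correct horse battery", "terminal-1")   # constructed sample user
    first_login("alice", "correct horse battery", remember=True)
    stored = SESSION_DB["alice"]["public_key"]
    print("tag readable from session record:", next(iter(TAGS)) in stored)
    print("sso with delivered key:", sso_login("alice", OUTBOX["terminal-1"]))
    print("sso with guessed key:", sso_login("alice", "0" * 32))
```

The password is never stored or re-sent; only the sealed tag, the formula constant and Z sit in the session database, and reading them does not yield the tag or X. Flipping any byte of the stored public key makes unseal return None, which is the property the page calls anti-tampering, while legacy_session_login shows the pre-existing check that a forged session entry satisfies.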
  • Referring to FIG. 2, the single sign-on anti-tampering device provided by this application includes:
  • the first login unit 10, configured to obtain the first login information of the user logging in to the server for the first time and determine whether the user enters a single sign-on instruction. The single sign-on instruction is an instruction for the user to log in to the server without entering the first login information; the first login information includes user ID and password information; the user registers with the server through the terminal device before logging in for the first time, and there can be multiple sets of login information for different users. The server determines that a single sign-on instruction has been entered when, for example, the user selects an option such as "Remember the first login information" in the terminal device's application after entering the first login information;
  • the tag association unit 20, configured to generate a first tag if yes and associate the first login information with the first tag, the first tag being a tag for calling the first login information to log in to the server. The first tag is used to find the first login information corresponding to it in the session database of the server, so as to help the user achieve single sign-on;
  • the encapsulation encryption unit 30, configured to generate a private key and a public key that are bound to each other, encapsulate and encrypt the first tag in the public key, store the public key carrying the encapsulated first tag in the session database of the server, and send the private key to the pre-associated terminal device. As described for step S300, the first tag stands in for the first login information; to prevent an illegal person from stealing the first tag and entering the user's server account with it, the private key can be understood as a key and the public key as a lockbox: the first tag is encrypted inside the public key, so that obtaining it requires first decrypting the public key, and even if an illegal person enters the session database through SESSION the first tag cannot be stolen. The private key is a random number that the server sends to the terminal device;
  • the private key obtaining unit 40, configured to obtain the private key to be verified input by the user when the user uses single sign-on to log in to the server, and verify whether the private key to be verified is the same as the private key. As described for step S400, the user obtains the private key through the terminal device and later enters it in the application as the private key to be verified, and the server verifies it;
  • the second login unit 50, configured to find the public key corresponding to the private key from the session database if the same, decrypt the public key with the private key to obtain the first tag, and call the first login information through the first tag to log in to the server again. As described for the method above, the server imports the entered private key X into the pre-associated random formula and determines whether the value Z of the public key is obtained; if so, the private key is correct, the public key is found through the formula and decrypted, the first tag is obtained, and the first login information associated with it is used to log in again. Attaching the encryption relationship between the private key and the public key to the first tag keeps it from being easily stolen, and the user can also enter the private key on a second terminal, which logs in to the server after verification, improving convenience while enhancing security.
  • In an embodiment, the encapsulation encryption unit 30 includes:
  • a formula association module, used to generate a random formula, the random formula being any combination of mathematical operations between an evaluation, an obtained value and other values, where the obtained value and the other values are randomly generated constants;
  • a key determination module, used to treat the evaluation in the random formula as the private key and the obtained value in the random formula as the public key. It is the private key (that is, the evaluation) that the user later enters.
  • In an embodiment, the second login unit 50 includes:
  • a public key search module, used to obtain the first random formula binding the private key and the public key, so as to find the public key corresponding to the private key through the first random formula. This is the specific method for finding the public key corresponding to the private key in the session database.
  • In an embodiment, the second login unit 50 further includes:
  • a decryption module, used to determine that the public key has been decrypted by the private key if importing the first evaluation X of the private key into the first random formula yields the first value Z corresponding to the public key, and then to obtain the first tag encapsulated and encrypted in the public key. Because the first tag and the first login information were associated with each other when the user first registered and logged in to the server, the computer device can obtain the first login information from the first tag.
  • The random formula may use the RSA algorithm, the AES algorithm (Advanced Encryption Standard) or the ElGamal algorithm; in another embodiment, the random formula can also be an equation of various kinds, such as a linear equation or the Ohm's law equation.
  • In an embodiment, the encapsulation encryption unit 30 further includes:
  • a number obtaining module, used to obtain the terminal number entered when the user operates the terminal device to log in to the server for the first time, the terminal number being the number applied to the terminal device;
  • a private key sending module, used to send the private key to the terminal device corresponding to the terminal number. Terminal devices include computer equipment, smart phones and tablet phones. When a user logs in to the server for the first time by operating a terminal device, the server requests the user to register, the registration information is the login information, and the server also requests the terminal number associated with the terminal device so as to bind the login information to the mobile terminal; the public key is stored in the server's session database and the private key is sent to the mobile terminal bound to the terminal number.
  • In an embodiment, the private key obtaining unit 40 includes:
  • an instruction receiving module, used to receive the login instruction input by the terminal device;
  • a request generation module, used to generate a private key input request according to the login instruction and send it to the terminal device;
  • an obtaining module, used to obtain the private key to be verified that the user inputs in response to the private key input request, so as to verify whether it is the same as the private key. When the user wants one-click single sign-on, the user enters a login instruction at the terminal; the server, having recorded the first login information from the first login, sends the private key input request for the associated private key to the terminal device; after the user enters the private key to be verified, the server compares it with the private key and, if the same, searches the session database for the first random formula bound to the private key, calculates the public key, decrypts it to obtain the first tag, and logs in to the server through the first tag to complete the login process.
  • an embodiment of the present application also provides a computer device.
  • the computer device may be a server, and its internal structure may be as shown in FIG. 3.
  • the computer equipment includes a processor, a memory, a network interface and a database connected through a system bus; the processor of the computer device is used to provide computation and control capabilities.
  • the memory of the computer device includes a non-volatile storage medium and an internal memory.
  • the non-volatile storage medium stores an operating system, a computer program, and a database.
  • the internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage medium.
  • the database of the computer equipment is used to store test data tables and other data.
  • the network interface of the computer device is used to communicate with an external terminal through a network connection.
  • the computer program is executed by the processor to realize a single sign-on anti-tampering method.
  • An embodiment of the present application also provides a computer-readable storage medium on which a computer program is stored, and when the computer program is executed by a processor, the steps of a single sign-on anti-tampering method are realized.
  • the computer-readable storage medium is, for example, a non-volatile computer-readable storage medium or a volatile computer-readable storage medium.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)
  • Storage Device Security (AREA)

Abstract

Provided in the present application are a single-point login tamper-proof method and apparatus, a computer device and a storage medium. The method comprises: obtaining first login information of a user logging in to a server, associating the first login information with a first label, and generating a mutually bound private key and public key, the first label being encapsulated and encrypted in the public key and the public key being stored in a session library of the server, so that the label is encrypted and an unauthorized person cannot input a label into the session library and enter the server directly; then sending the private key to a pre-associated terminal device; obtaining a private key to be verified that is input by the user by means of a terminal device; determining whether the private key to be verified is the same as the private key, and if so, checking whether a public key corresponding to the private key is present in the session library, and if present, decrypting the public key using the private key to obtain the first label, and obtaining the first login information corresponding to the first label so as to log in to the server again by means of the first login information, thereby achieving single-point login for the user.

Description

Single sign-on anti-tampering method, apparatus, computer device and storage medium
This application claims priority to the Chinese patent application filed with the Chinese Patent Office on May 13, 2019 under application number 2019103945301 and entitled "Single sign-on anti-tampering method, apparatus, computer device and storage medium", the entire contents of which are incorporated herein by reference.
Technical field
This application relates to the field of computer security, and in particular to a single sign-on anti-tampering method, apparatus, computer device and storage medium.
Background
CAS (Central Authentication Service): at present, business systems implement single sign-on through CAS authentication. The login flow is as follows: the central system provides a unified CAS.JAR package for login; when a user terminal accesses a target address, the CAS.JAR package intercepts the access by default, and once the user has logged in with account and password, access to the target address is allowed. After login completes, the CAS.JAR package records the user's login information as a tag stored in the session, so that the user does not need to enter the account and password next time. The login information includes the user ID, login time and login password.
This creates a problem. A SESSION (session control) covers the time from the user terminal's registration into the system until it logs out, and leaves a certain amount of room for operation if needed. If an illegal party places a user ID and login time into the session through the SESSION, the system looks up the tag corresponding to that user ID in the CAS.JAR package, and after verifying that the login time matches the time associated with the tag, the CAS.JAR package may misjudge the login information during the login process. This lets the illegal party bypass the account-and-password login through CAS single sign-on, which is a security risk.
Technical problem
In view of the shortcomings of the prior art, this application proposes a single sign-on anti-tampering method, apparatus, computer device and storage medium, aiming to solve the problem of illegal parties entering the system by way of single sign-on.
Technical solution
The technical solution proposed in this application is as follows:
This application provides a single sign-on anti-tampering method, comprising:
obtaining first login information of a user logging in to a server for the first time, and determining whether the user has entered a single sign-on instruction, the single sign-on instruction being an instruction that lets the user log in to the server without entering the first login information;
if so, generating a first tag and associating the first login information with the first tag, the first tag being a tag that invokes the first login information to log in to the server;
generating a mutually bound private key and public key, encapsulating the first tag in the public key, storing the public key in which the first tag is encapsulated in a session library, and sending the private key to a pre-associated terminal device;
when the user logs in to the server using the single sign-on, obtaining a private key to be verified entered by the user, and verifying whether the private key to be verified is the same as the private key;
if they are the same, looking up in the session library the public key corresponding to the private key, decrypting the public key with the private key to obtain the first tag, and invoking the first login information through the first tag to log in to the server again.
This application provides a single sign-on anti-tampering apparatus, comprising:
a first login unit, configured to obtain first login information of a user logging in to a server for the first time, and determine whether the user has entered a single sign-on instruction, the single sign-on instruction being an instruction that lets the user log in to the server without entering the first login information;
a tag association unit, configured to, if so, generate a first tag and associate the first login information with the first tag, the first tag being a tag that invokes the first login information to log in to the server;
an encapsulation and encryption unit, configured to generate a mutually bound private key and public key, encapsulate the first tag in the public key, store the public key in which the first tag is encapsulated in a session library, and send the private key to a pre-associated terminal device;
a private key obtaining unit, configured to, when the user logs in to the server using the single sign-on, obtain a private key to be verified entered by the user, and verify whether the private key to be verified is the same as the private key;
a second login unit, configured to, if they are the same, look up in the session library the public key corresponding to the private key, decrypt the public key with the private key to obtain the first tag, and invoke the first login information through the first tag to log in to the server again.
This application provides a computer device comprising a memory and a processor, the memory storing a computer program, and the processor implementing the steps of the above single sign-on anti-tampering method when executing the computer program.
This application also provides a computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, the steps of the above single sign-on anti-tampering method are implemented.
Beneficial effects
The server obtains the first login information of the user logging in to the server and associates it with a first tag; it generates a mutually bound private key and public key, encapsulates and encrypts the first tag in the public key, and stores the public key with the encapsulated first tag in the server's session library. This encrypts the tag and prevents an illegal party from placing a tag into the session library and entering the server directly. The private key is sent to the pre-associated terminal device. When the user needs single sign-on, the server obtains the private key to be verified that the user enters through the terminal device and determines whether it is the same as the private key; if so, it checks whether a public key corresponding to the private key exists in the session library, and if it does, decrypts the public key with the private key to obtain the first tag, obtains the first login information from the first tag, and logs in to the server again with the first login information, thereby achieving single sign-on for the user. Because the first tag is protected by encryption, it cannot be stolen, which effectively prevents an illegal party from entering the first tag into the SESSION and bypassing the user login process.
Description of the drawings
FIG. 1 is a schematic flowchart of an embodiment of the single sign-on anti-tampering method of this application;
FIG. 2 is a structural block diagram of an embodiment of the single sign-on anti-tampering apparatus of this application;
FIG. 3 is a schematic block diagram of the structure of an embodiment of the computer device of this application.
Best mode for carrying out the application
Referring to Figure 1, which is a schematic flowchart of the single sign-on anti-tampering method provided by this application, the method comprises:
S100: obtain the first login information of a user logging in to the server for the first time, and determine whether the user has entered a single sign-on instruction. The single sign-on instruction is an instruction that lets the user log in to the server without entering the first login information.
The first login information includes a user ID and password information. Before logging in to the server for the first time, the user must register; the user registers with the server through a terminal device and obtains login information. Different users may have different login information; in this scheme, the user logs in to the server by entering the first login information on the terminal device.
When the user logs in to the server for the first time, the server determines whether the user has entered a single sign-on instruction on the terminal device. For example, the user enters the first login information in an application on the terminal device, and the server determines whether the user has selected an instruction such as "remember the first login information" in the application; this is how the server determines whether the user has entered a single sign-on instruction.
S200: if so, generate a first tag and associate the first login information with the first tag, the first tag being a tag that invokes the first login information to log in to the server.
The server creates a first tag and associates it with the first login information. When the user performs single sign-on through the terminal device, the first tag is used to find the first login information corresponding to it in the server's session library, which lets the user achieve single sign-on.
S300: generate a mutually bound private key and public key, encapsulate and encrypt the first tag in the public key, store the public key in which the first tag is encapsulated in the server's session library, and send the private key to a pre-associated terminal device.
From S200 above, the server generates a first tag associated with the first login information and uses the first tag in place of the first login information to let the user log in to the server by single sign-on. To prevent an illegal party from stealing the first tag and then presenting it to the server to enter the user's server account, the following technical means are proposed:
The server generates a mutually bound private key and public key. The private key can be thought of as a key and the public key as a lockbox. The first tag is encapsulated in the public key and encrypted by it, so that obtaining the first tag requires first decrypting the public key; this gives the first tag its anti-theft property. The public key with the encapsulated first tag is then stored in the server's session library. An illegal party may enter the session library through the SESSION, but because the first tag is encrypted under the public key, the illegal party cannot steal it.
The above private key is a random number, and the server sends the private key to the terminal device.
S400: when the user logs in to the server using the single sign-on, obtain the private key to be verified entered by the user, and verify whether it is the same as the private key.
After the user learns the private key through the terminal device, the user enters the private key to be verified to the server through the terminal device, and the server verifies whether the private key to be verified and the private key are the same.
As noted above, the private key is a random number, so the user enters the private key to be verified in the application on the terminal device, and the server verifies it.
S500: if they are the same, look up in the session library the public key corresponding to the private key, decrypt the public key with the private key to obtain the first tag, and invoke the first login information through the first tag to log in to the server again.
If the server determines that the private key to be verified is the same as the private key, it uses the private key to query the public key from the server's session library. The query works as follows: the private key is substituted into a pre-associated random formula, the random formula being the formula bound to the private key when the private key was generated; substituting the recognized private key into the random formula and checking whether the public key can be computed determines whether the entered private key is correct. For example, in X+Y=Z, X is the private key, Y is the other value and Z is the public key, with Y and Z both locked. The server substitutes X into the formula and checks whether Z can be obtained; if it can, the server determines that the entered private key X is correct.
If the server verifies that the private key is correct, the corresponding public key can be found through the above random formula and decrypted, so that the computer device obtains the first tag. As noted above, the first tag was associated with the first login information when the user registered and logged in to the server, so the server can obtain the first login information and log in to the server again with it.
By attaching the private key/public key encryption relationship to the first tag, the first tag is not easily stolen.
In another embodiment, after the user has logged in to the server with the first login information for the first time and entered a single sign-on instruction, the user may log in to the server again by entering the private key on a different terminal. For example, the user logs in to the server on a first terminal and obtains the private key returned by the server; the user can then enter the private key to be verified on a second terminal, and after the server verifies that it is correct, the user can log in to the server through the second terminal. This achieves single sign-on from the second terminal, which greatly improves login convenience while also improving security.
In one embodiment, the step of generating a mutually bound private key and public key comprises:
S201: generate a random formula, the random formula being any combination of mathematical operations among a sought value, a result value and other values, where the result value and the other values are randomly generated constants;
S202: treat the sought value in the random formula as the private key, and the result value in the random formula as the public key.
The server randomly generates a random formula, which is any combination of mathematical operations among the sought value, the result value and other values, the result value and the other values being randomly generated constants. The sought value is treated as the private key and the result value as the public key, specifically as follows:
The server generates a random formula comprising a sought value, a result value and other values. The sought value is treated as the private key; when the private key is used for decryption, the user enters the private key (i.e. the sought value), and if the server determines that the random formula holds, decryption succeeds. The result value is treated as the public key and its value is locked; the other values are also locked. Continuing the example above, X+Y=Z: X is the sought value, Y the other value and Z the result value. X is the private key entered by the user, while Y and Z are locked. The random formula generated by the server thus determines how the private key and public key are generated, achieving their generation and mutual binding.
In one embodiment, the step of checking whether a public key corresponding to the private key exists in the session library comprises:
S501: obtain the first random formula binding the private key and the public key, so as to find the public key corresponding to the private key through the first random formula.
This embodiment is the specific means of finding the public key corresponding to the private key in the session library. The first random formula is the formula bound to the private key that the server generated along with the private key, and it is stored in the server's session library; the server identifies in the session library the first random formula bound to the private key. Then, continuing the example X+Y=Z, the first sought value X corresponding to the private key is substituted into the first random formula; if the first result value Z of the public key can be correctly obtained, the computer device determines that the public key corresponding to the first result value is the public key bound to the private key.
In one embodiment, the step of decrypting the public key with the private key to obtain the first tag and obtaining the first login information corresponding to the first tag comprises:
S510: if substituting the first sought value of the private key into the first random formula yields the first result value corresponding to the public key, determine that the public key has been decrypted by the private key, and obtain the first tag encapsulated and encrypted in the public key.
As described above, for X+Y=Z, the first sought value X corresponding to the private key is substituted into the first random formula; if the first result value Z of the public key can be correctly obtained, the computer device determines that the public key has been decrypted by the private key, and the server can then obtain the first tag encapsulated and encrypted in the public key.
S520: obtain the first login information associated with the first tag.
After the computer device obtains the first tag, because the first tag and the first login information were associated with each other when the user first registered and logged in to the server, the computer device can then obtain the first login information associated with the first tag.
In one embodiment, the random formula uses any one of the RSA algorithm, the AES algorithm (Advanced Encryption Standard) and the ElGamal algorithm; in another embodiment, the random formula may also be any of various equations, such as a linear equation or the Ohm's law equation.
In one embodiment, the step of sending the private key to the pre-associated terminal device comprises:
S310: obtain the terminal number entered when the user operated the terminal device to log in to the server for the first time, the terminal number being a number assigned to the terminal device;
S320: send the private key to the terminal device corresponding to the terminal number.
Terminal devices include computer equipment, smartphones and tablets. When the user operates the terminal device to log in to the server for the first time, the server asks the user to register, and the user's registration information becomes the login information. At this time the server also asks the user to enter the terminal number associated with the terminal device, so that the login information is bound to the mobile terminal.
After the server generates the mutually bound private key and public key, it stores the public key in the server's session library and sends the private key to the mobile terminal bound to the terminal number.
In one embodiment, the step of obtaining the private key to be verified entered by the user and verifying whether it is the same as the private key comprises:
S410: receive a login instruction entered on the terminal device;
S420: generate a private key input request according to the login instruction, and send the private key input request to the terminal device;
S430: obtain the private key to be verified that the user enters in response to the private key input request, so as to verify whether it is the same as the private key.
If the user wants one-click single sign-on to the server, the user enters a login instruction on the terminal so as to log in to the server again with one click. The server holds the first login information recorded at the first login; after receiving the login instruction, it sends the terminal device a private key input request for the private key associated with that first login information, asking the user to enter the private key to be verified. After the user enters the private key to be verified, the server compares it with the private key; if they are the same, the server looks up in the session library the first random formula bound to the private key and computes the public key, so that the computer device obtains the first tag by decrypting the public key and logs in to the server through the first tag, completing the login process.
In summary, the server obtains the first login information of the user logging in to the server and associates it with a first tag; it generates a mutually bound private key and public key, encapsulates and encrypts the first tag in the public key, and stores the public key with the encapsulated first tag in the server's session library. This encrypts the tag and prevents an illegal party from placing a tag into the session library and entering the server directly. The private key is sent to the pre-associated terminal device. When the user needs single sign-on, the server obtains the private key to be verified that the user enters through the terminal device and determines whether it is the same as the private key; if so, it checks whether a public key corresponding to the private key exists in the session library, and if it does, decrypts the public key with the private key to obtain the first tag, obtains the first login information from the first tag, and logs in to the server again with the first login information, thereby achieving single sign-on for the user. Because the first tag is protected by encryption, it cannot be stolen, which effectively prevents an illegal party from entering the first tag into the SESSION and bypassing the user login process.
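The method S100 to S520 above, as an added worked example in Python that is not part of the patent: the session library keeps only Y, Z and the first tag sealed under X, `sso_login` re-checks the bound formula X+Y=Z, and the recovered tag must still map to login information the server itself associated, which is what stops a tag planted directly in the session from logging anyone in. The names `SsoServer`, `SessionRecord` and `_seal`, and the SHA-256 XOR sealing, are constructed stand-ins for the patent's "encapsulation", not the applicant's code.

```python
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class SessionRecord:
    """One entry of the server's session library (constructed stand-in).

    The patent's example formula is X + Y = Z: X is the private key the user
    holds, Y the locked "other value", Z the locked "public key". Only Y, Z and
    the sealed first tag are stored; X itself never enters the session library.
    """
    other_value: int    # Y, locked constant
    public_value: int   # Z, the result value treated as the public key
    sealed_tag: bytes   # first tag, encapsulated under X


def _seal(data: bytes, x: int) -> bytes:
    """Constructed stand-in for "encapsulating the tag in the public key":
    XOR with a SHA-256 keystream derived from X. Applying it twice with the
    same X restores the original bytes, which is the decryption step."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(
            x.to_bytes(8, "big") + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class SsoServer:
    def __init__(self) -> None:
        self.users: dict[str, str] = {}          # user_id -> password
        self.tags: dict[str, str] = {}           # first tag -> user_id
        self.sessions: list[SessionRecord] = []  # the session library

    def register(self, user_id: str, password: str) -> None:
        self.users[user_id] = password

    def first_login(self, user_id: str, password: str, remember: bool):
        """S100 to S300: first login with login information. Returns the
        private key X the server would send to the bound terminal, or None."""
        if self.users.get(user_id) != password:
            return None                      # first login information rejected
        if not remember:
            return None                      # no single sign-on instruction
        # S200: generate the first tag and associate it with the login info
        tag = secrets.token_hex(16)
        self.tags[tag] = user_id
        # S201/S202: random formula X + Y = Z with Y and Z as locked constants
        x = secrets.randbelow(10**9) + 1     # sought value -> private key
        y = secrets.randbelow(10**9) + 1     # other value, locked
        z = x + y                            # result value -> public key
        # S300: encapsulate the tag; keep only Y, Z and the sealed tag
        self.sessions.append(SessionRecord(y, z, _seal(tag.encode(), x)))
        return x                             # S310/S320: sent to the terminal

    def sso_login(self, candidate_x: int):
        """S400 to S520: verify the entered private key, recover the tag, and
        return the user_id it resolves to (None if login is refused)."""
        for rec in self.sessions:
            # S501/S510: does the candidate satisfy the bound formula?
            if candidate_x + rec.other_value != rec.public_value:
                continue
            # formula holds, so "decrypt" the public key to recover the tag
            tag = _seal(rec.sealed_tag, candidate_x).decode("ascii", "replace")
            # S520: the tag must map to login information the server itself
            # associated; a record planted in the session library does not
            user_id = self.tags.get(tag)
            if user_id is not None:
                return user_id
        return None
```

With the page's additive formula, anyone who can read both Y and Z from a record can compute X, so in this form the tag's secrecy rests entirely on the session library itself staying private.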
Referring to Figure 2, which is a structural block diagram of the single sign-on anti-tampering apparatus provided by this application, the apparatus comprises:
A first login unit 10, configured to obtain the first login information of a user logging in to the server for the first time, and determine whether the user has entered a single sign-on instruction, the single sign-on instruction being an instruction that lets the user log in to the server without entering the first login information.
The first login information includes a user ID and password information. Before logging in to the server for the first time, the user must register; the user registers with the server through a terminal device and obtains login information. Different users may have different login information; in this scheme, the user logs in to the server by entering the first login information on the terminal device.
When the user logs in to the server for the first time, the server determines whether the user has entered a single sign-on instruction on the terminal device. For example, the user enters the first login information in an application on the terminal device, and the server determines whether the user has selected an instruction such as "remember the first login information" in the application; this is how the server determines whether the user has entered a single sign-on instruction.
A tag association unit 20, configured to, if so, generate a first tag and associate the first login information with the first tag, the first tag being a tag that invokes the first login information to log in to the server.
The server creates a first tag and associates it with the first login information. When the user performs single sign-on through the terminal device, the first tag is used to find the first login information corresponding to it in the server's session library, which lets the user achieve single sign-on.
封装加密单元30,用于生成相互绑定的私钥与公钥,将第一标签封装加密在公钥中,并已封装所述第一标签的将公钥存储在服务器的会话库中,发送私钥至预关联的终端设备;The encapsulation encryption unit 30 is used to generate a private key and a public key that are bound to each other, encapsulate and encrypt the first label in the public key, and store the public key of the first label in the session database of the server, and send Private key to pre-associated terminal equipment;
由上述可知,服务器生成与第一登录信息关联的第一标签,通过第一标签替换第一登录信息,实现帮助用户单点登录进入服务器,但为防止非法者通过盗取第一标签,随后向服务器输入第一标签,而进入用户的服务器账户中的技术问题,提出如下技术手段:It can be seen from the above that the server generates the first tag associated with the first login information, and replaces the first login information with the first tag to help users single sign-on to enter the server, but to prevent illegal persons from stealing the first tag, then The server enters the first label and enters the technical problem of the user's server account, and proposes the following technical means:
服务器生成相互绑定的私钥与公钥,私钥可以理解为钥匙,公钥可以理解为密码箱,将第一标签封装在公钥中,由公钥对第一标签进行加密,以保证获取第一标签需要先对公钥进行解密,达到第一标签防盗的效果,随后,将封装好第一标签的公钥存储至服务器的会话库中,非法者通过SESSION进入会话库,但因为有公钥加密第一标签,从而使非法者不能盗取第一标签。The server generates a private key and a public key that are bound to each other. The private key can be understood as a key, and the public key can be understood as a lockbox. The first label is encapsulated in the public key, and the first label is encrypted by the public key to ensure that the first label is obtained. A tag needs to decrypt the public key first to achieve the anti-theft effect of the first tag. Then, the public key encapsulated in the first tag is stored in the session database of the server. The illegal person enters the session database through SESSION, but because of the public key Encrypt the first label so that illegal persons cannot steal the first label.
上述私钥为随机的数字,服务器将私钥发送至终端设备。The above private key is a random number, and the server sends the private key to the terminal device.
私钥获取单元40,用于当用户使用所述单点登录所述服务器时,获取用户输入的待验证私钥,并验证待验证私钥是否与私钥相同。The private key obtaining unit 40 is configured to obtain the private key to be verified input by the user when the user uses the single sign-on to log in to the server, and verify whether the private key to be verified is the same as the private key.
用户通过终端设备获知到私钥后,通过终端设备向服务器输入待验证私钥,服务器验证待验证私钥和私钥否相同。After obtaining the private key through the terminal device, the user inputs the private key to be verified to the server through the terminal device, and the server verifies whether the private key to be verified and the private key are the same.
由上述可知,私钥为随机数字,故用户操作终端设备在应用程序上输入待验证私钥,由服务器验证待验证私钥。It can be seen from the above that the private key is a random number, so the user operates the terminal device to input the private key to be verified on the application program, and the server verifies the private key to be verified.
第二登录单元50,用于若相同,则从会话库中查找出与私钥对应的公钥,并由私钥解密公钥而获得第一标签,通过第一标签调用第一登录信息以再次登入服务器。The second login unit 50 is used to find the public key corresponding to the private key from the session database if the same, and decrypt the public key by the private key to obtain the first label, and call the first login information through the first label to again Log in to the server.
若服务器判定待验证私钥与私钥相同,则通过私钥向服务器的会话库中查询出公钥,查询的方式为:将私钥导入至预关联的随机公式中,其中随机公式为生成私钥时与私钥绑定的公式,通过识别出的私钥导入至随机公式中以判断是否能够求出公钥,以确定输入的私钥是否正确。例如:X+Y=Z,其中X为私钥、Y为其它值、Z为公钥,Y和Z均是锁定的,服务器将X导入至该公式中,判断是否能够求出Z,若能求出Z,则服务器判定输入的私钥X为正确的。If the server determines that the private key to be verified is the same as the private key, it queries the server’s session database for the public key through the private key. The query method is: import the private key into the pre-associated random formula, where the random formula is to generate the private key. When the key is the formula bound to the private key, the recognized private key is imported into the random formula to determine whether the public key can be obtained to determine whether the entered private key is correct. For example: X+Y=Z, where X is the private key, Y is other value, Z is the public key, and both Y and Z are locked. The server imports X into the formula to determine whether Z can be found. If Z is obtained, the server determines that the entered private key X is correct.
若服务器验证私钥是正确的,既能够通过上述的随机公式查询出对应的公钥,并对公钥进行解密,从而计算机设备获取到第一标签,由上述可知,在用户注册登入服务器时,第一标签与第一登录信息已进行了关联,故服务器能获取第一登录信息,并根据第一登录信息再次登入服务器。If the server verifies that the private key is correct, the corresponding public key can be found through the above random formula, and the public key can be decrypted, so that the computer device can obtain the first label. From the above, it can be seen that when the user logs in to the server, The first tag has been associated with the first login information, so the server can obtain the first login information, and log in to the server again according to the first login information.
通过对第一标签附加私钥和公钥的加密关系,使得第一标签不易被盗取。By attaching the encryption relationship between the private key and the public key to the first tag, the first tag is not easily stolen.
在另一实施例,用户首次通过第一登录信息登入服务器,并向服务器输入单点登录指令之后,用户再次登录服务器可以采用不同的终端输入私钥,达到再次登入服务器,例如:用户在第一终端登入服务器,获取到服务器反馈的私钥,用户可以向第二终端输入待验证私钥,在服务器验证待验证私钥无误后,可通过第二终端登入服务器,实现第二终端单点登入服务器的效果,极大的提升了登录的便捷性,同时提升安全性。In another embodiment, after the user logs in to the server through the first login information for the first time and inputs a single sign-on instruction to the server, the user can log in to the server again by using a different terminal to enter the private key to log in to the server again, for example: The terminal logs in to the server and obtains the private key fed back by the server. The user can input the private key to be verified into the second terminal. After the server verifies that the private key to be verified is correct, the second terminal can log in to the server to realize the second terminal single sign-on server The effect of this greatly improves the convenience of logging in and at the same time enhances security.
在一个实施例中,封装加密单元30包括:In one embodiment, the encapsulation encryption unit 30 includes:
公式关联模块,用于生成随机公式,随机公式为求值、得值和其他值三者之间的任意数学计算组合,得值和其他值为随机生成的常数;The formula association module is used to generate random formulas. A random formula is any combination of mathematical calculations between evaluation, obtained value and other values. The obtained value and other values are randomly generated constants;
密钥确定模块,用于将随机公式中的求值视为私钥,以及将随机公式中的得值视为公钥。The key determination module is used to treat the evaluation in the random formula as the private key and the value in the random formula as the public key.
服务器随机的生成随机公式,得值和其他值三者之间的任意数学计算组合,得值和其他值为随机生成的常数,将随机公式中的求值视为私钥,以及将随机公式中的得值视为公钥,具体如下:The server randomly generates a random formula, any combination of mathematical calculations between the obtained value and other values, the obtained value and other values are randomly generated constants, the evaluation in the random formula is regarded as a private key, and the random formula is The value of is regarded as the public key, as follows:
服务器生成随机公式,随机公式包括求值、得值和其它值,求值视为私钥,在私钥解密公开时,由用户输入私钥(即求值),若服务器判定随机公式成立,则解密成功;得值视为公钥,数值是锁定的;其他值也是锁定的,继续采用上述例子:X+Y=Z,X为求值、Y为其他值、Z为得值,X可以理解为私钥由用户输入,Y与Z数值是锁定的,通过服务器生成的随机公式进一步的确定私钥与公钥的生成,从而实现私钥和公钥的生成以及相互绑定。The server generates a random formula. The random formula includes evaluation, obtained value and other values. The evaluation is regarded as a private key. When the private key is decrypted and disclosed, the user enters the private key (ie, evaluation). If the server determines that the random formula is valid, then Decryption is successful; the value obtained is regarded as the public key, the value is locked; other values are also locked, continue to use the above example: X+Y=Z, X is evaluation, Y is other value, Z is obtained value, X can be understood Since the private key is input by the user, the Y and Z values are locked, and the generation of the private key and the public key is further determined by the random formula generated by the server, so as to realize the generation and mutual binding of the private key and the public key.
在一个实施例中,第二登录单元50包括:In an embodiment, the second login unit 50 includes:
公钥搜索模块,用于获取绑定私钥与公钥的第一随机公式,以通过第一随机公式查找出与私钥对应的公钥。The public key search module is used to obtain the first random formula binding the private key and the public key, so as to find the public key corresponding to the private key through the first random formula.
本实施例为在会话库中查找与私钥对应的公钥的具体手段,第一随机算式为服务器生成私钥时携带生成的与私钥绑定的算式,并将该第一随机算式存储至服务器的会话库中,服务器在会话库中识别出与私钥绑定的第一随机算式;随后,继续沿用上述例子:X+Y=Z,将私钥对应的第一求值X导入至第一随机算式中,若能够正确求得公钥的第一得值Z,则计算机设备认定第一得值对应的公钥为与私钥绑定的公钥。This embodiment is a specific method for finding the public key corresponding to the private key in the session database. The first random calculation is the calculation that is bound to the private key carried when the server generates the private key, and the first random calculation is stored in In the server’s session database, the server recognizes the first random formula bound to the private key in the session database; then, continue to use the above example: X+Y=Z, import the first evaluation X corresponding to the private key to the first In a random calculation formula, if the first value Z of the public key can be obtained correctly, the computer device determines that the public key corresponding to the first value is the public key bound to the private key.
在一个实施例中,第二登录单元50还包括:In an embodiment, the second login unit 50 further includes:
解密模块,用于若私钥的第一求值导入至第一随机算式中能够求得与公钥对应的第一得值,则判定公钥被私钥解密,而获得封装加密于公钥中的第一标签。The decryption module is used to determine that the public key is decrypted by the private key if the first evaluation of the private key is imported into the first random calculation to obtain the first value corresponding to the public key, and the package is encrypted in the public key The first label.
由上述可知,X+Y=Z,将私钥对应的第一求值X导入至第一随机算式中,若能够正确求得公钥的第一得值Z,则计算机设备判定公钥被私钥解密,进而服务器能够获取到封装加密与公钥中的第一标签。From the above, X+Y=Z, the first evaluation X corresponding to the private key is imported into the first random calculation. If the first value Z of the public key can be obtained correctly, the computer device determines that the public key is private The key is decrypted, and then the server can obtain the first label in the encapsulated encryption and public key.
获取与第一标签关联的第一登录信息。Obtain the first login information associated with the first tag.
在计算机设备获取到第一标签后,因为第一标签和第一登录信息在用户首次注册登入服务器时已经相互关联,则计算机设备在获取第一标签后,可再获得与第一标签相关联的第一登录信息。After the computer device obtains the first tag, because the first tag and the first login information are already associated with each other when the user first registers to log in to the server, the computer device can obtain the first tag after obtaining the first tag. The first login information.
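The random formula mechanism described above (formula generation with locked constants, the solved value as private key, the obtained value as public key, and the search of the session library for the formula a candidate private key satisfies) as an added Python example; this is not code from the patent or the applicant. It assumes that the "any combination of mathematical calculations" is restricted to addition, subtraction and multiplication so that every formula has one integer solution, that X and Y are drawn first and Z computed from them, and that the session library is a dictionary keyed by constructed session ids.

```python
import operator
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Operators the random formula may be built from. Restricting to these three
# is an assumption of this example; the patent allows any calculation.
_OPS: Dict[str, Callable[[int, int], int]] = {
    "+": operator.add,
    "-": operator.sub,
    "*": operator.mul,
}


@dataclass(frozen=True)
class RandomFormula:
    """A formula  X <op> Y = Z  with the solved value X left out.

    Y is the locked "other value" and Z the locked "obtained value"; Z plays
    the role of the public key in the patent's terminology.
    """
    op: str
    y: int
    z: int

    def holds(self, x: int) -> bool:
        """True when importing the candidate X reproduces the obtained value Z."""
        return _OPS[self.op](x, self.y) == self.z


def generate_formula(bits: int = 62) -> Tuple[int, RandomFormula]:
    """Generate a random formula and return (private_key, formula).

    X and Y are drawn at random and Z is computed from them, so that the
    solved value X is a positive integer whichever operator was chosen.
    """
    op = secrets.choice(list(_OPS))
    x = 1 + secrets.randbelow(1 << bits)
    y = 1 + secrets.randbelow(1 << bits)
    return x, RandomFormula(op, y, _OPS[op](x, y))


def find_public_key(session_library: Dict[str, RandomFormula],
                    candidate_x: int) -> Optional[Tuple[str, int]]:
    """Locate the record whose first random formula the candidate X satisfies.

    Returns (session_id, public_key), or None when no stored formula holds,
    which is the server's signal that the entered private key is wrong.
    """
    for session_id, formula in session_library.items():
        if formula.holds(candidate_x):
            return session_id, formula.z
    return None


def demo() -> bool:
    """Build a small session library and check lookup with a right and a wrong key."""
    library: Dict[str, RandomFormula] = {}
    keys: Dict[str, int] = {}
    for sid in ("sess-a", "sess-b", "sess-c"):   # constructed session ids
        x, formula = generate_formula()
        library[sid] = formula
        keys[sid] = x
    found = find_public_key(library, keys["sess-b"])
    wrong = find_public_key(library, keys["sess-b"] + 1)
    return found == ("sess-b", library["sess-b"].z) and wrong is None
```

`find_public_key` is the "public key search module": the only thing the server needs to evaluate the formula is the locked pair (Y, Z), and a candidate X that fits no stored formula is rejected before any tag is touched.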
In one embodiment, the random formula uses any one of the RSA algorithm, the AES algorithm (Advanced Encryption Standard) and the ElGamal algorithm; in another embodiment, the random formula may also be any of various equations, such as a linear equation or the Ohm's law equation.
In one embodiment, the encapsulation and encryption unit 30 includes:
A number obtaining module, configured to obtain the terminal number entered when the user, operating the terminal device, logs in to the server for the first time, the terminal number being a number used for the terminal device;
A private key sending module, configured to send the private key to the terminal device corresponding to the terminal number.
Terminal devices include computer devices, smartphones and tablet phones. When the user operates a terminal device to log in to the server for the first time, the server asks the user to register, and the user's registration information is the login information. At this time the server also asks the user to enter the terminal number associated with the terminal device, so that the login information is bound to the mobile terminal.
After the server generates the mutually bound private key and public key, it stores the public key in the server's session library and sends the private key to the mobile terminal bound to the terminal number.
In one embodiment, the private key obtaining unit includes:
An instruction receiving module, configured to receive a login instruction entered on the terminal device;
A request generation module, configured to generate a private key input request according to the login instruction and send it to the terminal device;
An obtaining module, configured to obtain the private key to be verified that the user entered in response to the private key input request, so as to verify whether it is the same as the private key.
If the user wants one-key single sign-on to the server, the user enters a login instruction at the terminal so as to log in to the server again with one key through that instruction. The server has recorded the first login information from the first login; after it obtains the login instruction, it outputs to the terminal device a private key input request for the private key associated with the first login information, asking the user to enter the private key to be verified. Once the user has entered it, the server compares the private key to be verified with the private key; if they are the same, the server finds in the session library the first random formula bound to the private key and computes the public key, so that the computer device obtains the first tag after decrypting the public key and logs in to the server with the first tag, completing the login process.
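The end-to-end flow of the apparatus (first login with the single sign-on instruction, tag generation, key binding with the X+Y=Z example from the text, private key delivery to the bound terminal number, the login instruction answered by a private key input request, and the verify-search-decrypt-login sequence) as an added Python example; it is not code from the patent or the applicant. Its assumptions: the session record layout, a constructed HMAC-SHA256 keystream as the stand-in for "encapsulating the tag in the public key", a hash of X kept for the comparison step, the tag mapping to the user id rather than to the raw password, and a simulated outbox in place of sending the private key to the terminal. Names such as `SsoServer` and the account values are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class SessionRecord:
    """One entry of the server's session library (layout assumed by this example)."""
    y: int                   # locked "other value"
    z: int                   # locked "obtained value", the public key
    private_key_hash: bytes  # digest of X, used for the comparison step
    nonce: bytes
    sealed_tag: bytes        # first tag, unreadable without X


def _keystream(x: int, nonce: bytes, length: int) -> bytes:
    """Illustrative HMAC-SHA256 counter keystream keyed by X (not a standard cipher)."""
    key = x.to_bytes(16, "big")
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal_tag(x: int, tag: bytes) -> Tuple[bytes, bytes]:
    """Encapsulate the first tag so that it is useless without the private key X."""
    nonce = secrets.token_bytes(16)
    return nonce, bytes(a ^ b for a, b in zip(tag, _keystream(x, nonce, len(tag))))


def unseal_tag(x: int, nonce: bytes, sealed: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(sealed, _keystream(x, nonce, len(sealed))))


def _digest(value: str) -> bytes:
    return hashlib.sha256(value.encode()).digest()


class SsoServer:
    def __init__(self) -> None:
        self.accounts: Dict[str, Tuple[bytes, str]] = {}  # user -> (pw hash, terminal number)
        self.tags: Dict[bytes, str] = {}                   # first tag -> first login information
        self.sessions: Dict[str, SessionRecord] = {}       # the session library
        self.outbox: List[Tuple[str, str, int]] = []       # (terminal number, session id, X)

    def register(self, user_id: str, password: str, terminal_number: str) -> None:
        self.accounts[user_id] = (_digest(password), terminal_number)

    def first_login(self, user_id: str, password: str, remember: bool) -> Optional[str]:
        """First login with user ID and password; `remember` is the single sign-on instruction.

        Returns None for wrong credentials, the session id when single sign-on was
        requested, and "" for a plain login that keeps no tag.
        """
        account = self.accounts.get(user_id)
        if account is None or not hmac.compare_digest(account[0], _digest(password)):
            return None
        if not remember:
            return ""
        tag = secrets.token_bytes(16)              # first tag
        self.tags[tag] = user_id                   # associate tag with first login information
        y = 1 + secrets.randbelow(1 << 62)         # X + Y = Z, as in the text; Y and Z locked
        z = y + 1 + secrets.randbelow(1 << 62)
        x = z - y                                  # solved value, the private key
        nonce, sealed = seal_tag(x, tag)
        session_id = secrets.token_hex(8)
        self.sessions[session_id] = SessionRecord(y, z, _digest(str(x)), nonce, sealed)
        self.outbox.append((account[1], session_id, x))   # private key to the bound terminal
        return session_id

    def login_instruction(self, session_id: str) -> Optional[dict]:
        """One-key login instruction: answer with a private key input request."""
        if session_id not in self.sessions:
            return None
        return {"session_id": session_id, "request": "private_key"}

    def sso_login(self, session_id: str, candidate_x: int) -> Optional[str]:
        """Verify the private key, find the public key by the formula, decrypt the tag, log in."""
        rec = self.sessions.get(session_id)
        if rec is None:
            return None
        # Step 1: compare the private key to be verified with the stored private key.
        if not hmac.compare_digest(rec.private_key_hash, _digest(str(candidate_x))):
            return None
        # Step 2: importing X into X + Y = Z must reproduce Z, the bound public key.
        if candidate_x + rec.y != rec.z:
            return None
        # Step 3: the public key counts as decrypted; recover the first tag.
        tag = unseal_tag(candidate_x, rec.nonce, rec.sealed_tag)
        # Step 4: the first tag calls up the first login information.
        return self.tags.get(tag)
```

Nothing in `sso_login` depends on which terminal submits the candidate, which is what lets the second-terminal embodiment work: the value delivered to the bound terminal number can be entered elsewhere. Note that Y and Z together determine X, so the session library is itself secret material; the construction addresses the threat the text names (inserting a bare tag into SESSION), not a reader of the whole session record.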
Referring to Figure 3, an embodiment of this application also provides a computer device. The computer device may be a server, and its internal structure may be as shown in Figure 3. The computer device includes a processor, a memory, a network interface and a database connected through a system bus. The processor of the computer device provides computing and control capability. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program and a database. The internal memory provides the environment in which the operating system and the computer program on the non-volatile storage medium run. The database of the computer device stores data such as test data tables. The network interface of the computer device communicates with external terminals over a network connection. When executed by the processor, the computer program implements a single sign-on tamper-proof method.
An embodiment of this application also provides a computer-readable storage medium on which a computer program is stored; when executed by a processor, the computer program implements the steps of a single sign-on tamper-proof method. The computer-readable storage medium is, for example, a non-volatile computer-readable storage medium or a volatile computer-readable storage medium.

Claims (20)

  1. A single sign-on tamper-proof method, characterized in that it comprises:
    obtaining first login information of a user's first login to a server and determining whether the user has entered a single sign-on instruction, the single sign-on instruction being an instruction that lets the user log in to the server without entering the first login information;
    if so, generating a first tag and associating the first login information with the first tag, the first tag being a tag that calls up the first login information to log in to the server;
    generating a mutually bound private key and public key, encapsulating the first tag in the public key, storing the public key carrying the first tag in a session library, and sending the private key to a pre-associated terminal device;
    when the user uses single sign-on to log in to the server, obtaining a private key to be verified entered by the user and verifying whether the private key to be verified is the same as the private key;
    if they are the same, finding the public key corresponding to the private key in the session library, decrypting the public key with the private key to obtain the first tag, and calling up the first login information through the first tag to log in to the server again.
  2. The single sign-on tamper-proof method according to claim 1, characterized in that the step of generating a mutually bound private key and public key comprises:
    generating a random formula, the random formula being any combination of mathematical calculations among a solved value, an obtained value and other values, the obtained value and the other values being randomly generated constants;
    treating the solved value in the random formula as the private key and the obtained value in the random formula as the public key.
  3. The single sign-on tamper-proof method according to claim 2, characterized in that the step of finding the public key corresponding to the private key in the session library comprises:
    obtaining a first random formula binding the private key and the public key, so as to find the public key corresponding to the private key through the first random formula.
  4. The single sign-on tamper-proof method according to claim 3, characterized in that the step of decrypting the public key with the private key to obtain the first tag comprises:
    if importing the first solved value of the private key into the first random formula yields the first obtained value corresponding to the public key, determining that the public key has been decrypted by the private key;
    obtaining the first tag encapsulated and encrypted in the public key.
  5. The single sign-on tamper-proof method according to claim 1, characterized in that the step of finding the public key corresponding to the private key in the session library comprises:
    querying the server's session library for the public key using the private key, the query being performed by importing the private key into a pre-associated random formula, the random formula being the formula bound to the private key when the private key was generated, and importing the recognized private key into the random formula to determine whether the public key can be solved for, so as to determine whether the entered private key is correct;
    if the server verifies that the private key is correct, querying the corresponding public key through the random formula.
  6. The single sign-on tamper-proof method according to claim 1, characterized in that the step of sending the private key to a pre-associated terminal device comprises:
    obtaining a terminal number entered when the user operates the terminal device to log in to the server for the first time, the terminal number being a number used for the terminal device;
    sending the private key to the terminal device corresponding to the terminal number.
  7. The single sign-on tamper-proof method according to claim 1, characterized in that the step of obtaining the private key to be verified entered by the user and verifying whether it is the same as the private key comprises:
    receiving a login instruction entered on the terminal device;
    generating a private key input request according to the login instruction and sending the private key input request to the terminal device;
    obtaining the private key to be verified entered by the user in response to the private key input request, so as to verify whether the private key to be verified is the same as the private key.
  8. A single sign-on tamper-proof apparatus, characterized in that it comprises:
    a first login unit, configured to obtain first login information of a user's first login to a server and determine whether the user has entered a single sign-on instruction, the single sign-on instruction being an instruction that lets the user log in to the server without entering the first login information;
    a tag association unit, configured to generate a first tag if so and associate the first login information with the first tag, the first tag being a tag that calls up the first login information to log in to the server;
    an encapsulation and encryption unit, configured to generate a mutually bound private key and public key, encapsulate the first tag in the public key, store the public key carrying the first tag in a session library, and send the private key to a pre-associated terminal device;
    a private key obtaining unit, configured, when the user uses single sign-on to log in to the server, to obtain a private key to be verified entered by the user and verify whether the private key to be verified is the same as the private key;
    a second login unit, configured, if they are the same, to find the public key corresponding to the private key in the session library, decrypt the public key with the private key to obtain the first tag, and call up the first login information through the first tag to log in to the server again.
  9. The single sign-on tamper-proof apparatus according to claim 8, characterized in that the encapsulation and encryption unit comprises:
    a formula association module, configured to generate a random formula, the random formula being any combination of mathematical calculations among a solved value, an obtained value and other values, the obtained value and the other values being randomly generated constants;
    a key determination module, configured to treat the solved value in the random formula as the private key and the obtained value in the random formula as the public key.
  10. The single sign-on tamper-proof apparatus according to claim 9, characterized in that the second login unit comprises:
    a public key search module, configured to obtain a first random formula binding the private key and the public key, so as to find the public key corresponding to the private key through the first random formula.
  11. The single sign-on tamper-proof apparatus according to claim 10, characterized in that the second login unit further comprises:
    a decryption module, configured to determine that the public key has been decrypted by the private key if importing the first solved value of the private key into the first random formula yields the first obtained value corresponding to the public key, and to obtain the first tag encapsulated and encrypted in the public key.
  12. The single sign-on tamper-proof apparatus according to claim 9, characterized in that the random formula uses any one of the RSA algorithm, the AES algorithm and the ElGamal algorithm.
  13. The single sign-on tamper-proof apparatus according to claim 8, characterized in that the encapsulation and encryption unit comprises:
    a number obtaining module, configured to obtain a terminal number entered when the user operates the terminal device to log in to the server for the first time, the terminal number being a number used for the terminal device;
    a private key sending module, configured to send the private key to the terminal device corresponding to the terminal number.
  14. The single sign-on tamper-proof apparatus according to claim 8, characterized in that the private key obtaining unit comprises:
    an instruction receiving module, configured to receive a login instruction entered on the terminal device;
    a request generation module, configured to generate a private key input request according to the login instruction and send the private key input request to the terminal device;
    an obtaining module, configured to obtain the private key to be verified entered by the user in response to the private key input request, so as to verify whether the private key to be verified is the same as the private key.
  15. A computer device, comprising a memory and a processor, the memory storing a computer program, characterized in that the processor, when executing the computer program, implements the steps of a single sign-on tamper-proof method, the method comprising:
    obtaining first login information of a user's first login to a server and determining whether the user has entered a single sign-on instruction, the single sign-on instruction being an instruction that lets the user log in to the server without entering the first login information;
    if so, generating a first tag and associating the first login information with the first tag, the first tag being a tag that calls up the first login information to log in to the server;
    generating a mutually bound private key and public key, encapsulating the first tag in the public key, storing the public key carrying the first tag in a session library, and sending the private key to a pre-associated terminal device;
    when the user uses single sign-on to log in to the server, obtaining a private key to be verified entered by the user and verifying whether the private key to be verified is the same as the private key;
    if they are the same, finding the public key corresponding to the private key in the session library, decrypting the public key with the private key to obtain the first tag, and calling up the first login information through the first tag to log in to the server again.
  16. The computer device according to claim 15, characterized in that the step of generating a mutually bound private key and public key comprises:
    generating a random formula, the random formula being any combination of mathematical calculations among a solved value, an obtained value and other values, the obtained value and the other values being randomly generated constants;
    treating the solved value in the random formula as the private key and the obtained value in the random formula as the public key.
  17. The computer device according to claim 16, characterized in that the step of finding the public key corresponding to the private key in the session library comprises:
    obtaining a first random formula binding the private key and the public key, so as to find the public key corresponding to the private key through the first random formula.
  18. The computer device according to claim 17, characterized in that the step of decrypting the public key with the private key to obtain the first tag comprises:
    if importing the first solved value of the private key into the first random formula yields the first obtained value corresponding to the public key, determining that the public key has been decrypted by the private key;
    obtaining the first tag encapsulated and encrypted in the public key.
  19. A computer-readable storage medium on which a computer program is stored, characterized in that the computer program, when executed by a processor, implements the steps of a single sign-on tamper-proof method, the method comprising:
    obtaining first login information of a user's first login to a server and determining whether the user has entered a single sign-on instruction, the single sign-on instruction being an instruction that lets the user log in to the server without entering the first login information;
    if so, generating a first tag and associating the first login information with the first tag, the first tag being a tag that calls up the first login information to log in to the server;
    generating a mutually bound private key and public key, encapsulating the first tag in the public key, storing the public key carrying the first tag in a session library, and sending the private key to a pre-associated terminal device;
    当用户使用所述单点登录所述服务器时,获取用户输入的待验证私钥,并验证所述待验证私钥是否与所述私钥相同;When the user uses the single sign-on to log in to the server, obtain the private key to be verified input by the user, and verify whether the private key to be verified is the same as the private key;
    若相同,则从所述会话库中查找出与所述私钥对应的所述公钥,并由所述私钥解密所述公钥而获得所述第一标签,通过所述第一标签调用所述第一登录信息以再次登入所述服务器。If they are the same, the public key corresponding to the private key is found from the conversation library, and the public key is decrypted by the private key to obtain the first label, which is called by the first label The first login information to log in to the server again.
  20. 根据权利要求19所述的计算机可读存储介质,其特征在于,所述生成相互绑定的私钥与公钥的步骤,包括:The computer-readable storage medium according to claim 19, wherein the step of generating a private key and a public key that are bound to each other comprises:
    生成随机公式,所述随机公式为求值、得值和其他值三者之间的任意数学计算组合,所述得值和所述其他值为随机生成的常数;Generating a random formula, the random formula being an arbitrary mathematical calculation combination between evaluation, obtaining and other values, the obtained value and the other values are randomly generated constants;
    将所述随机公式中的求值视为私钥,以及将所述随机公式中的得值视为公钥。The evaluation in the random formula is regarded as a private key, and the value obtained in the random formula is regarded as a public key.
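The procedure of claims 15 to 20 (a tag issued at first login, a random formula that binds a private "sought value" to a stored public "result value", and the formula check that doubles as key verification and "decryption" at single sign-on) is modelled below in Python as an added example. It is illustrative code written for this page, not the patent's or the applicant's implementation. The two concrete formulas (an affine map modulo 2^128 and an HMAC-SHA256 keyed by the random constant), the session store layout, the 128-bit key size and the linear lookup over stored formulas are all assumptions, since the claims leave the "arbitrary mathematical combination" and the lookup unspecified.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple, Union

KEY_BITS = 128            # assumed size of the private "sought value"
KEY_MOD = 1 << KEY_BITS


@dataclass(frozen=True)
class AffineFormula:
    """Assumed instance of the 'random formula' (claim 16): pub = (a*priv + b) mod 2^128.
    a and b are the randomly generated constants; a is odd so the map is a bijection."""
    a: int
    b: int

    def evaluate(self, priv: int) -> int:
        return (self.a * priv + self.b) % KEY_MOD


@dataclass(frozen=True)
class OneWayFormula:
    """Assumed one-way instance: pub = HMAC-SHA256(k, priv), k the random constant."""
    k: bytes

    def evaluate(self, priv: int) -> int:
        mac = hmac.new(self.k, priv.to_bytes(KEY_BITS // 8, "big"), hashlib.sha256)
        return int.from_bytes(mac.digest(), "big")


Formula = Union[AffineFormula, OneWayFormula]


def new_formula(one_way: bool) -> Formula:
    if one_way:
        return OneWayFormula(k=secrets.token_bytes(32))
    return AffineFormula(a=secrets.randbelow(KEY_MOD) | 1, b=secrets.randbelow(KEY_MOD))


@dataclass
class SessionRecord:
    formula: Formula   # the "first random formula" binding private and public key (claim 17)
    tag: str           # the "first tag" encapsulated with the public key (claim 15, step 3)


class SsoServer:
    def __init__(self, one_way: bool = True) -> None:
        self.one_way = one_way
        self.login_info: Dict[str, Tuple[str, str]] = {}   # tag -> first login information
        self.session_db: Dict[int, SessionRecord] = {}     # public key -> record

    def first_login(self, user: str, credential: str, sso_requested: bool) -> Optional[int]:
        """Claim 15, steps 1-3: returns the private key to send to the terminal, else None."""
        if not sso_requested:
            return None
        tag = secrets.token_hex(16)
        self.login_info[tag] = (user, credential)
        formula = new_formula(self.one_way)
        priv = secrets.randbelow(KEY_MOD)        # sought value = private key (claim 16)
        pub = formula.evaluate(priv)             # result value = public key (claim 16)
        self.session_db[pub] = SessionRecord(formula, tag)
        return priv

    def sso_login(self, priv_candidate: int) -> Optional[Tuple[str, str]]:
        """Claim 15 steps 4-5 with claims 17-18: the candidate is accepted iff some stored
        formula maps it onto its stored public key. That single check is both the 'same
        private key' test and the 'decryption'. The linear scan is an assumption."""
        if not 0 <= priv_candidate < KEY_MOD:
            return None
        for pub, rec in self.session_db.items():
            result = rec.formula.evaluate(priv_candidate)
            if hmac.compare_digest(result.to_bytes(32, "big"), pub.to_bytes(32, "big")):
                return self.login_info.get(rec.tag)   # tag -> first login information
        return None


def private_key_from_record(formula: AffineFormula, pub: int) -> int:
    """Design caveat: with an invertible formula the stored (formula, pub) pair alone
    determines the private key, so the session database is as sensitive as a plaintext
    credential table. A one-way formula (OneWayFormula) removes this recovery path."""
    return ((pub - formula.b) * pow(formula.a, -1, KEY_MOD)) % KEY_MOD


if __name__ == "__main__":
    server = SsoServer(one_way=True)
    key = server.first_login("alice", "constructed-credential", sso_requested=True)
    print("sso login ->", server.sso_login(key))
```

The check in `sso_login` is the whole of the claimed verification: a stored formula, applied to the presented value, must reproduce the stored result. Because nothing is signed or encrypted in the public-key sense, the presented value behaves as a bearer token, and the session database must be protected as such; `private_key_from_record` shows why the formula should be chosen one-way rather than affine.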
PCT/CN2019/117662 2019-05-13 2019-11-12 Single-point login tamper-proof method, apparatus, computer device and storage medium WO2020228278A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910394530.1A CN110266640B (en) 2019-05-13 2019-05-13 Single sign-on tamper-proof method and device, computer equipment and storage medium
CN201910394530.1 2019-05-13

Publications (1)

Publication Number Publication Date
WO2020228278A1 true WO2020228278A1 (en) 2020-11-19

Family

ID=67914630

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/117662 WO2020228278A1 (en) 2019-05-13 2019-11-12 Single-point login tamper-proof method, apparatus, computer device and storage medium

Country Status (2)

Country Link
CN (1) CN110266640B (en)
WO (1) WO2020228278A1 (en)

Also Published As

Publication number Publication date
CN110266640A (en) 2019-09-20
CN110266640B (en) 2021-11-05

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19928894

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19928894

Country of ref document: EP

Kind code of ref document: A1